INFORMATION PRIVACY: OPENING DOORS FOR IG AND RIM PROFESSIONALS
Triangle ARMA Chapter
Thursday, February 1, 2018
Presented by Brett Wise, CRM CIPT CIPP/US IGP CIP
TODAY’S OBJECTIVES
After today’s presentation, you should have a better understanding of:
Information/Data Privacy (at a high level)
The relationship between the fields of IG/RIM and Privacy
The role of Retention in RIM and Privacy’s relationship
How technology and laws/regulations can impact both Privacy and RIM
The importance of Information Security to Privacy and RIM
Professional opportunities for IG/RIM practitioners created by the increased focus on the field of Privacy, including requisite skills
ABOUT THE PRESENTATION
We won’t cover an in-depth review of Privacy, RIM or IG
No Deep Diving!
However, please feel free to reach out to me anytime
And… the Presentation will have discussions and prizes!
WHAT IS PRIVACY?
Privacy is “the appropriate use of personal information under the circumstances. Privacy is an individual’s right to control the collection, use and disclosure of personal information.” - definition from the IAPP
“Privacy encompasses the rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and disposal of personal information.” - definition from the AICPA
Classes of Privacy:
Bodily Privacy
Territorial Privacy
Communications Privacy
Information Privacy
“Crossover of classes”
WHAT IS PRIVACY?, cont.
Privacy Protection Models:
Comprehensive (EU)
Sectoral (US)
Co-regulatory (Australia)
No general regulations/laws
EU’s Special Categories of Data: Racial or ethnic origin; Political opinions; Religious or philosophical beliefs; Trade-union membership; Processing of genetic/biometric data (for the purposes of unique identification); and Data concerning health or the sex life or sexual orientation
Views on Sensitive Personal Information:
EU tends to view sensitive PI as a “privacy” issue (a human right)
US tends to view sensitive PI as a “security” issue (a constitutional right)
Privacy in the United States:
Federal Laws
State Laws (especially Identity Theft and Breaches)
only 1 state (Alabama) does not have a data breach notification law(s)
State Breach Notification Laws:
First name or initial and last name, along with:
Social Security Number;
Driver’s License Number or State ID Card Number; or
Account number (credit/debit) plus security/access code or password that would allow access
Several exceptions across states (medical/healthcare, federal/state ID #s, biometric data, tax info, employment info, mother’s maiden name, digital signature,…???)
WHAT IS PRIVACY?, cont.
Other Key Concepts:
Privacy Policy and Notice
Consent and Choice (Opt-In and Opt-Out)
Information Security
Fair Information Practices, OECD Guidelines, GAPP, and PIPEDA
from The Atlantic, 3/1/2012
OECD GUIDELINES
Collection Limitation
Data Quality
Purpose Specification
Use Limitation
Security Safeguards
Openness
Individual Participation
Accountability
WHAT IS RIM?
You all know this!!!
“The field of management responsible for establishing and implementing policies, systems, and procedures to capture, create, access, distribute, use, store, secure, retrieve, and ensure disposition of an organization’s records and information.”
- ARMA’s Glossary of Records and Information Management Terms
A “SYMBIOTIC” RELATIONSHIP BETWEEN PRIVACY AND RIM
The fields of Privacy and RIM are very much interrelated!
Privacy has historically been integral to the practice of RIM (although subtly until recently)
Fundamental concepts shared between Privacy and RIM
Compliance
Retention and Disposition
Information/Data Classification
And many more…
Correlation between the OECD Guidelines and the Generally Accepted Recordkeeping Principles®
“THE PRINCIPLES” OR “THE OECD GUIDELINES”
Concept #1: PROTECTION
The Principles
NOTE: The OECD has the Security Safeguard Guideline.
Concept #2: OPENNESS
The OECD Guidelines
NOTE: The Principles has the Principle of Transparency.
“THE PRINCIPLES” OR “THE OECD GUIDELINES”
Concept #3: ACCOUNTABILITY
Both
The Principles are:
Accountability
Protection
Compliance
Availability
Retention
Disposition
Transparency
THE ROLE OF RETENTION
Generally Accepted Recordkeeping Principles of Retention and Disposition are fundamental concepts for any RIM program
Accessibility (Retention) and Findability (Disposition)
Organizational Use and Meeting Business Obligations
Controlling Storage Costs
Complying with Laws and Regulations
Laws and regulations make Retention a mandatory requirement of most Privacy programs (it’s always best practice!!!)
The best way to prevent a data breach is...
INFORMATION GOVERNANCE:
An Organizational Effort Involving Privacy and RIM
TECHNOLOGY
Significance cannot be overstated!
#1 most influential force for the fields of Privacy, RIM, and IG (BY FAR)
Revolutionizing the field of RIM
Transition toward electronic records and data
Expanded business and compliance requirements
Vastly improved tools AND challenges (keeping up???)
Required knowledgebase and skill sets
… An equally dramatic impact on the field of Privacy
Data, electronic records, the Internet, cloud computing, mobile devices, cyber crime, data breaches, Big Data, online advertising, online tracking, etc. etc. etc.
Proliferation in laws and regulations focused on Privacy and Information Security (many, many more to come)
A global focus
LAWS AND REGULATIONS
Foundational to both Privacy and RIM
Legal/Regulatory environment is dynamic
The impact of laws and regulations is always increasing (e.g., GDPR)
Impact on an organization may depend on industry, jurisdiction, and/or organization’s risk tolerance
A global consideration
LAWS AND REGULATIONS, cont.
Examples of Federal Laws:
Gramm-Leach-Bliley Act (GLBA)
HIPAA/HITECH
Telecommunications Act of 1996
Electronic Communications Privacy Act of 1986 (ECPA)
Employment Laws (ADA, FCRA, etc.)
FOIA
Patriot Act and Freedom Act
Sarbanes-Oxley Act of 2002
Examples of State Laws:
California AB 1950 (2004)
Mass. 201 CMR 17 (2010)
Examples of International Laws:
General Data Protection Regulation (GDPR)
Safe Harbor Act
Privacy Shield
WHAT IS THE GDPR?
The General Data Protection Regulation
Does not only apply to the EU
Strong Privacy requirements w/ potentially costly penalties for non-compliance
Goes into effect on May 25, 2018
Lots of questions remain about how the GDPR will ultimately be defined and implemented
THE ROLE OF INFORMATION SECURITY
Security is a fundamental concept of RIM (e.g., Principle of Protection)
Security is also a key Privacy concept: Physical, Administrative, and Technological
“You can have Security without Privacy, but you cannot have Privacy without Security”
CIA = Confidentiality, Integrity, Availability
NOTE: Two of these are Generally Accepted Recordkeeping Principles.
WHY INFORMATION SECURITY?
2013
2014
2016
2017
PROFESSIONAL OPPORTUNITIES FOR RIM PRACTITIONERS WITHIN THE PRIVACY FIELD
Privacy is driving a renewed “appreciation” for RIM programs and professionals
RIM is very much respected and appreciated by Privacy professionals
Management of the Information Lifecycle is critical, especially Retention/Disposition
Privacy crosses basically all sectors (especially critical to financial, health, utilities and other highly regulated industries)
Opportunities exist globally!
TYPES OF OPPORTUNITIES
PRIVACY-SPECIFIC
Higher-level Positions (Manager, Director, Officer, VP, Counsel, C-level, etc.)
5+ years “dedicated” Privacy experience and/or Law Degree
Mid- to Low- Level Positions (Specialist, Analyst, etc.)
2+ years “dedicated” Privacy experience and Bachelor’s Degree (Information-related)
Health-related Position: HIM background/certification
PRIVACY-RELATED
More and more IG/RIM job descriptions are seeking some level of knowledge/experience with Privacy
Seeking certifications (e.g., CRM, IGP, Privacy-focus)
54 ARMA members have a CIPP certification
Technology experience (becoming more critical)
Privacy/Compliance experience (e.g., familiarity with various laws and regulations)
Know how Privacy intersects with IG/RIM and seek out (if possible) opportunities to participate in Privacy Management
TAKING ADVANTAGE OF THE OPPORTUNITIES
RIM professionals must develop the proper skill set(s) to be successful in the field of Privacy AND continue this skill development!
Some Critical Skills:
Understand concepts and applications for:
Foundational Privacy Knowledge/Skills
IT (systems admin, data communication, IT governance, development, etc.)
Information Security
Data Governance
Understand how laws and regulations impact these disciplines and your organization
Be able to “Manage” Risk
SPEAK THE LANGUAGE!!!
RELEVANT CERTIFICATIONS
HIGHER EDUCATION
QUESTIONS/DISCUSSION
DATA PRIVACY DAY – JANUARY 28, 2018
Brett Wise, CRM CIPT CIPP/US IGP CIP
Director of Records & Information Management
The American Board of Pediatrics
Chapel Hill, North Carolina
brettwise@hotmail.com or bwise@abpeds.org