
The Business Side of Privacy




Presentation Transcript


  1. The Business Side of Privacy A Workable & Practical Balance

  2. Agenda • Your Rights & the Business Needs • What Should be in Place • Sensitive Information • Third Party Information • Catch All

  3. Your Right & The Business Need • You have the right to privacy & confidentiality with respect to your personal information • Businesses depend on the ready availability of data about people

  4. Collection of Information All businesses collect client information • Trades Professions • Education Providers • Retail Industry • Your Employer • Health Care Providers & Insurance Co. • Banks & Credit Companies • Utility Companies

  5. Normal Business Use • Information is collected in the normal course of doing business/providing service • Expectation that the information collected is used for the purposes of providing services to you as a customer (limited collection) • Some businesses find creative ways to collect information for research & development or marketing

  6. Business To Do List • All businesses are required to protect the information they collect from unauthorized access and misuse • Protocols in place to respond to any request for information • Businesses must ensure safeguards are in place to protect what they collect • Retention & destruction guidelines must also be in place • Information is yours, the record is owned by the business

  7. What Should be in Place? • Privacy Policy • How personal information is protected • How it is managed • Security Policy • Technologies used • Expectations of employees • Operational practices • Release of Information Policy • Where requests are common

  8. The Purposes • Responsibility for appropriate collection of and access to information (designated role within organization) • Policies created, communicated & understood • Consistent practices in storage, access & release • Consent to access/release information • Operational practices relating to technology

  9. Privacy Policy - Outline • Accountability of the company • Identify the purpose of collecting information & limitation thereof • Who is responsible • Consent to collect • Disclosure and retention • Safeguards to protection • Right to access

  10. Security Policy Outline • Office technologies in place • Desktop PCs, stand-alone • LAN & WAN, Networks • Mobile devices (laptops, ‘crackberries’) • Passwords • Defined Access & Security Rights • Back-up processes • Disaster Recovery • Encryption on mobile equipment • Storage during travel • Destruction of data

  11. Release of Information Policy • Defines who in the organization is responsible • Increases awareness & strengthens practices • Engages the stakeholders • Applies fair principles • What is required to release information • Conditions that must be met

  12. Types of Records • Physical, Hard Copy • Electronic • In either case, who has the right to access? • Record Life Cycles • Creation • Tracking • Storage • Retention & Destruction

  13. Office Layout • Physical layout of businesses • Location of records • Location of PC monitors & screens • Privacy of meetings & phone conversations • Discarding of physical paper documents – blue bins & shredding companies • Working files left in the open

  14. Sensitive or Extensive Information • Where service providers collect sensitive or extensive detailed information about clients there is the expectation that processes exist to appropriately collect, store and protect that information • The individual places their trust in the business that this is done

  15. Types of Businesses in this Category • Healthcare facilities • Medical Clinics • Private Healthcare Providers • Education providers • Professional Psychology Services • Nursing Homes & Long Term Care Facilities • Research both in Pharmaceutical Clinical Trials & Population Health Studies using Secondary Data • Pharmacies • Certain Government Services such as Community Services & Health initiatives (Telemedicine)

  16. Sensitive Information • Services where external stakeholders have a vested interest in the client/customer • Know the stakeholders • Know the process for consent to release & what should be released & who can release • Be familiar with how information can be obtained and how to respond • Establish relationships – ease of communications & working relationships

  17. Ordered Release • Law enforcement agencies • Subpoenas, Warrants, Orders for Production • Legal Counsel • Original documents may be required • True Copy may be acceptable • Risk Management & Security Controlled • Where other recording media are used, they are included in the release

  18. Third Party Information • In some services, personal information extends beyond the one client or individual • A higher degree of privacy protection is required, but not yet well understood • In such instances, release of information is complicated by third party information content • Consent to release cannot be given by the one client alone • Organization’s responsibility to protect all information

  19. Third Party Review • In instances where a whole file is requested for release, a review of content is recommended to ensure third party information is not unknowingly released • The business owner of the record and, where necessary, legal representation of the business that owns the record are responsible for decision making

  20. Your Rights • You have the right to access records that businesses create (follow the process the business has established) • You have the right to request correction of information • You have the right to know when your information is released • There may be a fee; know in advance

  21. Access & Release Costs • Costs associated with providing information • Resource time • Copy Expenses • Monitoring equipment and/or time • Who gets billed? • Minimize costs in the interests of the client

  22. Retention & Destruction • All types of information (records & documents) both physical & electronic, have a relevant life cycle for retention • Financial records • Age of consent – medical files • Vital Stats • Retention may permit different storage media during life cycle • The end of life cycle permits appropriate disposal – shredding, burning, deletion

  23. Systems & Applications • Software solutions, databases, tools, IT environments • Security levels, User Rights, Activity Logs • New or upgraded solutions involving new processes or a conversion of data may result in changes to how information is collected or who has access • Privacy Impact Assessment – Due Diligence

  24. The Bottom Line • Establish the necessary protocols, policies & procedures • Know client needs • Know stakeholder needs • Work actively with privacy advocates • Balance the right of the individual to have personal information protected with operational business requirements

  25. Thank-You! • Linda McKarney, a Senior Consultant with The Barrington Consulting Group, has over 22 years of public and private sector experience including 5 years as Director of Health Information Services at the Nova Scotia Hospital. Specializing in information privacy and system security safeguards including mental health and forensic information, Linda has worked collaboratively with stakeholders to develop and deploy operational policies and procedures that govern the collection of and access to information. Linda’s practical experience in organizational privacy and confidentiality, retention, release and destruction of information has given her valuable insight into everyday practices where businesses routinely collect personal information. Linda McKarney The Barrington Consulting Company 1791 Barrington St. Halifax B3J 3K9 902.491.4462 www.barringtongrp.ca
