This article appeared in the December 2009 issue of the ISSA Journal and is reprinted here with permission.
How can data privacy requirements in the European Union be a driver for data privacy initiatives worldwide? What does it mean to have a Data Privacy Directive for EU member states, and how does this really work in practice?
There are no privacy directives worldwide that really match that of the European Union. The Data Protection Directive facilitates harmonization of member states’ laws in providing consistent levels of protections for citizens and ensuring the free flow of personal data within the European Union. The directive sets a baseline, a common level of privacy expectations that not only reinforces current data protection law for member states but also establishes a range of rights for the data subject (you and me).
This article provides high-level insight on best practices for data privacy using the EU Data Protection Directive as an example. It offers a graphical view, i.e., a collection, storage and removal model, as a means to demonstrate in a simple way the EU directive in practice, and briefly discusses the implications both within the EU and globally.
Let us start by questioning what we mean by data privacy and how needs for data privacy differ from information security:
- It is not just about the intellectual property or information belonging to an organization. That is covered by information security requirements.
- The information needing protection (personal data) is about you (the data-subject): who you are, what you like, your health, your lifestyle; basically, it is whatever you share that is linked to your identity. All information linked to your identity is called personally identifiable information (PII).
- Data privacy is not just about “personal data needing protection,” it is about protecting your rights and freedom as an individual; i.e., your right to privacy.
With this in mind, your personal data is collected and stored by government authorities and private enterprises. (For the purpose of this article, I refer to these entities as data-holding authorities). It is the data-holding authority that is interested enough in you to be motivated to collect your personal data and, in the case of the European Union, is required to adhere to data privacy legislation of the member state where it is resident.
For the purpose of this article and for simplicity, the lifecycle of personal information that you share has been divided into three distinct phases: collection, storage (and processing) and removal of personal data. The key actors for all three phases are the data subject and the data-holding authority.
Before we dive in, it is important to understand that a key concept in a working data privacy model is enforceability: data subjects have rights established in explicit rules. For example, in the EU this is made possible by each member state appointing a commissioner who is responsible for data privacy. The commissioner’s toolbox is privacy legislation; i.e., legislation that implements, at a minimum, the level of privacy prescribed in the EU directive.
Personal data collection
The first step is the collection of personal data. Any organization wishing to collect and process the personal information of data subjects is required to adhere to the following:
- Must inform the data commissioner and agree to abide by the rules that ensure that the privacy rights of the data subject are respected
- Must have assigned a data controller that is responsible for ensuring that the personal information of the data subjects is collected, stored and removed as per the data privacy principles laid out by the data commissioner relating to data quality
- Must not collect personal information without the consent of the data subject
- Must inform the data subject that data collection will happen
- Must inform the data subject of the purpose for which the personal information is being collected
- Must ensure that the data subject has the choice to opt out of the collection of personal information and/or that which is shared with third parties
Data subjects residing in member states of the European Union are very familiar with the practice of opt-in/opt-out. One example in Sweden is the collection of blood spots from all newborns for the purpose of testing for a genetic disease, phenylketonuria (PKU), and later for storage in a blood bank for research. At this point, the parents have a choice to opt out of the blood being used for research purposes, but they often do not, as it is easier to just leave it as it is. In fact, the best practice is that the data subject should be requested to opt in as the default, rather than having to remember to tick a specific box at the end of the form in order to opt out. Nonetheless, what is important when talking about data privacy best practices is that the data subject has a choice.
Personal data storage/processing
This is the information security part: the assigned controller “must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access.” In other words, the data-holding authority must have the security mechanisms in place to ensure the confidentiality, integrity and availability of data stored and transmitted by the data-holding authority. In addition, the requirement on the processing and storage of personal data states that the data shall:
- Be processed fairly and lawfully
- Be kept accurate
- Be kept up-to-date
- Not be transferred to a country or territory outside the country of origin, unless that country has an adequate level of protection for the rights and freedoms of the data subject
Likewise, for all data stored by the data holding authority:
- The data subject has the right of access to his personal information; i.e., transparency on the processing of his personal data. This means that the individual can ask whether his personal data is being processed and, if so, which data, and to whom the data is being disclosed. So long as the request is reasonable, the data-holding authority must comply with the request of the data subject.
- The data subject can question the integrity of the data collected. For example, if the data-holding authority has not updated their records, and the data subject has hard evidence that the personal information held is wrong, the data-holding authority must comply with the request to correct the error.
- The data subject has the right to object to information being stored if the data is being used for activities that are outside of the scope of what it was collected for; e.g., for marketing activities.
Personal data removal
Finally, the data must be removed once the original purpose of collection is no longer relevant. Furthermore, the data subject has the right to ask for the removal of personal data. Alternatively, this data could be sanitized for historical, statistical or scientific purposes; i.e., by removing any links to the data subject’s identity. Anonymous data is not within the scope of data privacy directives such as those found in the European Union.
Where this works in practice
The expectation for the right of privacy of personal data is recognized at the highest levels in the European Union. Every European Union country has a data protection commissioner or agency that enforces the rules. In the UK, for example, these rules are codified as law in the Data Protection Act (DPA), which places pressure on governments and organizations to have the necessary data privacy controls implemented. Other EU member states have their own DPA variants.
The countries with which EU member states do business are expected to provide a similar level of oversight concerning data privacy. One consequence has been an impact on the free flow of personal data from the European Union to countries with different data protection levels.
United States of America
The U.S. “Safe Harbor Agreement” has been defined to overcome deficiencies in the U.S. approach to information privacy, which is mainly self-regulated with minimal federal legislation. The Safe Harbor gives United States companies the option to voluntarily self-certify that they adhere to a set of privacy principles.
Asia-Pacific Economic Cooperation
The Asia-Pacific Economic Cooperation (APEC) is actively engaged in developing the Asia-Pacific privacy standard. The idea of the standard is to provide a practical policy approach to enable accountability in the flow of data while preventing impediments to trade. It provides technical assistance to those APEC economies that have not addressed privacy from a regulatory or policy perspective.
Latin America
Ibero-American Data Protection has been motivated by the need to implement harmonized measures for the protection of personal data that would enable the free flow of information, thus facilitating trade. Very few Latin American countries have privacy legislation in this area.
Conclusion
If you want to know more about the European Union data privacy principles, you need to visit the Web site for the EU Data Protection Directive. Here, you will find the directive along with exceptions and links to how it is implemented by each individual member state.