Given the global nature of commerce and the prevalence of the electronic exchange of information, data security has never been a more critical business issue. This course will provide employees in global organizations with a high-level awareness of the regulatory, legal, and corporate requirements for handling and protecting personal and sensitive information. It will explore the principles underlying the various information security laws in place around the world, and outline best practices for handling data appropriately.
This course was developed with subject matter support provided by Gordon Dadds LLP. Please note, however, that the course materials and content are for informational purposes only and do not constitute legal advice and may or may not reflect the most current legal developments. Nothing herein, or in the course materials, shall be construed as professional advice as to any particular situation or constitute a legal opinion with respect to compliance with legal statutes or statutory instruments. Gordon Dadds LLP accepts no responsibility for their contents and the reliance on the contents is prohibited and at the user's risk. Transmission of the information is not intended to create, and receipt does not constitute, a solicitor-client relationship. Readers should not act upon this information without seeking independent legal advice.
All businesses have responsibilities to protect confidential and personal data, and today the risks of data breaches are greater than ever for two reasons. First, because businesses operate in a knowledge economy, more and more data is exchanged as part of simple, routine operations. And second, because businesses often depend on cross-border data flows, they may be subject to foreign data privacy laws in addition to local ones.
More than 130 countries around the world have enacted data protection laws, which means businesses must be proactive in ensuring they are aware of the requirements that apply to them.
It's critical to be able to recognize common types of information that businesses are required to protect, such as:
Unique identifiers
Unique identifiers of a person may include documents such as identification cards or passport numbers. This data must be safeguarded because it can be used to identify a particular person, and may put people at risk of identity theft.
Information about financial transactions
Information about financial transactions - such as loans and purchases - and details about a person's credit history or assets are also protected by law. In the earlier scenario, we saw how Joe's carelessness with customer credit profiles could have exposed his company's customers to fraud or identity theft.
Personal information that the law deems more sensitive
Some types of information are considered to fall into special categories and may only be processed in limited circumstances, such as where the processing is carried out with the individual's explicit consent. For example, the right to privacy in relation to medical records is connected with the legitimate concern an individual may have that this information could affect their insurance coverage or employment. Sometimes, privacy concerns may be linked to a fear of discrimination or harassment. For that reason, individuals often have a right to privacy when it comes to such aspects as sexual orientation, biological traits, and political or religious affiliation.
As we already noted, globalization and the growing body of legal regulations on data protection place increased demands on organizations. Privacy laws can vary widely from country to country, and there may be specific requirements for certain sectors as well.
There is a variety of data protection regulations in different jurisdictions across the world:
- the EU’s General Data Protection Regulation of 2016, known as the GDPR
- Argentina's Personal Data Protection Law of 2000
- Hong Kong's Personal Data (Privacy) Ordinance of 1996
- Canada’s Personal Information Protection and Electronic Documents Act of 2000
- Australia's Privacy Act of 1988, and
- Japan’s Act on the Protection of Personal Information of 2003
The range of these laws presents special challenges for multinational companies, which are likely to require cross-border exchanges of personal data. This can be especially challenging for multinationals based outside the EU or EEA because the EU and EEA regulations may be stricter than the company's local regulations.
For example, in the European Union and European Economic Area there are restrictions on transferring personal data outside of the European Union or European Economic Area, even if these transfers of data occur internally to the company. From the European Commission's perspective, personal data sent or housed offshore may increase the risk that individuals will lose their data rights. It only regards certain countries - currently Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland, and Uruguay - as having sufficiently high standards. Historically, a number of attempts to set up general schemes to ensure US-held data can be regarded as adequately protected have been made, such as "Safe Harbor" and "Privacy Shield," but these efforts have failed.
So sending data from, say, Germany to the United States (unless special measures such as protection via contractual clauses are in place) or to China (again, unless special measures are in place) is a potential problem. The restrictions can affect interactive websites, company intranets, customer reservations, customer helplines, customer and employee directories, human resources information systems, and even routine mail and telephone calls.
Despite the range of data protection legislation, there are certain underlying principles that apply generally. Understanding these principles enables companies to put safe practices in place that will minimize threats to data flows. These principles are: Lawfulness, fairness, and transparency; Purpose limitation; Data minimization; Accuracy; Storage limitation; Integrity and confidentiality (or security); and Accountability.
Lawfulness, fairness, and transparency
The general principle of ‘lawfulness, fairness, and transparency’ means that an organization must have legitimate grounds (otherwise known as a “lawful basis”) for collecting and using personal data. It must not use the data in a way that is unduly detrimental, unexpected, or misleading to the individual. It must also inform individuals about its intentions in a clear, open, and honest way.
Purpose limitation
Personal data should be adequate, relevant, and limited to what is required, and should only be stored and used for the specific and legitimate purposes for which it was collected. Data may not be further processed in ways that unfairly go beyond those purposes unless the individual explicitly consents, or there is some other lawful basis for doing so.
Data minimization
Data should only be collected where needed on a basis that is directly related to the purposes for which it is processed. Especially where the personal data is sensitive, it is very important only to collect and retain the minimum amount of information necessary.
Storage limitation
Personal data should not be retained for longer than is necessary for the purposes for which it is processed.
Accuracy
An organization holding personal data has an obligation to ensure that the data is accurate and, where necessary, kept up-to-date. There is also a requirement to take reasonable steps to ensure that errors are corrected without delay.
Integrity and confidentiality (security)
Organizations must adopt adequate technical and organizational measures to ensure the integrity and confidentiality of personal data, and to protect personal data against unauthorized or unlawful processing and against accidental loss or destruction. There must also be a swift response to any data breach once it is detected. A basic principle here is that only authorized employees should be able to access, alter, disclose, or destroy the data.
Accountability
Organizations that process personal data are responsible for complying with the relevant data protection legislation (such as the GDPR in the EU or EEA). They must be able to demonstrate compliance and must be accountable to a supervisory authority.
Let's consider more specific examples of these principles and the right individuals have to access the information that is held about them.
If a newspaper were to sell its subscriber list to a direct-mail advertiser without customers' knowledge, the "purpose limitation" principle would be violated. The newspaper did not collect its customers' information to resell it, and its subscribers did not consent to this use of the information. Also, the newspaper arguably violates the "lawfulness, fairness, and transparency" principle by improperly profiting from the data it holds on its subscribers.
An example of breaching the "data minimization" principle would be if travelers were required to indicate their sexual orientation or religion when booking a vacation online. This information is considered to fall within a special category and since it is not relevant to the purpose of the transaction, it cannot be required.
Accuracy is important because inaccuracy can have serious consequences. For instance, suppose that an individual informs a credit agency that some of the information in his credit report is incorrect. If the agency confirms what the individual says with the lender, but fails to update the individual's record, it would violate the "accuracy" principle.
Storage limitation means that data should not be held indefinitely when it is no longer required since holding data that is not required increases the risk of it being hacked or leaked.
Sometimes personal data is either accidentally or intentionally disclosed to unauthorized people. Or, it may be accessed, altered, or destroyed by someone without the authority to do so. Whenever personal information is put at risk or compromised in some way, it is known as a personal data breach.
In the earlier scenario, you learned how personal customer credit data became public after an unencrypted memory stick was stolen. There have also been cases where laptop computers, tablets, or smartphones with personal information have been lost or stolen.
The penalties for violating data laws can be significant. Under EU law, for example, individuals have a private right of action for data breaches, and each European country has at least one dedicated supervisory authority to enforce data protection laws, including the power to impose administrative fines.
In the EU, failing to notify individuals affected by a data breach when required to do so can result in significant fines or other penalties.
In addition, individuals involved in malicious data breaches or other violations of data protection regulations may face criminal penalties.
In addition to these penalties, mismanagement of personal information can lead to adverse publicity for the organization.
Customers are likely to take their business elsewhere if news stories give them reason to doubt that their personal data is secure.
Now that you understand the incentives for your organization's compliance with data protection laws, let's consider your responsibilities as an employee.
In short, you are required to handle confidential information and other data responsibly, safely, and according to your employer's policies and requirements. Four general principles are useful to keep in mind. First, avoid any inappropriate disclosure. Second, take steps to keep the information secure. Third, remember that individuals usually have a right to access their personal data, and other rights that you must respect. And fourth, immediately report any breaches you become aware of.
Avoid inappropriate disclosure
The first principle is to avoid disclosing personal customer information or sensitive company information to unauthorized persons such as colleagues who have no business reason to know the information, family members, or friends.
Keep information secure
If you're responsible for collecting personal data or updating it, make sure you back up that data so it is not lost. And be careful with passwords. To minimize the risk of unauthorized access, make sure you follow your company's requirements for strong passwords, and change them often. If you occasionally have to work away from the office, use caution when bringing sensitive information with you. For example, in the earlier scenario, Joe's storing customer credit information on an unencrypted USB drive created a serious security risk. Also, be sure to secure paper documents containing personal data, and properly dispose of them if they are no longer needed.
Allow appropriate access and respect other rights of data subjects
Keep in mind that data subjects are usually entitled to know what personal information about them is being processed and why. Also, if the information was acquired from another source, they may have a right to know that source, if it is available. Follow your company's procedure if you receive a request from customers to access their data. Keep in mind also the other rights that individuals may have in relation to their personal data.
Report a breach
If you become aware of a personal data breach, it is critical to escalate the matter quickly and appropriately so the company can take immediate action.