250 likes | 354 Views
The Business Side of Privacy. A Workable & Practical Balance. Agenda. Your Rights & the Business Needs What Should be in Place Sensitive Information Third Party Information Catch All. Your Right & The Business Need.
E N D
The Business Side of Privacy A Workable & Practical Balance
Agenda • Your Rights & the Business Needs • What Should be in Place • Sensitive Information • Third Party Information • Catch All
Your Right & The Business Need • You have the right to privacy & confidentiality with respect to your personal information • Businesses depend on the ready availability of data about people
Collection of Information All businesses collect client information • Trades Professions • Education Providers • Retail Industry • Your Employer • Health Care Providers & Insurance Co. • Banks & Credit Companies • Utility Companies
Normal Business Use • Information is collected in the normal course of doing business/providing service • Expectation that the information collected is used for the purposes of providing services to you as a customer (limited collection) • Some businesses find creative ways to collect information for research & development or marketing
Business To Do List • All businesses are required to protect the information they collect from unauthorized access and misuse • Protocols in place to respond to any request for information • Businesses must ensure safeguards are in place to protect what they collect • Retention & destruction guidelines must also be in place • Information is yours, the record is owned by the business
What Should be in Place? • Privacy Policy • How personal information is protected • How it is managed • Security Policy • Technologies used • Expectations of employees • Operational practices • Release of Information Policy • Where requests are common
The Purposes • Responsibility for appropriate collection of and access to information (designated role within organization) • Policies created, communicated & understood • Consistent practices in storage, access & release • Consent to access/release information • Operational practices relating to technology
Privacy Policy - Outline • Accountability of the company • Identify the purpose of collecting information & limitation thereof • Who is responsible • Consent to collect • Disclosure and retention • Safeguards to protection • Right to access
Security Policy Outline • Office technologies in place • Desk top PCs stand alone • LAN & WAN, Networks • Mobile devices (laptops, ‘crackberries’) • Passwords • Defined Access & Security Rights • Back-up processes • Disaster Recovery • Encryption on mobile equipment • Storage during travel • Destruction of data
Release of Information Policy • Defines who in the organization is responsible • Increases awareness & strengthen practices • Engages the stakeholders • Applies fair principles • What is required to release information • Conditions that must be met
Types of Records • Physical, Hard Copy • Electronic • In either case, who has the right to access? • Record Life Cycles • Creation • Tracking • Storage • Retention & Destruction
Office Layout • Physical layout of businesses • Location of records • Location of PC monitors & screens • Privacy of meetings & phone conversations • Discarding of physical paper documents – blue bins & shredding companies • Working files left in the open
Sensitive or Extensive Information • Where service providers collect sensitive or extensive detailed information about clients there is the expectation that processes exist to appropriately collect, store and protect that information • The individual places their trust in the business that this is done
Types of Businesses in this Category • Healthcare facilities • Medical Clinics • Private Healthcare Providers • Education providers • Professional Psychology Services • Nursing Homes & Long Term Care Facilities • Research both in Pharmaceutical Clinical Trials & Population Health Studies using Secondary Data • Pharmacies • Certain Government Services such as Community Services & Health initiatives (Telemedicine)
Sensitive Information • Services where external stakeholders have a vested interest in the client/customer • Know the stakeholders • Know the process for consent to release & what should be released & who can release • Be familiar with how information can be obtained and how to respond • Establish relationships – ease of communications & working relationships
Ordered Release • Law enforcement agencies • Subpoenas, Warrants, Order for Production • Legal Council • Original documents may be required • True Copy may be acceptable • Risk Management & Security Controlled • Where other recording media are used, they are included in the release
Third Party Information • In some services, personal information extends beyond the 1 client or individual • A higher degree of privacy protection is required, but not yet well understood • In such instances, release of information is complicated by third party information content • Consent to release cannot be given by the 1 client • Organization’s responsibility to protect all information
Third Party Review • Instances where a whole file is requested for release a review of content is recommended to ensure third party information is not unknowingly released • The business owner of the record and, where necessary, legal representation of the business that owns the record are responsible for decision making
Your Rights • You have the right to access records that business create (follow the process the business has established) • You have the right to request correction of information • You have the right to know when your information is released • There may be a fee, know in advance
Access & Release Costs • Costs associated with providing information • Resource time • Copy Expenses • Monitoring equipment and/or time • Who gets billed? • Minimize costs in the interests of the client
Retention & Destruction • All types of information (records & documents) both physical & electronic, have a relevant life cycle for retention • Financial records • Age of consent – medical files • Vital Stats • Retention may permit different storage media during life cycle • The end of life cycle permits appropriate disposal – shredding, burning, deletion
Systems & Applications • Software solutions, databases, tools, IT environments • Security levels, User Rights, Activity Logs • New or upgraded solutions where new processes or a conversion of data that may result in changes to how it’s collected or who has access • Privacy Impact Assessment – Due Diligence
The Bottom Line • Establish the necessary protocols, policies & procedures • Know client needs • Know stakeholder needs • Work actively with privacy advocates • Balance the right of the individual to have personal information protected with operational business requirements
Thank-You! • Linda McKarney, a Senior Consultant with The Barrington Consulting Group, has over 22 years of public and private sector experience including 5 years as Director of Health Information Services at the Nova Scotia Hospital. Specializing in information privacy and system security safeguards including mental health and forensic information, Linda has worked collaboratively with stakeholders to develop and deploy operational policies and procedures that govern the collection of and access to information. Linda’s practical experience in organizational privacy and confidentiality, retention, release and destruction of information has given her valuable insight into everyday practices where businesses routinely collect personal information. Linda McKarney The Barrington Consulting Company 1791 Barrington St. Halifax B3J 3K9 902.491.4462 www.barringtongrp.ca