The meaning of data can be as broad as any information, from health records to a lunch order. Different kinds of data are subject to different laws with varying levels of severity. Data about a person’s health, for example, is subject to a strict set of regulations known as HIPAA. Here is some guidance on protecting your clients’ and colleagues’ data through five basic data privacy rules.
Data privacy law in the US
Data privacy rules apply to any information that can be used on its own, or in combination with other clues, information, or context, to identify, contact, or locate an individual.
Data covered by data privacy rules is any information related to a person that could be used to identify that person, either directly or indirectly.
It could be a name, photo, email address, date of birth, ethnicity, religion, financial record, medical information, or employment history. It could even be posts on social networking sites.
Different countries use different terms to describe this kind of data. In the US, it’s known as personally identifiable information (PII).
The key data principles
While specific rules on data privacy can vary by state and jurisdiction, there are some basic rules that should always be followed. You need to be aware of these because everyone in an organization is responsible for protecting the data held on employees, customers and clients.
There are four key data principles:
- Don’t collect data unless you have to
- Don’t use data for purposes other than the purpose about which you have informed the individual
- Protect data at all costs
- Destroy data when it’s no longer required
The five data privacy rules
Consent
Before disclosing any data, check if the proper consent is in place to do so. Depending on the type of data, you may need the consent of the individual concerned before passing it on.
Purpose
Before collecting any data from an individual, make sure you need it. You should only collect the exact amount of data needed and never more than is required for the purpose. Also, data should not be collected or used without approval. Don’t collect more than is needed.
Security and access
Data should always be kept and stored anonymously using the latest security and de-anonymization methods. You have a responsibility to protect data from loss, theft, unauthorized use and modification. Data should not be accessed without permission or a specific, lawful purpose.
An individual should have the means to view and correct the data held on them as provided by law.
Disclosure and accountability
Individuals will have a right to know why their data is being collected and how it will be used by law. Individuals can normally hold companies to account for the use of their data and keeping it safe and secure. Individuals may be able to sue or report companies who abuse or misuse data. Some of the fines can reach up to 4% of global annual turnover.
Destruction and disposal
Data should not be kept for any longer than is necessary. Data that is not being used, out of use, or no longer required should be destroyed. All data should have a retention period associated with it, and data should be periodically reassessed and destroyed or disposed of when no longer needed.
Top tips for keeping data safe
There are federal and state laws that set out the requirements for proper disposal of certain categories of PII such as health information. Breaching them can result in civil or even criminal penalties against you or your business. Here is some guidance on how to keep data safe:
- Store data securely and ensure it can only be accessed by authorized users
- Have clear policies in place to protect data and comply with the law
- Train all staff on data privacy and your organization’s policies
- Complete security audits regularly and insure that documents containing personal data or PII are disposed of correctly
- Report any breaches or concerns, even if you think it is small or insignificant.
VinciWorks’ online data privacy training for US-based businesses
VinciWorks’ online data privacy course, Data Privacy: Fundamentals, provides all staff with a comprehensive overview of data privacy rules, policy, and legislation in the United States. The course combines short bursts of learning with practical scenarios and real-life case studies to ensure all staff know how to safely and securely work with data. Interactive scenarios and gamified challenges test and score data privacy knowledge as users progress through the training. The course also covers The California Consumer Privacy Act (CCPA), effective January 1, 2020.