Because records of individual customers or potential customers
often have high market value, personally identifiable information has
been described as the world's new currency. With the global reach
of the Internet, which makes sending personal data from one continent to
another nearly instantaneous, privacy is an issue of high international
concern. Via the Internet, a company located in one country with one set
of privacy rules can send personal data about an individual, or a
database containing millions of individual records, to another country
with a different set of privacy rules.
This situation is particularly worrisome because of the
globalization of business operations. When companies export their
business operations abroad, they may also send sensitive customer data
overseas. Once the data is abroad, the company may be at liberty to market or
otherwise disseminate it with impunity. In countries
where no laws to protect personal data exist, sensitive data relating to
individuals can be sold to other parties without their consent, or it
may be exposed to the risks of identity theft.
The European Union (EU) has adopted strict rules, with mechanisms
for global enforcement, to mitigate these risks. Europe has the
world's most stringent set of rules governing how companies and
governments must manage personal data such as age, marital status,
buying patterns, and similar information. In Europe, privacy is
generally viewed as a basic human right, enforceable by stringent legal
protections, and the Europeans have become global leaders in setting the
standards for privacy and attempting to promote them throughout the
world.
In the United States (with the singular exception of California),
such protections are considerably less stringent, as business interests
have generally opposed any legislation or regulations that restrict
their ability to collect and use or even sell or exchange personal
information at their discretion, without government interference.
The EU's privacy laws require retailers to obtain permission
to collect data, trade it to partners, sell it, or even use it for their
own marketing--all common practices in the United States. European
companies are required to grant individuals open access to records and
data about them and correct any inaccuracies. The EU restricts how much
information companies can collect on customers and employees and how
long they are permitted to retain it. Video surveillance tapes, for
example, must be erased after a short period of retention.
With its high global standard of tight restrictions on personal
data, the EU has been quite successful in influencing the adoption of
privacy laws throughout the world. EU-inspired privacy laws are now the
norm in Canada, Australia, New Zealand, and parts of Asia and Latin
America. The EU influence is also being felt in the United States.
The EU's Data Protection Directive
In 1998, the EU issued its Directive on Data Protection (95/46/EC).
The directive was devised because some EU member states did not have
privacy protection for individual citizens, while other countries had
incompatible laws. To address this problem, the EU's parliament
issued its directive on data protection, which was intended to harmonize
European privacy laws and afford a continent-wide standard of protection
for all European citizens.
The directive's most significant feature is that "data
subjects"--persons from or about whom data is collected--must
unambiguously grant their consent before such data is collected, after
having been informed about the purpose(s) for which the data will be
used. The directive applies to the collection, transmission, and
processing of personal data, which is defined as "any information
relating to an identified or identifiable natural person" residing
within a member state of the EU. The directive applies to data that
directly or indirectly identifies an individual, which includes a
person's name, as well as other personal data about the person,
such as address, telephone number, or other information of a personal
nature. However, the directive expressly forbids the collection of
personal information that could be characterized as sensitive, which is
defined as a person's racial or ethnic origin, political opinions,
religious beliefs, or sexual preferences.
The directive consists of regulations relating to the collecting,
processing, and handling of personal data maintained within the EU, as
well as personal data transferred from the EU to other countries. The
directive requires that personal data be managed such that it is
* Collected for specified and legitimate purposes and not processed
further
* Relevant and not excessive for the purpose collected
* Accurate and updated as necessary
* Kept in a form that permits identification of data subjects for
no longer than necessary
Privacy in the United States
In sharp contrast to the situation in Europe, the United States
does not have a comprehensive privacy law and, generally, has promoted
industry self-regulation rather than legislation as the best means of
balancing privacy interests against the demands of electronic commerce.
The Privacy Act of 1974 protects personal information about U.S.
citizens captured in records maintained by agencies of the federal
government, but the law has no applicability outside the federal sector.
However, specific laws and regulations do apply to personal records and
information--such as credit history and other financial records,
telephone records, educational records, and patient medical
records--maintained by certain types of businesses. For example:
* Health Information--The Health Insurance Portability and
Accountability Act of 1996 (HIPAA) and the Privacy Rule of 2001 impose
privacy restrictions applicable to health information, typically in the
form of patient-specific medical records. Regulations promulgated under
the Act and Privacy Rule require regulated parties (i.e., health plans,
healthcare clearinghouses, and certain healthcare providers) to
implement a variety of privacy measures for patients, insured parties,
or other individuals subject to protection under the rules. These
include rules governing access to patient medical records, requirements
for patient consent to permit the sharing or disclosure of such records,
patient recourse for privacy violations, and other restrictions.
* Financial Information--The Gramm-Leach-Bliley Act of 1999
requires financial services companies to establish privacy policies and
governs how customer financial data can be shared within and between
institutions. Title V of the Act contains provisions pertaining to the
privacy of customer-specific financial records by banks and other
financial institutions. As of July 2001, financial institutions are
required to provide notice and an opportunity for customers to opt out
of disclosures of nonpublic personal information to nonaffiliated third
parties.
The U.S. Safe Harbor Agreement
One of the main features of the EU privacy directive is that it is
designed to ensure that corporations, including U.S. multinational
companies doing business in Europe, do not circumvent the EU's data
protection requirements by exporting personal data to countries that are
not subject to the EU's privacy rules. The directive prohibits data
transfers to non-EU countries, including the United States, unless those
countries provide adequate protection for the data.
Through this mechanism, Europe is attempting to make its data
protection rules the enforceable global standard for privacy. At the
time of this writing, the U.S. has not been deemed to provide adequate
protection of personal data. During the past several years, negotiations
have been continuous, often contentious, between Europe and the United
States to seek an acceptable compromise. To date, this has taken the
form of "safe harbor" data protections.
The U.S. Department of Commerce, in consultation with the European
Commission, developed the Safe Harbor Agreement by which U.S. companies
can avoid sanctions imposed by the EU if they voluntarily embrace a
somewhat less stringent version of the EU privacy directive. Under the
agreement, before personal data about European citizens may be
transferred to the United States, American companies must promise to
handle data about EU citizens in accordance with the EU's standards
while the data is maintained in the United States. However, detailed
provisions, including enforcement, have yet to be worked out between the
United States and the EU.
California: Leading the U.S. in Privacy
In the United States, the State of California has positioned itself
at the forefront of the privacy movement. On July 1, 2004, the first
online privacy law ever enacted in the United States--California's
Online Privacy and Disclosure Act of 2003--went into effect. The new law
requires all commercial entities operating in the state that collect
personal information online to clearly post a privacy policy to inform
citizens concerning the collection and use of data about them. In recent
years, California has enacted a plethora of new privacy laws. In brief,
these laws:
* Require businesses to inform customers when personal data is
shared with other parties
* Require businesses to notify customers when their personal data
has been exposed to a security breach
* Restrict the use of Social Security numbers as a means of
identification
* Prohibit unsolicited advertising by means of fax and e-mail
* Prohibit the sending of text messaging advertising to cell phones
and pagers
* Require financial institutions to obtain permission before
sharing personal information with nonaffiliated companies or parties
* Prohibit businesses from obtaining medical information about
individuals for marketing purposes without their consent
These California legislative initiatives are expected to be the
benchmark for consideration of privacy initiatives by other U.S. states
in the coming years.
Canada's Privacy Law
Elsewhere in North America, privacy in Canada is much more in line
with the European model than is the case in the United States. According
to a recent study, Canadian businesses tend to view privacy practices
positively--as an opportunity to improve relations with
customers--while U.S. firms see privacy measures more in the context of
burdensome government compliance.
Canada's privacy law is much more similar to the EU data
protection model than anything in the United States. Canada's
federal privacy law (the Personal Information Protection and Electronic
Documents Act), which became fully effective in 2004, extends privacy
protection to all personal data collected by companies on Canadian
citizens, regardless of when the data was collected. Companies doing
business in Canada must now review how they handle personal data
previously collected. The law applies to all commercial activities in
Canada, as defined in the trade and commerce section of the Canadian
constitution. The law requires that personal information be used only
for identified purposes, that disclosure be limited except where prior
consent is obtained, and that data must be properly destroyed when no
longer needed.
RIM Implications
Records and information management (RIM) professionals can and
should play a key role in organizational privacy initiatives because
privacy protection requires that organizations adopt recordkeeping
practices consistent with information protection and disclosure
policies, as well as relevant national and international statutes,
regulations, and directives. Organizations subject to privacy or data
protection issues will have to implement carefully considered RIM
initiatives to comply with global standards and to minimize their legal
liabilities at the same time. Recommendations for RIM compliance with
privacy laws are presented on page 58.
Records managers should work with their organization's chief
privacy officer, or with other managers having responsibility for
information protection and security, to ascertain the privacy status of
the organization and how to comply with whatever requirements are
applicable to it.
Records Management: Making the Transition from Paper to Electronic
is available for purchase at www.arma.org/bookstore.
At the Core
This article
* Describes privacy legislation in the U.S., Canada, and the EU
* Explains the U.S. "Safe Harbor" Agreement
* Provides guidelines for protecting personal data
Editor's Note: The following is an excerpt from David O.
Stephens' Records Management: Making the Transition from Paper to
Electronic, published earlier this year by ARMA International.
Guidelines for RIM Privacy Compliance
* Organizations should prepare a privacy policy of enterprise-wide
coverage that places appropriate restrictions on the collection, use,
dissemination and disclosure, and retention of personal information.
--Such policies should state categorically that no unauthorized use
will be made of the information that conflicts with the policy in any
way.
--Breach of the organization's privacy policies should be a
disciplinary offense.
--Deliberate breaches should be considered gross misconduct, with
appropriate remedies.
* Organizations maintaining personal data should consider
encryption as one means of enhancing the security of the data.
--Encrypt records containing names, Social Security numbers, credit
card numbers, and other personal data whenever possible to reduce the
risk of breaches.
* All recordkeeping systems containing personal information should
be systematically audited to determine the adequacy of the management
controls.
--All records eligible for disposal should be properly destroyed.
* RIM staff should determine exactly how many recordkeeping systems
that contain personal data on individuals are maintained, where those
files are kept, what they contain, and how the information is used,
distributed, and disclosed.
--Conduct a comprehensive and detailed inventory of all records and
files containing information concerning individual employees, customers,
or other persons.
* Records managers should carefully reexamine their records
retention practices.
--Retain only factual data concerning individuals and retain all
such records for the minimum periods of time required to meet business
needs and comply with the law.
--Destroy all other records--particularly those containing opinions
about individuals--under an approved records retention policy.
References
Clayton, Gary. "Safeguarding the World's New Currency." The Information Management Journal 36, no. 3, 2002.
Duff, Wendy, Wally Smieliauskas, and Holly Yoos. "Protecting Privacy." The Information Management Journal 35, no. 4, 2001.
Fjetland, Michael. "Global Commerce and the Privacy Clash." The Information Management Journal 36, no. 1, 2002.
Hailer, Susan. "Privacy: What Every Manager Should Know." The Information Management Journal 36, no. 3, 2002.
Holmes, Allan. "Riding the California Privacy Wave." CIO, 15 January 2005.
Swartz, Nikki. "Offshoring Privacy." The Information Management Journal 38, no. 5, 2004.
Swartz, Nikki, ed. "U.S., Canadian Firms Have Different Views of Privacy." The Information Management Journal 38, no. 5, 2004.
Worlton, Amy. "Overview of the EU Privacy Directive." Wiley Rein & Fielding LLP, 2002.
David O. Stephens, CRM, FAI, CMC
David O. Stephens, CRM, FAI, CMC, is Director of the Records
Management Consulting Division at Zasio Enterprises Inc., a records
management software and consulting firm based in Boise, Idaho, where he
directs records and information consulting studies and projects for
clients in government and industry throughout the United States and in
other countries. Stephens is an internationally recognized author,
speaker, and consultant. He may be contacted at dostephens@zasio.com.
COPYRIGHT 2007 Association of Records Managers &
Administrators (ARMA) Reproduced with permission of the copyright holder. Further reproduction or distribution is prohibited without permission.
Copyright 2007 Gale, Cengage Learning. All rights
reserved. Gale Group is a Thomson Corporation Company.