
Privacy concerns and you

Sep 17, 2003

* Special problems related to keeping information private

As governments step in to protect the privacy of information, companies and their IT departments are dealing with managing the privacy of the information in their care.

The Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act and the European Union Data Protection Directive are just a few examples of regulatory initiatives that affect IT.

Most data is stored and managed as a single unit: a file or a set of files. The challenge of managing privacy is that the data must be managed at a finer grain. The fields that must be protected, whether by government mandate or by corporate policy, may be only a handful in the entire file. How do you protect those specific fields, such as credit card numbers and Social Security numbers, from prying eyes while still allowing access to the people authorized to see them?

Access control can be enforced by the application or by the database. However, these techniques often protect data by omission: the application simply leaves the field off the screen, so the user never sees it. The problem with this method is that the stored data itself is not protected. As soon as the same data is read by another application, exported, or written to a backup, that control no longer applies, and privacy is no longer assured.
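To make the distinction in the two paragraphs above concrete, here is an added example in Go (not code from the original column or from any product it mentions). It places a display mask, which protects by omission, beside field-level encryption of only the regulated columns, so that the stored row, and therefore any backup or second application reading it, carries ciphertext for those fields while the rest stays readable. The record layout, the column names, the all-zero demo key and the choice of AES-GCM with the column name as associated data are assumptions of this example; where the key lives is left to a key manager and is outside its scope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// CustomerRecord is a constructed example row; only SSN and CardNumber are regulated.
type CustomerRecord struct {
	Name       string `json:"name"`
	Email      string `json:"email"`
	SSN        string `json:"ssn"`
	CardNumber string `json:"card_number"`
}

// Serialize stands in for a backup or an export read by another application.
func Serialize(rec CustomerRecord) string { b, _ := json.Marshal(rec); return string(b) }

// tail keeps the last four characters, the part a masked view usually shows.
func tail(s string) string {
	if len(s) < 4 {
		return ""
	}
	return s[len(s)-4:]
}

// MaskForDisplay is protection by omission: the view hides the fields, but the
// row it came from is untouched, so a backup or another application still
// reads the plaintext.
func MaskForDisplay(rec CustomerRecord) CustomerRecord {
	rec.SSN = "***-**-" + tail(rec.SSN)
	rec.CardNumber = strings.Repeat("*", 12) + tail(rec.CardNumber)
	return rec
}

// FieldCipher encrypts individual columns with AES-GCM under one key
// (16, 24 or 32 bytes); where the key lives is outside this example.
type FieldCipher struct{ aead cipher.AEAD }
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &FieldCipher{aead: aead}, err
}

// seal encrypts one value. The column name is the associated data, so a
// ciphertext copied into another column will not decrypt there.
func (fc *FieldCipher) seal(column, plaintext string) (string, error) {
	nonce := make([]byte, fc.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := fc.aead.Seal(nonce, nonce, []byte(plaintext), []byte(column))
	return "enc:" + base64.StdEncoding.EncodeToString(ct), nil
}

// open reverses seal; it fails on a wrong key, tampering, or a column swap.
func (fc *FieldCipher) open(column, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(stored, "enc:"))
	n := fc.aead.NonceSize()
	if err != nil || !strings.HasPrefix(stored, "enc:") || len(raw) < n {
		return "", fmt.Errorf("column %s: value is not a well-formed encrypted field", column)
	}
	pt, err := fc.aead.Open(nil, raw[:n], raw[n:], []byte(column))
	return string(pt), err
}

// transform applies fn to the regulated columns only (rec is a copy).
func transform(rec CustomerRecord, fn func(column, v string) (string, error)) (CustomerRecord, error) {
	var err error
	if rec.SSN, err = fn("ssn", rec.SSN); err != nil {
		return CustomerRecord{}, err
	}
	if rec.CardNumber, err = fn("card_number", rec.CardNumber); err != nil {
		return CustomerRecord{}, err
	}
	return rec, nil
}

// Protect encrypts the regulated fields in the stored row itself, so every copy
// (backup, export, other application) carries ciphertext. Unprotect is the path
// for an authorized consumer, which now means a holder of the key.
func (fc *FieldCipher) Protect(rec CustomerRecord) (CustomerRecord, error)   { return transform(rec, fc.seal) }
func (fc *FieldCipher) Unprotect(rec CustomerRecord) (CustomerRecord, error) { return transform(rec, fc.open) }

func main() {
	fc, _ := NewFieldCipher(make([]byte, 32)) // all-zero demo key; real keys come from a key manager
	rec := CustomerRecord{Name: "Ada Example", Email: "ada@example.com", SSN: "123-45-6789", CardNumber: "4111111111111111"}
	prot, _ := fc.Protect(rec)
	fmt.Println(Serialize(MaskForDisplay(rec)), "\n"+Serialize(rec), "\n"+Serialize(prot))
}
```

Running it prints three JSON lines: the masked view, the unmasked row as a backup would store it, and the row with only the two regulated columns replaced by ciphertext. Two caveats a practitioner will hit immediately: a column encrypted this way can no longer be indexed or matched with an equality query, so lookups by SSN have to go through a separate token or hash, and the whole scheme is only as good as the key management, which moves the privacy problem from "who can see the column" to "who can reach the key".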

Taking the business-as-usual approach doesn't work. You've got to develop a privacy strategy, particularly if your company must comply with regulations. And even if you're not compelled by regulations, your customers should certainly be interested in how you are protecting their vital information. Consumers concerned about identity theft are asking how their vendors protect their private financial and identification information. Neglecting information privacy can turn into a PR nightmare for your company.

Some other issues that surface in the privacy discussion include:

* Data retention. How long is data retained? That could be an issue for employees who test positive on random drug tests.

* Use of data. Is a vendor selling my contact information to other vendors?

* Legal issues. Data may be subpoenaed, whether it is corporate or personal; data retention is a factor here as well.

* Transmission. Protection of the data as it is transmitted over communication lines, internal or external.

There are management tools, such as Tivoli's Privacy Manager, that are designed to manage information privacy. Products such as Pretty Good Privacy (PGP) help by encrypting e-mail between senders and their recipients, which addresses the transmission item above but not the data once it is stored in the clear. These are just some examples and are by no means an exhaustive list.

If you haven't already, you as an IT department must start to face privacy issues. If you don't, your friendly governmental agencies will eventually make you face the music. The regulations were enacted because the industries they cover didn't address privacy on their own.