How an organization handles data matters. While records management covers many tenets of data collection, one particular area deserves exploration: privacy. What is it? How does it differ from confidentiality? And why does this distinction matter?
While privacy and confidentiality may seem interchangeable, the two terms refer to different points in the data lifecycle. Let’s start with how these concepts overlap. Both privacy and confidentiality pertain to how, when, and why information is collected or stored. Privacy, however, concerns an individual’s control over which of their personal information an organization may collect, maintain, and share.[i] Confidentiality, on the other hand, protects personal and sensitive information, once collected, from unauthorized use, access, or disclosure.[ii] This means that, to maintain confidentiality for both client and employee information, a business must identify both the information it needs to carry out its tasks and what it will do with that information once collected.
Implementing privacy control measures requires a company to be very intentional about the data it collects, and ultimately, how it integrates that data into the records it retains. A company should have a clear, articulated purpose for each bit of data it collects, and appropriate permissions from the data’s owner to carry out how it is used.[iii] Legislation in the United States governing personal data has become more common, following the data privacy trend set by the European Union’s General Data Protection Regulation (GDPR).[iv] While a federal general privacy law has not been enacted in the United States, various industry-specific federal laws contain privacy principles that apply to personal data. Privacy-specific laws are a growing trend, with many states seeing bill proposals at various stages of the legislative cycle (such as recent enactments in California and Virginia)[v].
A solid institutional plan for what data an organization collects, and for how and why it uses that data, is a great first step toward operationalizing good data management.
Once privacy boundaries are established by controlling what data an organization collects and why, that data must be managed and protected. This is where confidentiality comes in. One of the most common examples of a confidentiality law is the Health Insurance Portability and Accountability Act (HIPAA), which governs, for example, personal health information (PHI). Under HIPAA, confidentiality is achieved when a business limits access to a patient’s hospital records to only those employees or data processors with a legitimate business need for that information. This happens through a variety of records controls, including access permissions, handling requirements, and retention requirements. For example, a records handling requirement may state where the records containing PHI will be stored geographically (at a principal place of business, perhaps), or in what format the records will be stored (electronic files or hard copy). Additionally, security measures are necessary (and increasingly, are legally and contractually required) to prevent damage, theft, or unauthorized access to a business’s records. All of these measures, when implemented correctly and thoughtfully, protect data confidentiality and help insulate a business from expensive risks such as litigation, monetary penalties, and reputational damage.
Privacy and Confidentiality Are Not the End of the Records Management Journey
Once data is collected and procedures are put in place to protect it, privacy and confidentiality requirements are not over. After a business has gathered the data and determined that it has business or legal value, the data is often preserved in a record. These records are subject to a variety of regulations and laws, as well as to the principles of records and information management (RIM). Sometimes, depending on the record type and jurisdiction, certain records must be destroyed in a particular way (for example, by shredding). How a record must be destroyed, though, doesn’t paint the whole picture of a record’s retention lifecycle. A mandatory destruction requirement typically states the maximum time period the record may be kept before it must be destroyed. This handling requirement represents a ceiling, as the record can be destroyed at any point before the maximum period ends. Retention requirements can also create the opposite: a floor, or bare minimum time period a record must be retained before destruction can even be considered. For example, a regulation may require a business to maintain a given record for a minimum of three years after a triggering event. How a record is handled, and for how long it is retained, protects the data that is preserved in that record.
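As an added illustration of the floor and ceiling described above (example code, not from the original post or from Zasio), the following Python evaluates each record’s status against a retention rule counted from its triggering event. The three-year floor follows the example in the text; the seven-year ceiling, the record types, and the sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class RetentionRule:
    """One retention schedule entry. min_years is the floor (keep at least this
    long); max_years is the ceiling (must be destroyed by then). Either may be
    absent. Both are counted from the record's triggering event."""
    record_type: str
    min_years: Optional[int] = None
    max_years: Optional[int] = None

def _add_years(d: date, years: int) -> date:
    # A Feb 29 trigger date has no anniversary in a non-leap year; roll to Feb 28.
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def retention_status(rule: RetentionRule, trigger: date, as_of: date) -> str:
    """Classify a record as of a given date: must be kept, may be destroyed,
    or overdue for mandatory destruction."""
    floor_end = _add_years(trigger, rule.min_years) if rule.min_years is not None else None
    ceiling_end = _add_years(trigger, rule.max_years) if rule.max_years is not None else None
    if floor_end and ceiling_end and ceiling_end < floor_end:
        raise ValueError(f"{rule.record_type}: ceiling precedes floor")
    if ceiling_end is not None and as_of > ceiling_end:
        return "overdue: destruction required"      # ceiling exceeded
    if floor_end is not None and as_of < floor_end:
        return "retain: minimum period not met"     # still under the floor
    if ceiling_end is not None:
        return "eligible: may destroy before ceiling"
    return "eligible: floor met, no ceiling"

def triage(rules: List[RetentionRule], records: List[Tuple[str, str, date]],
           as_of: date) -> Dict[str, str]:
    """Map record id -> status, looking up the rule for each record's type."""
    by_type = {r.record_type: r for r in rules}
    return {rid: retention_status(by_type[rtype], trig, as_of)
            for rid, rtype, trig in records}

# Constructed schedule and records (hypothetical, for illustration only).
RULES = [RetentionRule("patient-chart", min_years=3, max_years=7),
         RetentionRule("visitor-log", max_years=1)]
RECORDS = [("R1", "patient-chart", date(2020, 6, 1)),
           ("R2", "patient-chart", date(2014, 2, 28)),
           ("R3", "visitor-log", date(2023, 3, 15))]

if __name__ == "__main__":
    for rid, status in triage(RULES, RECORDS, date(2024, 1, 1)).items():
        print(rid, status)
```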
Proper RIM procedures and schedules create enormous value for a business. Data management and records retention policies, when implemented correctly and thoughtfully, protect the confidentiality of retained data and insulate a business from expensive risks such as litigation, monetary penalties, or even a damaged reputation in its industry. Having a records retention schedule tailored to individual business needs that recognizes the relationship between data and records takes the guesswork out of information governance and reduces a host of risks caused by improper data management and collection.
Data is an incredibly valuable asset to any business. When a business knows what data it collects and why it’s needed, and then applies good RIM policies and procedures to that data, it will achieve better business outcomes. Information governance can ensure privacy and confidentiality when a records retention schedule is built in a way that treats records as consolidated collections of granular data points. If your organization is ready to create a record retention schedule, contact Zasio today to see how our innovative products and services can help meet your record-keeping and information governance needs.
[i] Mike Chapple, Security, Privacy and Confidentiality: What’s the Difference?, EdTech (Oct. 10, 2019), https://edtechmagazine.com/higher/article/2019/10/security-privacy-and-confidentiality-whats-difference#:~:text=Confidentiality%20controls%20protect%20against%20the,maintains%20and%20shares%20with%20others.
[iii] Mary T. Costigan, CPRA Series: The Importance of Data Retention Schedules and Records Management, The National Law Review, Dec. 29, 2020. https://www.natlawreview.com/article/cpra-series-importance-data-retention-schedules-and-records-management-policies.
[iv] See generally id. The California Privacy Rights Act of 2020 (CPRA) implements the GDPR’s storage limitation principle: data must be stored only as long as necessary to achieve its stated purpose for being collected in the first place.
[v] Sarah Rippy, US State Privacy Legislation Tracker, IAPP (last updated May 26, 2021), https://iapp.org/resources/article/us-state-privacy-legislation-tracker/.
Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.