Privacy is a crucial part of records and information management.
Privacy, however, can be a puzzling topic to approach. Formal RIM texts frequently contain little privacy. And a RIM professional’s first experience many times involves jumping headlong into some involved issues, and without much exposure to the foundations. This can be like being handed a pair of scrubs and pulled into the operating room without completing a surgical residency, let alone medical school.
In the U.S., federal privacy laws are a potpourri of requirements that apply based on the market sector, type of entity, or type of data you’re involved with. Bringing in knowledgeable legal counsel is often essential to help navigate RIM-privacy issues. But it’s also helpful to step back and gain a greater understanding of privacy’s rich backdrop to bring your issues into sharper focus. More privacy fluency will lead to better conversations with your legal team and the departments whose records you oversee. Further, it will boost your ability to spot privacy issues in the first place.
With the right knowledge (and with a knowledgeable team), RIM-privacy issues can be one of the more rewarding parts of managing a records program. With this in mind, below we’ll explore some privacy fundamentals for RIM professionals.
So What is Privacy, Anyway?
Information privacy is the rules around the collection, use, and disposal of personal information. It’s the degree of control a person has over information about them, and thus, another’s obligations with that information.
There are a handful of types of privacy. These include spatial—often called territorial—privacy (think keeping the inside of your home free from prying eyes) and communications privacy (no eavesdropping on telephone conversations). But overwhelmingly, it is information privacy—also called data privacy—that concerns the RIM profession. Still, defining privacy only gets you part of the way there. The bigger challenge is recognizing what information must be treated as personal information.
So What Is Personal Information?
What’s considered personal information is very broad. Generally, it’s any information that can be used to identify a specific person. There are the most apparent pieces of personal information, such as an individual’s name, telephone number, or physical or email address. Audio, photos, and video of a person also often constitute their personal information. These are examples of a single data piece that directly identifies a person (a direct identifier). Personal information, however, also includes multiple data pieces that individually don’t identify a person, but taken together, can reveal much about a person. This is referred to as an indirect identifier.
Many indirect identifiers will fall into another category of personal information known as sensitive personal information. Examples include religious or racial information, political beliefs, health information, genetic information, or sexual orientation. Privacy laws guard sensitive personal information much more closely. Public expectations on how sensitive personal information is collected, handled, and shared are equally strict.
Information’s status as personal information doesn’t have to be static. Personal information ceases to be such once it has been sanitized so that it can no longer identify an individual. There are a variety of techniques to achieve this. Information is anonymized if the process is irreversible—i.e., an individual can never again be identified using it. In contrast, deidentified data has only had the known direct and indirect identifiers removed. And pseudonymized data has had only the direct identifiers removed (typically replaced with a code or token). For deidentified and pseudonymized data, the process isn’t permanent, so the data should still be treated as personal information. True anonymization is difficult to achieve, and information should never be presumed to be anonymized.
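The three techniques above, as an added illustration that is not part of the original article: pseudonymization replaces direct identifiers with a keyed token (reversible by whoever holds the key or lookup table), deidentification also strips the known indirect identifiers, and a uniqueness check shows which records remain individually distinguishable. The records, key, and field names are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample records; every name, address, date and value is invented.
RECORDS = [
    {"name": "Ada Lovelace", "email": "ada@example.org", "zip": "83702", "dob": "1990-03-14", "diagnosis": "asthma"},
    {"name": "Bob Ross",     "email": "bob@example.org", "zip": "83702", "dob": "1990-03-14", "diagnosis": "flu"},
    {"name": "Cy Young",     "email": "cy@example.org",  "zip": "83706", "dob": "1975-11-02", "diagnosis": "flu"},
]

DIRECT_IDENTIFIERS = {"name", "email"}     # each one alone identifies a person
INDIRECT_IDENTIFIERS = {"zip", "dob"}      # identifying only in combination

def pseudonymize(records, key: bytes, lookup: dict):
    """Replace direct identifiers with a keyed HMAC token.

    Anyone holding `key` or the `lookup` table can reverse this, so the
    output is still personal information, not anonymized data.
    """
    out = []
    for r in records:
        token = hmac.new(key, r["name"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = r["name"]   # re-identification table, kept under separate control
        rest = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"subject": token, **rest})
    return out

def deidentify(records):
    """Remove direct identifiers and the known indirect identifiers."""
    drop = DIRECT_IDENTIFIERS | INDIRECT_IDENTIFIERS
    return [{k: v for k, v in r.items() if k not in drop} for r in records]

def singled_out(records, fields):
    """Indices of records whose combination of `fields` is unique in the set.

    A unique combination means that record can still be picked out of the
    crowd, which is the reason pseudonymized data must not be presumed safe.
    """
    counts = {}
    for r in records:
        combo = tuple(r.get(f) for f in fields)
        counts[combo] = counts.get(combo, 0) + 1
    return [i for i, r in enumerate(records)
            if counts[tuple(r.get(f) for f in fields)] == 1]
```

In the sample, the third record is still singled out by ZIP code and date of birth after pseudonymization, while the first two share that combination; only deidentification removes that distinction.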
Information Privacy Has Been Around For a Long Time
Information privacy is a hot topic right now, which can make it seem like a relatively new concept. A privacy expert of 20 years might seem like an elder statesman in many circles.
In reality, information privacy has been around for a long time. Notions of information privacy show up in Aristotle’s writings in the 4th century BC. The Bill of Rights, completed all the way back in 1791, enshrines certain information privacy rights guaranteed by the government.
And it was in 1890 that a young lawyer named Louis Brandeis—still decades away from becoming one of the nation’s most influential Supreme Court justices—prophetically helped write that “Numerous mechanical devices threaten to make good the prediction that ‘what is whispered in the closet shall be proclaimed from the house-tops.’”
To put information privacy’s age in further perspective, the Privacy Act of 1974, which broadly regulates the federal government’s use of personal information, is nearing its 50th birthday. It’s the technological advances of the last few decades, though, that have made privacy a top concern. Recent technological change has drastically increased the sophistication with which personal information is collected in our digital world and the degree to which information is used to influence human behavior.
Where Did Modern Privacy Laws Come From?—FIPs
Fair Information Practices (FIPs)—also called Fair Information Principles, or Fair Information Privacy Principles (FIPPs)—are sets of principles on the collection and use of personal information. FIPs are not laws, but they often form the backbone of information privacy laws. Many government agencies and intergovernmental organizations developed their own FIPs during the last half-century. FIPs attempt to capture consensus on the rights and obligations surrounding personal information.
One consistency in all FIPs is that a person retains a level of ownership of the information about them, even though they may have chosen to expose their information to another. When managing your records program, the best way to think about personal information is that you are merely a custodian—and have a limited right to use it, along with certain obligations that go along with that use.
FIPs’ incorporation into information privacy laws has given these laws many common elements; nonetheless, not all data privacy laws operate the same way. There are two basic but competing approaches to information privacy laws—the comprehensive approach and the sectoral approach; both of these are described in more detail below.
The Comprehensive Approach
The European Union’s General Data Protection Regulation (GDPR) (2018) is the most well-known example of a comprehensive privacy law; it declares information privacy a fundamental human right. Under the GDPR’s comprehensive approach, the same privacy rules apply across commerce. It doesn’t matter what industry or market you’re in, or what type of personal data you’re handling (whether it’s personal health data or financial information): a comprehensive privacy law imposes a baseline set of rules.
The GDPR applies to organizations in the EU; but it also operates as an ‘extra-territorial’ law—in other words, you don’t have to be in the EU for the law to govern your collection and use of EU personal information. If a commercial organization targets individuals in the EU—such as marketing to them through a website in the U.S. or monitoring their behavior through cookies—the organization is subject to the GDPR with respect to that personal information. The GDPR also regulates the transfer of personal information outside of the EU, meaning certain conditions must be met if your U.S. organization receives the personal information of people in the EU.
The Sectoral Approach and U.S. Privacy Laws
Unlike comprehensive laws, federal privacy laws in the U.S. are specific to different market sectors, entities, or data types. The following are five frequently encountered sectoral U.S. privacy laws:
HIPAA: Rules under the Health Insurance Portability and Accountability Act require that ‘covered entities’ (health insurance companies, most healthcare providers, and healthcare clearinghouses) comply with a baseline set of privacy and security rules concerning personal health information. These rules also mandate that ‘business associates’ (e.g., a contractor handling personal health information for a ‘covered entity’) agree to certain privacy and security requirements.
Contrary to some popular perceptions, HIPAA regulates health information based on who possesses it (like your doctor’s office), and not across the board. As a result, while HIPAA requires your doctor’s office to safeguard your personal health information, it does not prevent a restaurant from requiring proof of your COVID vaccine and does not regulate your health data stored in a favorite health tracking app, like Fitbit.
FCRA: The Fair Credit Reporting Act regulates consumer reports like the credit report created when you applied for a loan, or the background check your employer ordered when you were hired. Under FCRA, your data in a consumer report must be accurate and relevant, and you have certain rights to access and correct this information.
GLBA: The Gramm-Leach-Bliley Act requires financial institutions to safeguard your financial information. It also requires financial institutions to notify you of their privacy policies, including what information is collected about you, with whom it is shared, and how an institution uses and disposes of it.
CAN-SPAM: This law with a stemwinder of a title (the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003) regulates commercial email. The law requires senders of commercial emails to clearly and conspicuously inform you of how to opt out of future messages and prohibits the sender from charging a fee for exercising this right. The law also regulates commercial text messaging, to a lesser degree.
A blunt critique of the U.S.’s sectoral approach is that it’s a “cluttered mess of different rules.” Efforts have been underway for some time to enact a comprehensive U.S. information privacy law. The political challenges have been steep. While Congress this year has come closer than ever to passing a comprehensive privacy law, passage is still viewed by most as a long way off. Until a comprehensive privacy law happens, the nearest thing in the U.S. is the Federal Trade Commission Act (FTCA).
FTCA: This law broadly prohibits unfair and deceptive commercial practices, including practices related to information privacy and security. The FTCA applies to a range of entities, from retailers to technology companies to pharmaceuticals, and even social media companies. The Act can be applied to any kind of personal information if the business entity collecting or using it is doing so in an unfair or deceptive way. The Federal Trade Commission (FTC) is the main enforcer under the FTCA, as well as a handful of other sectoral privacy laws, such as COPPA. The FTC maintains a website of its legal filings about conduct it considers unfair and deceptive. Regularly reviewing the FTC’s complaints and orders concerning other companies’ information privacy and security practices can be a good way to stay informed about what not to do with personal information in your organization.
State Comprehensive Privacy Laws
Absent a comprehensive U.S. information privacy law, an increasing number of states—which currently include California, Colorado, Connecticut, Virginia, and Utah—have since 2018 enacted their own comprehensive laws. The most notable is the California Consumer Privacy Act (CCPA). In 2020, California voters passed a referendum amending the CCPA known as the California Privacy Rights Act (CPRA), which will become enforceable in 2023.
Like the GDPR, the CCPA/CPRA has an ‘extraterritorial’ effect, meaning non-California businesses with sufficient ties to California consumers are subject to it. The CPRA also requires businesses subject to the law to require their contractors and service providers handling personal information—even those not otherwise subject to the law—to follow a number of information privacy and security practices.
The CPRA brings California’s privacy framework closer to the GDPR’s; however, there are still numerous differences between them—as well as among all data privacy laws. Accordingly, compliance with one should never be presumed to be compliance with another, and each deserves detailed scrutiny before deciding on a compliance strategy.
The Bottom Line for RIM Professionals
If you’ve read this far, you know that even scratching the surface of information privacy covers a lot of ground. Yet, despite an ever-changing privacy landscape, a few reliable takeaways exist to help you better incorporate privacy into your RIM practices:
- Neither the GDPR, the CCPA/CPRA, nor any other major privacy law sets a retention period for personal information. Instead, these laws require your organization to keep personal information only as long as necessary to accomplish the purpose for which it was collected. This principle creates conflict with records retention laws that can set lengthy minimum retention periods. It also conflicts with many organizations’ habit of wanting to hold on to a lot of information, sometimes indefinitely. Ultimately, you must balance the need to preserve records with the need to delete personal information within the record.
- Define personal information in your organization broadly. When defining what personal information your organization possesses, remember that there are often numerous ways to combine data so that it can identify someone. The safer approach—and often the legally required approach—is to define personal information broadly.
- Privacy requires a mindset change about what constitutes a record. With privacy as part of a records program, you must avoid thinking about records narrowly. It can be helpful to think of any information with more than a transient value as a record. Focus on managing all information rather than just documents.
- Privacy involves taking some educated risks. Many privacy laws have been on the books for decades; others, like the GDPR and the CCPA/CPRA, have sprung up like a geyser in the past five years—and what they require remains uncertain in a number of contexts. For records programs, setting retention periods and handling requirements for records series can sometimes be done with a cut-and-dried approach. Accounting for privacy requirements, though, involves being comfortable with more legal ambiguity—a prime example is determining how long “no longer than necessary” is when retaining personal information. This means setting a risk tolerance and being more comfortable with operating in gray areas.
- Inventory (‘Map’) your personal information. To have any hope of having a privacy-compliant RIM program, it’s essential to know what kinds of personal information you have and where it resides in your different electronic databases, paper files, records series, and elsewhere. It also means being able to access that personal information should a data owner exercise a right—such as the right to correction or deletion—under an applicable data privacy law.
- Isolate personal information as best you can. Keeping personal information in known, centralized databases wherever practicable is a good practice. Avoid creating unnecessary duplicates of this information. Restrict access to personal information to those whose job requires it. And where possible, keep personal information from being included in your records in the first place.
- Security. Security is fundamental to privacy, and you must keep security in the front of your mind when making any RIM-privacy decision. Data privacy laws generally require security appropriate to the records and the risks. However, there is no base security program spelled out in privacy laws, nor is there one appropriate to all situations. You must determine what appropriate security means in each situation.
- Keep Learning About Privacy. Data privacy laws will continue to grow and impact records and information management. How your organization gathers and uses personal information will also change. Accordingly, RIM managers will need to grow their privacy fluency in step to make sure legal requirements, not to mention public expectations, are properly reflected. But privacy can be enjoyable, and again, with the right knowledge and an informed team, will be one of the most rewarding aspects of RIM.
See Swanson, Judith A., The Public and Private in Aristotle’s Political Philosophy (Cornell University Press, 1992).
Warren, Samuel D. and Brandeis, Louis D., “The Right to Privacy,” Harvard Law Review, Vol. 4, No. 5 (Dec. 15, 1890).
Zasio is an information governance software, SaaS, and consulting company based in Boise, Idaho. Zasio is not a law firm and does not provide legal advice or services. This material is for informational purposes only and not for the purpose of providing legal or other professional advice.