Major public and private organizations often assume that using legal compliance checklists will ensure that their privacy and security obligations are met. However, in an environment of increased institutional complexity, each organization’s unique context is relevant in determining legal and policy requirements, building a privacy and security program, and implementing risk mitigation practices.
For major public and private sector organizations, ensuring compliance with privacy and security regulations would seem to follow a logical process. First, applicable legal and policy requirements must be determined. Second, structures must be established to implement and monitor compliance with these requirements. Third, tools must be developed or adopted to ensure compliance and to mitigate privacy risks. However, organizations often believe that they can skip straight to the third step by adopting tools developed by other organizations, by consultants, or by regulators – most commonly, these are checklists.
While checklists are often useful, implementing them cannot be assumed to ensure legal compliance, let alone privacy and security best practices. To understand why this is, we need to examine a few of the challenges in each phase of the development of a privacy and security program:
Determining Legal and Policy Requirements
Laws and government policies are usually fairly clear in outlining requirements for specific types of organizations, such as hospitals, banks, and universities. However, in recent years it is rare for information to remain contained within a single organization: for instance, a hospital which contributes clinical data to a health database may be sharing large volumes of data with university researchers, public health personnel, and other hospitals, all of whom are obligated to demonstrate legal compliance. Such hybrid structures often raise conflicts between different legislation, as well as uncovering gaps in legislation. Simply amalgamating the policies of participating organizations quickly becomes complicated and unwieldy. Initiatives that cross organizational boundaries require a re-examination of legislative obligations before privacy and security policies can be established.
Building a Privacy and Security Program
Developing a privacy and security program involves creating an organizational structure with designated functions to fulfill responsibilities related to privacy and security. This essentially means defining relationships between people, processes, and technologies by answering a few basic questions: What are the responsibilities and accountabilities of various roles? How will the implementation of privacy and security practices be governed and monitored? How will these practices be integrated into the business process? What technologies and information systems will be used, and by whom? Without the structure of such a program, privacy and security implementation is likely to have major gaps.
We have deliberately referred in this article to a single program for privacy and security. This is because their consolidation is important: legislation concerns only privacy, while security exists only as a means of protecting privacy. Given their interdependence, developing privacy and security within a single program leads to more practical and efficient solutions.
The third phase, developing or adopting implementation tools, is where checklists can be effectively used to guide compliance with legislation by specifying necessary documentation and actions. However, even here they are not sufficient. The laws which checklists are designed to implement do not distinguish between types of personal data which may, in fact, require very different levels of protection; clearly, data such as gender and age are less likely to threaten a patient’s privacy than a full postal code or a rare medical diagnosis. A risk-based approach analyzes the objective privacy risk posed by different types of data, and helps to guide appropriate levels of investment in protective measures.
Conclusion and Resources
Ensuring privacy and security compliance is a process in which an organization’s unique context and structure ideally guide the determination of legal and policy requirements, the building of a privacy and security program, and the development of implementation tools. Nonetheless, there are common steps in this process, and common components to effective privacy and security programs. On our website we have published free resources describing our approach to the development of privacy and security programs:
Policy Guidance: Electronic Health Records
A Guide to Enterprise Privacy Program Development