Wednesday, October 06, 2010
Top 10 Tips to Managing Privacy
Top 10 Tips to Managing Privacy
By Victor Chapela
Managing privacy is managing trust. The following are important to keep in mind when working toward managing privacy:
1.To correctly manage privacy, you need to recognize each person as the owner of his/her personal data. Therefore, you need to communicate to and ask permission from each individual data owner before using his/her data.
2.Each person should be able to determine and limit the storage, processing and usage of data in which he/she is personally identifiable.
3.Different countries have different approaches to enforcing privacy. But, in most cases, sensitive information is defined as that which may be used for discrimination. Examples of this are racial or ethnic origin; health records; religious, philosophical or moral beliefs; political affiliation; and sexual preferences.
4.Intimacy data, such as the examples just mentioned, are, in general, well regulated. However, identity data are not as closely guarded by regulation and may have similar or even greater risk for companies and individuals alike. Identity data include government-issued identification numbers, logins and passwords, and credit and debit card numbers.
5.Identity data are highly valued and actively sought by organized crime to commit fraud. This type of data should be classified based on the threat level (i.e., the value of the data for criminals or competition) and not based on the internal value of the information (which could be, in some cases, almost zero).
6.By managing data privacy correctly, information security requirements may also be solved. Both security and privacy can be better handled by classifying and managing data based on risk levels.
7.Classification should take into account two very different aspects: a privacy impact analysis (compliance with applicable laws and regulations) and a data threat analysis (determining risk levels based on the data’s external value).
8.For each risk classification level, the full data life cycle must be analyzed from reception or generation of the data through the destruction process. A privacy policy and standards for each data risk level’s life cycle must be defined based on the analysis.
9.Legal, organizational and technical controls must be considered for each classification level and then implemented based on information assets and groups.
10.Privacy is not only about compliance. Through privacy, you guarantee each person’s rights and, by doing so, you increase your stakeholder’s trust.
By Victor Chapela
Managing privacy is managing trust. The following are important to keep in mind when working toward managing privacy:
1.To correctly manage privacy, you need to recognize each person as the owner of his/her personal data. Therefore, you need to communicate to and ask permission from each individual data owner before using his/her data.
2.Each person should be able to determine and limit the storage, processing and usage of data in which he/she is personally identifiable.
3.Different countries have different approaches to enforcing privacy. But, in most cases, sensitive information is defined as that which may be used for discrimination. Examples of this are racial or ethnic origin; health records; religious, philosophical or moral beliefs; political affiliation; and sexual preferences.
4.Intimacy data, such as the examples just mentioned, are, in general, well regulated. However, identity data are not as closely guarded by regulation and may have similar or even greater risk for companies and individuals alike. Identity data include government-issued identification numbers, logins and passwords, and credit and debit card numbers.
5.Identity data are highly valued and actively sought by organized crime to commit fraud. This type of data should be classified based on the threat level (i.e., the value of the data for criminals or competition) and not based on the internal value of the information (which could be, in some cases, almost zero).
6.By managing data privacy correctly, information security requirements may also be solved. Both security and privacy can be better handled by classifying and managing data based on risk levels.
7.Classification should take into account two very different aspects: a privacy impact analysis (compliance with applicable laws and regulations) and a data threat analysis (determining risk levels based on the data’s external value).
8.For each risk classification level, the full data life cycle must be analyzed from reception or generation of the data through the destruction process. A privacy policy and standards for each data risk level’s life cycle must be defined based on the analysis.
9.Legal, organizational and technical controls must be considered for each classification level and then implemented based on information assets and groups.
10.Privacy is not only about compliance. Through privacy, you guarantee each person’s rights and, by doing so, you increase your stakeholder’s trust.
# posted by raveneye @ 9:50 AM 
