The pandemic has created a new world of forms that track daily symptoms for in-person environments, body temperature, and contact tracing. The collection of all this sensitive health information has brought privacy to the forefront of everyone’s mind. Both the people submitting the information and those collecting it are concerned about privacy protection and compliance. Now more than ever, it is important for organizations to demonstrate their privacy commitment. In this article, we will explore some of the considerations for privacy-related ethics, why ethics matter, and how to integrate privacy ethics into your organization.
Connecting Ethics to Your Privacy Program
Whether you have an existing privacy program or are looking to establish one, now is a good time to review how your organization handles sensitive information. Protecting personal information from your clients and employees is both legally required and the right thing to do.
Records that include personal information have specific privacy control requirements for each stage of the records lifecycle. These controls within the privacy program, at each record lifecycle stage, also have an ethical component.
Accuracy is Essential
Creation or receipt, when aligned with collection, should control several elements of the effort to ensure accuracy, such as how the information is gathered, who or where it is gathered from, and more. Information should be gathered directly from the individual it pertains to. The exception to this would be when information is given on behalf of a minor, by someone’s designated caregiver, or as relevant to an investigation. Accuracy must be considered during collection to ensure decisions made about an individual have valid support. Authentication methods can include asking the person to verify the information collected or to verify the reliability of the primary source. Ensuring accurate collection is an ethical obligation. Failure to do so can result in an individual being unable to receive goods or services, or perhaps a benefit they should otherwise be entitled to.
Notification is Necessary
Notice of information collection should also be a consideration in every privacy program. Individuals have a right (and an expectation) to be told about information being collected about them. There are very few exceptions to this rule and in some areas, it is even a legal obligation related to privacy laws such as GDPR, CCPA and HIPAA. Ethically speaking, not giving someone notice about collecting their personal information will be perceived as deceptive regardless of the intention. Unless an individual is under some sort of authorized surveillance, they should always be informed that their information is being collected and, in fact, they should also be told why it’s being collected and who they can contact with any questions about the collection.
The use and disclosure of a record also has privacy-related considerations. Personal information should only be used for the purpose for which it was collected. Disclosure should only be made to individuals who have a need to see the information to provide goods, services, or a benefit. Your privacy program should have specific parameters about what can be shared and with whom. It can be far too easy to consider sharing information with a new department or partner organization for reasons of efficiency. This can lead to disclosing personal information without an individual’s permission and is likely to be non-compliant with most privacy laws.
When storing personal information, it’s important to have strict controls in place to protect the information from unauthorized access. Using active security controls is another way for organizations to be compliant with regulations. Security protocols that are ingrained in the systems used to manage your information are the most effective. For example, a person with secure access to information should not have to think about whether they can send a sensitive document to another person. Rather, the system should allow or deny sharing based upon established privacy standards.
In the case of physical files this means ensuring that files are locked and are only handled by personnel with proper clearance. Everyone should receive regular training on how to handle sensitive information. If you are utilizing an off-site storage facility you will need to ensure that the facility maintains protocols to protect sensitive information. Maintaining the highest standards for information security demonstrates your ethical commitment to collaborators inside and outside of your organization.
Retention and Destruction
How long you store or retain personal information should depend on regulation and the need for the information to supply goods, services, or benefits. Over-retention may contravene regulations and could expose the information to more risk of inappropriate access. The ethical choice is to actively work to ensure that personal information only remains in the organization as long as is necessary. In some cases, this may also mean quickly and completely responding to an individual’s request to be forgotten and removing their information from all of the organization’s storage locations (physical and electronic).
During the disposition stage of a record, it’s critically important to ensure that personal information is not exposed to parties who should not have access. With many organizations using a vendor for record destruction, it’s critical that organizations conduct due diligence with their vendor to ensure controls are in place that prevent unauthorized access. Anything less would be unethical.
Training and communication need to be ongoing. Your organization’s privacy policies should be shared internally and with business partners. Training for internal stakeholders should be delivered on a regular cadence. Privacy requirements for business partners should be communicated explicitly via your contract.
Contract renewals are a good time to review stated requirements for any amendments that may be required due to industry or legislative changes.
Doing Well by Doing Right
There are plenty of consequences for organizations that don’t make ethical choices about handling personal information. There are the direct and explicit impacts from regulators that could include serious financial penalties (up to $25,000,000 in one Canadian jurisdiction! Up to 10% of gross revenue in the EU), orders or directives for changes to operations, temporary stop work orders, orders that could shut down a company by effect, and even expensive litigation costs.
All legal consequences are important, but maintaining and upholding privacy standards is about more than just the law. Executive leadership should show support for privacy protection initiatives and the overall privacy program. Protecting clients from accidental exposure is ethically and morally the right thing to do. An organization that is committed to protecting clients from potential privacy breaches can ensure that its reputation stays intact while attracting better quality employees as well. This can also lead to better credibility overall within your industry and community.
Privacy Program Components
The privacy program should include the following components:
- An appointed role to guide departments and individuals in program implementation and with enough authority to enforce program requirements
- A strong suite of governance policies and procedures
- A complete set of privacy principles covering: accountability, identifying purposes, consent, limiting collection, accuracy, limiting use/disclosure/retention, safeguards, openness, individual access, challenging compliance
- Training as part of the onboarding process
- Annual refresher training
- A clear and published process for individuals to question how their information is being handled or to request to be forgotten
- Regular audits or practice reviews
Just having a privacy program is not enough, though. Privacy topics and related policies should be regularly communicated in company newsletters and at group meetings. Reminders about why privacy protection is important and how individuals can support positive privacy outcomes should be reinforced by leaders at all levels.
Whenever possible it should not be left up to individual employees to enforce policy. Rather, the privacy principles should be built into operational processes that involve the collection, use, disclosure, protection and retention of personal information. This practice is a philosophy called “privacy by design.” It means that employees can focus on their core business functions, confident that privacy has been built into their everyday workflow.
Investing in Privacy Pays Dividends
Privacy protection is not a new concept, but it is getting more attention due to increased collection of sensitive health information and increased legislation. Maintaining privacy is important to most individuals and should be important to every organization handling personal information.
Many issues could arise from ignoring the ethical duty to protect personal information but most of those can be mitigated with a committed privacy program in place. Such a program can save organizations from regulatory compliance issues as well as help them avoid damage to the organization’s reputation.
More importantly, an ethical commitment to protecting personal information will pay dividends to the companies willing to make the investment.