Selecting a Privacy Compliance System

Today’s ever-growing array of privacy regulations has spawned a bewildering variety of products to help manage compliance. Making sense of these is easier if they are placed in a general framework of privacy theory.

The framework starts with the notion that some data are more private than others. Information that can be tied to a specific individual is more protected than information that cannot. Among individual information, details such as financial or health history are more sensitive than general information such as name or address.

The second major notion is that there are different uses for data, which again vary in the degree of privacy protection they receive. Information typically can be used freely to achieve the original purpose for which it was provided: for example, to process an order. Use may be more restricted for other purposes, such as marketing. Additional restrictions may depend on whether the user is the original collector of the data or a third party.

But the old notion of a company “owning” its customer data and having a right to use it pretty much however it pleases within its own organization is increasingly obsolete. Many regulations now limit how certain data can be used regardless of how a company acquired it.

The third element of the framework is the individual described by the data. Increasingly, this person is given rights to review the data for accuracy and to determine how it may be used.

Surrounding these elements are supporting requirements such as audit trails, authentication, encryption and review processes. These specify how rules defined within the framework are enforced. Privacy software itself also can be described in terms of the framework components.

List Acquisition and Management Process (Direct Marketing Association, 212/790-1551, is the DMA’s contribution to simplifying compliance with do-not-call list legislation. In terms of the broader privacy framework, a no-call list gives an individual a right to control use of his telephone number for marketing calls. Implementing that right requires a way to register preference (the DNC registration process itself) and a mechanism to communicate the preference to potential callers.

LAMP provides such a mechanism by combining copies of state and federal no-call lists, a place to store a company’s internally generated suppression lists and a way to tag a company’s own files with no-call flags. The real value is saving the administrative effort required to assemble current DNC lists from many sources.

Incidentally, no-call lists are a good example of a regulation that makes no distinction between data “owners” and others: The restrictions apply regardless of how a company acquired a name. Though most regulations allow calls to current customers, that loophole is based on existing business relationships, not ownership by data gatherers.

PrivoLock (Privo, 703/569-0504, provides a hosted service to manage the permission-gathering requirements imposed by the Children’s Online Privacy Protection Act. Like a no-call list, COPPA focuses on individuals’ control over data – in this case, data gathered from minors online.

PrivoLock lets a child start to register, then solicits the parental permission to proceed. It authenticates the parent’s identity by asking for a partial Social Security number, credit card or other information, which it checks against outside data sources. Parents also can view and correct the data they or their child have provided and specify how it may be used.

Privo’s main advantage is that it assumes responsibility for ensuring that the registration process is handled correctly, data are stored securely and appropriate audit trails are available. Given the substantial financial and public relations penalties for failure to meet COPPA standards, this is of considerable value.

HIPAA Fast Track (HIPAA Accelerator, 847/821-2631, helps firms comply with the complex data access rules in Health Insurance Portability and Accountability Act regulations. The system provides modules to notify individuals of their rights, to gather permissions, to let individuals view and change their data, to receive data access requests and check them against existing authorizations, and to notify individuals of data disclosures.

The modules are backed by a database to organize the required information and audit trails, document management functions to generate standard forms, and workflow management to control the various processes. Data access modules are written in Java and can be run by any Web browser or Windows PC.

Though HIPAA Fast Track makes it easier to deploy HIPAA-related processes, it does not provide default procedures or forms. Thus, organizations are still on their own to ensure they create processes that comply with HIPAA requirements.

Enterprise Privacy Authorization Language (IBM,, 800/426-4968) is a standard dialect of XML that describes privacy-related aspects of a set of data. It is part of an IBM initiative to develop a general approach to privacy management. The idea is to associate the privacy rules with the data itself, rather than a particular system or user.

Requests for data would pass through a central privacy management system, which would read the privacy rules and determine whether a particular request was acceptable. This ensures the rules are applied consistently regardless of what system asks for the data. EPAL is somewhat similar to the Privacy Preferences Protocol used to describe privacy practices at some Web sites, but the rules it allows are more sophisticated.

Whether EPAL matures into something useful remains to be seen. But it’s interesting as an extreme incarnation of the view that privacy rules apply to specific uses of specific data for specific individuals, independent of who is trying to use the data or how they acquired it. It appears that this data-centric view, rather than the traditional user-centric approach, is the wave of the future.

Related Posts