Privacy Data


Privacy data refers to personally identifiable or sensitive information associated with an individual’s personal, financial, or social identity, including data that, if exposed or mishandled, could infringe upon an individual’s privacy rights.

  • e.g.,
    • names, addresses, contact information, social security numbers, medical records, financial transactions, and, generally, any other data that can be used to identify a specific person
  • similarities with confidential data:
    • require protection due to their sensitive nature
    • unauthorized access, disclosure, or misuse can negatively affect the data subject
    • subject to legal and ethical considerations
  • differences with confidential data:
    • Confidential data
      • encompasses any information that requires protection due to its confidential nature
      • regardless of whether it pertains to an individual
      • primarily concerned with safeguarding information from unauthorized access, use, or disclosure
      • typically does not grant specific rights to the data subjects
      • may not require individual consent for its handling
    • Privacy data
      • specifically refers to information that can identify or impact an individual’s privacy
      • focuses on protecting personal information to preserve an individual’s privacy rights, prevent identity theft, and maintain the confidentiality of personal details
      • closely associated with the rights of individuals to control the use and disclosure of their personal information
      • requires explicit consent from the data subject

Roles and Responsibilities

  • Data Controller
    • entity or organization that determines the purposes and means of processing personal data
    • has overall control of and responsibility for the processing of personal data
    • has direct legal obligations and responsibilities under data protection laws
    • accountable for
      • handling compliance
      • obtaining appropriate consent from data subjects
      • providing privacy notices
      • implementing data protection policies and procedures
      • and handling data subject requests
  • Data Processor
    • processes personal data on behalf of the Data Controller
    • acts under the authority and instructions of the Data Controller
    • does not have independent decision-making power over personal data
    • has a legal obligation to process personal data only for the purposes defined by the Data Controller
    • must implement appropriate security measures, maintain the confidentiality and integrity of the data, and cooperate with the Data Controller to meet their legal obligations
    • required to keep records of their processing activities
    • e.g.,
      • cloud service providers
      • payroll processing companies

A data subject is an individual who is identified by privacy data.

  • individual whose personal data is processed by an organization or other entity
  • hold certain rights and protections under data protection laws
    • right of access
      • right to request access to their personal data and obtain information about how it is being processed
      • can inquire about
        • the purposes of processing
        • the categories of data being processed
        • recipients of the data
        • and the duration of data retention
    • right to rectification
      • if personal data is inaccurate or incomplete, have the right to request its correction
    • right to request the erasure or removal of their personal data (the right to be forgotten)
    • right to request the restriction of processing of their personal data
    • right to data portability
    • right to withdraw their consent for the processing of their personal data
  • exercise these rights by contacting the Data Controller

Right to Be Forgotten

The right to be forgotten grants data subjects the right to request the erasure or deletion of their personal data under certain circumstances.

  • a fundamental principle outlined in the GDPR
  • extends to the removal of data from
    • the organization’s systems
    • any third parties with whom the data has been shared
  • may be limited if the processing of personal data is necessary for:
    • exercising the right of freedom of expression and information
    • compliance with a legal obligation
    • or the establishment, exercise, or defense of legal claims

Ownership of Privacy Data

  • not easy to attribute traditional notions of ownership to privacy data
  • under many data protection laws
    • emphasis is placed on the rights and protections of the data subject
    • rather than determining ownership
  • organizations that collect and process personal data are considered custodians or stewards of the data
    • rather than owners
    • have legal and ethical responsibilities to
      • handle personal data securely and lawfully
      • respect the rights of the data subjects

Data Inventories and Retention

  • privacy laws
    • require organizations to maintain a detailed record of the personal data they collect, process, and store
    • stipulate that organizations must have a lawful basis for processing personal data
    • mandate implementing robust security measures to protect personal data

A data inventory is a list of classified data or information stored or processed by a system.

  • provide a comprehensive overview of:
    • the types of data being handled
    • the purposes for processing
    • the legal basis
    • and recipients of the data to ensure transparency and accountability
  • help
    • respond to data subject requests for information and other rights
    • identify the personal data types an organization holds and all associated security requirements

Data retention is the process an organization uses to maintain the existence of and control over certain data in order to comply with business policies and/or applicable laws and regulations.

  • must retain personal data only for as long as necessary to fulfill the intended purpose or as required by law
  • Data inventories help organizations determine appropriate retention periods
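As an added illustration (not part of the original notes), the Python below shows how a small data inventory can back the three things these sections describe: answering a right-of-access request (categories, purposes, legal basis, recipients, retention period), finding records held past their retention period, and applying an erasure request while keeping data processed under a legal obligation. The systems, categories, dates, retention periods and the names InventoryEntry, StoredRecord and AUDIT_DATE are constructed sample values and hypothetical names, not taken from any real organization or law text.

```python
"""Minimal data inventory (record of processing) with retention and erasure checks.

Added example, not from the original notes; all entries below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class InventoryEntry:
    """One inventory row: which system holds what category of data, why, on what basis,
    who receives it, and how long it may be kept (hypothetical structure)."""
    system: str
    category: str
    purpose: str
    legal_basis: str        # e.g. "consent", "contract", "legal obligation"
    recipients: tuple       # third parties the data is shared with
    retention_days: int     # maximum retention after collection


@dataclass(frozen=True)
class StoredRecord:
    """A concrete piece of personal data held about one data subject."""
    subject_id: str
    category: str
    system: str
    collected_on: date


# Constructed sample inventory and stored records.
INVENTORY = (
    InventoryEntry("crm", "contact details", "customer support", "contract", ("helpdesk-vendor",), 730),
    InventoryEntry("billing", "payment records", "invoicing", "legal obligation", ("tax authority",), 3650),
    InventoryEntry("marketing", "email address", "newsletter", "consent", (), 365),
)
RECORDS = [
    StoredRecord("subj-001", "contact details", "crm", date(2024, 1, 10)),
    StoredRecord("subj-001", "payment records", "billing", date(2021, 6, 1)),
    StoredRecord("subj-001", "email address", "marketing", date(2023, 1, 15)),
    StoredRecord("subj-002", "email address", "marketing", date(2024, 12, 1)),
    StoredRecord("subj-002", "browsing history", "analytics", date(2024, 12, 1)),  # never inventoried
]
AUDIT_DATE = date(2025, 6, 1)  # fixed "today" so the example is deterministic


def access_request_summary(inventory, records, subject_id):
    """Right of access: for every category held about the subject, report purpose,
    legal basis, recipients and retention period straight from the inventory."""
    held = {(r.system, r.category) for r in records if r.subject_id == subject_id}
    return [
        {"system": e.system, "category": e.category, "purpose": e.purpose,
         "legal_basis": e.legal_basis, "recipients": list(e.recipients),
         "retention_days": e.retention_days}
        for e in inventory if (e.system, e.category) in held
    ]


def expired_records(inventory, records, today):
    """Retention check: records kept longer than the inventory allows, plus records
    with no inventory entry at all (unknown purpose and retention, so flagged)."""
    limits = {(e.system, e.category): e.retention_days for e in inventory}
    findings = []
    for r in records:
        limit = limits.get((r.system, r.category))
        if limit is None:
            findings.append((r, "not in inventory"))
        elif today - r.collected_on > timedelta(days=limit):
            findings.append((r, "retention period exceeded"))
    return findings


def erasure_request(inventory, records, subject_id):
    """Right to be forgotten: drop the subject's records except those whose legal
    basis is a legal obligation, which the notes list as a permitted limitation.
    Returns (remaining, erased, retained_under_legal_obligation)."""
    basis = {(e.system, e.category): e.legal_basis for e in inventory}
    remaining, erased, retained = [], [], []
    for r in records:
        if r.subject_id != subject_id:
            remaining.append(r)
        elif basis.get((r.system, r.category)) == "legal obligation":
            remaining.append(r)
            retained.append(r)
        else:
            erased.append(r)
    return remaining, erased, retained


if __name__ == "__main__":
    for row in access_request_summary(INVENTORY, RECORDS, "subj-001"):
        print("access:", row)
    for rec, reason in expired_records(INVENTORY, RECORDS, AUDIT_DATE):
        print("retention:", rec.subject_id, rec.system, rec.category, "->", reason)
    _, erased, retained = erasure_request(INVENTORY, RECORDS, "subj-001")
    print("erased:", [(r.system, r.category) for r in erased])
    print("retained (legal obligation):", [(r.system, r.category) for r in retained])
```

The inventory key is the (system, category) pair, so the same category held in two systems can carry different purposes and retention periods; a record that matches no inventory row is reported as a finding rather than silently skipped, since an uninventoried data set has no documented lawful basis or retention period.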