The records manager's guide to data privacy

Packed with guided content to accelerate your data privacy knowledge. Each section is standalone, simply navigate to the subjects that appeal most to you, and learn at your own pace.
Adam Roberts
What privacy challenges do organizations face?

The revolution is here. And organizations are under pressure.  

Citizens and consumers are newly aware of the value and criticality of their personal information. On their behalf, lawmakers and regulators are seeking to protect it against hackers and other threat actors, who are eagerly trying to harvest sensitive data and sell to the highest bidder.  

Half of all organizations surveyed had suffered a data breach in the last two years

Organizations are stuck in the middle.  

Their business models often depend on or involve the collection and use of people's data, so they must fulfill their responsibility to protect it in order to comply with privacy regulations. If they operate across borders, they must understand their regulatory obligations to customers in different states or countries.

They fear they'll become the next hacking victim, finding their customer data posted on the dark web and their security procedures called into question. Such fears are justified. Data breaches aren't going anywhere.

Let's review the biggest challenges for organizations operating in the modern era, then discuss whether records management has a role to play in overcoming them.

Data breaches become routine

There is a growing feeling of inevitability when it comes to data breaches, as they happen with increasing regularity and severity.

Last year in the United States, 1,802 data compromises affected 422.1 million victims, according to the Identity Theft Resource Center's 2022 Annual Data Breach Report, just 60 short of the all-time high set in 2021.

In Australia, there were 497 breaches notified in the second half of 2022, a 26% increase from the previous six months, according to the Office of the Australian Information Commissioner (OAIC). Five of these were classified as major breaches affecting more than one million Australians, including the infamous Medibank and Optus hacks.

These breaches are costly for organizations. According to IBM's annual Cost of a Data Breach Report, the average total cost of a data breach is at an all-time high of US $4.35 million, or $164 per record. This does not include the significant reputational damage that can follow a data breach, which can scare off customers, undermine market confidence, spook investors, and lower the share price.

United States (US) data compromises and Australian (AUS) data breaches in 2022

Boards take notice

Traditionally seen as niche IT issues, cybersecurity and data privacy are now a focus of the executive and the board, including those outside the Chief Information Officer (CIO), Chief Technology Officer (CTO), and Chief Information Security Officer (CISO) roles.

A survey across the Americas by Ernst & Young had board directors putting cybersecurity and data privacy in the top five priorities for 2023, with factors including the war in Ukraine, ongoing digital transformation, and the impact of flexible working raising data privacy risks. The same was felt in Asia-Pacific, with a focus there on cyber threats, new regulations, and the growth of Artificial Intelligence (AI). The advice from EY?

Directors must continue to emphasize the importance of managing cybersecurity as an enterprise risk

On the other hand, another report from professional IT governance association ISACA suggests that data privacy concerns can get crowded out by a focus on cybersecurity. This can result in understaffed technical privacy and legal/compliance teams, underfunding for enterprise privacy budgets, and significant skills gaps. By focusing on cybersecurity, leadership may remain vulnerable to regulatory penalties.

Regulation brings consequences

The growth in privacy laws continues apace. By 2024, Gartner predicts that 75% of the global population will have its personal data covered under modern privacy regulations, with a lot of momentum in the United States at the state level, in particular. Other jurisdictions, like Australia, are busy modernizing existing laws to meet the new challenges of the digital age.

Consumers and citizens are empowered with the right to request access to and removal of their personal information, putting pressure on organizations to respond in a compliant manner.

To succeed in this new world, organizations need help to demonstrate regulatory compliance. They need people who understand data privacy, how it impacts their roles and responsibilities, the regulatory frameworks to which they must comply, and how they can influence change.

As you can see, these issues are all interconnected, so a helpful place to start when learning about data privacy is disentangling it from data security.

What is the difference between data security and data privacy?

You may have noticed that, as a society, we’re dealing with a bit of a data privacy crisis. Why are we talking about data privacy so much? Simply put, data breaches keep on occurring at organizations big and small, and when they do they expose poor data privacy practices. We often misdiagnose this issue as a data security problem. But poor data management is making the situation worse, and is arguably a bigger culprit.

To avoid joining the ranks of companies that have let their customers down in this way, it is essential to recognize the relationship between data privacy and records/information governance, particularly in the context of preventing and mitigating the impact of data breaches.

Before we discuss that, let's make sure we have a shared vocabulary and understand what we mean when we say 'data privacy'.

What is data privacy? How does it differ from data security?

The term “data privacy” mostly comes up when data is under threat, whether because of privacy breaches by malicious actors or government overreach. As such, it tends to get conflated with “data security” in the eyes of the public and organizations. While the two are related, they are distinct concepts. Let’s disentangle the two concepts:

Data privacy definition:
Data privacy refers to giving individuals control over how their personal information is collected and used. It involves organizations setting data collection and use policies, usually based on regulatory requirements.

Data security definition:
Data security refers to protecting personal data from attack, and involves tactics like malware prevention and encryption. It is an element of data privacy, but they are not the same concept.

You can have security without privacy, but it is impossible to have privacy without security. The idea is easier to understand if you use a physical example, in this case, a passport. Your passport number must be kept private to prevent your identity from being stolen. You can achieve this using a variety of measures:

Regulating who can use it by only entering its details in trusted travel services and websites, and not using it for purposes such as age verification (access management).
Ensuring it is disposed of when it expires (disposal/data minimization).
Keeping it home and locking your front door (data security).

If you focused solely on the last measure (locking your door), you could still have your identity stolen if you then entered your passport details on the wrong website.

What is the relationship between data privacy and records/information governance?

As a records manager, you are already a custodian of your organization’s data and are at the forefront of its information governance efforts. You are probably doing many things that would improve data privacy—retention and disposal, chief among them. Data privacy may be a side-effect of your initiatives, not a goal.

But it’s time to expand your view of records management to encompass data privacy to more accurately reflect your value. Strong records management is essential to a robust data privacy posture.

To illustrate this point, let’s delve into a few recent examples of data breaches to see how proper records/information governance may have decreased the likelihood and severity of these breaches.

Latitude Financial, 2023

The recent Latitude Financial breach offers a particularly vivid example of how poor data management can exacerbate the impact of a data breach.

The company was hit by a cyberattack in March, when attackers accessed an employee’s log-in credentials and stole customer information from two service providers. The breach was initially thought to only include about 100,000 identification documents and 225,000 customer records. But following the initial announcement of the breach, it emerged that the incident had affected 14 million customers, and it was not just current customers whose data was impacted.

In fact, some of the data accessed was initially acquired in 2005, 18 years earlier, following the acquisition of finance brand GE Money, which, as well as providing personal financing for purchases through GE Consumer Finance, had a partnership with Coles to offer Coles and Myer credit cards.

What happened to this stagnant data in the intervening years? Why was it not removed? Eighteen years is a long time to hold onto data, and it is hard to believe some of the data accessed had been forgotten about. Someone at the company should have been responsible for managing the data and removing it once it was no longer relevant to the company’s business.

The authorities appear to be taking notice: a joint investigation into the breach has been announced, focusing not only on how the company protected sensitive data but also on whether Latitude took steps to destroy or de-identify personal information once it was no longer required.

Optus and Medibank, which each suffered high-profile data breaches last year (more on those below), have both been hit by class-action lawsuits on behalf of the customers and former customers impacted. It's clear that customers, and those representing them, will not accept such treatment of their sensitive data.

Optus, 2022

Australia’s second-largest telecommunications company, Optus, suffered a significant data breach on 22 September 2022. The personal information of 9.8 million current and former customers was compromised by a malicious cyber-attack.

The compromised data included names, phone numbers, email addresses, and in some cases, home addresses, drivers’ licenses, and passport numbers.

Here again, poor data management played a role in the breach, most notably through a lack of data removal and poor access management decisions:

The breach occurred through an unprotected, publicly exposed Application Programming Interface (API) that did not require user authentication and allowed access to highly sensitive data. The company's use of incrementing customer identifiers, so that consecutive customer IDs differed by only one, exacerbated these flaws.
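The two failures described above, an unauthenticated endpoint and guessable sequential identifiers, shown beside the controls that address them, as an added Python sketch that is not Optus's code or part of the original guide. The customers, identifiers, login stand-in and audit-log format are all constructed for illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Customer:
    internal_id: int      # sequential database key; never exposed externally
    public_id: str        # opaque identifier handed to clients
    name: str
    passport_number: str


# Constructed sample data: consecutive internal IDs, unguessable public IDs
# (fixed literals here so the example is deterministic).
SAMPLE_CUSTOMERS = [
    Customer(1001, "7f3c2a9e-5d1b-4c88-9e2a-0b6f1d3a8c41", "Alice Example", "PA1234567"),
    Customer(1002, "c2e8b1f4-7a3d-4e69-b5c0-9d2f6a1e3b77", "Bob Example", "PB2345678"),
    Customer(1003, "1a9d4f6b-3c2e-4b71-8f5d-6e0a2c9b4d13", "Carol Example", "PC3456789"),
]


class VulnerableApi:
    """The anti-pattern: no authentication, sequential keys, full record returned."""

    def __init__(self, customers):
        self._by_internal_id = {c.internal_id: c for c in customers}

    def get_customer(self, internal_id: int) -> dict:
        c = self._by_internal_id[internal_id]
        return {"id": c.internal_id, "name": c.name, "passport": c.passport_number}


class HardenedApi:
    """Authentication, object-level authorization, opaque identifiers,
    a minimized response, and an audit trail of denied requests."""

    def __init__(self, customers):
        self._by_public_id = {c.public_id: c for c in customers}
        self._sessions: dict[str, str] = {}              # session token -> public_id
        self.audit_log: list[tuple[str, str, str]] = []  # (event, token, target)

    def login(self, public_id: str) -> str:
        # Hypothetical stand-in for a real login flow: the token is
        # unguessable and maps back to exactly one customer.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = public_id
        return token

    def get_customer(self, token: str, public_id: str) -> dict:
        caller = self._sessions.get(token)
        if caller is None:
            self.audit_log.append(("AUTHN_FAIL", token, public_id))
            raise PermissionError("authentication required")
        if caller != public_id:
            # Authenticated, but asking for a record that is not the caller's.
            self.audit_log.append(("AUTHZ_FAIL", token, public_id))
            raise PermissionError("not authorized for this record")
        c = self._by_public_id[public_id]
        # Data minimization: the caller needs to confirm which document is on
        # file, not to read the full number back.
        return {"id": c.public_id, "name": c.name,
                "passport_last4": c.passport_number[-4:]}

    def suspicious_tokens(self, threshold: int = 3) -> set[str]:
        """Detection hook: a session repeatedly denied access to other
        customers' records is a signal worth alerting on."""
        counts: dict[str, int] = {}
        for event, token, _target in self.audit_log:
            if event == "AUTHZ_FAIL":
                counts[token] = counts.get(token, 0) + 1
        return {t for t, n in counts.items() if n >= threshold}


def demo() -> dict:
    """Run both designs over the sample data and summarize the outcomes."""
    vulnerable = VulnerableApi(SAMPLE_CUSTOMERS)
    hardened = HardenedApi(SAMPLE_CUSTOMERS)
    alice, bob = SAMPLE_CUSTOMERS[0], SAMPLE_CUSTOMERS[1]
    token = hardened.login(alice.public_id)

    outcome = {
        # Anyone holding an integer gets the full record.
        "vulnerable_read": vulnerable.get_customer(bob.internal_id),
        # The hardened design returns only the caller's own, minimized record.
        "own_record": hardened.get_customer(token, alice.public_id),
    }
    denied = 0
    for other in SAMPLE_CUSTOMERS[1:]:          # records that are not Alice's
        try:
            hardened.get_customer(token, other.public_id)
        except PermissionError:
            denied += 1
    try:                                        # no valid session at all
        hardened.get_customer("not-a-session-token", alice.public_id)
    except PermissionError:
        denied += 1
    outcome["denied"] = denied
    outcome["flagged"] = hardened.suspicious_tokens(threshold=2) == {token}
    return outcome
```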

The attackers demanded a ransom of US$1 million in cryptocurrency but later withdrew it and claimed to have deleted the data. A 19-year-old man was arrested for threatening some of the affected customers with financial crimes.

Medibank, 2022

Medibank, one of the largest Australian private health insurance providers, was hit with a data breach on September 30, 2022. This impacted 9.7 million current and former Medibank and ahm customers, as well as international student account holders.

The compromised data included current and former customers’ names, dates of birth, addresses, phone numbers and emails, some Medicare card numbers, some passport numbers and health claim data, some next of kin contact details for My Home Hospital patients and health provider details, including names, provider numbers and addresses.

The breach was caused by a ransomware attack that encrypted files on Medibank’s servers. The hackers, located in Russia and with connections to the REvil ransomware group, demanded a ransom payment in exchange for the decryption key.

After the company initially stated there was no evidence of compromised customer data, the hacker posted a sample of 100 customer records. Medibank said this data came from their ahm and international student systems, not their direct Medibank customer base.

After the hacker posted more such “drops” of personal data on the dark web while waiting for Medibank's response, Medibank eventually released a statement accepting that customer data had been impacted. When Medibank refused to pay the ransom, the hackers posted the remaining data, announcing “case closed”.

The breach was made possible by the theft of credentials from an individual with privileged system access. A policy of least-privilege access, where employees have access to only the minimum information required to do their tasks, together with a network segmentation strategy, may have reduced the likelihood or damage of the breach.

The delay in communicating the extent of the breach, and that customer data had been compromised, suggests Medibank did not initially understand the extent of the breach, indicative of poor data management practices.

T-Mobile, 2022

T-Mobile, one of the US's largest mobile carriers, has a particularly spotty history of data security, with five data breaches in the last five years. The most recent of these was disclosed in January 2023, when the carrier announced it had suffered a data breach in November 2022 that impacted 37 million current customers.

In a US Securities and Exchange Commission filing, the company said an attacker manipulated one of its APIs to steal customers' names, email addresses, phone numbers, billing addresses, dates of birth, account numbers, and service plan details.

The tip of the data breach iceberg

These are just the most recent data breaches where poor information governance played a part. It’s clear this is a societal issue. We could have chosen another dozen data breaches at random and drawn similar conclusions. All organizations, no matter their industry and size, need to understand how improved information governance can play a role in maintaining a robust data privacy posture.

What difficulties do organizations encounter when protecting user privacy?

Organizations face many challenges when addressing data privacy. The first is a lack of understanding of the sensitive customer data they possess. As organizations adopt more business systems such as customer relationship management (CRM) platforms or real-time chat, employees begin to interact with them in unpredictable ways. Customer data inevitably makes its way into these platforms, and those in the organization responsible for managing data privacy and data security lose visibility of, and therefore control over, sensitive data. Organizations cannot ensure the most sensitive data is securely stored.

A related challenge is the complexity of data privacy laws, which are difficult for the typical organization to interpret. This makes it hard for organizations to determine their legal obligations.

Organizations need to understand what type of data they hold, where it's located, and what the legal implications are if the data is shared with unauthorized parties or accessed by malicious actors.

Organizations need records managers to help overcome data privacy challenges

Records management is a field primarily concerned with the organization, storage, retrieval, retention, and disposition of records. While these activities intersect with activities required to improve data privacy, organizations sometimes fail to recognize this overlap.

An organization with a strong records management program will be better prepared to discover its data, deeply understand it, and take proper action to remove it once its retention period ends. These activities help ensure the security of customer data and help protect their customers’ right to privacy.

When it comes to preparing for and responding to a data breach, records management allows companies to understand what data they possess, where it is stored, and the implications if it is exposed. This allows companies to prioritize the protection of more sensitive data, so critical records are secured. Such an understanding allows for appropriate access management, limiting access to those who truly need it. A strong records management program also ensures retention schedules are met, so data is disposed of once it is no longer required.

Records management platform dashboard showing documents with PII and PCI

The need for a cohesive approach to data privacy

It is essential that records management personnel have an understanding of the regulatory requirements of their jurisdiction, including data privacy regulations. This helps avoid a situation where the requirements of data privacy and records management are in conflict with each other.

Many companies save their data for too long, erring on the side of caution and deciding they should keep data "just in case". Such an approach means companies collect too much data on current and even former customers, which runs counter to many regulations and means more people may be impacted by a data breach.

By properly integrating privacy into their records management policies, records managers can then ensure that all records are managed in accordance with applicable data privacy laws.

But organizations don't always recognize the value of records management when it comes to data privacy, and data privacy is not always incorporated into a company's records management strategy. Records managers, too, often lack familiarity with data privacy concepts and terminology, and so are unaware of how they can impact data privacy. Both sides need to come together to address this challenge.

The first step? Speaking the same language. The next part of this data privacy guide is aimed at changing this, with a focus on data privacy concepts and terminology for records managers.

Data privacy concepts and terminology for records managers

Like many other highly specialized and technical industries that intersect with both the law and technology, data privacy comes with a whole collection of terms and concepts to learn. If you wish to improve your organization’s data privacy, it helps to speak the language. Let’s review essential terminology anyone who works with data privacy should learn.

How privacy regulations define data types

A good place to start is with the actual types of data we are concerned with. Since each data privacy law has its own definitions, this is more difficult than you might expect. This overview should give you an idea of the differences, including which regulation the term is pulled from:

Personal Data

This term is defined by the General Data Protection Regulation (GDPR) as:

“...any information relating to an identified or identifiable natural person (‘data subject’).” It is broad in scope, with a wide variety of categories. These include race and ethnicity, political views, religion, spiritual or philosophical beliefs, all the way to biometric data for ID purposes, health data, or genomic information.

Personal Data examples:

  • Name, address, telephone number or email address
  • IP addresses, browser type and version
  • Location data
  • Identity documents such as passport numbers
  • Photos and videos of an individual or their property
  • Genetic information (e.g., DNA samples)
  • Political opinions or beliefs
  • Health records (e.g., medical history)
  • Financial information.

Personal Information (PI)

This term is present in a variety of regulations including the California Consumer Privacy Act (CCPA), where it is defined as:

“... information that identifies, relates to, or could reasonably be linked with you or your household.”

Examples cited include: name, social security number, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences from other personal information that could create a profile about your preferences and characteristics.

The Australian Privacy Act 1988 defines it slightly differently:

“... [PI] is information or an opinion about an identified individual, or an individual who is reasonably identifiable.”  

In the Australian context, examples of PI include sensitive information (information or opinion about an individual’s racial or ethnic origin, political opinion, religious beliefs, sexual orientation or criminal record), health information - which is also ‘sensitive information’, and credit information.

Personally Identifiable Information (PII)

This term is commonly used in a business context, and is defined by some legislation and by privacy standards such as those of the National Institute of Standards and Technology (NIST).

PII refers to (as per NIST):

“...information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual.”  

Examples of PII include: name, social security number, and biometric data records—either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.

All PII is PI but not all PI is PII.

Sensitive personal information (SPI)

Sensitive information is a subset of these other categories. Most jurisdictions believe it should be treated with a higher standard of care, as unlike some general PI, sensitive information may result in discrimination or harm if it is mishandled.

The CCPA defines SPI as a specific subset of personal information that includes certain government identifiers (such as social security numbers).

Other examples provided include:  

  • an account log-in, financial account, or debit or credit card number in combination with any required security code, password, or credentials allowing access to an account;
  • precise geolocation;
  • contents of mail, email, and text messages;
  • genetic data;
  • biometric information processed to identify a consumer;
  • information concerning a consumer’s health, sex life, or sexual orientation;
  • information about racial or ethnic origin, religious or philosophical beliefs, or union membership.

We now know what data privacy is, its connection to data security, and the various definitions for the types of data we are protecting. At this point, you may be wondering: “wait, where do I fit in?”

Important concepts in privacy regulation

While every privacy regulation is specific to its country or region, some features are common across most modern privacy regulations. Elsewhere in this guide we dive into specific regulations; here, let’s take a moment to understand some key concepts and terminology.

Data Subject Access Requests (AKA Right of Access)

Many privacy regulations, including the GDPR, give individuals the right to contact an organization to request information on the personal data the organization is processing about them. Such a request is called a Data Subject Access Request (DSAR). Depending on the regulation, individuals can also request information on subjects like:

  • The purposes of the processing.
  • The categories of personal data that has been collected.
  • Who the data will be shared with.
  • The period for which the data will be stored.

A DSAR does not need to be formatted in a certain way or include specific information. It could be as simple as an individual emailing to say, “I would like to know all the personal information you currently have stored about me.” Because this is so open-ended, some organizations have created templates (such as this one from Postbank) for their customers or stakeholders, to simplify the task of responding to a DSAR.

The right to erasure | the right to be forgotten

The GDPR and other regulations give individuals the right to request organizations to delete their personal data. The idea here is that control of the data should rest with the individual who owns it. If that person no longer consents to their data being processed, or there are errors in the data, or they think it is being stored unnecessarily, they should be empowered to request it be deleted.

This is not an absolute right, and there are many circumstances in which the organization’s right to process the data overrides the right to be forgotten, for example, if the data is required to comply with a legal request, or the data serves the public interest.

Data minimization

The more data you have, the higher the risk of it being accessed by unauthorized parties. Yet many organizations retain data for much longer than they should. When the inevitable breach happens, the blast radius is much larger, with both current and former customers impacted.

Most jurisdictions with privacy regulations include a provision that organizations collect only the data they require, and limit how long it can be kept before it must be removed. This concept and practice is referred to as data minimization. RecordPoint offers a specific data minimization solution.
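As an added example that is not the guide's or RecordPoint's code: a retention schedule applied to a constructed records inventory, with an erasure-request handler that honours the exceptions described under the right to erasure above (legal holds and statutory retention). The categories, retention periods, statutory category, records and as-of date are all illustrative assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Retention schedule (constructed): years each category may be kept after
# the customer relationship ends. "transaction_history" is also treated as
# a statutory (legally mandated) retention category in this example.
RETENTION_YEARS = {
    "marketing_preferences": 1,
    "identity_document": 2,
    "transaction_history": 7,
}
STATUTORY_CATEGORIES = {"transaction_history"}
TODAY = date(2023, 6, 1)  # constructed "as of" date for the report


@dataclass(frozen=True)
class Record:
    record_id: str
    subject_id: str                    # the customer the record is about
    category: str
    relationship_ended: Optional[date]  # None = still an active customer
    legal_hold: bool = False           # e.g. litigation or a regulator's request


# Constructed inventory. S-001 left in 2005 and was never cleaned up; S-002
# left recently, with one record frozen by a legal hold; S-003 is active.
INVENTORY = [
    Record("R-1", "S-001", "identity_document", date(2005, 3, 15)),
    Record("R-2", "S-001", "transaction_history", date(2005, 3, 15)),
    Record("R-3", "S-002", "identity_document", date(2022, 6, 30)),
    Record("R-4", "S-002", "transaction_history", date(2022, 6, 30)),
    Record("R-5", "S-002", "marketing_preferences", date(2022, 6, 30), legal_hold=True),
    Record("R-6", "S-003", "transaction_history", None),
]


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 February to 28 February when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_expiry(record: Record) -> Optional[date]:
    """Date the retention period ends, or None while the relationship is active."""
    if record.relationship_ended is None:
        return None
    return add_years(record.relationship_ended, RETENTION_YEARS[record.category])


def disposition(record: Record, today: date) -> str:
    """Decide 'retain', 'hold' or 'dispose' for one record on a given day."""
    if record.legal_hold:
        return "hold"
    expiry = retention_expiry(record)
    if expiry is None or today < expiry:
        return "retain"
    return "dispose"


def disposition_report(records, today: date) -> dict:
    """Group record IDs by the action the schedule calls for today."""
    report = {"retain": [], "hold": [], "dispose": []}
    for r in records:
        report[disposition(r, today)].append(r.record_id)
    return report


def handle_erasure_request(records, subject_id: str, today: date) -> dict:
    """Right to erasure: erase what may be erased and record why the rest
    cannot be. A legal hold or an unexpired statutory retention period
    overrides the request; the refusal reason is kept for the response."""
    erased = []
    refused = {}
    for r in records:
        if r.subject_id != subject_id:
            continue
        action = disposition(r, today)
        if action == "hold":
            refused[r.record_id] = "legal hold"
        elif r.category in STATUTORY_CATEGORIES and action == "retain":
            expiry = retention_expiry(r)
            until = expiry.isoformat() if expiry else "end of relationship"
            refused[r.record_id] = f"statutory retention until {until}"
        else:
            erased.append(r.record_id)
    return {"erased": erased, "refused": refused}
```

Running `disposition_report(INVENTORY, TODAY)` flags the two 2005 records for disposal, which is the kind of stale data the Latitude case above shows still sitting in systems years later.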

Data Protection Officer (DPO)

Certain privacy regulations mandate that companies appoint a Data Protection Officer (DPO), to be responsible for assessing the way a company stores and uses personal data.

What is a DPO?

A Data Protection Officer (DPO) is a professional responsible for overseeing data protection strategy and implementation to ensure compliance with relevant privacy regulations such as the General Data Protection Regulation (GDPR). A DPO is typically an experienced IT/data security expert or an attorney who specializes in privacy law.

What does a DPO do?

The DPO acts as a bridge between the organization’s leadership and its employees, customers, and other stakeholders by providing guidance on data privacy and security policies and procedures. They also develop processes to ensure that customer, employee, and other personal data is collected, stored, used, transferred, or disposed of properly.

Do you need a DPO?

If you are subject to the GDPR, your organization must hire a DPO if it meets one of three criteria:

  1. Public authority — Your organization is a public body or public authority. Exemptions are granted to courts and other independent judicial authorities.
  2. Large-scale, regular monitoring — Your organization regularly and systematically observes citizens or residents of the EU on a large scale, processing personal data as a core activity.
  3. Large-scale special data categories — Your organization processes specific “special” data categories (as defined by the GDPR) as a core activity and at a large scale.

Even if your organization doesn't meet these criteria, or is not subject to the GDPR, there are advantages in creating a role dedicated to understanding applicable privacy regulations and applying them to your organization's data practices. Better still if this individual is independent from the rest of the organization, lowering the chance of conflicts of interest or low motivation to improve privacy.

Perhaps this is another area records management professionals can provide value.

A deep dive into data privacy regulation around the world

By 2024, Gartner predicts that 75% of the global population will have its personal data covered under modern privacy regulations. With that in mind, organizations must ensure they dedicate resources to their privacy program. Custodians of organizational data such as records and information managers are key here. They need to understand their responsibilities under relevant privacy regulations to ensure they can take steps to improve their organization’s compliance.

Let's take a world tour to review major privacy regulations, their main approaches, and some of their more notable breaches and fines.

Privacy regulations in Europe - GDPR

The General Data Protection Regulation (GDPR)

When the General Data Protection Regulation (GDPR) came into effect in 2018, it placed strict obligations on companies in the European Union (EU) regarding managing sensitive personal data. The GDPR replaced the 1995 Data Protection Directive. The GDPR applies to any company that processes the personal data of EU citizens and gives individuals more control over their personal data.

A rights-based approach to data privacy

The GDPR differs from earlier privacy regulations which focused on “harm minimization” in specific sectors, instead adopting a philosophy of putting the individual in control of their data in what is referred to as a “rights-based” framework. Other privacy regulations like the CCPA have since adopted this approach.

Data controllers and data processors

The GDPR recognizes that not all organizations involved in processing personal data have the same level of responsibility. The regulation formalizes this through the concept of data controllers and data processors.

  • A data controller is a legal or natural person, an agency, a public authority or any other body who—alone or with others—determines the purposes and means of processing personal data.
  • A data processor is a legal or natural person, an agency, a public authority or any other body who processes personal data on behalf of the data controller.

To illustrate the concept, consider a business using a tool like Google Analytics or contracting a market research company. The business determining why and how the personal information is processed is the data controller, while the tool or agency contracted would be classed as the data processor.

What do companies need to do to comply with the GDPR?

The regulation requires companies to obtain informed consent from individuals before collecting, using, or sharing their data. They must also have policies and procedures in place to demonstrate and review consideration for all points of data interaction.

The GDPR was developed using seven principles

Lawfulness, fairness, and transparency: data needs to be disclosed clearly and efficiently in a way that allows the data subject to understand precisely how their information is being collected and processed and to consent to the processing.
Purpose limitation: data cannot be stored or repurposed for means other than its original purpose.
Minimization of data: use only the information necessary to fulfill your purpose.
Accuracy: data must be accurate and, where necessary, kept up to date. Anything inaccurate should be erased or corrected immediately.
Storage limitation: Explain to your customers how long you will store their data and ensure that you properly destroy it after its intended use.
Integrity and confidentiality: Process your clients’ data using appropriate technical or organizational measures, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage. Keeping your customers' privacy at the forefront of your business practices, as well as using data discreetly and respectfully, is what defines confidentiality.
Accountability: Only individuals who require access to personal data should be able to access it.

Breaches and penalties

EU GDPR violations result in fines of 4% of a company’s global annual revenue, or €20 million (about $22.4 million), whichever is greater.  

So far, the most significant GDPR fine has been handed down to Amazon, which received a €746 million ($888 million) fine relating to its advertising targeting system. This resulted from a complaint filed by 10,000 people against Amazon in May 2018 through the French privacy rights group La Quadrature du Net.

The UK GDPR – 2018

Following Brexit, the United Kingdom enacted its own UK-specific form of the GDPR. It is virtually identical to the EU version of the law, but it is enforced by UK data protection agencies and has no bearing on EU authorities.

Privacy regulations in North America - CCPA, CPRA and PIPEDA

The California Consumer Privacy Act (CCPA) – 2020

The California Consumer Privacy Act (CCPA) is a data privacy law affecting organizations that collect or process the personal data of California residents. The CCPA passed in early 2018 and went into effect in 2020.

The law was inspired by the GDPR and was motivated by concerns about how companies collected and used consumer data. The law also gives Californians the right to sue companies that violate their privacy rights.

The CCPA applies to businesses that collect, process or sell the personal information of California consumers. A business is subject to the CCPA if it falls into any of these three categories:

  • Businesses with annual gross revenues above $25 million
  • Companies that derive 50% or more of their annual revenues from selling or sharing consumers’ personal information
  • Businesses with personal information of 100,000 or more consumers, households, or devices.

What do companies need to do to comply with the CCPA?

Similar to the GDPR, the CCPA requires businesses to provide notice of consumer rights, honor those rights, fulfill disclosure and retention obligations, facilitate consumer requests and implement security safeguards.

Breaches and fines

So far, the most significant fines under the CCPA have been against Google and Facebook. Google received a $170 million penalty for violating children's privacy using its YouTube platform. Facebook paid $4.9 billion after Cambridge Analytica accessed the personal data of 87 million users without their consent.

The California Privacy Rights Act (CPRA) – 2023

CPRA, also known as Proposition 24, is a ballot measure that amends and expands the CCPA. While CPRA officially took effect on Dec 16, 2020, most of the provisions revising the CCPA became operative on Jan 1, 2023. The changes brought by CPRA:

  • Established the California Privacy Protection Agency (CPPA) to enforce the new data privacy laws.
  • Established a new category of data, “sensitive personal information” which must be protected.
  • Established new rights for consumers, who now have the right to correct their information, limit the use of sensitive data, access information about automated decision-making, and opt out of automated decision-making technology.
  • Modified the thresholds that companies must meet to be governed by the regulation. The categories outlined above are updated to take this into account.
  • Established the concept of sharing data, where businesses and third parties exchange data but not necessarily for monetary purposes.
  • Incorporated GDPR-based principles for data minimization, purpose limitations, and storage limitations.
  • Established a new right for consumers to pursue legal action against companies that expose their login credentials in a data breach.

Personal Information Protection and Electronic Documents Act (PIPEDA) – 2001

Canada’s privacy laws protect individuals’ personal information collected by organizations. While each province has its own law, there are also two federal laws, each governing private and public sector organizations respectively.

The first of these, PIPEDA, governs private sector organizations that collect, use or disclose personal information in the course of commercial activity.

Under the law, “commercial activity” is defined as “any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.”

All businesses that operate in Canada and handle personal information that crosses provincial or national borders in the course of commercial activities are subject to PIPEDA, regardless of the province or territory in which they are based (including provinces with substantially similar legislation).

Federally regulated organizations that conduct business in Canada, such as airports, banks and telecommunications companies, are also subject to PIPEDA.

What do companies need to do to comply with PIPEDA?  

To comply with PIPEDA, companies must follow 10 fair information principles:

  • Accountability
  • Identifying Purposes
  • Consent
  • Limiting Collection
  • Limiting Use, Disclosure, and Retention
  • Accuracy
  • Safeguards
  • Openness
  • Individual Access
  • Challenging Compliance

As under other privacy laws, companies subject to PIPEDA must:

  • Obtain informed consent from individuals at or before the time of collection.
  • Collect data only for a legitimate purpose.
  • Limit collection, use, disclosure and retention.
  • Make information related to the data handling policies available.
  • Implement safeguards to protect the data.
  • Ensure accuracy of the data.
  • Allow individuals to access their data.

Canadian Federal Privacy Act – 1983

Alongside PIPEDA, the Privacy Act governs the collection, use, and disclosure of personal information by federal government institutions. 

What do government institutions need to do to comply with the Privacy Act?

To comply with the Privacy Act, institutions must:

  • Only collect personal information that relates directly to one of the institution's programs or activities.
  • Inform individuals about why their information is being collected.
  • Use personal information in line with the stated purpose.
  • Retain data for at least two years unless the individual consents to its disposal.
  • Only disclose personal information with the individual’s consent (with some exceptions).

Like other privacy laws, the Privacy Act allows individuals to request access to their information, with a 30-day deadline for responses.

For more on Canada’s data protection and privacy laws, read our blog post on the subject.

Australia's Privacy Act 1988

Companies that collect sensitive personal data in Australia must follow the Privacy Act of 1988.

The Privacy Act came into effect on December 21, 1988. It has since governed Australian privacy law, regulating the handling of personal information by both Commonwealth and private sector organizations. Organizations subject to the Privacy Act must comply with thirteen Australian Privacy Principles (APPs), which govern how personal information must be collected, used, disclosed, and stored.

The Privacy Act introduced the 13 Australian Privacy Principles (APPs).

  • Open and transparent management of personal information
  • Anonymity and pseudonymity
  • Collection of solicited personal information
  • Dealing with unsolicited personal information
  • Notification of the collection of personal information
  • Use and disclosure of personal information
  • Direct marketing
  • Disclosing personal information overseas
  • Adoption, use, or disclosure of government-related identifiers
  • Quality of personal information
  • Security of personal information
  • Access to personal information
  • Correction of personal information

The APPs apply to government agencies and large private-sector organizations. Because they are principle-based rather than prescriptive, they protect privacy without unduly burdening agencies and organizations. Most notably, the Act created a new obligation for companies to notify users of data breaches that carry a risk of critical harm.

Breaches and penalties

Under the Privacy Act, organizations that breach the act are subject to whichever of the following penalties is greatest:

  • $50 million;
  • three times the value of any benefit obtained through the misuse of information; or
  • 30 per cent of a company's adjusted turnover in the relevant period.

Privacy Act reform

The Australian Attorney-General's Department is undertaking a review of the Privacy Act, with the goal of modernizing the framework to "support digital innovation and enhance Australia’s reputation as a trusted trading partner”. In February 2023, the department released the Privacy Act Review Report, featuring 116 recommendations. Proposed changes include:

  • The abolishment of an exception for small businesses,
  • A positive obligation that personal information handling is fair and reasonable,
  • Implementing new limits on targeted advertising — particularly ads aimed at children,
  • Adding individual privacy rights like the "right of erasure."

The Office of the Australian Information Commissioner (OAIC) welcomed the final report, with Australian Information Commissioner and Privacy Commissioner Angelene Falk saying privacy laws need to adapt to ensure that personal information is protected and handled fairly.

She highlighted the positive obligation on businesses to ensure personal information handling is fair and reasonable. Such an obligation would shift the privacy burden from individuals to the organizations who collect and use personal information, who would be required to ensure that their practices are fair and reasonable in the first place, she said.

Such a reform would therefore place more responsibility on records managers and those responsible for information governance to ensure their organization’s privacy practices are robust.

Now that we understand some of the major regulations organizations must comply with, let's explore some practical ways records managers can improve data privacy for their organization, starting with a review of the data lifecycle.

Managing data privacy through the data lifecycle

Many organizations only consider data privacy in the context of preventing or recovering from a data breach. By treating privacy as an isolated issue, rather than as a core element of a broader information management program, they make it difficult to make good privacy decisions. When the inevitable data breach occurs, the impact on the company and its customers is far more damaging.

As custodians of an organization's data, you have a key role to play in embedding data privacy into every stage of the data lifecycle.

Let's look at a simple model of the data lifecycle to see where data privacy fits in at each stage. We will revisit this later to see how you can contribute to improving your organization's data privacy.

The full data management lifecycle

Capture

Data privacy must be considered the moment data is obtained from an individual. When someone signs up to a service or purchases a product, they trust the provider to treat their data carefully. The best way to live up to this standard? Don't collect it in the first place. Many privacy laws require organizations to collect only as much data as is required to provide the product or service.

Remember, personal data belongs to the individual, so they should understand the trade-off they make when they provide it to your organization.

When you collect data, most privacy regulations require you to present the individual with an explanation of how the data will be used and with whom it will be shared.

Control

Once the data is captured from the individual, it needs to be made visible, classified according to sensitivity, and controls for security and access applied.

Data inventory

You cannot ensure individuals' privacy is protected unless you understand the data you possess. The primary way organizations can do this is to create a ‘data inventory’ recording each piece of data, how it is being used and stored, and its privacy risks. A robust data inventory reduces the proportion of dark data: data you don't know you have.

Data inventories were traditionally built by surveying departments and teams about the types of data they keep and where they keep it. This approach is no longer sufficient.

A modern data inventory must encompass all an organization's data sources and be constantly updated as new data is added.

This includes unstructured data sources like Microsoft Teams, SharePoint Online and Box, as well as structured data sources like Salesforce and finance systems.  

Data management AKA records management

Establishing a records management program enables your organization to manage data, including sensitive data, better and to make defensible decisions about its use, storage, retention and disposal.

Scalable, consistent, and accurate governance enables teams to solve data privacy challenges

Data access

Access controls are crucial to ensure data is used in line with appropriate privacy regulations, which have strict provisions about how data is used. Many data breaches occur as a result of elevated access privileges for a particular employee. In such cases, all it takes is for that employee to have their account compromised, often through a phishing attack, for a large number of customers to have their details accessed.

According to the principle of ‘least privilege’, employees in an organization should have only the minimum permissions needed to perform their functions.

Retain

This stage will be familiar to records managers. All sensitive data must be retained for periods specified in applicable compliance and privacy regulations. Too often, organizations hold onto data “just in case”, but retention schedules should be followed to minimize risk and ensure compliance. 

Destroy

Once the retention period of a given piece of data is reached, it must be destroyed.

Remember earlier when we discussed how the safest way to guarantee privacy was to not collect data in the first place? Consider this the flipside of the argument: there is no exposure risk for data you do not possess.

Any records manager will understand the concept of retention and disposition. But too often, organizations forget this, and it is increasingly common for a data breach to include the data of former customers whose data should have been removed. In data privacy circles this process of removing data is referred to as data minimization.

Improving your organization's data privacy

Organizations with strong information governance practices and robust records management programs manage and safeguard their customers’ data privacy, and are better placed to handle a data breach.  

When you have a deep understanding of your data, you can make better decisions about access management, security, and retention.

In the event of a breach, organizations that have done this work can immediately identify what data has been accessed by the attackers and how sensitive it is, so they can take appropriate steps to respond, notify affected customers, and answer their questions with speed and accuracy.

Let’s take a look at practical ways records managers can improve your organization’s privacy practices, as well as larger organizational shifts you can influence.

Data inventory

Remember, the first step in protecting your data is knowing what you have. A data inventory that truly covers your entire data corpus—all your data sources, including messaging platforms and other collaboration tools—is a pre-condition for access management and moving the most sensitive data to secure locations. Does your organization's records management team have such an inventory established?

Data lifecycle: Data inventory

Data classification

Once you have an accurate picture of your data corpus, the next step is to understand it, by classifying the data according to its sensitivity. Once you’ve done this, you will be able to better understand how to manage access and assign security policies. Rather than making all your data impregnable (an impossible standard), you can dedicate your energies to securing the most sensitive information.

Data lifecycle: Data classification

Data minimization (retention and disposition)

There is no shortage of stories of data breaches affecting an organization's current and former customers, whose data was kept longer than it should have been. In the recent Latitude Financial breach, some data had been kept for 18 years.

Such a scenario would have been impossible had these organizations practiced good data minimization.

In minimizing data, you will not only improve your data privacy posture, you will reduce the ongoing storage costs and save your team time when they are looking for data they need to do their jobs.  

Learn more about the value of data minimization for records managers.

Data lifecycle: Data minimization
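The Control, Retain and Destroy stages of the lifecycle above, and the inventory, classification and minimization steps in this section, can be tied together in a small script. The following is an added example written for this guide; it is not RecordPoint's code, nor any product's API. The data sources, field names, retention periods, role clearances and sample records are all constructed for illustration. It classifies each inventory record by the most sensitive field it holds, applies a least-privilege read check, flags records held in sources the inventory does not register (dark data), and lists records whose retention period has expired and which are therefore due for disposition.

```python
"""Toy data inventory: classification, least-privilege access and
retention-driven disposition.

Added example, not RecordPoint's code or any product's API. Every data
source, field name, retention period and sample record below is constructed
for illustration only.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed retention schedule: days to keep each record category after the
# event that starts the clock (account closure, last contact, ticket close).
# A real schedule comes from the applicable regulations and internal policy.
RETENTION_DAYS = {
    "customer_account": 7 * 365,   # assumption: 7 years after closure
    "marketing_signup": 2 * 365,   # assumption: 2 years after last contact
    "support_ticket": 3 * 365,     # assumption: 3 years after ticket close
}

# Constructed mapping from field name to the sensitivity it implies.
# "sensitive" mirrors the special category of data that CPRA and the GDPR
# single out for extra protection.
FIELD_SENSITIVITY = {
    "name": "personal",
    "email": "personal",
    "phone": "personal",
    "date_of_birth": "personal",
    "passport_number": "sensitive",
    "health_condition": "sensitive",
    "credit_card": "sensitive",
}
LEVELS = ("public", "personal", "sensitive")   # ordered low to high

# Least-privilege table (constructed): the highest level each role may read.
ROLE_CLEARANCE = {
    "marketing": "public",
    "support": "personal",
    "privacy_officer": "sensitive",
}

# Fixed "today" so the disposition result below is reproducible.
AS_OF = date(2023, 12, 1)


@dataclass
class Record:
    record_id: str
    source: str            # system of record, e.g. "crm" or "teams_export"
    category: str          # drives the retention period
    trigger_date: date     # date the retention clock started
    fields: dict = field(default_factory=dict)


def classify(record: Record) -> str:
    """Return the highest sensitivity level implied by the record's fields."""
    level = "public"
    for name in record.fields:
        candidate = FIELD_SENSITIVITY.get(name, "public")
        if LEVELS.index(candidate) > LEVELS.index(level):
            level = candidate
    return level


def can_access(role: str, record: Record) -> bool:
    """Least privilege: a role may read a record only up to its clearance.
    Unknown roles get the lowest clearance rather than failing open."""
    clearance = ROLE_CLEARANCE.get(role, "public")
    return LEVELS.index(classify(record)) <= LEVELS.index(clearance)


def due_for_disposition(inventory, today: date) -> list:
    """IDs of records whose retention period has expired as of `today`."""
    due = []
    for rec in inventory:
        keep_for = timedelta(days=RETENTION_DAYS[rec.category])
        if rec.trigger_date + keep_for <= today:
            due.append(rec.record_id)
    return due


def dark_data(inventory, known_sources) -> list:
    """IDs of records held in sources the inventory does not register."""
    return [r.record_id for r in inventory if r.source not in known_sources]


def summary(inventory) -> dict:
    """Count records per (source, sensitivity) so the riskiest stores stand out."""
    counts = {}
    for rec in inventory:
        key = (rec.source, classify(rec))
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample inventory; values are placeholders, not real people.
SAMPLE_INVENTORY = [
    Record("r1", "crm", "customer_account", date(2015, 3, 1),
           {"name": "A. Example", "email": "a@example.test", "passport_number": "X"}),
    Record("r2", "crm", "customer_account", date(2021, 6, 15),
           {"name": "B. Example", "phone": "000"}),
    Record("r3", "mailchimp", "marketing_signup", date(2020, 1, 10),
           {"email": "c@example.test"}),
    Record("r4", "teams_export", "support_ticket", date(2023, 9, 1),
           {"name": "D. Example", "health_condition": "redacted"}),
]
KNOWN_SOURCES = {"crm", "mailchimp"}   # sources the inventory registers

if __name__ == "__main__":
    print("sensitivity by source:", summary(SAMPLE_INVENTORY))
    print("due for disposition:", due_for_disposition(SAMPLE_INVENTORY, AS_OF))
    print("dark data:", dark_data(SAMPLE_INVENTORY, KNOWN_SOURCES))
    print("support can read r1?", can_access("support", SAMPLE_INVENTORY[0]))
```

Two design points carry over to a real program. Sensitivity is derived from the fields a record actually contains rather than from a label someone typed when the record was created, so a record that quietly gains a passport number is reclassified automatically. And disposition is computed from a trigger date plus a schedule, so the "kept for 18 years" situation becomes a list of record IDs a records manager can act on rather than a surprise discovered after a breach.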

Invest in data privacy automation tools

Rather than relying on manual effort to discover, classify, and assign retention labels, a platform like RecordPoint allows you to offload these tasks to automation. With an automated system, you can automatically apply record policies at scale as content is created and throughout its lifecycle, and without manual effort, specialist skills, or ongoing maintenance.  

By eliminating tedious records management tasks, you’ll increase classification accuracy and organizational efficiency.

RecordPoint offers tools that allow you to identify PII via data inventorying. Once you have identified this PII, you can take appropriate actions to comply with privacy regulation. For example, RecordPoint can help identify individuals whose private information needs to be destroyed to comply with data minimization requirements.

Advocate for cultural and systematic data privacy change

As well as these practical ways records managers can improve data privacy, it is also worth reviewing larger cultural and structural approaches that many organizations adopt. These require the buy-in of others in your organization, but as a custodian of your organization’s data, you should be well-placed to advocate for and lead their introduction.

Shifting data privacy left

There has been a growing emphasis lately on approaching data privacy in a proactive manner, rather than focusing on what happens during a breach. This movement is known as “shifting left”.

Shifting left means focusing on avoiding problems before they occur: being proactive rather than reactive, and addressing risks and problems before they happen. Weaving privacy into the organization’s core values means having it as a core requirement in a company’s development process. This also includes redacting, pruning and removing private data via automation, and reducing the co-mingling of data in repositories.

Privacy by Design  

A related concept, Privacy by Design is an approach to systems design in which privacy is built into systems, technologies, policies, and processes. A key aspect of this approach is understanding the sensitive data you have. This approach has seven principles:

  • Proactive not reactive; preventive not remedial
  • Privacy as the default setting
  • Privacy embedded into design
  • Full functionality – positive-sum, not zero-sum
  • End-to-end security – full lifecycle protection
  • Visibility and transparency – keep it open
  • Respect for user privacy – keep it user-centric

In following these principles, you will embed privacy throughout your organization, making you much better prepared for a data breach.

Partner up and stay relevant

This is important work; you needn’t do it alone.

The data privacy practices and larger organizational shifts we’ve discussed will progress much more smoothly when you build relationships with like-minded people in your organization and in the industry at large.

Partner with others in your organization, like your colleagues in risk, IT and security teams, as well as those in leadership roles who can advocate on your behalf.

Executives and boards are now focused on cybersecurity and data privacy and will be judged by how their organization responds to these challenges. It’s in their interest to make your privacy work easier. You should make sure they are aware of these data privacy initiatives and how they can help.

You can also seek out partnerships outside your organization. Establish relationships with your contemporaries in other businesses, government and regulatory agencies, to enhance your profile and expose yourself to new ideas and opportunities. Consider joining an industry association like the International Association of Privacy Professionals (IAPP).

Grow your influence

When you make yourself more relevant, both internally in your organization and externally in the market, you make it easier to have your voice heard.

Now that you know the arguments for strong data privacy and the approaches to achieving it, you can advocate for them with a stronger voice.

In doing so, you will prepare yourself and your organization for a possible data breach, for the next privacy regulation, and for the growing demands of customers and citizens. The privacy revolution is here to stay; now, you will be ready for whatever comes your way.
