Principles for protecting information privacy.

Author: Gable, Julie
Position: THE PRINCIPLES: GENERALLY ACCEPTED RECORDKEEPING PRINCIPLES[R]

When it's done well, information privacy protection is part of an organization's policy and procedural infrastructure, working in the background like a silent sentinel that few realize is constantly on alert. When it's done poorly, it makes headlines and ripples through an organization from the cubicles to the board room.

Media reports tend to make privacy protection synonymous with cybersecurity, and some resources, such as the EDRM's Information Governance Reference Model, take the position that while business, legal, and records and information management (RIM) stakeholders have input, it is IT's responsibility to manage the information protection environment.

Protection, though, is as much about policy and procedural issues as it is about technology activities. Anti-hacking and anti-theft measures, for example, can exist only as the result of well-defined policies that are made in response to laws governing the collection, storage, transfer, retention, and disposition of private information and the assignment of privacy protection responsibilities.

The Push for Privacy

The states of Massachusetts and Nevada have enacted tough privacy laws, and members of the U.S. Congress are moving forward with cybersecurity legislation aimed at protecting private information. Meanwhile, privacy experts are advocating that individuals have the right to control the collection and use of their personal data, an idea embodied in many European laws. Organizations, therefore, find themselves squeezed between pressures from lawmakers and customers.

Privacy breaches are expensive for business. According to the Ponemon Research Institute's "2014 Cost of Data Breach Study: Global Analysis," the average cost for each stolen or lost record containing sensitive or confidential information is $145 (U.S.). Considering that Verizon's "2012 Data Breach Investigations Report" showed that 95% of the 174 million records compromised worldwide in 2011 contained personal information, the total cost is significant. What's worse is the potentially irreparable harm to customer confidence in the breached organization and its impact on future business.

Privacy breaches can be costly for careers, too. In some cases, high-level executives have lost their jobs, and in the high-profile incidents at Wyndham Worldwide and Target, shareholders brought lawsuits against their respective boards alleging that board members failed to take reasonable steps to maintain their customers' personal and financial information in a secure manner.

But, determining what "reasonable steps" are is a mammoth task in an environment that is a complex tangle of evolving state, national, and international information privacy laws, industry regulations, human behaviors, and physical and electronic systems.

Privacy Protection Principles

Two well-known sets of principles offer a starting point for making sense of what is required of organizations and knowing what to do and in what order: the Generally Accepted Recordkeeping Principles[R] (Principles) and the Generally Accepted Privacy Principles (GAPP).

Principle of Protection

One of the eight Principles from ARMA International, the Principle of Protection, notes that an information governance (IG) program should be designed to offer "a reasonable level of protection to information that is personal or that otherwise requires protection." The context for this principle says that the program must ensure that "appropriate protection controls are applied to information from the moment it is created to the moment it undergoes...
