
Privacy Best Practices for Data-Sensitive Industries

Published June 1, 2016 · Updated August 3, 2018

Depending on the specifics of a given industry, combined with local privacy laws, data privacy approaches may vary substantially. Taking the USA as an example, sectors such as healthcare, finance and higher education are each governed by a different set of rules. And while it may be impossible to come up with a one-size-fits-all solution for every case, there are some recommended steps to follow in data-sensitive sectors like government, healthcare, telecommunications and finance.

In this post we focus on challenges and best practices for particular industries, as described by renowned data privacy expert Aurélie Pols.

Government and Public Sector

More than any other type of organization, governments and public institutions need to be transparent and observe the highest privacy standards, as they are under heavy public scrutiny.

  • Privacy statements need to be aligned with the technology in use: they must reflect the tools deployed and the data collected, along with the cookie policy.
  • Equal treatment of all individuals is a must, as is the utmost care for their security and dignity.
  • Unnecessary complications and data privacy risks should be avoided. It is recommended to stay away from SaaS solutions with evolving terms and conditions. Public sector agencies should choose flexible, autonomous software and adjust it to their particular requirements.

Healthcare

    In the USA, health data is regulated by HIPAA, the Health Insurance Portability and Accountability Act of 1996. It imposes specific requirements related to security, data retention and other important areas. In Europe, data subjects must give their consent before a healthcare organization engages in any data usage.

  • It is important to educate the employees responsible for technological solutions and data in the health sector, and to make them aware that seemingly insignificant details, such as the direction of a data flow, can be of fundamental significance in terms of liability.
  • If you are looking for advanced security features, server log analytics may be an option worth investigating.
  • Access and sharing protocols are also stricter than, for instance, in the retail industry.


Banking and Finance

    Finance and banking may be one of the most heavily regulated sectors when it comes to data privacy. Its obligations are defined mostly by other sectoral requirements. An exception is the Payment Card Industry Data Security Standard (PCI DSS), a globally recognized proprietary security standard. Another piece of legislation that spurred several banks to review their procedures is the Sarbanes-Oxley Act of 2002. This law was passed by Congress in the United States to protect stakeholders from errors and inconsistencies.

  • Financial institutions are turning with increasing frequency to mobile banking. Permissions management in mobile apps and timely security updates are at the top of the risk priority list.
  • As many banks are going through mergers and acquisitions, their back-end technology needs to be aligned to mitigate privacy risks.
  • A good idea in the long run would be to implement an on-premises analytics tool offering flexibility in terms of both security and features. Properly managed user groups and robust password policies also help.

Telecommunications

    The telecommunications industry should be extremely vigilant about the information it collects. Consent is key when data from telecoms is to be tracked and used. Recall the infamous case of BT and Phorm, when customers weren’t even informed about the interception of their information for individually targeted advertising.

  • Operators in the telecommunications industry often serve as ISPs as well. That should make them extremely vigilant about the information they collect from their digital properties.
  • Technology bundling can make things even more complicated – think of a variety of apps, each with its own tracking, installed on top of the original operating system.
  • If the telecoms industry is to play a role in handling digital identity through the use of SIM cards, an ideal set-up should involve flexible, self-hosted tools linked to back-end systems to minimize data privacy risks.

Expert’s Advice: Aurélie Pols, Mind Your Privacy

“Each case is specific and needs to be viewed in context. Depending on circumstances, such as data type, sector, or sovereignty – a variety of teams will be involved in the data treatment, working in collaboration through defined or yet-to-be-identified processes.”

Karolina Gawron