Show all

Connecting Privateness & Ethics to Enterprise Worth

The pandemic has created a new world of daily symptom forms for personal environments, temperature logs, and contact tracking forms. The collection of all of this sensitive health information has put privacy at the forefront of all thoughts. Both the people who submit the information and those who collect the information are concerned about the protection and compliance with data protection regulations. It is more important than ever for companies to demonstrate their data protection obligations. In this article, we're going to examine some of the privacy ethics considerations, why ethics matter, and how privacy ethics can be incorporated into your organization.

Link ethics to your privacy program

Whether you have an existing privacy program or want to set one in place, now is a good time to review how your organization handles sensitive information. Protecting personal data from your customers and employees is both required by law and the right thing to do.

Records containing personal information have specific data protection control requirements for each stage of the record's lifecycle. These controls within the data protection program also have an ethical component at every stage of the data set lifecycle.

Accuracy is important

If the creation or receipt is reconciled with the collection, several elements of the efforts to ensure accuracy should be checked, e.g. B. how the information is collected, from whom / where it is collected and more. Information should be obtained directly from the person concerned. An exception would be when information is given: on behalf of a minor, by a specific person or by someone relevant to an investigation. Accuracy must be taken into account when collecting to ensure that decisions about an individual have valid assistance. Authentication methods can include asking the individual to verify the information collected or the reliability of the primary source. Ensuring accurate coverage is an ethical obligation. Otherwise, a person may not be able to receive goods, receive services, or possibly fail to receive any benefit to which they should otherwise be entitled.

Notification is required

The information-gathering notice should also be included in any data protection program. Individuals have the right (and expectation) to be informed about information that is collected about them. There are very few exceptions to this rule, and in some areas it is even a legal obligation related to data protection laws such as GDPR, CCPA and HIPAA. From an ethical point of view, if someone is not informed about the collection of their personal data is perceived as misleading regardless of the intention . Unless an individual is under authorized surveillance, they should always be informed that their information is being collected, and they should also be made aware of why it is being collected and who to contact with questions about the collection.


Prescribed use

The use and disclosure of a data set also has data protection-related considerations. Personal data should only be used for the purpose for which it was collected. It should only be passed on to persons who need to see the information for the provision of goods, services or services. Your privacy program should include certain parameters about what can be shared and with whom. For efficiency reasons, it can be way too easy to share information with a new department or partner organization. This can result in personal information being shared without someone's permission and it is likely that most data protection laws will not be complied with.

Safe storage

When storing personal information, it is important to implement strict controls to protect the information from unauthorized access. Using active security controls is another way for organizations to comply with regulations. Security protocols embedded in the systems used to manage your information are the most effective. For example, a person with secure access to information shouldn't have to think about whether or not they can send a confidential document to someone else. Rather, the system should allow or deny sharing based on established data protection standards.

For physical files, this means ensuring that the files are locked and only handled by appropriately authorized personnel. Everyone should receive regular training in handling sensitive information. If you are using an external storage facility, make sure that the facility maintains logs to protect sensitive information. Compliance with the highest standards for information security shows your ethical commitment to employees inside and outside your company.

Restraint and destruction

How long you store or retain personal data should depend on regulation and the need for the information to provide goods, services or benefits. Excessive retention can violate regulations and put the information at greater risk of inappropriately accessing it. The ethical choice is to work actively to ensure that personal data only remains in the organization for as long as is necessary. Also, in some cases, it can mean responding quickly and completely to a person's request, being forgotten and removing their information from all organization locations (physical and electronic).

During the disposition phase of a recording, it is of vital importance to ensure that personal data is not made available to parties who should not have access. For many organizations that use a record destruction provider, it is important that organizations conduct due diligence with their provider to ensure that controls are in place to prevent unauthorized access. Anything else would be unethical.

You have come to the right place at Virgo for the latest legal investigations into storage! Get your 90-day free trial here.


Training and communication must be continued. Your company's data protection guidelines should be shared internally and with business partners. Training for internal stakeholders should be carried out regularly. Data protection requirements for business partners should be explicitly stated in your contract.

Contract renewals are a good time to review the requirements set out for changes that may be required as a result of changes in industry or legislation.

Doing good by doing it right

There are many consequences for organizations that do not make ethical decisions about the handling of personal information. There is direct and explicit impact from regulators, which could include severe financial penalties (up to $ 25,000,000 in a Canadian jurisdiction! Up to 10% of gross EU sales), orders or policies for operational changes, temporary work stoppages, and orders that could close a company by effect and even expensive process costs.

All legal consequences are important, but compliance and compliance with data protection standards is more than just the law. Management should show support for data protection initiatives and the overall data protection program. Protecting customers from accidental exposure is ethical and moral. An organization committed to protecting customers from potential data breaches can ensure their reputation is preserved while attracting better quality employees. This can also lead to better overall credibility in your industry and community.

Components of the data protection program

The data protection program should contain the following components:

  • A defined role as a guide for departments and individuals in program implementation and with sufficient authority to enforce program requirements
  • A strong set of governance policies and procedures
  • A full set of data protection principles that includes: accountability, identification of purposes, consent, limitation of collection, accuracy, limitation of use / disclosure / retention, safeguards, openness, individual access, challenge of compliance
  • Training as part of the onboarding process
  • Annual refresher training
  • Clear and published process for individuals to question how their information is being treated or to ask to be forgotten.
  • Regular audits or practice reviews

However, it is not enough just to have a data protection program. Data protection issues and related guidelines should be communicated regularly in company newsletters and at group meetings. Reminders of why privacy is important and how individuals can support positive outcomes around privacy should be reinforced by leaders at all levels.

Whenever possible, it should not be left to the individual employees to enforce the guidelines. Rather, the data protection principles should be integrated into operational processes that cover the collection, use, disclosure, protection and storage of personal data. This practice is a philosophy known as "privacy by design". This means that employees can focus on their core business functions and be sure that privacy has been built into their daily work flow.

Investing in data protection pays off

Data protection is not a new concept, but it is receiving more attention due to the increasing collection of sensitive health information and increasing legislation. Respect for privacy is important to most people and should be important to any organization that handles personal information.

Many problems could arise if the ethical obligation to protect personal data is ignored. However, most of these problems can be alleviated by having a set privacy program. Such a program can save organizations from regulatory compliance issues and help them not to damage the organization's reputation.

More importantly, making an ethical commitment to protecting personal information pays off for companies willing to make the investment.

For more information, see our recorded webcast: Linking Privacy and Ethics to Company Value – Doing Good by Getting It Right

Comments are closed.