Develop privacy and security compliance policies, standards, and controls.
Policies are high-level statements about how data should be handled, similar to a vision statement. Standards outline the rules that govern putting policies into action, and controls provide specific instructions about how to implement a standard.
In order to facilitate secure and compliant data sharing:
- Data requesters must understand the privacy and security compliance standards of the data they're requesting
- Data owners must ensure that they clearly define the privacy and security compliance standards that govern the data they own
The points below highlight how to define and understand privacy and security compliance.
- Why do we collect personal information?
- What information do we collect? (Review the data dictionary.)
- When and how do we disclose/share information?
- How do we protect personal information, including the administrative, technical, and physical strategies?
- How do we protect the confidentiality, integrity, and availability of confidential information that is created, received, maintained, or transmitted?
Document critical data elements.
Confidential Information (CI) is any non-public information pertaining to the agency's business. Personally identifiable information (PII) is any data that can be used to identify an individual. Examples of PII include a user's name, address, phone number, and social security number.
Data owners should also document subsets of PII, such as:
- Payment Card Industry (PCI) data — credit card information
- Protected Health Information (PHI) — information about an individual's health
- Education records — data maintained by a school about students that includes information like test scores, special education records, courses taken, and attendance
Understand the laws that govern critical data elements.
State agencies need to understand the laws that govern each dataset based on its CI and PII. The standards and laws that govern data are critical in order to know:
- How data should be stored
- How data can be used
- What data can be shared (for example, individual rows or aggregate totals)
- How data are transferred
- How data are disposed of
Define acceptable use standards.
Define acceptable use standards based on the laws and regulations that govern the use of your agency's data. These standards will help define the specific requirements in data sharing agreements for keeping data secure. For example, for sensitive data, the data owner may require that the requesting party dispose of the data after a specific time frame.
Develop, implement, and maintain a comprehensive data-security program.
Your agency will need legal assistance creating a comprehensive data-security program that adequately protects CI. The program will need to be consistent with and comply with all applicable federal and state laws and written policies related to protecting CI.
The data-security program should cover considerations like:
- A security policy for employees related to the storage, access, and transportation of data containing confidential information
- Reasonable restrictions on access to records containing confidential information, including access to any locked storage where such records are kept
- A process for reviewing policies and security measures at least annually
- Creating secure access controls to confidential information, including but not limited to passwords
- Encrypting of confidential information that's stored on laptops or portable devices or that's being transmitted electronically
Enforce compliance controls.
A control is a safeguard to avoid, detect, or minimize security risks that might compromise the confidentiality, integrity, and accessibility of data. For example, a data owner might require a quarterly review of all users with access to a database or that people working with the data undergo compliance training.