Data Privacy

Data Sensitivity Labeling and Handling

  • Data / info is classified according to its value and level of sensitivity.

  • The appropriate level of security can be applied.

  • Process should be:

    • Easy to Apply

    • Consistent

    • Visible

Data Sensitivity Classifications

  • Common Labels:

    • Public / Unclassified - No harm if disclosed.

    • Confidential - Limited harm if disclosed.

    • Secret - Grave harm if disclosed.

    • Proprietary - Limited to internal use only. Restricted externally.

    • Private - Information regarding people.

  • Classification terms and labeling are determined by the organization.

  • PII - Personally Identifiable Information

    • Data that identifies or is traceable to a specific individual.

    • Name, SSN, Bio, Address

  • PHI - Protected (or Personal) Health Information

    • HIPAA: "any information about health status, provision of health care, or payment for health care that is created or collected by a 'Covered Entity' that can be linked to a specific individual."

Data Roles

  • Data Owner

  • Data Custodian

  • Privacy Officer

Data Retention & Disposal

  • Retention

    • US Federal Rules of Civil Procedure (FRCP)

    • Keep information for only as long as you need it and no longer.

    • Set in a Data Protection Policy

  • Disposal

    • Properly disposing of data and associated hardware.

Data Destruction and Media Sanitization

  • Trusting third parties for destruction.

  • Observe destruction process.

  • Transportation to destruction facility.

  • Use of media after destruction.

  • Best practice is to combine methods.

  • Burning - Use of heat or fire.

    • Not environmentally friendly.

  • Shredding - Reduces the size of objects with the intent of making them no longer usable.

    • Items may still be re-assembled.

  • Pulping - Reduces paper to liquid slurry.

    • Can be safely recycled.

  • Pulverizing - Using hydraulic or pneumatic action to reduce the materials to loose fibers and shards.

    • High cost.

  • Degaussing - Using a large magnet to remove data from magnetic storage media such as hard drives and magnetic tapes.

  • Purging - Removing files and all traces of data.

    • Sanitary.

  • Wiping - Overwriting data.

    • Data is replaced and then removed.