The enforcement and management of privacy obligations is a challenging task that involves legal, behavioral, technical and organizational aspects. Managing privacy obligations for identity and confidential data requires effort in both the short and the long term, and that effort can be affected by events. The area of data privacy is of particular relevance for enterprises and government agencies. Privacy and data protection laws dictate obligations involving ongoing and long-term constraints. Mechanisms are required to represent, manage, monitor and enforce obligation policies in complex and heterogeneous environments. To address aspects of the problem, policy-driven scheduling mechanisms coupled with secure workflows and auditing techniques can be useful. It is therefore important to apply these policies strictly to confidential data and to track how that data is stored and distributed.
What is an obligation? It is an act or course of action to which a person is morally or legally bound. For an organization, a privacy obligation is therefore a legal course of action by which an enterprise implements privacy rules. Different types of privacy obligations have been defined for financial institutions, health care, enterprises and e-commerce. They have different interpretations, implications and enforcement requirements depending on the context and the legislative framework in which they are applied.
The responsibilities and commitments stated by privacy obligations can be described in very abstract or in very specific terms. As an example of the abstract kind: “Every financial institution has an affirmative and continuing obligation to respect customer privacy and protect the security and confidentiality of customer information” - Gramm-Leach-Bliley Act (1999). Such obligations can be expressed in terms of notice requirements, limits on reuse of information and limits on information sharing for marketing purposes. At the other extreme, privacy obligations can dictate very specific requirements, where data retention has to be enforced for a long period of time or data is only temporarily stored by organizations.
Any data that has been gathered by an organization must be accurate, kept up to date and deleted when it is no longer needed. Many organizations simply throw away a used hard disk without deleting the data on it, which contains confidential information. This lets the data fall into the wrong hands. If personal information is collected and used for any reason other than staff administration, marketing the other company’s products or maintaining customer records, the organization concerned has to notify the Information Commissioner's Office. The collection and use of personal information has to be fair, and the information collected has to be proportionate.
When dealing with privacy obligations, different aspects need to be taken into account:
- The period of validity or the timeframe that applies for obligations.
- The enforceability of obligations: an obligation can be technically enforceable, or its implementation can happen only as the result of guidelines, human behaviors and best practices.
- The situations/events that trigger the fulfillment of obligations. An event can be specific or ongoing. Events include deadlines, specific transactions/interactions and contextual changes.
- The entities responsible for enforcing obligations and criteria.
- The target of an obligation and the implications; the target can be confidential data, personal profiles, medical or criminal data, etc.
- Exceptions or special cases that apply to obligations.
High-level privacy obligations impose “ongoing” commitments on organizations, dictated by privacy guidelines. These obligations describe the acceptable behaviors and best practices that are to be enforced to maintain privacy. More refined privacy obligations can still impose commitments over a significant number of years, for example in health care, financial and criminal contexts, where data retention laws must be applied.
Important issues need to be considered when dealing with the management and enforcement of privacy obligations:
- The aspects of privacy obligations need to be modeled: which data is affected by the obligation, the events and conditions that trigger the fulfillment of an obligation, and the actions that are to be carried out.
- The association of privacy obligations with the targeted confidential data must be strong. This is particularly challenging in dynamic environments where confidential data can be processed, moved around or sent to other parties. Breaking the association between data and its privacy obligations is a violation.
- The explicit management of accountability is fundamental to ensure that the enforcement of privacy obligations is carried out with clear responsibilities for the involved parties.
- Instrumenting applications and services is complex and costly, so as far as possible a privacy obligation framework should be adopted in a way that has minimum impact on applications and services.
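The aspects and issues listed above map onto a small data model. The following is an added example, not code from the original page: the class, field and event names are hypothetical, and the sample records are constructed. It models an obligation's target, trigger (deadline or event), period of validity and accountable entity, returns the obligations that are due, writes an audit trail, and flags data items that have lost their association with any obligation.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Obligation:
    oid: str
    target: str                              # data item the obligation is bound to
    owner: str                               # entity accountable for enforcement
    action: str                              # e.g. "delete", "notify_subject"
    deadline: Optional[datetime] = None      # time trigger
    on_event: Optional[str] = None           # event trigger
    valid_until: Optional[datetime] = None   # end of the period of validity
    fulfilled: bool = False

class ObligationManager:
    def __init__(self):
        self.obligations, self.audit = [], []

    def bind(self, ob):
        self.obligations.append(ob)

    def due(self, now, events=()):
        """Unfulfilled, still-valid obligations whose trigger has fired.
        events is an iterable of (event_name, target) pairs."""
        fired, out = set(events), []
        for ob in self.obligations:
            if ob.fulfilled or (ob.valid_until and now > ob.valid_until):
                continue
            timed = ob.deadline is not None and now >= ob.deadline
            if timed or (ob.on_event, ob.target) in fired:
                out.append(ob)
        return out

    def enforce(self, now, events=()):
        """Record each due obligation in the audit trail with its accountable
        owner. Running the action itself is left to the system holding the data."""
        done = self.due(now, events)
        for ob in done:
            ob.fulfilled = True
            self.audit.append((now.isoformat(), ob.oid, ob.target, ob.owner, ob.action))
        return done

    def unbound(self, data_ids):
        """Data items with no obligation attached (a broken association)."""
        return sorted(set(data_ids) - {ob.target for ob in self.obligations})

def demo():  # constructed sample data
    m = ObligationManager()
    m.bind(Obligation("ob1", "cust-17", "dpo", "delete", deadline=datetime(2024, 1, 1)))
    m.bind(Obligation("ob2", "cust-42", "crm-admin", "notify_subject", on_event="shared"))
    done = m.enforce(datetime(2024, 6, 1), [("shared", "cust-42")])
    return [o.oid for o in done], m.unbound(["cust-17", "cust-42", "cust-99"])
```

In `demo()`, `cust-99` is reported by `unbound` because a copy of the data exists with no obligation bound to it, which is the violation described in the list above.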
The management of privacy obligations is important for enterprises and organizations to preserve their reputation and brand, which in turn increases customer satisfaction. Privacy obligations must be compliant with legislation and customers’ requirements to increase business opportunities.