Data has become one of the most valuable assets and currencies in an increasingly technology-driven world, and with that value comes responsibility. Data about people (Personal Information) is used extensively in advertising, public relations, marketing, behavior modeling, and artificial intelligence. Social media platforms such as Twitter, Snapchat and TikTok run on advertising revenue built on the data collected from their very large user bases.
As businesses collect growing amounts of data about their customers, and as that data remains a target for breaches, they must secure it and ensure it is used responsibly. This responsibility grows significantly in a regulated environment, where Sensitive Personal Information is often collected.
Pharmaceutical companies are high-value targets because of their intellectual property and proprietary information, as well as their vital role in developing life-saving treatments. The shift to remote work driven by the COVID pandemic increased operational digitization and the overall digital footprint of companies in this sector, expanding their attack surface and data security risk. According to a recent report by digital risk protection company Constella Intelligence, of the 20 pharma companies Constella analyzed, five clocked more than 200,000 total data exposures and breaches, with some as high as 400,000, in the period from January 2018 through September 2021.
In this blog, we will discuss important privacy principles and provide best practice recommendations for enhancing the data security of Personal Information in your organization.
What is Personal Information?
Personal Information (PI) is any information that, directly or indirectly identifies or reasonably could be used to identify an individual.
PI can be categorized as basic, restricted, and sensitive.
- Basic: Information shared within an organization or with authorized Third Parties for the legitimate purpose of day-to-day business activities. This PI is categorized as Proprietary. Basic Data Elements include: first name or last name, initials, work contact details, group memberships and membership numbers, network or user identification number, employee ID, work history & skills, employee job information, gender or title, event attendance.
- Restricted: Information shared on a “need to know” basis, only with those who must perform legitimate business activities within or for the organization. May require enhanced controls and/or may be subject to breach notification laws and regulations. This PI is categorized as Confidential. Restricted Data Elements include: marital/civil status, details of spouse, personal contact details, home contact details, compensation data, employment details, age or date of birth, vehicle license plate number, key-coded (pseudonymized) data, security clearance, citizenship, nationality or place of birth, purchase history, sales and marketing information, behavioural/usage data, organizational job information, workplace information, surveillance data, photographs or video containing an individual.
- Sensitive: Information that requires enhanced controls and/or may be subject to breach notification laws and regulations. This PI is categorized as Confidential. Sensitive Data Elements include: ethnicity or race, medical or health information, union affiliation, criminal information, political affiliation or opinions, religious or philosophical belief or affiliation, sexual orientation or sex life, genetic information, biometric data, biological samples, physical characteristics, lifestyle information, payment card number, financial account details, government issued ID numbers, digitized electronic signature, geo-location data, credit status or rating.
The General Data Protection Regulation (GDPR) is one of the most stringent privacy and security laws in the world. Though drafted and passed by the European Union (EU), it imposes obligations on organizations anywhere, so long as they target or collect data relating to people in the EU. The following principles are derived mainly from Article 5 of the GDPR, together with its related provisions on lawful basis, data subject rights and international transfers. They can serve as a baseline for any business building its Privacy Framework:
- Fair, lawful and transparent: PI must be processed on a lawful basis, for a specific business, commercial or legal purpose that is made clear to the individual (for example in a privacy notice).
- Restricted to the original purpose: PI should not be used for a purpose different from the one communicated to the individual without further review and approval. Individuals must be notified of any new secondary purpose.
- Limited to the minimum necessary: The PI collected must be adequate, relevant and limited to the minimum necessary to meet the purpose for which it was collected.
- Accurate: Any PI obtained and processed must be accurate and kept up to date, if appropriate. If the PI is inaccurate, it should be deleted or rectified as soon as possible.
- Not retained longer than necessary: PI must only be retained for as long as necessary for the business purpose or as specified by the Organization’s Records Retention Schedule.
- Kept secure: PI must be kept secure by applying appropriate security safeguards, including where PI is processed by third parties.
- Processed in accordance with the rights of data subjects: Build provisions into systems and processes that allow the organization to fulfil individual rights (such as access, rectification, erasure and objection) within the required timeframes.
- Not transferred across borders improperly: PI must be transferred across borders only with the appropriate safeguards in place, as required by the law of the originating jurisdiction (for EU data, for example, an adequacy decision or standard contractual clauses). These safeguards are implemented through contracts and IT measures.
- Demonstrates compliance: Demonstrate compliance with obligations under applicable privacy laws by collecting evidence of informed decision making and implementing appropriate privacy controls.
While there is no single regulation that governs data globally, almost every country has its own set of regulations that organizations must comply with when collecting Personal Information. A few examples are:
- The General Data Protection Regulation (GDPR) is a regulation of EU law on data protection and privacy in the European Union and the European Economic Area.
- HIPAA is a US federal law that governs the privacy and security of Protected Health Information (PHI) held by covered entities (health plans, providers and clearinghouses) and their business associates.
- The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law.
- The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law relating to data privacy. It governs how private sector organizations collect, use and disclose personal information in the course of commercial business.
Privacy Do’s & Don’ts
✓ Disclose PI to third parties only when appropriate contractual controls are in place in relation to privacy
✓ Use PI shared by a third party only if you are sure that such third party provided appropriate notice and, where necessary, obtained the consent from the relevant individuals
✓ Create access management controls around PI, e.g. approval process for requests to access data, review users’ rights of access, etc.
✓ Dispose of PI appropriately, e.g. using confidential waste bins, shred paper and permanently erase electronic media
✓ Ask your local Country Privacy Advisor or Regional Privacy Officer if you have privacy questions
✓ Encrypt files that contain PI before sending them, using a tool with modern (AES-based) encryption rather than legacy ZIP or old Office password protection, which is easily broken, and pass the password through a different channel (phone or an approved messaging tool); a second email to the same mailbox protects nothing if that mailbox is compromised
✓ Think before you share any information:
- Does the information need to contain PI?
- Are you aware whether you are sharing PI?
- Is it necessary to share the PI?
- Apply the same diligence whether sharing PI internally or externally
- Consider the values of transparency, respect and integrity, and the expectations of courage and accountability
- Double-check the recipient list before hitting send on emails containing PI; auto-completed addresses are a common cause of misdirected disclosures
- Be aware that PI travels: it gets forwarded (via email) both internally and externally
✕ Don’t assume a supplier will have appropriate controls in place to protect PI, ask.
✕ Don’t assume a supplier will properly dispose of PI; ask specific questions about their disposal processes and confirm in writing
✕ Don’t store PI in personal cloud services such as Dropbox or iCloud
✕ Don’t store PI on unapproved or unencrypted removable media, e.g. CDs, USB sticks or external hard drives
✕ Don’t throw documents containing PI in the regular waste bins – use confidential shred
✕ Don’t store PI longer than necessary per records retention policy or local laws
✕ Don’t share passwords or access codes with others
✕ Don’t ignore potential privacy issues or concerns
✕ Don’t use or allow anyone to use PI for any reason other than what it was originally collected for without the individual’s explicit consent.
✕ Don’t send any work to your personal email so that you can work on it at home
Privacy is everyone’s responsibility. Businesses must understand what data they collect, how they use it, and the risks that come with holding it. Data breaches take many forms, from forwarding a suspicious email without investigating it to leaving a device unattended or losing it.
A Privacy framework not only protects business interests and revenue, it also builds trust with patients and customers that their data is secure and used only to the extent of the business purpose. Beyond customer and patient PI, it is important to secure employee and third-party PI such as email addresses, passwords, phone numbers, addresses and corporate credentials, because threat actors use them to launch phishing, ransomware and misinformation campaigns. Pharmaceutical companies in particular must adopt privacy by design and establish a privacy-driven culture to protect sensitive and proprietary data.