Privacy, Data Protection and Security
Thursday, 03 December 2015 20:56
By: Arthur M. Freyre
National Journal recently posted an article titled “OPM Just Now Figured Out How Much Data It Owns”. According to the article, it was only in the months after its systems were breached that the Office of Personnel Management was able to inventory the information held on its network. It is easy to dismiss this as an example of bad management, but the fact is that many companies do not know what information is stored on their computers, or even what that stored information contains.
Instead of waiting until the damage of a data breach has been done, companies should begin assessing the data they have stored in their systems and keep an up-to-date inventory of that information. Assessing the data means reviewing three things: the network the data sits on, the content and purpose of the information, and who has access to it.
Assessing the network covers not only your current systems but also any old computers and external hard drives your company may have in storage. If your company has old computers in storage, it is important to check what information is still on them; you may be surprised by what is sitting on those hard drives, and a decommissioned drive that was never wiped is just as exposed as a live server if it is lost or stolen.
Assessing the information stored focuses on the content of the information and the purpose of the information. The content may be personally identifiable information (PII), which is the subject of data protection statutes. If the information is PII, then you are under an obligation to put measures in place to protect it. The specifics of that obligation depend on the state in which your business is incorporated and, because many state statutes are keyed to the residence of the individuals whose data is held, on where those individuals live.
Besides reviewing the content of the information, you must also review its purpose. The purpose answers the questions “Why do I need this information?” and “How long do I need to keep it?” Information that no longer serves a purpose should be deleted on schedule: data you no longer hold cannot be breached.
Finally, the issue of accessing the information focuses on the question “Who needs to have access to this information?” If the information is of a personal nature, then access to it must be limited. Another question to consider is “How much of the information should that person have access to?” In other words, “How much access does that person need to complete their work?” This is the principle of least privilege: each role sees only the fields it needs.
Suppose you own an accounting office. The executive assistant may need a client’s name and address because they are mailing something to the client. On the other hand, the accountant working on a matter for that client may need access to the client’s financial information in addition to the name and address. Access depends on the employee’s role, not on who happens to ask.
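The inventory review described above (what is stored, whether it holds PII, why it is kept and until when) and the role-based access rule from the accounting-office example can be expressed in a small script. The following is an added example, not code from the original article or from any real inventory product: the PII patterns are deliberately simple, the file contents, purposes, creation dates and role-to-field mapping are constructed sample data, and the function names are hypothetical. It flags any file that contains PII but has no documented purpose or whose retention period has passed, and it filters a client record down to the fields a given role may see, denying by default for unknown roles.

```python
"""Added example: a minimal data inventory with PII detection, retention
review and role-based field filtering. Hypothetical code; sample data is
constructed for illustration and is not real client information."""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, Optional, Tuple

# Simple patterns for a few PII categories. A production scanner would add
# validation (SSN area-number rules, a Luhn check on card numbers, etc.).
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card_number": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}


@dataclass
class InventoryEntry:
    location: str                  # where the data lives (path, share, old drive)
    pii_found: FrozenSet[str]      # PII categories detected in the contents
    purpose: Optional[str]         # why the business keeps it (None = undocumented)
    retain_until: Optional[date]   # date after which it should be deleted


def classify(text: str) -> FrozenSet[str]:
    """Return the set of PII categories found in a piece of text."""
    return frozenset(name for name, rx in PII_PATTERNS.items() if rx.search(text))


def build_inventory(files: Dict[str, str],
                    purposes: Dict[str, Tuple[str, int]],
                    created: Dict[str, date]):
    """files: path -> contents; purposes: path -> (purpose, retention_days);
    created: path -> creation date. Files with no declared purpose are kept
    in the inventory with purpose=None so they show up for review."""
    inventory = []
    for path, contents in files.items():
        pii = classify(contents)
        if path in purposes:
            purpose, days = purposes[path]
            retain_until = created[path] + timedelta(days=days)
        else:
            purpose, retain_until = None, None
        inventory.append(InventoryEntry(path, pii, purpose, retain_until))
    return inventory


def needs_review(entry: InventoryEntry, today: date) -> bool:
    """True when the file holds PII and either has no documented purpose
    or its retention period has expired."""
    if not entry.pii_found:
        return False
    return entry.purpose is None or entry.retain_until < today


# Role -> fields of a client record the role may see (hypothetical mapping
# following the accounting-office example in the text).
ROLE_FIELDS = {
    "executive_assistant": frozenset({"name", "address"}),
    "accountant": frozenset({"name", "address", "financials"}),
}


def view_for_role(role: str, record: Dict[str, object]) -> Dict[str, object]:
    """Return only the fields the role is entitled to. An unknown role gets
    nothing rather than everything (deny by default)."""
    allowed = ROLE_FIELDS.get(role, frozenset())
    return {k: v for k, v in record.items() if k in allowed}


# Constructed sample data: a current client file, a forgotten backup on an
# old laptop, and a marketing file with no personal data.
SAMPLE_FILES = {
    "clients/acme_2015_return.txt":
        "Acme Corp, owner SSN 123-45-6789, contact owner@example.com",
    "archive/old-laptop/backup.csv": "name,card\nJ. Doe,4111 1111 1111 1111",
    "marketing/newsletter.txt": "Quarterly update: nothing personal here.",
}
SAMPLE_PURPOSES = {"clients/acme_2015_return.txt": ("tax return preparation", 7 * 365)}
SAMPLE_CREATED = {
    "clients/acme_2015_return.txt": date(2015, 3, 1),
    "archive/old-laptop/backup.csv": date(2009, 6, 1),
    "marketing/newsletter.txt": date(2015, 11, 1),
}


def review_report(today: date = date(2015, 12, 3)) -> Dict[str, bool]:
    """Map each inventoried location to whether it needs human review."""
    inventory = build_inventory(SAMPLE_FILES, SAMPLE_PURPOSES, SAMPLE_CREATED)
    return {e.location: needs_review(e, today) for e in inventory}


if __name__ == "__main__":
    for location, flagged in review_report().items():
        print(f"{'REVIEW' if flagged else 'ok    '} {location}")
    client = {"name": "Acme Corp", "address": "1 Main St", "financials": {"revenue": 1_000_000}}
    print("assistant sees:", view_for_role("executive_assistant", client))
    print("accountant sees:", view_for_role("accountant", client))
```

Run as written, the report flags only the backup on the old laptop: it contains a card number and nobody has recorded why it is kept, which is exactly the situation the article warns about. The client file is also PII, but it has a documented purpose and is inside its retention window, so it passes.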