Data privacy or information privacy is an offshoot of data security involving judicious data handling — consent, notice and regulatory obligations. Practical data privacy concerns often revolve around the below three points. → Whether or how data is shared with third parties → How data is legally collected or stored → Regulatory restrictions such as General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA) or Gramm-Leach-Bliley Act (GLBA), to name a few
How is data privacy different from data security?
It is a common belief that by keeping sensitive data secure from hackers, they’re automatically compliant with data privacy regulations. However, this is not the case. Although the terms ‘data security’ and ‘data privacy’ are often used interchangeably, there are significant differences. The simplified version is as below.
Think of a situation where you’ve gone beyond your means to secure personally identifiable information (PII). The data is encrypted, access is restricted and multiple overlapping monitoring systems are in place. However, if that PII was collected without proper consent, you could be violating a data privacy regulation even though the data is secure.
What is the importance of data privacy?
There are two reasons for why data privacy is one of the most significant issues in the industry. Data is one of the most important assets that a company owns. With the rise of the data economy, companies find colossal value in collecting, sharing and using data. Many organizations such as Google, Facebook, and Amazon have built empires atop the data economy. Transparency in the way businesses request consent, abide by their privacy policies, and manage the data that they have collected is key to building trust and accountability with customers and partners who expect privacy. Many companies have learned the importance of privacy the hard way, through highly publicized breach of privacy. Privacy is the right of an individual to be free from uninvited surveillance. To safely exist in one’s space and freely express one’s opinions behind closed doors is critical to living in a democratic society. Privacy is the chief constituent of our freedom. One needs moments of reserve, reflection, intimacy, and solitude.
How do you protect privacy?
Firstly, you need to be aware of your sensitive data.
Protecting your sensitive data boils down to solving two main problems.
- Finding the sensitive data wherever it may be in the organisation : The first step in protecting sensitive data is to know everywhere that the database resides. The next step is to identify the various tables and columns that contains personal identifiable information (PII).
- Applying various sensitive data protection techniques : Having identified the above information, you will have to make it seem useless to prying eyes, yet keep it easily accessible to applications and users. You could choose to hide all of this data to be on the safer side. It would be better to apply various encryption codes, masking and redaction, which are built into the database itself to only relevant tables and columns.
What is the impact of data privacy on the digital world?
In this data driven economy, data is the new oil. Data happens to be the heart of businesses. Data is the driving force of innovation that guides digital transformation, fuelling core business activities and new business opportunities. Large organisations have huge amounts of data on users along with an understanding of new types of user profiles. So, in this data-driven world, where companies might have a large amount of data around you which it can use in a myriad of ways , it becomes of utmost importance that they use this power wisely. “With great power comes great responsibility.” Today, banks don’t just sell you their products, but want to thoroughly understand what drives you, your life events in which they can help you in the most relevant manner. It comes down to trust. If we don’t value our clients, then our clients will not find value in our services. If the users know perfectly well, how their information is used and have full consent to withdraw at any time, without sacrificing too much of the value provided to the company, they’re in good hands.
Data privacy in the finance sector
Banking is one of those sectors that are most at risk for privacy violations due to the sensitive and highly personal nature of information that is exchanged, recorded, and retained. Individuals must trust banks with personal identifying information (PII), their financial records, the access information to their accounts, and their credit history. Hence, privacy violations are not taken lightly and impact the individual whose privacy was violated at an enormous level. Violation of privacy can take place in the banking sector in many ways, including: sharing personal information with third parties without consent for marketing purposes, stolen or lost banking number or card, sharing personal information or allowing access to third parties without informed consent, inadequate notification to an individual concerning what will be done with their data, collecting more personal data than is necessary, refusal to provide financial records upon request by client, incorrectly recording personal information, and loss of a clients personal data due to improper security measures.
What are the current privacy standards of banks in India?
Both in banking customs as well as statutes, there is a standardized, recognized obligation of secrecy. The wording in the following section is reproduced identically in many banking related acts including: SBI Act, 1955 — Section 44, SBI (Acquisition and Transfer of Undertakings) 1980 — Section 13, Credit Information Companies Act 2005 -section 29, and The Public Financial Institutions Act, 1983 -section 3. The section is applicable to the respective Bank as a whole and its directors, local boards, auditors, advisers, officers or other employees of the State Bank, and creditors are required in addition to affirm an oath of secrecy. The Reserve Bank of India has periodically issued guidelines, regulations and circulars which require banks to maintain the confidentiality and privacy of customers. Thus, the Master Circular on Credit Card Operations of banks issued by the RBI in July 2010 contains an elaborate set of provisions on “Right to Privacy” and “Customer Confidentiality” under a section titled ‘Protection of Customer Rights’. The provisions inter alia, forbid the banks from making unsolicited calls, delivering unsolicited credit cards and from disclosing customer information to any third party without specific consent. Similarly, the Master Circular on Customer Service in banks issued in 2009 contains a detailed clause on Customer Confidentiality Obligations. The clause reaffirms the customary banking obligation of secrecy and extends it by forbidding the usage of customer information for “cross-selling purposes”. It imposes a restriction on data collection by requiring Banks to “ensure that information sought from the customer is relevant to the perceived risk, is not intrusive, and is in conformity with the guidelines issued in this regard”. Banks are governed by the Information Technology Act 2000 as amended in 2008. The latter amendments contain provisions that enjoin inter alia, banks to adopt reasonable security practices with respect to their databases. Customers of banks can, under the IT Act, obtain compensatory relief for losses arising out of data leakages as well as unauthorized disclosure of information by the banks for gain.
Is this enough?
A couple of questions are worth pondering about.
- Should financial information be separated into categories based on level of privacy risk?
- Should financial information be treated to a greater level of security?
- Should organizations who commit data breaches in the financial sector receive more severe sanctions?
- Should a privacy legislation create a standardized privacy policy for the financial sector?
- Should a privacy legislation require specific internal and external audits and monitoring of the financial sector? Surely, we have all thought about these. Is it rational? Is it feasible? What do you think?
