125
6
Data Privacy, Security, and Compliance
through Data Governance
Charlyn A. Hilliman
INTRODUCTION
is chapter will provide a framework for developing data privacy, secu-
rity, and compliance through a systematic data governance structure.
An eective data governance initiative within an organization should be
focused on issues related to data management. ere are several aspects of
data management, for example, designing, warehousing, and ensuring the
quality of the data. is chapter will provide a foundation for protecting
data and complying with the federal regulations that govern data usage
CONTENTS
Introduction ....................................................................................................125
People Management: Identifying Appropriate Stakeholders to
Manage Privacy and Compliance .................................................................129
Process Management: Dening Data Governance through
Implementing Policy Standards and Appropriate Strategies to
Achieve Privacy, Security, and Compliance ................................................136
Technology Management: Using Technology Frameworks and
Initiatives to Ensure Appropriate Access across Systems ..........................139
Risk Management: Dening and Managing Risks Using
Data-Related Controls to Ensure Security and Compliance ....................142
Enforcement: Enforcing Regulatory and Contractual Compliance ........145
Conclusions ..................................................................................................... 147
References ........................................................................................................ 147
Further Readings ............................................................................................147
126 • Charlyn A. Hilliman
and accountability. ere are risks related to warehousing data; therefore,
this aspect of data usage is heavily regulated and must comply with indus-
try standards. e data governance committee must develop strategies for
regulatory compliance and adherence to determined policies.
For the purposes of this chapter, we will focus on privacy as it relates to
the most basic yet comprehensive denitions of privacy. According to the
Merriam-Webster Dictionary (2012), “privacy is the freedom from unau-
thorized intrusion or the state of being apart/secluded.” e basic right
of privacy is the right or freedom to which all human beings are enti-
tled to be free from government interference. Individuals have the right
of basic liberties and freedom of thought or expression and equality of
the law. Although the right to privacy is not mentioned directly in the
Constitution, the Supreme Court has used constitutional amendments
to infer that individuals have the right to privacy and that it should be
protected by law. In order to present the most comprehensive denition,
privacy will be separated into three aspects of privacy: personal behavioral
privacy, personal communications privacy, and personal data privacy.
Privacy Aspect One, the personal behavior privacy, relates directly to
an individual’s expectation of the privacy of sensitive matters. In general,
when addressing privacy of computer systems, developers focus on the
technical limitations or infrastructure related to privacy and oen over-
look the personal connections to privacy. Privacy must be inherent in sys-
tems, through the use of technology, because of the personal expectations
that people ascribe to the protection of their private information. When
customers share their most intimate details with an organization, they
expect it to be regarded as such. Moreover, the organization’s responsibili-
ties should be linked more to the needs and expectation of its customers
than simple regulatory compliance. Individuals have the right to choose
what should be shared with others. Individuals do not expect that their
personal information will be shared with the media or other individuals
not related to the provision of services. Alan F. Westin describes infor-
mation privacy as the “the claim of individuals, groups, or institutions
to determine for themselves when, how, and to what extent information
about them is communicated to others” (Lederer et al., 2004, p. 441). For
example, when applying for a loan, a customer expects that his or her
annual salary will remain condential.
In Privacy Aspect Two, the personal communications privacy, individu-
als expect that their personal information will be free from interception
and accidental disclosure to nonrelevant personnel. According to the
Get Data Governance now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
