Author: Catherine Cote
Publisher: Harvard Business School Online
Publication Date: 2021
Summary: The following article discusses how there is both a legal and ethical obligation when it comes to personally identifiable information (PII). Data privacy is composed of the data collected, the way it is stored, and who has access to it. It is not the same as data security, although the two intertwine to make up data protection. One strategy is to de-identify data by removing name, address, phone number, email, SSN, etc. from the data set. The remaining variables of interest can be analyzed without risking subject privacy. Care should be taken to ensure the data is truly de-identified as re-identification is much easier than it may appear to be. PII should only be available ton a need-to-know basis, so internal security is crucial. There are laws, such as the General Data Protection Regulation (GDPR), that combine guidelines with repercussions. The GDPR addresses lawfulness, fairness, and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability. More laws exist, such as the California Consumer Privacy Act and Health Insurance Portability and Accountability Act. There are real people behind data points, which makes these precautions well worth it. Doing so enables data professionals to maintain client/customer trust and use data for good.
