Comment: Privacy Legislation Drives Information Governance in Emerging Markets
Tomorrow – Friday 15 March – sees Janders Dean hosting its first Legal Knowledge & Innovation Conference – Africa at the Radisson Blu Gautrain Hotel, Sandton, Johannesburg in South Africa. To coincide with this event we have an excellent article on privacy legislation in South Africa from Symantec eDiscovery counsel Allison Walton…
Privacy and Data Protection are claiming their seats at the Information Governance table and will continue to do so in 2013 and beyond. Privacy and data protection concerns have resulted in new privacy legislation all around the world; supporting the reality that globalization will be the main driver to bridge the gaps between eDiscovery, Privacy and Security through Information Governance technology.
South Africa is an example of a country that has recently proposed comprehensive privacy legislation. The Protection of Personal Information Bill (POPI) has proposed quite extensive requirements and is the country’s first attempt to regulate personal information.
The aim of the bill is to promote confidence in South Africa as a safe place to conduct business in the knowledge that electronically stored information will be protected. The tension between achieving compliance with the eights principles outlined in POPI, and the reality of the implementation of the policies, processes and technologies is proving a real concern.
Many that have read POPI don’t understand the requirements in relation to the technology that will enable compliance. Many organizations in South Africa are still using backups as their primary storage vehicle, resulting in an inability to comply with POPI’s mandate. Backup is for disaster recovery, whereas an archive enables the intelligent management of data. Data needs to be: classified, protected and expired.
At this juncture, POPI does not specify what technologies an organization will need to achieve compliance. Therefore, compliance is left to the organization’s information governance committee, technology partners, and trusted consultants. At a minimum, organizations will need an archive (either on premise or in the cloud), classification technologies, and data loss prevention. For multi-national companies and serial litigants, in-house eDiscovery capabilities are recommended.
Many emerging market countries with new privacy legislation lack a body of case law related to eDiscovery. While in the U.S. eDiscovery has been in effect for more than ten years, yet there is little holistic privacy legislation. Privacy legislation in emerging markets is resulting in the same push to implement policies and technologies that eDiscovery drove in the West.
For example, in the U.S. privacy laws are largely sectoral. The privacy framework in the U.S. has been built ad hoc in reaction to data breach. HIPPA and COPPA are two key data privacy acts in the U.S. HIPPA protects private health information and COPPA protects sensitive information about children. These laws were enacted because private information breaches resulted in a societal uproar that was many times accompanied by litigation.
In contrast, the European Union Directive on Data Protection of 1995 (which requires that each EU member nation enact privacy and data protection laws that meet the Directive’s guidelines) remains the comprehensive body of law regulating privacy and data protection. It applies to all industries and organizations on a blanket and geographic basis.
Privacy in Africa and Asia has emerged as a primary concern for organizations. Countries on these continents have been recently passed or are imminently passing privacy laws. This is also evidenced by the formation of commissions to adjudicate privacy breaches, as well as the criminal and monetary fines that may be imposed under law.
While the globalization of the economy is changing this archetype due to increased cross-border litigation, there are still major differences in privacy, data protection and discovery laws across the globe. This means that for less litigious countries, privacy and data protection are emerging as drivers for information governance. The only way to effectively tackle these information governance challenges is to break down silos and to establish a committee to make decisions about how to invest in a process and technology. This includes decision makers from: IT, Legal, Security, Compliance, Privacy, and any other crucial stakeholders.
• Information Governance Subsumes Data Privacy and Protection as a Category
There is now a seat at the table for the Privacy Officer or in South Africa’s case, the Information Protection Officer. This executive is invested in how information is managed, concerning all of the following: classification, storage, transfer, deletion, and discovery. These considerations must be integrated into any document retention policy or technology decisions. This officer will be accountable for the inquiries regarding the treatment of the private information of data subjects, and they must be equipped to retrieve this information in a timely and complete manner.
• Economic globalization is driving the need for a greater understanding of jurisdictional variances in data privacy and protection laws
A recent study found that out of 114 global lawyers participating in cross-border investigations/litigation, 54% said that data privacy was the biggest challenge they face. Statutory frameworks such as the Foreign Corrupt Practices Act (FCPA) and the UK Anti-Bribery Law now mandate enterprise-wide policies and controls for global companies, which must also take privacy into account.
• Data Breaches Are Increasing, Necessitating Data Loss Prevention Implementation
Data breaches and cyber-attacks are increasing, giving rise to litigation and other regulatory actions. In 2011, 232 million identities were stolen; hacking accounted for 187 million of those thefts and 18 millions identities were exposed through lost or stolen devices. As mentioned, there is a strong correlation trending between privacy/data breach and litigation, especially in countries where a privacy breach is also a cause of action in a civil lawsuit.
In conclusion, information governance platforms are being extended for use in connection with data protection and privacy. The good news is that one set of technological tools exists to address all of the concerns under the information governance umbrella. We are in an age where automated technology is the only way to protect, manage and discovery electronically stored information. Regardless of the country, laws, or specific drivers (privacy, litigation, etc.), we are now at a place where one set of tools can be the basis to enable compliance with all these concerns.
 Information privacy, or data privacy is the relationship between collection and dissemination of data, technology, the public expectation of privacy, and the legal and political issues surrounding them.
 Retain, secure and analyze data to deliver a common view across business, legal and IT and Privacy and enable organizations to balance information control and freedom.
 eDiscovery refers to discovery in litigation, which deals with the collection, culling, search, review and exchange of information in electronic format (often called ESI).
 Stronger data protection proposals were submitted in 2012 to make these laws more uniform and exacting across the EU member states.
 Taiwan, Singapore and the Philippines have all enacted privacy legislation in the past year. South Africa’s POPI legislation is scheduled to pass in 2013.
 The Information Retention and eDiscovery Survey by Symantec 2013.
 Internet Security Threat Report 2012.