Privacy Awareness Month: Who has access to your personal data?

February is Privacy Awareness Month. I know what you are thinking: October was cybersecurity month, isn't Privacy Awareness Month the same thing? 

Although cybersecurity and privacy overlap and are interconnected, privacy principles are somewhat different. In the simplest terms, cybersecurity is about protecting unauthorized access to electronically stored data. Privacy is also about protecting data, but it is mostly concerned about protecting information that identifies individuals. Privacy comprises the appropriate protection, use and dissemination of information about individuals.

The purpose of Privacy Awareness Month, therefore, is to take a moment to inventory the ways we willingly provide data about ourselves to others and the ways we manage information others provide to us. 

As you probably know, social media and phone applications are key ways we share information about ourselves to others. Without reading, we gladly check the “Terms & Conditions” box so an algorithm can tell us which Game of Thrones character we are. We allow Pokémon to follow our every move so that we can catch enough Magikarp to evolve to a Gyarados. We even send our DNA to firms like 23andMe for testing and analysis to receive information on our ancestry or to know whether we carry genetic traits like cystic fibrosis or male pattern baldness. These applications give us something, but they collect quite a bit of information from us and use that information for various things.

For more information about what you are actually agreeing to check out the movie “Terms and Conditions May Apply” available on Netflix.

We trust random companies we know little about with our personal information, yet, when someone wants to mine data from medical files for studies, it is at that juncture that privacy becomes a concern for us.

What is the difference between 23andMe's genetic database and medical records' genetic database? They have the same information, right? The difference comes down to informed consent and the freedom to decide how our information is utilized.

At UC Agriculture and Natural Resources, we collect quite a bit of information about people. We require new employees to submit their Social Security number, their birth date, their family's information, their medical information and so on. The communities we serve provide personal information to us as well. Think about how well you protect and in what ways you use their information. For example, is your laptop's hard-drive encrypted to protect its contents if it is lost or stolen? Have you ever emailed a social security number through an unencrypted email system or fax system?  Do you still keep sensitive personal information after its usefulness has passed? Do you delete, shred or redact private personal information about others? 

University policy follows the law, and employees who are responsible for the maintenance of personal and confidential records must take precautions to assure we follow the proper administrative, technical and physical safeguards to protect information containing personal or confidential information in our possession.

During Privacy Awareness Month, think about the personally identifiable information (PII) that you collect and for whose safekeeping you are responsible. ANR's current approach to the management of privacy and information security risk is decentralized and relies on individuals in various units throughout the division to ensure compliance with numerous UC policies, as well as state and federal regulations.

ANR is subject to an enormous number of privacy laws and privacy principles. Luckily, we have resources that can help you navigate the privacy and information landscape. For instance, we have a Privacy and Information Security Board , an ANR Privacy Statement and a Records Retention schedule. 

In addition, to these resources, ANR has its own Privacy Official and Information Practices Coordinator.  The Privacy Official is the administrative resource for implementing privacy best practices at ANR.  The Information Practices Coordinator is the subject matter expert regarding the collection, maintenance, use, and dissemination of information about individuals.

For more information about privacy, cybersecurity and information practices, please visit the resources listed above or contact the individuals listed below:

Privacy and Information Practices Resources

Principal Analyst Robin Sanchez, J.D.
Phone: (530) 750-1235
Email: rgsanchez@ucanr.edu

Director Catherine Montano
Phone: (510) 987-0103
Email: catherine.montano@ucop.edu

Cybersecurity Resource

Tolgay Kizilelma, Ph.D.
Phone: (530) 750-1233
Email: tkizilelma@ucanr.edu

 

Read more