SEP 12, 2018 | US
BSA | The Software Alliance Releases Privacy Framework to Support Data Privacy Legislation
- Transparency: Organizations should provide clear and accessible explanations of their practices for handling personal data, including the categories of personal data they collect, the type of third parties with whom they share data, and the description of processes the organization maintains to review, request changes to, request a copy of, or delete personal data.
- Purpose Specification: Personal data should be relevant to the purposes for which it is collected and obtained by lawful means. Organizations should inform consumers of the purpose for which they are collecting personal data and use that data in a manner that is consistent with that explanation, the context of the transaction, or reasonable expectation of the consumer, or in a manner that is otherwise compatible with the original purpose for which the data was collected. Organizations should employ governance systems that seek to ensure that personal data is used and shared in a manner that is compatible with the stated purposes.
- Informed Choice: Organizations should provide consumers with sufficient information to make informed choices and, where practical and appropriate, the ability to opt out of the processing of personal data. BSA recognizes that certain data, such as financial account information or health condition, may be particularly sensitive. If the use of sensitive data implicates heightened privacy risks, organizations should enable consumers from whom they collect sensitive data to provide affirmative express consent. Certain existing US laws, such as COPPA, HIPAA, GLB, and the FCRA, also provide important protections for the processing of sensitive personal data covered by those laws and should therefore remain in place.
- Data Quality: Personal data should be relevant to the purpose for which it is used and, to the extent necessary for those purposes, should be accurate, complete, and current.
- Consumer Control: Consumers should be able to request information about whether organizations have personal data relating to them and the nature of such data. They should be able to request a copy of the data, challenge the accuracy of that data, and, as appropriate, have the data corrected or deleted. Organizations that determine the means and purposes of processing personal data should be primarily responsible for responding to these requests. Organizations may deny such requests where the burden or expense of doing so would be unreasonable or disproportionate to the risks to the consumer’s privacy; to comply with legal requirements; to ensure network security; to otherwise protect confidential commercial information; for research purposes; or to avoid violating the privacy, free speech, or other rights of other consumers.
- Security: Organizations should employ reasonable and appropriate security measures designed to prevent unauthorized access, destruction, use, modification, and disclosure of personal data based on the volume and sensitivity of the data, size and complexity of the business, and cost of available tools.
- Facilitating Data Use for Legitimate Business Interests: Privacy frameworks should facilitate the use of data for legitimate business purposes. Such purposes may include providing services to other business customers or consumers. Where the processing of data poses risks to the privacy of consumers, privacy frameworks should implement a risk-based approach that tailors protections to circumstances that are likely to lead to substantial harm.
- Accountability: Organizations should develop policies and procedures that provide the safeguards outlined in this framework, including designating persons to coordinate programs implementing these safeguards and providing employee training and management; regularly monitor and assess the implementation of those programs; and, where necessary, adjust practices to address issues as they arise.
- Legal Compliance and Enforcement: Organizations that determine the means and purposes of processing personal data should have primary responsibility for satisfying legal privacy and security obligations. Entities that process data on behalf of those organizations should be responsible for following their agreed upon instructions. Any uniform federal privacy law should harmonize requirements in state law. The Federal Trade Commission, which has a strong record of robust enforcement, should have the tools and resources necessary to carry out its mission effectively.
- International Interoperability: Privacy frameworks should enable and encourage global data flows, which underpin the global economy. Where differences exist among varying privacy regimes, governments should create tools to bridge those gaps in ways that both protect privacy and facilitate the free flow of data.