In-Charge, It

Database privacy and legal issues

Data privacy law regulates data management, and information systems manage data. Therefore, data privacy assurance must consider system assurance. An IT department should streamline its functions with the industry standards and privacy regulations in order to avoid any disruption. In order to achieve those objectives, the IT department should assess the risks, design a strategic plan to achieve privacy compliance, implement required policies and procedures, and monitor and audit the procedures to ensure privacy compliance.

Gavison, in his article "Privacy and the Limits of the Law", describes privacy in terms of controlling access to our physical person, and to our information. In one phrase, it is the "protection from being brought to the attention of others" struck us as particularly relevant to the census problem (1995). In his article "creating the Privacy Compliant Organization", Parker mentions that there are other forms of privacy to consider, includes: privacy of persons, privacy of personal behavior, privacy of personal communications, privacy of personal information, and privacy of territory (2001).

Risk Assessment

An IT department should identify and document the information systems that are subject to privacy requirements includes computer files, databases, archives, microfilm, personal records and copies wherever located. Moreover, it should perform a risk assessment and gap analysis of controls and procedures that are in place. The gap analysis will reveal the deficiencies between the current status and the legislative requirements and regulations under which the organization must operate. Additionally, the risk assessment must be applied to the likely risks that an organization may experience from a breach in privacy which include damage to the corporate reputation, damage to business credibility, financial loss, negative publicity, and fines and criminal records for employees. The result of this phase will be the basis for developing a strategic personal information privacy plan (Parker, 2001).

Design a Strategic Plan

Designing a privacy plan involves planning, and implementing a set of direction, methodology, and tools to address number of issues in order to achieve privacy compliant, which includes:

* Establishing the required infrastructure, including the required positions and appointing key privacy personnel.

* Establish the methodologies, which include team members, deliverables, activities, critical path, resources, skills, timelines and approaches to addressing the privacy gaps

* Introduce the privacy policies, standards, guidelines and procedures required to meet compliance requirements.

* Identify the changes required in the systems, procedures, forms, etc.

* Formulate the changes required to address the gaps, and

* Train the individuals to ensure that they fully understand the requirements of the legislation and the organization's objectives and deliverables to be created (Parker, 2001).

Implementing Policies and Procedures

At the end of the designing phase, the department should have clear ideas of the procedures and policies that should be in place, the personal should complete the training and are ready to implement the required procedures. At this stage, information systems should be developed or changed to address the privacy requirements. A schedule should specify the deadline for implementing the new or upgraded systems, procedures and policies (Parker, 2001).

As for the database, policies and procedures should ensure that data is protected from intruders, by ensuring that the following steps are in action:

* Ensure that audit logs can not be altered by individuals with data access privileges, to guarantee that all changes are logged;

* Prevent unauthorized viewing, altering or copying of configuration files; and

* Prevent IT personal form viewing data file content.

It is critical for the corporation to ensure that the entire database environment be sealed off from all unauthorized accesses.

...