Data Accountability - Controllers, Processors, and Encryption
Accountability questions cover where/how/how long data is stored, sensitivity, encryption, cross-border transfer, and who sets the rules. A controller determines purposes and means; a processor processes on the controller's behalf - mirrored by HIPAA's business associate and GLBA's service provider.
Privacy professionals address accountability through a set of due-diligence questions, including where/how/how long data is stored, how sensitive it is, whether to encrypt it, whether it will cross borders, who sets the rules, how it is processed, and whether its use depends on other systems.
- Limited retention reduces breach risk: data that has already been deleted cannot be breached; some laws require deletion after a set period or once the purpose for which the data was collected has ended
- The data owner assigns sensitivity/classification (confidential, proprietary, sensitive, restricted, public)
- Under many breach-notification laws, no notice is required if the lost PI was sufficiently encrypted; the near-universal use of HTTPS reflects how widespread encryption in transit has become
On who sets the rules, U.S. professionals increasingly use GDPR terms: a controller determines the purposes and means of processing, and a processor processes data on the controller's behalf. U.S. analogues for the processor role include the HIPAA business associate and the GLBA service provider. A company that stores data on the controller's behalf (a processor) typically must sign a contract committing it to uphold the controller's privacy guarantees.
Under many breach-notification laws, no notice is required if the lost PI was sufficiently encrypted or otherwise effectively protected. This exemption has driven wider use of encryption both for stored data and for data in transit.