Obtaining Constituent Consent Is Critical
Notice and consent are two of the key principles of both GDPR and CCPA. They’re also two of the Generally Accepted Privacy Principles (GAPP), which privacy professionals around the world endorse. State agencies should ensure that they collect, process and maintain personal information in a manner consistent with the GAPP.
Notice means agencies should clearly disclose to constituents the types of personal information they collect and maintain. Consent means they should obtain opt-in approval from those constituents before collecting or using personal information. These principles also dictate that information collected for one purpose should not be used for another purpose without obtaining additional consent from the information subject.
It’s important to note that the GAPP framework was designed with the private sector in mind. There are clearly cases where the government must collect information about people regardless of their consent; tax reporting information is a perfect example. However, in those cases the principle of notice should still be observed, unless disclosing the existence of a collection effort would run contrary to government interests, as in the case of a confidential law enforcement investigation.
Encrypt Data in Motion and at Rest
Technology controls are not a cure-all for privacy concerns, but technological solutions do play an important role in the privacy professional’s toolkit. After all, ensuring the security of personal information is another of the GAPP criteria. Agencies that maintain stores of personal information about their constituents have a duty to protect that information from unauthorized disclosure.