The Data Privacy Matrix
Why the Data Privacy Matrix?
In recent years there has been a big shift for users to use cloud services to store and process their data. However several fundamental questions linking to data ownership and privacy are constantly asked:
- Where is my data being stored?
- How is my data being used?
- Is my data still my data?
- Who has access to my data?
There is a need for clarification around the data privacy legislation from the various jurisdictions where and how data may be stored or process. To do that, we need to visit the legislation governing data privacy, and explore their current gaps and the possibility of aligning them towards a common matrix, much like a ‘rosetta stone’ for prominent data privacy laws around the world.
What is the Data Privacy Matrix ?
The Data Privacy Matrix is an easy-to-follow matrix for users and vendors to use as a guide for basic data privacy laws which protect themselves and their data. Cloud services are often spread over multiple jurisdictions or different countries. There is a need to know if a certain aspect of data privacy means the same thing across the regions around the world. The Data Privacy Matrix helps to align data privacy laws throughout APAC, the EU and the U.S. It does this by having a set of seven predefined domains which include a control specification.
- Legislative Framework
- Privacy Body
- Pre Collection Process
- Data Processing
- Data Storage
- Interception of Data
The first domain is ‘Legislative Framework’ which includes six ‘control specifications’. Next to each control specification it lists the name of the documents relevant to that specification. The document name in the first domain gives the user the full name of the document and a link they can click which will take them to that document.
The Data Privacy Matrix directs a user to a specific section, article, schedule or part in the applicable legislation, this reduces the user hunting through government or other websites to find the relevant legislation they need and then directs them to the specific part of that legislation where they can see what the law states. The Data Privacy Matrix allows a user to see if there are any similar laws to do with that control within some of the countries located in the APAC, EU or U.S.
It can be seen from the events and technological progress over the last decade that the world is moving closer to a complete digital era, where everything will be done online. The data privacy matrix will help with providing information to users as this evolution happens, meaning users can reference the data privacy matrix and always be aware of where their data will be safe and secure and their privacy adequately protected.
Use of the Data Privacy Matrix
If we look at the 'Pre-collection process' domain, specifically at PCP-04. It directs the user to many different documents that relate to whether consent is required from the individual involved in the collection. In New Zealand there are three documents identified. The Privacy Act 1993 - which is the legislation, section 6 which in the Act is titled ‘Information privacy principles’ and then to principle 3. A user can follow this, to quickly and painlessly find and identify any relevant information relating to consent. It also directs the user to two other documents. The Asia-Pacific Economic Cooperation (APEC) privacy guidelines and the OECD guidelines for privacy. Although these are not pieces of legislation, because New Zealand is an APEC and OECD member country, these guidelines should be enforced in legislation. This may give extra information to a user if they wish to do further research.
The example also shows the names of Australia, China and the United Kingdom which helps the user to see immediately that there is some law around consent in these countries.
Example Use Case
The following use case is a hypothetical example to show an instance where the Data Privacy Matrix would be useful.
A recent start up company, `Data Storage Solutions Group' (DSSG), has a business which offers cheaper and more reliable data storage than their Australian competitors. They are a local data centre within their residing country of Australia. Within a few months, DSSG have thousands of new clients in Australia using their data centres to store different forms of data. Word has spread to the US about the reliable service DSSG offers. With all the excess traffic from the US, DSSG has decided to open a new data centre in Silicon Valley. DSSG spent a considerable amount of time prior to setting up the company to ensure they met the Australian privacy principles. With uncertainty and a lack of the law in the US, they turn to the Data Privacy Matrix to give them guidance. By using the Data Privacy Matrix, they are able to save money and man-hours by quickly comparing and aligning the laws in Australia, with the laws in the US, and avoiding any serious repercussions on their business. Luckily, thanks to the Data Privacy Matrix, DSSG can successfully open their new data centre and maintain their high standard of data privacy protection for storage.