Personal data is any information relating to an identified or identifiable person (ie data subject). The term “identifiable” refers to those who can be identified directly or indirectly, in particular by reference to a specific identifier.
A data subject is you (i.e. the natural person to whom the personal data refers). A data subject is any individual who can be identified, directly or indirectly, via an identifier such as a name, an ID number or location data, or via factors specific to the person's physical, physiological, genetic, mental, economic, cultural or social identity.
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law in the United States that is designed to provide privacy standards to protect patients’ medical records and other health information provided to surgeons, health plans, hospitals, business associates and other health care providers.
Under HIPAA, Protected Health Information (PHI) is health information in any form, including physical records, electronic records or spoken information about an individual’s health status, provision of health care or payment for health care that is created or collected by a covered entity that can be linked to a specific individual. There are 18 HIPAA identifiers that make health information PHI.
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. The GDPR regulates how companies protect EU citizens’ personal data.
Special categories of personal data under the GDPR include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person’s sex life or sexual orientation.
Data concerning health means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
Processing means any action performed on personal data or on sets of personal data, whether or not by automated means. Examples of processing include collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure and destruction. Basically, anything you can imagine ever wanting to do with personal data is considered processing.
Processing of personal data is lawful with the informed consent of the individual, or when it is necessary for purposes such as the performance of a contract, compliance with European law, protecting someone’s life, performing a task in the public interest or in the exercise of official functions, or furthering legitimate interests.
Anonymization means rendering personal data anonymous in such a manner that the data subject is no longer identifiable. This requires that all identifiers which a controller or another person could reasonably use to identify an individual be removed. Information which is truly anonymous is not covered by the GDPR.
Pseudonymization means the processing of personal data in such a manner that it can no longer be linked to a specific data subject without the use of additional information. The additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person. Information which has had identifiers removed or replaced in order to pseudonymize the data is still personal data under the GDPR.
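As an added example (not part of the original glossary), the following Python sketch contrasts the two definitions above: pseudonymization replaces direct identifiers with keyed tokens and keeps the key and lookup table separately, so the record can still be re-linked to the data subject and therefore remains personal data, while anonymization discards identifiers and coarsens the remaining quasi-identifier with no mapping retained. The record, key and field names are constructed.

```python
"""Pseudonymization vs anonymization of a constructed health record.

Pseudonymization: direct identifiers become HMAC tokens; the key and the
token -> identifier map are the 'additional information' that must be held
separately under technical and organizational measures.
Anonymization: identifiers are dropped and the quasi-identifier is coarsened;
no mapping is kept, so there is no re-identification path.
"""
import hashlib
import hmac

# Constructed sample record; every value is fictional.
RECORD = {"name": "Alice Example", "email": "alice@example.org",
          "birth_date": "1984-06-02", "diagnosis": "asthma"}
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymize(record, key, lookup):
    """Replace direct identifiers with keyed tokens; populate the separate lookup.

    Tokens are deterministic for a given key, so the same data subject gets the
    same token across records (needed for longitudinal analysis).
    """
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        token = hmac.new(key, record[field].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = record[field]  # stored apart from the pseudonymized data
        out[field] = token
    return out


def reidentify(pseudo_record, lookup):
    """Re-link tokens to identifiers; only works with the separately held lookup."""
    return {field: lookup.get(value, value) for field, value in pseudo_record.items()}


def anonymize(record):
    """Drop direct identifiers and coarsen birth_date to a decade; keep no map."""
    year = int(record["birth_date"][:4])
    return {"birth_decade": f"{year // 10 * 10}s", "diagnosis": record["diagnosis"]}


if __name__ == "__main__":
    secret = b"constructed-secret-key"  # would live in a separate key store
    lookup = {}
    pseudo = pseudonymize(RECORD, secret, lookup)
    print("pseudonymized:", pseudo)
    print("re-identified with lookup:", reidentify(pseudo, lookup))
    print("without lookup:", reidentify(pseudo, {}))
    print("anonymized:", anonymize(RECORD))
```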
Profiling is any form of automated processing of personal data that evaluates personal aspects, in particular to analyse or predict aspects concerning your personal preferences or interests, reliability or behavior, location or movements.
Consent is the clear, affirmative act establishing a freely given, specific, informed, and unambiguous indication that a data subject agrees to the processing of their personal data.
If processing of personal data requires consent, it must be obtained separately. Providing a privacy notice does not replace obtaining consent.
A data controller refers to the entity that, alone or jointly with others, determines the purposes and means of processing personal data. Controllers exercise control over the purposes and means of the processing of personal data. Controllers must comply with and demonstrate compliance with all the data protection principles as well as the other GDPR requirements. They are also responsible for the compliance of their processor(s). If two or more controllers jointly determine the purposes and means of the processing of the same personal data, they are joint controllers. However, they are not joint controllers if they are processing the same data for different purposes.
Data processors are entities which process personal data on behalf of the data controller. If there is not a designated purpose for processing the data and you only act on a customer’s instructions, you are likely to be a processor, even if you make technical decisions about how you process the data. When processing on behalf of a controller, the controller must use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of GDPR, including the security of processing and the protection of the rights of the data subject.
Data processors can engage another processor, known as a “sub-processor,” to carry out specific processing activities on behalf of the controller. In such instances, the same data protection obligations set out in the contract between the controller and the processor shall be imposed on the sub-processor (ie appropriate technical and organizational measures).
When a sub-processor fails to fulfill its data protection obligations, the initial processor remains fully liable to the controller for the performance of those obligations. The engagement of a sub-processor requires the prior specific or general written authorization of the controller. In the case of general written authorization, the processor shall inform the controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the controller the opportunity to object to such changes.
Anyone who is not a data subject, a controller, or a processor is called a third party. Examples of third parties include a cleaning service company hired to clean a company’s offices or an equipment maintenance company. Even though they may occasionally come across personal data when moving around the office or working on equipment, they can carry out their task without accessing data. Additionally, third parties are contractually prohibited from accessing or otherwise processing personal data that a company keeps as a controller.
A data recipient is any other entity to whom we may disclose personal data, regardless of whether they are a third party.
A Data Processing Agreement (DPA) is a legally binding contract that dictates the rights and obligations of each party concerning the protection of personal data.
To implement effective and applicable measures ensuring safe international data transfers, the European Data Protection Board (EDPB) adopted recommendations on safeguarding international data transfers on June 18, 2021. Those recommendations are based on the "Schrems II" ruling of the Court of Justice of the European Union, which established an obligation for controllers transferring Personal Data to non-EU countries to take additional measures to secure the data transfer.
The Standard Contractual Clauses (SCC) contain contractual obligations between the data exporter and the data importer and rights for the individuals whose personal data is transferred.
The European approach to data processing includes the key concept of "Know Your Transfer," which relates to the country where Personal Data will be transferred to for processing. Based on the "Schrems II" ruling of the Court of Justice of the European Union, a controller transferring personal data to a non-EU country is obliged to take additional measures to secure the data transfer.
The term “third countries” is not defined in the GDPR but comes from the EU’s primary treaties to refer to countries that are not a party to those treaties. It is a common term in EU law and is normally taken to refer to any country that is not part of an organization that is to be held under that law. Because the GDPR applies as law to the EU and EEA, “third countries” refers to those countries that are not Member States of the EU or EEA.
The "adequacy decision" of the European Commission confirms that another country, territory, or sector outside of the EU provides a level of protection for personal data equivalent to that of the EU. An updated list of countries with adequacy decisions can be found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.
A Business Associate Agreement (BAA) is a written agreement that specifies each party’s responsibilities when it comes to the handling of PHI. The satisfactory assurances must be in writing between a covered entity and a business associate. All BAAs must be reviewed and signed by Privacy.
Privacy by Design requires that privacy and data protection are embedded throughout the entire lifecycle of a project, from the early design stage through deployment, use and disposal. The main functions of Privacy by Design include being proactive, implementing privacy controls and demonstrating respect for data subjects’ protection. The idea is that the Privacy Team is notified in the beginning stages of a project idea so that privacy controls may be considered from the outset.
Under HIPAA, a breach of PHI is the acquisition, access, use or disclosure of unsecured PHI, in a manner not permitted by HIPAA, which poses a significant risk of financial, reputational or other harm to an individual. The HIPAA Breach Notification Rule requires covered entities and business associates to notify affected individuals, HHS and in some cases the media of a breach of unsecured PHI.
Under the GDPR, a data breach of personal data means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.