The SITCAR Model: Privacy in Content

Your information: centrally stored, automated, searchable, and secured from prying eyes.

Taking control of Enterprise Data Privacy for Documents, Records and Emails

One of the most critical repositories of PII (Personally Identifiable Information) at your organization is your content servers, email servers, and line-of-business systems. Yet privacy professionals often overlook these systems in favor of data-specific systems such as a sales CRM, a marketing database, or a mobile app. That does not give the whole picture.

Those data-specific systems absolutely contain personal information, and lots of it: names, phone numbers, email addresses, locations, and more. That information is relevant under GDPR and CCPA and constitutes risk to your organization.

However, compared with your content repositories, that risk is small. In our experience, the highest-risk PII at most organizations resides in documents, email, and other forms of content. It resides in unstructured data.

Consider, for example, the documents your company stores in its HR document repository. That repository contains very private health information, employment status, background investigation results, income, Social Security numbers, HR issues, citizenship status, life insurance information, performance status, and more.

And your HR system is not unique in this respect.  Consider the private information stored in your contracts system.  Consider the Intellectual Property and other forms of private information passed between your employees and clients by email.

It’s essential to take a quality, not quantity, approach when developing a Privacy Strategy at your organization. In our experience, when it comes to sensitivity for most organizations, content reigns supreme.

SITCAR:
Secure, Identify, Tag, Control, Audit, Remove

When dealing with PII in content, the strategy required differs slightly from dealing with PII in structured data.

Feith Systems developed the SITCAR Model for privacy control and compliance projects. The model defines the six major steps and concerns when dealing with privacy in content systems, and clarifies how Feith Systems uses its software to help clients solve the privacy-in-content problem.

S: Secure
Security should always come first. The other steps in privacy control mean very little without adequate security. That means the controls we have come to know, like encryption in transit and at rest, and alerts that flag unusual downloading or viewing behavior.

It also means steps that not every organization has adopted, like ensuring that your content repository vendors undergo adequate code review and threat modeling and can demonstrate data integrity.

I: Identify
PII that you don't know you have, that you have not identified, constitutes a major risk. If you don't know you have it, you cannot control it. Taking inventory of your systems and the PII in them is key.

Data discovery technologies, like Feith's, can help you decide where to focus your energy, and can help you with data minimization and ROT (redundant, obsolete, trivial) reduction before you begin tagging that data.

Feith uses its Auto-Categorizer engine for this step. It identifies basic structured PII like phone numbers and SSNs, as well as more complicated unstructured PII, by classifying records by type (e.g. background investigations, income documents).

T: Tag
After you have identified the relevant content, the next step is to tag it. Tagging PII with metadata values lets you deal with it programmatically; without tags, every piece of PII would have to be handled manually. Those tags can include the sensitivity level of the information, the nationality of the data subject, or the category of information.

C: Control
Having tagged the content makes it possible to control and secure it. Feith builds roles with access to only certain tags, a kind of security keyword profile. For example, you may want to limit documents tagged EU Data Subject to employees in the EU; by building a profile with access to that keyword, you control that PII.

A: Audit
Auditing is made up of a few different parts:

  1. Provable data integrity and data accuracy
  2. Tracking employee access and actions
  3. The ability to respond to data requests
  4. The ability to document compliance
Feith can do this because the system audits every field, a requirement of the DoD 5015.02 standard.

R: Remove
Last but not least is the ability to remove PII. For Feith, this means handling data retention and records management. It also means being able to securely and automatically redact information, which makes it possible to keep up with data subject right-to-be-forgotten (erasure) requests.
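
To make the six steps concrete, here is an added example that walks one toy corpus through Identify, Tag, Control, Audit and Remove. It is not Feith's code and not how the Auto-Categorizer works; the document texts, the regular expressions, the keyword rules, the role profiles (eu_contracts_staff, us_hr_investigator) and the hash-chained audit log are all assumptions made for illustration. The Secure step (encryption, alerting) is environmental and is not modelled here.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed sample content: none of these people, numbers or addresses are real.
DOCUMENTS = {
    "hr/background-check-1042.txt": "Background investigation for J. Doe. SSN 123-45-6789. "
                                    "Result: cleared. Contact (215) 555-0142.",
    "contracts/msa-acme.txt": "Master services agreement with Acme GmbH, Berlin. "
                              "Contact: hans@example.de, +49 30 555 0199.",
    "marketing/newsletter.txt": "Join our webinar on Thursday. No registration required.",
}

# I: Identify. Structured PII by pattern; record type by a keyword rule (hypothetical,
# standing in for a real categorizer).
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(\d{3}\) \d{3}-\d{4}|\+\d{2} \d{2,3} \d{3} \d{4}"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[a-z]{2,}\b"),
}
RECORD_TYPES = {"background investigation": "background_investigation",
                "services agreement": "contract"}

def identify(text):
    """Return ({pii_type: [matches]}, record_type or None) for one document."""
    hits = {name: p.findall(text) for name, p in PII_PATTERNS.items() if p.search(text)}
    lowered = text.lower()
    record_type = next((rtype for kw, rtype in RECORD_TYPES.items() if kw in lowered), None)
    return hits, record_type

# T: Tag. Metadata derived from what Identify found; these tags drive every later step.
def tag(text):
    hits, record_type = identify(text)
    if not hits and record_type is None:
        return {"sensitivity": "public", "pii_types": []}
    high = "ssn" in hits or record_type == "background_investigation"
    # Toy rule for the data subject's region: a German dialling code marks an EU subject.
    region = "EU" if any(m.startswith("+49") for m in hits.get("phone", [])) else "US"
    return {"sensitivity": "high" if high else "moderate",
            "pii_types": sorted(hits),
            "category": record_type or "correspondence",
            "data_subject_region": region}

# C: Control. A role is a keyword profile: the tag values it may see. A document is visible only
# if every access-controlling tag on it is listed in the profile; an unlisted value is a denial.
CONTROLLED_TAGS = ("sensitivity", "category", "data_subject_region")
PROFILES = {
    "eu_contracts_staff": {"sensitivity": {"public", "moderate"},
                           "category": {"contract", "correspondence"},
                           "data_subject_region": {"EU", "US"}},
    "us_hr_investigator": {"sensitivity": {"public", "moderate", "high"},
                           "category": {"background_investigation", "correspondence"},
                           "data_subject_region": {"US"}},
}

def can_access(role, tags):
    profile = PROFILES[role]
    return all(tags[k] in profile.get(k, set()) for k in CONTROLLED_TAGS if k in tags)

# A: Audit. Every access decision is appended to a hash-chained log; altering or deleting an
# entry later breaks the chain, which is what makes the log provable rather than just present.
AUDIT_LOG = []

def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

def audit(event):
    prev = AUDIT_LOG[-1]["hash"] if AUDIT_LOG else "0" * 64
    entry = {"ts": datetime.now(timezone.utc).isoformat(), **event, "prev": prev}
    entry["hash"] = _digest(entry)
    AUDIT_LOG.append(entry)
    return entry

def verify_audit_log(log):
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or _digest(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True

def request_document(role, path):
    """Policy enforcement point: tag, decide, log, then release the content or nothing."""
    allowed = can_access(role, tag(DOCUMENTS[path]))
    audit({"actor": role, "action": "view", "doc": path, "allowed": allowed})
    return DOCUMENTS[path] if allowed else None

# R: Remove. Redaction replaces each identified value with a typed marker, so an erasure request
# can be honoured (and the redaction itself audited) without destroying the rest of the record.
def redact(text):
    for name, pattern in PII_PATTERNS.items():
        text = pattern.sub(f"[REDACTED:{name}]", text)
    return text

if __name__ == "__main__":
    for path, text in DOCUMENTS.items():
        print(path, tag(text))
    print(request_document("eu_contracts_staff", "hr/background-check-1042.txt"))
    print(redact(DOCUMENTS["hr/background-check-1042.txt"]))
    print("audit log intact:", verify_audit_log(AUDIT_LOG))
```

Two design points carry over to a real deployment. Access is decided purely from tags, and a tag value a profile does not list is a denial, so a new sensitivity or region introduced by the categorizer is invisible to everyone until a profile is deliberately updated. And each audit entry commits to the previous entry's hash, so verify_audit_log fails if an entry is edited or one is dropped from the middle; that chaining, with the log stored where the application cannot rewrite it, is what turns "we audit every field" into provable integrity.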


Much of the information you collect about your clients, partners, and employees constitutes PII. Not only do laws and regulations define how you must control and manage that information, but that PII also constitutes a legal risk: PII that is leaked in a breach or inappropriately retained can bring large fines or damage to your brand.

Feith’s SITCAR model can help you take control of PII in your content.  If you’re interested in learning more about how Feith Systems has helped organizations like yours deal with Privacy in their Content, reach out today.

Richard Long

Richard loves getting conversations started about the Big Ideas in Records Management and Information Governance. He helps run the Records Management University program, bringing great free content to information professionals. Got his start at Feith Systems in 2014 as Head of Training. He now runs the marketing group. Reach out to Richard with questions at rlong [at] feith.com

Social Media Records Management

Social Media Records Management

Federally-compliant Records Management for Social Media

Since the first presidential tweet in January 2010, sent by then-President Barack Obama, the medium has exploded as a way for government officials to make public announcements. Since his inauguration in 2017, President Trump has made social media not just a means, but perhaps the means, for his office's announcements.

This shift follows the broader trend: earlier this year, social media overtook print for the first time in global advertising revenue. Traditional radio announcements, TV ads and print media are still useful ways to reach the broader public, but many budgets simply cannot afford traditional media's high cost per impression, and its comparative effectiveness is increasingly up for debate.

Social media is now recognized as a powerful and inexpensive tool for engaging the public, making announcements, and educating, no matter the size of the agency or its budget. It is no wonder that every agency and office, up to the President's, has begun to leverage these tools for low-cost, high-impact outreach.

But be forewarned: many agencies forget that social media posts constitute official government records and need to be managed according to the letter of the law.

From the NARA Bulletin 'Guidance on Managing Social Media Records':
"The Federal Records Act (44 U.S.C. 3301) defines Federal records as any material that is recorded, made or received in the course of Federal business, regardless of its form or characteristics, and is worthy of preservation. Social media content that meets this definition must be managed according to the applicable laws and regulations."

NARA makes the point clearly, but it may understate the concrete importance of social media as a record.

As of March 2019, 73% of Americans surveyed by Pew Research Center report that they get some or all of their news from social media. Social media is clearly a strategically significant channel for agencies to reach the public, but if they use it for official business they must align with NARA's guidance.

Feith can help keep your social media presence compliant with federal records regulations and guidelines. Reach out today to learn more about our new social media archive solution, backed by our complete Government Records platform: more-info@feith.com

Mitch Farbstein

Mitch is our resident thought-leader on Information Lifecycle Management, he runs the perennially popular Records Management University series, and shares his expertise at conferences like ARMA, AIIM, and more. In his spare time, Mitch runs the Feith Systems Government Sales division, guiding and building our relationships with the US Government.

Are your Repositories ready for GDPR?

Are your Repositories ready for GDPR?

Protect Data With Feith’s GDPR-ready Platform

In May 2018, the EU's General Data Protection Regulation (GDPR) went into effect. Although it is EU law, it applies to organizations worldwide that process the personal data of people in the EU, so its reach is global.

Data controllers need to make sure they collect and manage an individual's data correctly, using technology that supports GDPR compliance. The system needs to provide complete lifecycle management over this information and allow easy access while also providing a high level of security.

Five Key Metrics for a GDPR-ready Platform

    1. Data accessibility: Organizations must be able to locate and access data across their entire enterprise.
    2. Advanced search and analysis: The system should provide full visibility across all data repositories, including email, file shares, SharePoint, social media, and more. It should search even the largest enterprise data environments using complex queries such as boolean, wildcard, proximity, and nested searches. Advanced search and analysis help organizations better understand their structured and unstructured data.
    3. Data retention: All data must be retained in accordance with the GDPR. Companies must also know whose information they are retaining and on what lawful basis; consent is one such basis, and where it is relied on the individual must actually have given it.
    4. Centralized management: The solution should aggregate data in a single repository accessible by your enterprise data controllers.
    5. Lifecycle control: The technology should support complete lifecycle management and defensible disposition.

Feith's GDPR-ready platform gives organizations an accessible, secure, and manageable system for capturing, storing and cleansing PII and other GDPR-relevant data. Feith records when a user accesses, views, edits, or acts on a document or data record, and gives executives and managers access to review those audit logs, making it easy to obtain information as needed. Through a secure website, users can even deliver audit information to external auditors.

From development through post-launch support, the Feith platform remains highly secure and keeps outside parties from gaining entry. Personal data protection is essential for GDPR compliance, and Feith makes it easy to identify PII across the enterprise, automatically categorize it, perform automatic redactions, and protect that data where it lives.

Feith also gives users full control over managing their data system. The system automates complex processes that improve the entire workflow from document creation to record declaration, through final disposition and removal. These management controls let companies track information about archived documents and view insights into their data with reporting dashboards.

Avoiding GDPR violations starts with taking proactive measures to secure your enterprise repositories; Feith can help. To learn more about Feith’s GDPR-ready platform, contact our team of experts today!

Shannon Heim

Helping others is what Shannon loves most, making her a great fit for outreach at Records Management University. She is in charge of credits and certificates as well as the RMU email account. When Shannon isn’t talking with students, she edits the on-demand classes to make them as high quality as possible.

The EU General Data Protection Regulations & Why it Matters

The EU General Data Protection Regulations & Why it Matters

Let’s talk big picture…
The way we use Personally Identifiable Information (PII) has vastly transformed the digital economy in recent years. Advances in technology that captures, stores, organizes, and analyzes PII have made way for some pretty remarkable means of increasing efficiency and generating greater revenue. And who's not a fan of that?

So how’s it changing?
Going into effect May 25th, 2018, the EU's new GDPR has serious implications for companies worldwide, so be sure to pay attention. The new regulation guarantees that the rights of any individual residing in the European Union will be enforced, even if their data is processed by companies outside the EU. Its focus is to strengthen user rights and to increase accountability for anyone storing or processing personal data.

If you're looking for evidence that they mean business, just look at the fines: up to 20 million euros or 4% of a company's annual worldwide turnover, whichever is greater. By the way, once the GDPR is in effect, that can also reach subsidiary companies and partners, even if a subsidiary was not directly involved in processing the data in question. The GDPR also makes it easier for individuals to bring private claims against organizations, including for breaches that result in non-material damage. You heard right: individuals can receive compensation for emotional as well as financial harm. Sound a little daunting?

Start planning now…
There are several techniques organizations can employ to remain in the good graces of the GDPR's supervisory authorities. The big ones are anonymization and obfuscation (the GDPR's own term for the latter is pseudonymization). Anonymization removes PII from a data set so that the data subject can no longer be identified at all; data that is truly anonymized falls outside the GDPR altogether.

Obfuscation ensures that existing data cannot be traced back to a specific individual without additional information. It is a means of processing information that isolates the identifying data and stores it separately, so that a person can be identified only by combining information from multiple locations. Unlike anonymized data, obfuscated data is still personal data under the GDPR, precisely because re-identification remains possible, so the separately stored identifiers and the means to link them need their own access controls.

Kind of a mouthful, huh?
Let's break it down some more. The whole point of these tighter sanctions is to protect users from being specifically identified on the basis of information gathered from their data. There's no denying the value of that information; in fact one of the pillars of the EU's Digital Single Market strategy is to “[maximize] the growth potential of the digital economy.” The new GDPR simply aims to ensure that individuals, and the organizations that store and process PII, are all on the same page and a level playing field.
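
As an added illustration (not Feith's code, and not part of the original post), the block below applies both techniques to a small constructed set of patient-style records. The pseudonymization scheme, an HMAC-SHA256 token under a secret key with the names and e-mail addresses kept in a separate lookup table, and the k-anonymity rule used for anonymization are choices made for this example; the names, dates, postcodes and diagnoses are invented.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records: no real people, addresses or diagnoses.
RECORDS = [
    {"name": "Anna Example", "email": "anna@example.org", "dob": "1985-03-12", "postcode": "10115", "diagnosis": "asthma"},
    {"name": "Ben Sample", "email": "ben@example.org", "dob": "1987-09-30", "postcode": "10117", "diagnosis": "asthma"},
    {"name": "Cara Test", "email": "cara@example.org", "dob": "1961-01-05", "postcode": "80331", "diagnosis": "diabetes"},
    {"name": "Dev Placeholder", "email": "dev@example.org", "dob": "1964-11-22", "postcode": "80333", "diagnosis": "diabetes"},
    {"name": "Eli Dummy", "email": "eli@example.org", "dob": "1999-07-04", "postcode": "20095", "diagnosis": "migraine"},
]
DIRECT_IDENTIFIERS = ("name", "email")   # fields that name a person outright;
# "dob" and "postcode" are quasi-identifiers: harmless alone, identifying in combination.

def pseudonymise(records, key):
    """Obfuscation as the post describes it: direct identifiers move to a separately held
    lookup table and the analytic rows keep only a token. The token is an HMAC of the e-mail
    under a secret key, so one person gets the same token across batches, but without the key
    nobody can recompute tokens and without the lookup table nobody can reverse them."""
    analytic, lookup = [], {}
    for rec in records:
        token = hmac.new(key, rec["email"].lower().encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        analytic.append({"subject": token,
                         **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return analytic, lookup

def reidentify(row, lookup):
    """Re-identification needs the row AND the lookup table; that separation is the control."""
    return {**lookup[row["subject"]], **{k: v for k, v in row.items() if k != "subject"}}

def anonymise(records, k=2):
    """Anonymisation: drop direct identifiers, generalise the quasi-identifiers, then suppress
    any combination of quasi-identifier values shared by fewer than k records (k-anonymity).
    Dropping names alone is not enough: a full birth date plus postcode singles people out."""
    rows = [{"birth_decade": rec["dob"][:3] + "0s",      # 1985-03-12 -> 1980s
             "area": rec["postcode"][:2] + "***",        # 10115 -> 10***
             "diagnosis": rec["diagnosis"]} for rec in records]
    counts = Counter((row["birth_decade"], row["area"]) for row in rows)
    return [row for row in rows if counts[(row["birth_decade"], row["area"])] >= k]

if __name__ == "__main__":
    key = secrets.token_bytes(32)   # in practice: held in a KMS or HSM, never beside the data
    analytic, lookup = pseudonymise(RECORDS, key)
    print(analytic[0])
    print(reidentify(analytic[0], lookup))
    print(anonymise(RECORDS))
```

Note what k-anonymity alone does not fix: both records in the (1980s, 10***) group carry the same diagnosis, so anyone who knows a person is in that group learns it anyway (a homogeneity attack; l-diversity is the usual follow-up). For the pseudonymised set, the key and the lookup table together are the re-identification capability and belong under separate access control, never in the same store as the analytic rows.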

The light at the end of the tunnel…
If you're in an industry dealing in PII (financial, medical, educational, or employment, to name a few), these new regulations make it more important than ever to have a strong Enterprise Content Management system with seamlessly integrated Records Management. Furthermore, keeping an open line of communication with your ECM provider about your changing needs will be invaluable in navigating the changing landscape of data protection regulations.

These regulations aren’t so scary if you truly have control over exactly how your data is organized, who can access it, and when it gets disposed of. And if you don’t already have these capabilities, then you’re not getting the most use out of your data anyway.

Just think of these new sanctions as a great excuse to improve efficiency within your organization by adding structure to your data.

After all, the tighter you run your ship, the smoother the sailing.

Mitch Farbstein