Mapping Privacy requirements onto the IT function

This is a pre-print version of a paper published in two parts in “Privacy Law & Policy Reporter”, 2003.

Abstract

Full and ongoing conformance with the provisions of Privacy legislation has greater impact on a business’s risk management and technology management processes than often they first realise. It is tempting to believe that because privacy issues are broadly business based, they are mainly the concern of the legal department or of audit. But current catch-cries along the line that ‘privacy is not a technology issue’ should not be interpreted to mean that privacy has no relevance for the IT function at all. There are multiple regulatory requirements of the privacy regime that directly impact most organisations’ Information Security Policies, IT management functions, product/service development processes, and internal audit.

This paper presents a detailed mapping of the 10 National Privacy Principles (NPPs) onto the sorts of management processes that in most organisations are controlled by the IT function. The mapping exposes the breadth and depth of impact that Privacy compliance has on the IT function. It thus clarifies how each individual business should fine tune its processes and mobilise its IT function to satisfy the NPPs. It is hoped that such mapping can be repeated and built upon, leading to a common framework for analysing threats and risks to privacy compliance across all organisations.