Virtually every enterprise IT project entails gathering data from users, and that data often falls under privacy and confidentially regulations such as HIPAA or the Gramm-Leach-Bliley Act. It takes a legal department to keep track of all these laws - literally.
However, the basic principles of user privacy are fairly constant, and some of them can even be described as boiling down to common sense.
Our partners at Info~Tech Research Group have developed a Project Privacy Checklist to help IT quickly evaluate the privacy implications of any project. The Word-based template is available for free to IT Business Edge members here in the IT Downloads library.
The first piece of advice offered by the template's instructions section is that before you dig too deeply into a project, you should definitely confer with the legal department about any specific regulations that might apply to the initiative. Again, this checklist is a roundup of general privacy and confidentiality concerns - don't take it as final legal review. It's a starting point.
The 15-point checklist is laid out in standard format, as you can see in the image below.
Among the more interesting points on the checklist are:
The type and format of information to be collected has been identified and documented. Be careful of simply adding a new field for personally identifiable information (PII) as a scope tweak after the project enters the build phase. All stakeholders in the project need to know exactly what data is being collected and why.
The entities that may make use of the information to be collected have been identified and documented. Who you share personally identifiable data with is as important as what data you collect.
Secure disposal mechanisms have been identified and documented. Storage and transmission tend to get all the attention when it comes to data security, but once your use of the data is complete, you need to ensure that it is completely eradicated.
If you are preparing to tackle a project that gathers personal information, be sure to check out the Guide to Protecting the Confidentiality of PII from the National Institutes of Standards and Technology. The 52-page report offers a nice balance to the quick overview of the privacy checklist - like all NIST publications, it is quite in-depth. The report takes a deep dive on issues like encryption, access control and field sensitivity. It's well worth the read.