Where I work, we really value skills development and knowledge expansion. In the course of a year, we are required to take several courses and earn certificates in various areas. And in my roughly eleven months working here, I've gathered some twenty of those.
A handful of those certificates are mostly for internal purposes; the courses covered how we conduct our business and how my role as a systems development associate fits into it. But all the others, they're applicable to other areas. They are still internal requirements but having gone through those courses means that workers like me understand the importance of conducting ourselves in compliance to the different laws of the different jurisdictions where our company does business.
Two of those laws that we need to have a clear understanding of are Europe's Genaral Data Protection Regulation (GDPR) and the United States' Health Insurance Protability and Accountability Act (HIPAA). The reason being that, people who have similar roles to mine need to work with personal, sensitive, and protected data.
We do have administrative and technological safeguards around to ensure that in doing our work, we do not violate those two laws. For example, workers like me have no access to any production databases where I can view real customer data. In our development environments, I might be able to see personal data like a birthday (because some calculations depend on the difference between the current date and that day) or a postal code (because some functions require a valid address). But I will never be able to correlate that sort of data with a specific individual.
My understanding of the GDPR is simple: no personal, sensitive, and protected data of an EU citizen, under any circumstances, must leave the EU. So, we go through a tedious process of depersonalising data; disassociating data points like the ones previously mentioned from their owners, removing any sensitive information that for some reason we need to have in production, and making mock versions of protected data like social security and tax identification numbers.
What I understand from the HIPAA is this: it applies primarily to medical professionals. When a doctor, for example, discusses a patient's medical condition where other parties can hear it (like in a hospital cafeteria or in a park); that can be HIPAA violation— even when the doctor is having that discussion with the patient himself. The exchange of a patient's information must only happen in private, where only the concerned medical professional and the patient can have access to that information.
Compared to the GDPR, HIPAA is a lesser concern when it comes to my role because for one, I don't need access to anybody's medical information (apart maybe, from a date of death, which factors into some time-based computations similar to a date of birth); two, if ever information like that were to come my way, it would still already be depersonalised; three, I am not a medical professional.
It's a bit tricky, that third part.
Even if I'm not a doctor or a nurse or an emergency responder, the organisation that I work for is expected to have a great degree of secrecy when handling records. As an individual, I may not be charged with a HIPAA violation in the event that such information were to be leaked through me out of negligence but there will still be consequences— whether they come from internal sanctions or cases based on other laws and regulations.
Of course, all of this gets thrown out the window if individuals themselves throw their own private, sensitive, and protected information out in public. If one were an EU citizen whose sexual orientation and religious affiliation has to remain safe within the borders of the EU; then he or she should not be going to Asia or Africa and spray painting walls with their names and announcing to the world that they're Catholic and straight— if that is information that they want kept secret.
It's an outrageous and absurd example, surely. But there are simpler ways where individuals can violate their own privacy: when they openly discuss their circumstances on various social media platforms, write about it and publish, or simply engage other people in conversation.
This is my place. This is my story.
I wasn't told anything in strict confidence— nothing that, if it isn't already common knowledge, it had already been discussed with an audience that is wider than this blog's readership. And while there are names mentioned in this story, nobody will make any association between those names and the people who own them—
unless they already know who they are.