ANY ORGANIZATION CAN TAKE THE FOLLOWING ACTIONS TO PROTECT DATA PRIVACY POST-DOBBS


The US Supreme Court's decision in Dobbs v. Jackson Women's Health Organization raises important data privacy issues. One of the first concerns voiced by women, reproductive healthcare professionals, employers, and a number of data aggregators was that sensitive personal information could be used to identify and prosecute people who violate abortion laws. Organizations can, however, act now to ensure that data privacy laws and principles are followed as fully as possible and to reduce the risk of having to release such sensitive material in the post-Dobbs environment.

The rhetoric and early actions of certain legislatures make it difficult to predict whether state abortion restrictions will actually be aggressively enforced, but prudent businesses will prepare for the prospect of information requests, subpoenas, and warrants involving sensitive personal data. Every business should be aware of the risk that such requests pose to individual data subjects and, more generally, to their right to data privacy. Given the many developments in this area, now is a good time for companies to review their data policies in order to safeguard personal information and achieve a higher level of data security.

UPDATE YOUR INFORMATION GOVERNANCE PROGRAM NOW

The operational and compliance functions of many firms overlook the significance of information governance. Information governance (IG) programs are designed to manage, safeguard, and maximize the use of the information that businesses keep for legal, regulatory, and commercial purposes. A successful IG program manages the lifecycle of an organization's information and establishes standards for information creation, use, storage, security, privacy, retention, and disposal.

Federal and state laws, industry standards, best practices, business requirements, and organizational culture typically provide the framework for deciding how information is retained and disposed of. Personally identifiable information (PII) is information that can be used to uniquely identify a person. US states have only recently begun enacting specific data privacy laws that apply to PII collected by organizations under their jurisdiction; these laws generally limit its use and minimize its retention. Although federal data privacy legislation is in the works, its future is uncertain for the time being.

Furthermore, only a small number of legal and regulatory retention requirements apply to the majority of US firms. Because there are few explicit rules or regulations that mandate information retention, most organizations have wide discretion in deciding what information to keep and for how long.

Many companies keep substantially more data, and for longer periods, than is necessary to meet their business, legal, and regulatory obligations. Inexpensive storage, big data, and the proliferation of devices and apps that encourage ever more data creation, consumption, and storage have all contributed to this tendency. Even if passivity was the prevailing approach to IG before Dobbs, the overturning of Roe v. Wade and the possibility of vigorous enforcement of state abortion laws are a strong reason to strengthen your organization's IG program right away.

A good IG program is well managed and well documented during regular business operations. At a minimum, the program documentation should include a record retention policy and schedule that describes the organization's business records and specifies how long each is kept.

In states with data privacy legislation, a data privacy policy is a required addition. It is also becoming increasingly important for all companies to have a data privacy policy that establishes a procedure and rationale for data minimization. Other policies to consider include an acceptable use policy, a BYOD (bring your own device) mobile device policy, a social media policy, and a legal hold policy.

Someone inside the organization must own the program and take responsibility for educating and training staff and for providing the resources and instructions everyone in the organization needs in order to comply.

NEXT: DATA MINIMIZATION

After updating their documentation, organizations should focus on implementation and compliance. Implementing record retention requires a strategy for creating an authoritative repository for official business records, scheduling the routine destruction of non-records, and enforcing the periodic destruction of expired records. One of the hardest parts of implementation is applying retention to user-controlled data such as email and messaging.

The three most important actions a company can take to improve data privacy are: (1) limiting the PII it collects; (2) knowing where the PII goes once it is collected; and (3) aggressively reducing it. Organizations should aim to restrict the kinds and quantity of PII they gather and put procedures in place that shorten the time this data is kept on file.

Data minimization is required by the forthcoming California Privacy Rights Act (CPRA),[1] which is expected to influence state privacy regulation across the country. Among other things, the CPRA provides:

A business shall not retain a consumer's personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose. CPRA § 1798.100(a)(3).

A business's collection, use, retention, and sharing of a consumer's personal information must be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed. CPRA § 1798.100(c).

Under Section 1798.81.5(e) of the CPRA,[2] a business that collects a consumer's personal information must implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect it from unauthorized or illegal access, destruction, use, modification, or disclosure.

Practically speaking, tracking where an organization's PII is stored is one of the most important steps in implementing data minimization. Tracking is required in order to identify the PII the organization collects, protect it appropriately, limit its retention, and lawfully delete it once it has served its purpose. Where PII must be kept, consider anonymizing it, for instance by retaining only the demographic data that may be needed for reporting or other business purposes.

Tracking and deleting data also matter when evaluating and responding to information requests from law enforcement, or from individuals exercising the private rights of action created by some state-level abortion bans. After all, the recipient of an information request, subpoena, or warrant cannot produce information it no longer holds. To comply with data privacy rules, and absent a retention requirement imposed by law, regulation, or business necessity, an organization's PII should be kept to a minimum and routinely destroyed.

In the months and years following the Dobbs ruling, state laws and regulations governing abortion will likely become clearer, and enforcement efforts will likely focus more on personal data. The prevalence of personal data should prompt every company to examine its current safeguards and take immediate action to ensure that the data is protected. IG policies give you the tools to properly and lawfully reduce, track, and delete personal data in the regular course of business.

CHECKLIST FOR INFORMATION GOVERNANCE

Program Support Materials

  • Record Retention Schedule
  • Data and Record Retention Policy
  • Acceptable Use Policy
  • Privacy Policy
  • BYOD Policy
  • Social Media Policy
  • Legal Hold Guidelines and Notices

Data Minimization: Key Steps

  • Minimize PII collection
  • Track existing PII and sequester it where you can
  • Reduce the retention of PII
  • Anonymize PII where feasible
  • In the regular course of business, promptly destroy any PII that has become inactive

REPRODUCTIVE RIGHTS: IMPACT OF DOBBS

Our Reproductive Rights Task Force is closely monitoring and assessing the effects of state laws governing abortion access in order to advise clients effectively on how to respond. Visit our consolidated site for an overview of our observations and assessments of Dobbs and its effect on state laws across the US.
