I. Technical Field
The present invention generally relates to determining and facilitating compliance with privacy requirements of an information resource. More particularly, the present invention relates to determining and ensuring compliance with privacy requirements for an information resource by considering security requirements, sensitivity concerns, and applicable statutory, regulatory, and/or policy requirements for management of personal information maintained within an information resource.
II. Background Information
In today's economy, sensitive personal information is constantly being collected, transmitted, and stored by public and private sector organizations. Electronic transactions routinely transmit personal data, such as name, address, and account numbers over public networks for use and storage in organizations' databases. More detailed data related to the electronic transactions may also be collected, such as what a person purchases or how much time was spent at a website. Many conventional retailers, such as grocery stores and drug stores, use loyalty/discount cards that record a customer's brand preferences and specific purchases, including prescriptions, etc. Identification cards with embedded electronic transponders that ease lines at security gates, tollbooths, or public transportation may be used to track when and where a person travels. Local and national government agencies, health care entities, and educational institutions are legally required to securely collect and manage a broad range of highly sensitive personal information.
With the ever-increasing use of databases, data mining, electronic commerce, e-government, and the Internet, privacy concerns have become paramount. Unwanted marketing, inappropriate surveillance, and identity theft are potential results of mishandled personal data. Therefore, public and private sector organizations must vigilantly protect such data from misuse. Numerous laws and regulations, including the Privacy Act of 1974 and the Children's Online Privacy Protection Act, have been enacted to specify detailed requirements for how, when, and by whom specific types of personal data may be collected, stored, and used. Privacy policies have become commonplace on websites and companies, and are required at government websites. Privacy officers now work at the highest levels of organizations to promulgate and implement privacy protections.
One such institution is the United States Postal Service (USPS), an independent government agency required to provide mail delivery and other services to every person and organization in the US. The USPS is widely recognized as a safe and reliable means for sending and receiving all types of personal and business mail. With the advent and steady growth of electronic mail and electronic commerce, the physical mail stream will increasingly be utilized for securely sending and receiving essential correspondence, as well as packages and other items. The USPS collects, processes, transports and delivers billions of items each year. The agency also provides a number of related electronic services through its website, usps.com, which features 25 thousand web pages and receives over 1 million visits per month. To serve its millions of customers, the USPS is authorized and required to collect a vast amount of information, including home addresses, credit card numbers, change of address data, etc. Even more information is handled but scrupulously not collected or stored, such as the magazines a person orders or where a person's mail comes from. It is fundamental to its role as a trusted public servant that the USPS protect the information entrusted to it, and manage that information in diligent compliance with all applicable privacy statutes and regulations.
For agencies such as the USPS, governmental entities, and private companies alike, determining privacy requirements and implementing privacy policies remains a significant challenge. Furthermore, various privacy laws and regulations separately apply to individual types of organizations, with some laws covering only federal agencies (e.g., Privacy Act) and other laws controlling only private firms in a particular industry (e.g., Gramm-Leach Bliley Act in the financial service industry). Effective systems for managing large amounts of sensitive information while ensuring compliance with the applicable requirements are an operational necessity. As a government-controlled corporation, the USPS is required to comply with a combination of public and private sector privacy laws and regulations. As a corporation with over $60 billion in annual sales, more than 700,000 employees, and over 250,000,000 customers, the USPS also needs to implement corporate privacy policies in many circumstances. Accordingly, it is desirable to provide methods and systems for determining applicable privacy requirements and facilitating their implementation.