Know the Code: Privacy Rights and Wrongs
By the Office of Ethics and Compliance
When most people think of privacy, they think of the right to be left alone. When it comes to personal information, privacy means much more.
Privacy of personal information means providing the right information to the right individual at the right time…no more and no less than is needed.
In general, data pertaining to an individual should be accessible by the individual. Therefore, individuals should be able to view, update for accuracy, and in some cases request the deletion or removal of their information.
When handling personal information, remember the golden rule: personal information should be handled in a manner as though it were yours. Best practices include collecting and storing the minimum information that is necessary for the stated purposes.
When collecting personal information, it is a best practice to provide notice to the individual of the type of information that is being collected, how information is being used, how it will be safeguarded, with whom it will be shared and for what purposes. It is critical that business operations comply with the promise stated in the notice, otherwise undisclosed practices could be construed as unpermitted or deceptive.
When using personal information, ensure that the use is permitted in accordance with laws and regulations and with departmental and group policies and procedures. Another rule of thumb to consider is whether a reasonable person would expect their information to be used in that manner, especially if stated in a privacy notice.
When storing or transmitting personal information, ensure you comply with County, group, and departmental policies for data at rest and in transit. Do not store personal information on unprotected mobile devices.
o Encrypt sensitive information before it is transmitted.
o When forwarding emails, consider whether information in the thread might be excessive or not needed for the current purpose of the email message.
If you offer to share personal information outside of your department, ensure that some form of a data use/sharing agreement is in place. When sharing information, verify the identity of the recipient, and verify that the recipient is authorized to receive the information. Best practices include sharing the minimum information that is necessary for the stated purposes. If the individual is verified to be the subject of the data, in most cases they are authorized to receive all the data they request.
Destroy personal information securely and in accordance with record retention policies.
Ensure you adhere to departmental and group policies and procedures for healthcare, financial, sensitive, personal and County Confidential information.
Check out the OEC webpage on InSite for information about upcoming Ethics & Compliance Program events, training and resources including monthly “Know the Code” articles and micro-training videos.
For questions about ethics and compliance training or how to access the training and other resources, please contact the OEC team at oec@sdcounty.ca.gov, 619-531-5174. HHSA staff may also contact the HHSA Compliance and Privacy team at compliance.hhsa@sdcounty.ca.gov, 619-338-2807.