Wednesday, October 6, 2010

Don’t Need It, Don’t Want It

I understand that enterprise, both private and public, has obligations with respect to the handling of personal information, including special standards for health care information.

But if a party advises that it does not need, nor does it want, access to such information in order to engage in business with the enterprise, then is it not incumbent upon the enterprise to ensure that it does not give it to them?

Most entities have standard confidentiality and security practices (commercially available firewalls, virus protection, etc.) that are suitable for their industry as a whole. It is not a viable business model to have to continually change these standards (different levels of encryption, special screening programs, etc.) to comply with the differing requirements of each client, unless of course the client is willing to pay all associated initial and ongoing costs for these measures.

I cannot see how an enterprise would be fulfilling its responsibilities with regard to the proper handling of personal information if all it does is insist that the other party agree to comply with the enterprise's often amorphous standards of care for handling personal information, standards that the enterprise also reserves the right to change from time to time at its discretion.

I have been pleasantly surprised when an enterprise has understood this. It agrees that it is not going to provide the personal information, but if it inadvertently does, the other party's obligation is to advise when it becomes aware of having received such information and to return and/or destroy it as soon as possible. This is a reasonable solution that both parties can live with.