This course will expose you to the data analytics practices executed in the business world. We will explore such key areas as the analytical process, how data is created, stored, accessed, and how the organization works with data and creates the environment in which analytics can flourish. What you learn in this course will give you a strong foundation in all the areas that support analytics and will help you to better position yourself for success within your organization. You’ll develop skills and a perspective that will make you more productive faster and allow you to become a valuable asset to your organization. This course also provides a basis for going deeper into advanced investigative and computational methods, which you have an opportunity to explore in future courses of the Data Analytics for Business specialization.
4. Data Privacy
Loading...
Do curso por University of Colorado Boulder
Introduction to Data Analytics for Business
341 classificações
University of Colorado Boulder
341 classificações
Curso 1 de 5 em Specialization Advanced Business Analytics
Na lição
Real World Analytical Organizations
In this module we focus on the people and organizations that work with data and actually execute analytics. We’ll discuss who does what and see how organizational structures can influence efficiency and effectiveness. We’ll also look at the supporting rules & processes that help an analytical organization run smoothly, like Data Governance, Data Privacy, and Data Quality.
Conheça os instrutores
David TorgersonInstructor
Information is at the core of just about everything we do in the world of data
analytics.
And an awful lot of the data we use is in some way, shape or
form related to real people.
Increasingly concerns are being raised in the public about the amount of information
that is stored and accessible by both private organizations and governments.
This includes the risk of identity theft and other adverse consequences for
consumers and citizen.
Should data that they considered private somehow be made public or use for
purposes that are unsanctioned by individuals in question.
In our rules as data analyst, when the most critical questions we have to ask is
how can we or how should we use data.
In this video we're going to take a broad look at the idea of the data privacy
by introducing four levels of standards,
the guide how we use data that might be considered sensitive.
However, we're not going to go into a lot of detail for a couple of reasons.
First, the set of laws and regulations that govern data privacy is extensive and
very complex and those regulations differ depending on where you are.
Secondly, the data privacy landscape is changing very rapidly and
what's true today might not be true tomorrow.
Nonetheless, what we will do is give you a sense for some common definitions and
the types of regulations that are out there.
Our discussion will be slanted towards the data privacy environment in
the United States but the same basic ideas will apply more globally.
Let's outline these four levels of standards.
The top level is legal standards which was established by law,
order, or rule to compel treatment of certain classes of data.
Legal standards must be followed by any organizations subject to them.
There's not a lot of choice in the matter and
consequences can be severe if legal standards are not followed.
The second level is ethical standard.
These standards are established by industry or
professional organizations which see to achieve some level of non-legally
binding treatment of information.
There can be consequences for violating these standards but
they are usually imposed outside of the courts.
The third level of standards are policy standards,
which are internal standards established by an organization to guide its own
treatment of data, usually through something like a privacy policy.
The company decides how to enforce these standards.
The last level of standards is simply what we might call good judgment.
Even if some action is not prohibited by legal, ethical, or policy standards.
We should always ask ourselves, is this really a good idea and
what might the consequences of using data in certain way be?
We're going to go into each of these areas in a bit more detail but
we'll spend the most time discussing a few types of data and
the legal standards attached to them.
Let's start with something called Personally Identifiable Information
or PII.
Like most terms associated with data privacy, PII has a long definition.
As defined by the US National Institutes of Standard or NIST, PII includes
any information about an individual maintained by an agency including.
One, any information that can be used to distinguish or
trace an individual's identity such as name, social security number,
date and place of birth, mother/maiden name or biometric records.
And two, any other information that is linked or linkable to an individual,
such as medical, educational, financial, and employment information.
Here are some examples of what is considered PII.
All or part of someone's name, including maiden name.
Any identification number,
address information, personal physical characteristics including images.
And any number of things that may be linked to one or
more of these definitive identifiers.
The linked data part of the PII definition is particularly interesting,
as it includes just about anything that I could conceivably link to an individual.
In the area of Internet connectivity and big data
the ability to link information across desperate domains has never been greater.
In fact, both the National Institution of Standards and the US Office of Management
and Budget, OMB have recognized how easy it might be to identifying individuals.
Let's read part of their findings.
A common misconception is that PII only includes data that can be used to directly
identify or
contact an individual or personal data that is especially sensitive.
The OMB and NIST definition of PII is broader.
The definition is also dynamic and can depend on context.
Data elements that may not an identifying individual directly for example, age,
height, birth date, may nonetheless constitute PIl if those data
elements can be combined with or without additional data to identify an individual.
In other words, if the data are linked or
can be linked to the specific individual it is potentially PII.
Moreover, what can be personally linked to an individual
may depend on what technology is available to do so.
As technology advances, computer programs may scan the Internet with wider scope
to create a mosaic of information that maybe used to
link information to an individual in ways that were not previously possible.
This is often referred to as the mosaic effect.
The implications of this mosaic effect are significant.
Let's put a really fine point on this with a little math.
Let's assume that we can find some number of characteristics on which people differ.
To keep it simple, let's say that each characteristic can only have two values
like male or female, homeowner or renter, married or not married, etc.
It turns out that the number of different types of people I can have with
n attributes of two values each is two to the n.
So how many people is that?
Let's say that we can assemble 29 attributes.
With 29 attributes, we can describe up to just over 500 million types of people,
which is significantly more than the US population of about 320 million.
What if have just a few more attributes, say 33?
With 33 attributes, we could describe eight and a half billion types of people
which is more than the world wide population of about 7.4 billion people.
Shall we keep going?
Let's do one more.
With 37 attributes we could describe over 137 billion types of people which
is more than the estimated 108 billion people that have ever lived on the Earth.
The point is this, it takes a surprisingly small number of data points to uniquely
identify a very large number of people.
Of course those data points need to be the right ones but you can see
how this mosaic effect can have a very real implication on data privacy.
What's really interesting about PII is that while there are quite a few
legal standards they tend to be narrowly associated with specific government
agencies or specific use cases especially in the United States.
International standards are a bit more stringent but there's surprisingly little
over arching legislation that restricts how personal information can be used.
Here's a short list of some of the regulations that do cover PII in some way.
We won't go through them, but you can use this as a reference point should you need
to understand PII standards more deeply.
The second type of information we'll discuss is consumer financial information,
or CFI.
CFI is defined in the US by the Gramm-Leach-Bliley Act,
also known as the Financial Services Modernization Act of 1999, as follows.
CFI is any information that is not publicly available.
And that a consumer provides to a financial institution to obtain
a financial product or service from the institution.
Results from a transaction between the consumer and
the institution involving a financial product or service.
Or that a financial institution otherwise obtains about a customer in connection
with providing a financial product or service.
This definition is further incorporated into a variety of Federal Trade Commission
and Securities and
Exchange Commission guidelines, as well as into the Fair Credit Reporting Act.
Regulations around CFI are a little more concrete than those around PII.
Here are some general information of CFI legislation.
First, it generally applied to financial institutions and
those who collect nonpublic personal information from customers, consumers or
financial institutions.
They include a number of specific provisions and how account numbers and
other specific pieces of information must be treated.
However, most of the rules are around disclosure
versus prescription of what's allowed or not allowed.
This means that they don't so much restrict what we can do with information,
but rather outline what we need to tell customers about that information and
what options customers must have to restrict use of their information.
And important detail here is that these regulations default when opt-out posture.
Meaning that if customers don't want information using certain ways,
they must actively opt-out from those users.
So that's customer financial Information.
Let's move on to another type of customer information called
customer proprietary network information or CPNI.
CPNI is collected by telecommunications companies about a customers
telephone calls.
It includes the time, date, duration and destination number of each call.
The type of network a customer subscribes to and
any other information that appears on the customer's telephone bill.
Importantly, this definition does not explicitly include non-telephone
activity like web browsing.
Although they were varying legal opinions on wether this type of
information is covered under CPNI regulations.
CPNI regulations are generally governed by the US Telecommunications Act of 1996 and
the 2007 Federal Communications Commission or FCC CPNI Order.
There are also broader statutes like the Electronic Communications Privacy Act of
1986 and the Communications Assistance for
Law Enforcement Act of 1994 or CALEA which speak to the conditions
under which the government can access to this and other types of electronic data.
Here's some key provisions of CPNI legislation.
First, it limits the information which carriers may provide the third-party
marketing firms without first securing the affirmative consent of their customers.
It also defines when and
how customers service representatives may share call details.
It establishes notification and reporting obligations for carriers as well as
identity verification procedures including a specific requirement.
The verification processes must include a match
between information provided by a person and what is shown in a company's systems.
There are a couple of interesting details to these rules.
For one thing, they do allow a company to freely share information with
any other communications company which is a pretty broad set of players.
Secondly, like CFI rules, CPNI regulations take an opt-out posture by default.
The last type of information we'll talk about is Protected Health Information or
PHI.
PHI is considered one of the most sensitive types of information and
consequently it's among those tightly controlled and regulated.
In the US, PHI is defined under the Health Insurance Portability and
Accountability Act of 1996 or HIPAA.
The definition is three parts and reflects the detail involved.
One, PHI is created or received by a health care provider, health plan,
employer, or health care clearinghouse.
Two, it relates to the past, present or
future physical or mental health or condition of an individual,
the provision of health care to an individual or the past, present or
future payment for the provision of health care to an individual.
And which either identifies the individual or
with respect to which there is a reasonable basis to believe
the information can be used to identify the individual.
And three, is maintained in electronic media,
or transmitted or maintained in any other form or medium.
The provisions of HIPAA around PHI are pretty complex and
we won't get into the details here.
However, there are broadly covered under our privacy rule
which speaks to the safeguards that must be taken to protect PHI in any form.
And a security role which provides additional measures that must be taken
when information is stored electronically.
The rules applied to health care providers, health plans and
health care clearinghouses.
And they include a lot of specific provisions around how certain types of
data need to be treated including the stripping out of identifiable information
in other precaution.
There are a couple of important exclusions to HIPAA regulations.
First, they exclude education records covered by
the Family Educational Rights and Privacy Act.
They also exclude employment records held by a covered entity in its role
as employer.
Okay, that's a lot of information so let's recap before we move on.
So far we have defined personally identifiable information PII,
customer financial information, CFI, customer proprietary network information,
CPNI and protected heath information PHI.
We've also covered the major legal standards that apply to
each type of information including major legislation and provision.
Now let's talk about some of those other types of standards that influence how we
use data, starting with ethical standards.
Most academic, scientific, legal, and medical fields have pretty well
established standards making bodies that hold members accountable for
a broad set of ethical behaviors, some of which include the use of data.
For example, in the US these might include State Bar Association,
the American Medical Association, or other field specific organizations.
For these more formal bodies, the consequences of violating ethical
standards are usually sanctions or being kicked out of the organization.
This can sometimes be pretty severe.
For example, a lawyer being disbarred usually ends or severely limits his or
her career.
In the business world it turns out that some of the more relevant ethics and
standards bodies operate in the area of marketing,
which makes sense as we're generally interacting with customers through some
sort of market activity or interface.
These include the direct marketing association
which provides broad guidelines on how to interact with customers.
The digital advertising alliance which adds guidance on first party
data collection.
And the network advertising initiative which addresses third-party
data collection and the practice of sharing data through data exchanges.
However, the ability for
these types of organizations to enforce their standards is much weaker.
Companies typically comply out of choice, not out of necessity.
But it's generally good practice to comply with these guidelines anyway.
In addition to both the legal and ethical guidelines established by governments and
other external entities, companies almost always establish their
own internal policies regarding data privacy.
It's common practice to make these policies available to customers and
even proactively ensure that customers read and acknowledge them.
Each company can have different permissions governing its privacy policy
but generally speaking these policies outline what data is captured and
shared and usually outline opt out or opt in procedure.
As a data analyst, it's really up to you
to ensure that you're aware of both the legal and ethical standards that apply,
as well as your organization's policies around use of data.
However, there's one final standard that always applies
regardless of what other rules exist.
That standard is good judgment.
Think about what it is you're about to do.
Even if it's legal, even if it's ethical and
even if it falls within corporate policy it still might not be a good idea.
As a general rule if it doesn't feel right chances are it's not a good idea.
If you think your customers would be upset if they knew what you were doing
It may not be a good idea.
Here are few things to think as you develop your own sixth sense for
what's good and what';s not.
The first is the creepiness factor.
We often use data and analytics to provide the best most customized
offers that we can do our customers but
there is a fine line between what's relevant and what's creepy.
Especially if the customer sees things based on information they
don't know you have.
Put yourself in the customers used and ask yourself how you perceive an action.
Secondly, it's generally a good idea to stay out of the news especially for
the wrong reasons.
Ask yourself what the consequences would be if your methods were made public and
everyone could see what you're doing.
Would there be a backlash?
A third thing to think about is what the unintended consequences of your
actions might be.
You're obviously trying to get customers to do one thing but
what if they did something else entirely, how bad would that be?
Even if you were purely focused on the economics of a decision without regard
to anything else and I'm definitely not advocating that approach.
One might argue that you should end up with a good decision almost all the time
if you properly asses the risk.
Most folks who get themselves in the trouble fail to
accurately asses the huge downsides associated with bad behavior.
Assume the worst and you're much more likely to stay on the high road.
So in summary, where data privacy is concerned,
you have four levels of standards that can guide your behavior.
Legal standards, ethical standards, policy standards, and above all, good judgement.
Heed them wisely, and you'll have a longer and more successful career.
Explore nosso catálogo
Registre-se gratuitamente e obtenha recomendações, atualizações e ofertas personalizadas.
O Coursera proporciona acesso universal à melhor educação do mundo fazendo parcerias com as melhores universidades e organizações para oferecer cursos on-line.
© 2018 Coursera Inc. Todos os direitos reservados.
