Presumptions Contained in the Privacy Law

Presumptions Contained in the Privacy Law

Overall, people’s life is based on secrecy. Owing to such truth, those who are civilized are often anxious that their personal privacy should be respected. Such argument leads to the introduction of the concept of privacy. According to Sharma, the concept of privacy was formulated by Alan F. Westin; it refers to individual, institutions, or groups’ claims to determine “for themselves when, how, and to what extent information about themselves is communicated to others” (1994, p. 1). This implies that a person can refuse to allow his/her personal data from being shared with groups, researchers, or agencies. Although the concept of privacy emerged in the last century, it is used to describe the State’s duty to allow people act on free will without getting into their affairs and/or privacy. On the other hand, presumption refers to a rule of law that permits the courts to assume that a fact is true until such a time that there is sufficient evidence that outweighs or disapproves such presumption (Jacobsen, 2012). Different states have formulated different privacy law presumptions such as personally identifiable information (PII) is confidential and that unauthorized disclosure of PII harms the consumer among other presumptions to ensure that people have the right to control what, how, where, and who shares their personal data. Although some of the privacy law presumptions have not impacted many States’ privacy laws, others have given agencies, individuals, and groups more insight regarding the type of data that is considered to be personally identifiable and the levels of protection required for particular PII.

Personally Identifying Data is Confidential

Some States privacy laws presume that personally identifying information is confidential. For instance, the California privacy law cites that sensitive and confidential information is confidential thus it should be shared externally only when it is consistent with law, education, business necessity, adequate protection, and internally only on a need-to-know basis (Christen, 2012). Moreover, the protections should include written confidential agreement if necessary. This implies that if such data is shared internally (within an organization), the recipient should be informed of the sensitive nature or confidentiality of the information and the need to safeguard the information. However, this presumption does not address the doubt that might arise about the prudence or appropriateness of disclosing PII. Consequently, people might end up disclosing confidential data without taking appropriate measures to safeguard the use of such data thereby leading to identity theft among other issues (Minow and Lipinski, 2003). To avoid such issues, individuals, agencies, and/or groups handling personally identifying data should use systems such as automated or Gaylord-type circulation that does not identify the person with disclosed data.

Criminals seek personally identifiable data to plan robbery and murder among other crimes or steal the victim’s identity (Jacobs, 2011; Hewitt & Simone, 2000). Therefore, the presumption that personally identifying data is confidential cautions agencies, groups, and individuals that, unauthorized disclosure of such information is against the privacy law because it might be used to facilitate attacks and threats. Owing to the provisions of this presumption, States such as Minnesota, Florida, and Alaska protect the data regardless of its personification. However, majority of other States protect certain type of records if they contain personally identifying data (Minow & Lipinski, 2003). Nevertheless, from the privacy law’s point of view regarding disclosure of personally identifying data, protecting only personally identifying data compromises the underlying data and type of record presumption thereby prohibiting disclosure of any record or other data that might identify a person.

In addition, the presumption that PII is confidential establishes a PII data type to assist in tracking the use of such data (PII) and help individuals, agencies, and groups to comply with the privacy law requirements to identify all PII, regularly review their holdings for PII, and conduct privacy assessment for all their systems containing data in identifiable form regarding public members (Gantz & Philpott, 2013; Goldmann, 2013). This presumption’s provisions are based on Special Publication 800-122, where the National Institute of Standards and Technology (NIST)  provides guidance to agencies to identify PII, assign confidentiality impact levels on PII, and implement appropriate safeguards to protect PII (Rothman, Greenland & Lash, 2008). NIST recommends agencies to consider PII as a separate factor whenever assigning confidentiality impact levels where determining the extent of confidentiality needs to be protected, the agencies should supplement the provisional impact level in Special Publication 800-60 or in agencies’ specific data type definitions.

The approach of establishing first the context in which the agencies will use the data and then assessing the sensitivity of the data in that particular context yield confidentiality impact levels for specific PII instances rather than for all PII within agencies (Gantz & Philpott, 2013; Meinert, 2012). Ideally, determining confidentiality impact levels for PII within each data type acknowledges the fact that, different PII have different need for protection. This helps agencies to avoid implementing privacy laws for PII beyond the levels which are commensurate with risks to agencies incase PII is modified or disclosed without the consent or even become unavailable.

Moreover, the presumption can be interpreted to imply that harm to the owner of the data will be presumed whenever his/her personally identifying data has been disclosed without his/her consent. As such, Minow and Lipinski (2003) emphasize that states’ privacy laws should only allow the release of PII with the consent of the PII’s owner. In fact, all states’ privacy laws should require approval to be in writing. Minow and Lipinski (2003) found out that while some states’ privacy laws complies with consent provisions, other states’ privacy laws overlook the issue of consent. For instance, while Mississippi requires that the written approval be express, Michigan leaves the consent’s particulars to the agency. This implies that the form and the procedure of giving written consent might be determined by the agency rather than the PII’s owner.

On the other hand, New Jersey, New Hampshire, and Wisconsin allow for consent to be provided by the owner of information, but does not require the consent to be in writing. Owing to the presumption that PII is confidential, consent cannot be regarded as one of the privacy laws’ explicit exception (Leino, 2000; Smith & Sulanowski, 2002). As such, states should not allow the release of data even to family members or with the approval of the agency, but with approval of the information legal owner. This will prevent harming the owner of the data by disclosing his/her information without his/her approval.

Unauthorized Disclosure of Personally Identifiable Data Harms the Consumer

This presumption emphasizes the need to inform the legal owner of the data being disclosed to the public or to other people. For instance, Harman (2001) recommends agencies to ensure quality and privacy of personal data on any record. That is, the agency should inform consumers regarding what data is collected, by who, and how such information will be used. The information collection notice should further be conspicuously provided in language that every person can understand (Harman, 2001; Derenzo & Moss, 2006). Informing the consumer gives him/her meaningful opportunity to make choices regarding what information is collected and how such information will be used. In other words, the presumption that disclosing PII without informing the owner in prior might harm him/her emphasizes the need to give the legal owner of the data the right to opt out or into specific uses and disclosure of his/her personal data.

Nonetheless, some States do not offer actual punishment or remedy for violation of privacy law. Regardless of such fact, the presumption that unauthorized disclosure of PII harms the consumer provides that any individual, agency, or group can face the law for invading into another person’s privacy (Nass, Levit, & Gostin, 2009; Smith & Sulanowski, 2002). As such, states which do not prohibit unauthorized disclosure of personally identifying data, the best defense that individuals, agencies, and groups can have in protecting their privacy is to have well-developed and implemented privacy policies. This measure will deter against indented and unintended disclosure of PII by unconcerned or inattentive staffs.

Privacy Law Enforcement Exception

Some States’ privacy law creates presumptions against disclosure of personal data and sets out limited circumstances regarding when such information might appropriately be disclosed. For instance, the US privacy law presumes that individuals have power over their personal data held by the government and vests people with power to wave such privacy in such information at their own discretion (Raul, 2002). This implies that, the US privacy law does not ignore the benefits of open access to government records. In other words, the Congress has recognized that the proper law for personal information held by the government consists of a delicate balance between access and privacy. Therefore, the US privacy law provides various exceptions to its privacy protections (Northouse, 2006). Such exceptions balance the personal control with the public’s interests in accountable and efficient government.

The exceptions presumes that a federal agency might disclose personally-identifying data without the owner’s approval to (a) the census bureau to conduct official survey or census, (b) the agency’s own employees and offices which require such information to carry out their duties, (c) for the agency’s routine use (the agency must notify the public regarding what such routine uses are), (d) conform to the provisions of freedom of the information law, (e)  the US jurisdiction for law enforcement, and (f) researchers and statisticians as long as the information is in forms which do not identify persons and is solely for reporting or statistical research among other exceptions (Raul, 2002). This shows that, most privacy law’s exceptions are related to governmental use of PII that is held by the federal agencies. However, this provision does not show a congregational intent to abandon the principle of access because such disclosure must abide with the provisions outlined under the Freedom of Information Act (FOIA), one of the privacy law’s significant exceptions.

However, for privacy law presumptions to be effective, it is important that such exceptions be carefully drafted and be made as narrow as possible. In other words, the US privacy law exceptions are broad thereby making it difficult for public officials to find other privacy laws which will make it easier for them (public officials) to access the personal data that is otherwise protected in the law (Grama, 2011). The problem regards the list of agencies; national security, law enforcement, investigatory, Department of the US, or regulatory agency-together with a clause requiring authority to be granted to the agencies by the person to who the data pertains (Grama, 2011; Rule & Greenleaf, 2008). Such provisions essentially defeat the Fourth Amendment of the US Constitution’s purpose to ensure that the judiciary plays important roles where lawful search for information is authorized. Therefore, the US should deploy the standard in other privacy laws that authorizes law enforcement agencies to act on state or federal warrant, properly executed administrative order, or court order. That will provide the government with a wider range of opportunities to access data for legal uses in manners which ensure judicial oversight thereby minimizing the risk of personal data abuse.

Nonetheless, presumptions about disclosure of personal information provide remedies if privacy law regarding disclosure of personally identifying data is violated. These include law suits, fines, punishments, or both (Minow & Lipinski, 2003). However, such remedies depend on the particulars of the States’ privacy law regarding open records. For instance, in some states, individuals might file public records lawsuits against agencies, individuals, or groups for disclosing their personal information without seeking their (owners) consent.

The Data Recorded Regarding an Identifiable Person is owned by that Individual

Most privacy laws presume that, any information recorded regarding an identifiable individual ought to be owned by such person (Iacovino, 2006; Portela & Cunha, 2010). However, such presumption confuses privacy right with ownership. For instance, email is an erroneous belief about employee ownership that is confused with right to privacy. In other words, records which organizations create during their business containing individual data cannot be considered to be owned by the information writer (the employee), but the legal author. As such, the employee might have the right of non-disclosure of information, but not proprietary right.

People Have Right to be Let Alone

Some States’ privacy presumes that people have the right to be let free. However, such presumption does not give rise to the right of privacy. For instance, Brettschneider (2007) argues that, citizens rarely have a right to be independent from state prohibitions against physical assault. This is because state coercion in such circumstance is justified. Therefore, to illustrate a right to privacy, it is important to indicate that the arguments for coercion are incompatible with the important values as articulated in the democratic contractualist framework (Fischer, 2013). This implies that, privacy rights are only justified whenever they protect people against coercion that is not supported by democracy’s inclusion principle.

Working Privacy Laws across Different Countries

The privacy law presumption for firms operating in different countries is that the information privacy laws of a particular country are completely different from the data privacy laws which apply at the firm’s home country (Dennedy, Fox, & Finneran, 2014; Determann, 2012). In such cases, none of the companies’ existing privacy laws can apply in the foreign country. It is also assumed that, the firm’s privacy laws regarding personal data can be absolutely identical to the privacy laws which apply at the country of the company (Dennedy, Fox, &Finneran, 2014). Under such case, the firm does need to pay special attention handling or consideration in the privacy laws. This implies that the international privacy policy can either be similar to or differ from individual countries. As such, both the presumptions and laws cannot be applied across all countries. That is, in most cases none of the working privacy law presumptions are effective. Therefore, a sensible and well-drafted privacy law should transcend the country borders (Dennedy, Fox, & Finneran, 2014). For instance, a well-drafted privacy law should meet North American legal requirements. Such law will have much application and relevance to countries such as Europe and beyond since good data handling practices such as security, information quality, and transparency should go beyond country borders.

Nonetheless, drafting privacy laws which are identical to those of a particular country might lead to some challenges. Dennedy, Fox, & Finneran (2014) argue that copying other country’s privacy law will require ignoring important priorities, differences, and historical sensitivities. This explains why many global firms have had challenges when it comes to drafting privacy law presumptions (Kuner, 2003). For instance, some firms assume that, privacy laws which are related to monitoring employee communications in countries such as Finland are identical and permissive as those applied in the United States. Such assertion might result into challenges among these firms. Similarly, for firms with headquarters in Europe, to assume there are minimal or no security breach notification laws in the US because there are few such law in the home country can lead to problems (Kuner, 2003; Turnbull, 2009). In other words, privacy law based on overly, shaky broad presumptions might result into problems despite that the firm might be following all its privacy laws.

In conclusion, people’s lives are based on privacy. As such, States should put in place appropriate privacy laws to empower people to control the use of their personal data. Some States have formulated various privacy law presumptions to assist agencies, individuals, and groups control how, when, what, and to whom PII is shared. Whereas some of these presumptions have not had significant impacts in some States’ privacy laws, other States do not pay attention to privacy laws. This might lead to abuse of PII such as being used to facilitate robbery among other issues. Nonetheless, some privacy law presumptions are based on a logical basis thereby assisting agencies to categorize data depending on the levels of protection required and putting in place appropriate measures and strategies to protect and/or safeguard such data.




Brettschneider, CL 2007, Democratic rights: the substance of self-government, Princeton University Press, Princeton.

Christen, P 2012, Data matching concepts and techniques for record linkage, entity resolution, and duplicate detection, Springer, Berlin.

Dennedy, MF, Fox, J & Finneran, TR 2014, The privacy engineer’s manifesto: Getting from policy to code to QA to value, Apress Open, New York.

Derenzo, EG & Moss, J 2006, Writing clinical research protocols ethical considerations, MA, Elsevier Academic, Burlington.

Determann, L 2012, Determent’s field guide to international data privacy law compliance, Edward Elgar, Cheltenham.

Fischer, PE 2013, Will privacy law in the 21st century is American, European or international? Grin Verlag, New York.

Gantz, SD & Philpott, DR 2013, FISMA and the risk management framework the new practice of federal cyber security, Syngress, Boston.

Goldmann, P 2013, Financial services anti-fraud risk and control workbook, John Wiley & Sons, Hoboken, NJ.

Grama, JL 2011, Legal issues in information security, Jones & Bartlett Learning, Sudbury, MA.

Harman, LB 2001, Ethical challenges in the management of health information, Aspen Publishers, Gaithersburg, MD.

Hewitt, ME & Simone, JV 2000, Enhancing data systems to improve the quality of cancer care, National Academy Press, Washington, D.C.

Iacovino, L 2006, Recordkeeping, ethics and law: Regulatory models, participant relationships and responsibilities in the online world, Springer, Dordrecht.

Jacobs, S 2011, Engineering information security: The application of systems engineering concepts to achieve information assurance, John Wiley & Sons, Hoboken, NJ.

Jacobsen, KH 2012, Introduction to health research methods: A practical guide, Jones & Bartlett Learning, Sudbury, Mass.

Kuner, C 2003, European data privacy law and online business, Oxford Univ. Press, Oxford.

Leino, KH 2000, Patient’s autonomy, privacy and informed consent, IOS Press, Amsterdam.

Meinert, CL 2012, Clinical trials: Design, conduct, and analysis, Oxford University Press, New York.

Minow, M & Lipinski, TA 2003, The library’s legal answer book, American Library Association, Chicago.

Nass, SJ, Levit, LA & Gostin, LO 2009, Beyond the HIPAA privacy rule: Enhancing privacy, improving health through research, National Academies Press, Washington, D.C.

Northouse, C 2006, Protecting what matters technology, security, and liberty since 9/11, Computer Ethics Institute, Washington, D.C.

Portela, IM & Cruz-Cunha, MM 2010, Information communication technology law, protection and access rights: Global approaches and issues, Information Science Reference, Hershey, PA.

Raul, AC 2002, Privacy and the digital state: balancing public information and personal privacy, Kluwer Academic, Boston.

Rothman, KJ, Greenland, S & Lash, TL 2008, Modern epidemiology,  Wolters Kluwer Health/Lippincott Williams & Wilkins, Philadelphia.

Rule, JB & Greenleaf, GW 2008, Global privacy protection the first generation, Edward Elgar, Cheltenham, UK.

Sharma, SK 1994, Privacy law: A comparative study, Atlantic Publishers & Distributors, New Delhi.

Smith, RE & Sulanowski, J 2002, Compilation of state and federal privacy laws, Privacy Journal, Providence, RI.

Turnbull, IJ 2009, Privacy in the workplace, CCH Canadian, Toronto.

Are you looking for a similar paper or any other quality academic essay? Then look no further. Our research paper writing service is what you require. Our team of experienced writers is on standby to deliver to you an original paper as per your specified instructions with zero plagiarism guaranteed. This is the perfect way you can prepare your own unique academic paper and score the grades you deserve.

Use the order calculator below and get started! Contact our live support team for any assistance or inquiry.