Privacy and Data Protection


Privacy Impact Assessment (PIA)

All new data processing activities require a Privacy Impact Assessment (PIA), which will assist in determining the correct legal basis for processing personal data. A PIA is an assessment of the risks and impact involved in processing personal data. GDPR also requires Delta to have in place measures and processes which demonstrate that privacy has been factored into all new business processes, IT systems, vendors, projects, products, or services where relevant. This is known as "Privacy by Design" and "Privacy by Default".

This training includes four modules, in which you will learn to: Define data privacy. Explain your responsibility in ensuring privacy when handling personal data. Describe the Data Protection Rulebook; its purpose, and its contents

Apply best practices for safeguarding personal data during your daily business. Explain individual rights that persons can request of Delta regarding the handling of their personal data

Your Role in Privacy and Data Protection

As you just learned, privacy and data protection matter to Delta. To maintain trust in the Delta brand, we all play an essential role and have great responsibility in safeguarding privacy when handling personal data. This is why privacy and data protection should matter to you.

Best Practices: Data Retention, Data Minimization, and Purpose Limitation

Data Retention: Be aware of and follow the Records Management Policy and Delta's Records Retention Schedule (DRRS). Do not store personal data unnecessarily either on paper or in your shared drives, folders or inboxes (for example, in email attachments). Take steps to regularly delete unnecessary personal data from your inboxes and shared drives following the DRRS. If retention is necessary, retain the personal data in the correct application or system.
Data Minimization: Only collect and process the necessary personal data for the purpose intended. For example, if collecting email addresses to send email newsletters, do not also ask for postal addresses, date of birth, or gender as this personal data is not necessary to facilitate sending the newsletter. Avoid duplicating or copying personal data to the extent possible. For example, if personal data is stored on a structured data repository such as a database then, to the extent possible, make use of the personal data from this source and avoid making a copy of it to store on group or personal drives.
Purpose Limitation: If you share personal data internally, only share with those who require access to achieve the stated purposes. External sharing with third parties is subject to approval and sign-off from the DPO. If you would like to process personal data for purposes other than those set out in the Privacy Policy or EU Employee Notification, speak to your Privacy Champion or the DPO.

Data Protection

Data protection refers to the policies and practices put into place by an organization to protect the use of information about individuals. Data protection laws establish good data handling and data management principles. The laws include specific rights regarding an individual's personal data that is processed by an organization. In the European Union (EU), this protection is established in the European Charter of Fundamental Rights and detailed in the General Data Protection Regulation (GDPR).

Lawful Basis for Processing Data

Delta is committed to privacy and respecting the rights of those whose personal data we collect and use. Trust in our brand and how we treat others is essential to our business. When Delta processes personal data, it must do so on the basis of lawful grounds set out by laws and regulations.

Privacy Champions

Each Delta business unit appoints a Privacy Champion. The Privacy Champion's principal role is to act as a liaison between the relevant business unit and the DPO. They are the "first point of contact" for privacy and data protection activities within each business unit. Their responsibilities include: advising on relevant policies and practices; identifying privacy and data protection training needs; and assisting with PIAs and privacy assessments.
If more help or information is needed, you are equipped with a Privacy Champion that can assist with your concerns. Privacy Champions serve the Privacy Office to implement the methods and means for complying with applicable laws and regulations that govern the collection, processing, and use of customer and employee personal data. To find out more about the Privacy Working Group and to identify your Privacy Champion, go here.

Best Practices: Privacy by Design (PbD)

Privacy by Design (PbD): Privacy by Design requires us all to consider the data privacy issues for each new project and initiative. If you are unsure of how this may impact you, contact your Privacy Champion or the DPO. Build time into all new projects and initiatives to allow for the PIA process. Consider the most "privacy friendly" approach to new projects and initiatives. For example, once the purpose of the project and initiative is established, consider how much and what categories of personal data are essential and identify the optional "nice-to-have" categories. Consider the use of privacy settings to enable individuals to control the amount and nature of personal data which they provide. Also, limit the internal and external sharing of personal data collected. Implement a mechanism to capture consent when necessary to collect and process personal data. Consent must be freely given, specific, informed and an unambiguous indication of the data subject's wishes.

Privacy

Refers to empowering users to control collection, use, and distribution of their personal data.

Security

Refers to establishing protective measures that defend against hostile acts or influences and provide assurance of defense.

What are Rights Requests

Right of Access (Subject Access Requests): The right to request a copy of the personal data Delta has concerning the individual and supporting information explaining how the personal data is used.
Right of Rectification: The right to request Delta correct their inaccurate personal data.
Right of Erasure (Right To Be Forgotten): The right to request Delta erase all personal data concerning the individual.
The right to, in some situations, request that Delta not use the individual's personal data they have provided (e.g., if they believe it to be inaccurate).
The right to object to certain processing of his/her personal data, unless Delta has overriding compelling legitimate grounds to continue processing, and the right to object to direct marketing.
The right to, in some situations, request Delta to port the individual's data to the individual or a new provider in machine readable format.

Data Protection Officer

Supported by the Law Department and a network of Privacy Champions, the DPO acts as a point of sign-off and compliance management. Specifically, the DPO: informs and advises Delta and its employees of their data protection obligations; advises on PIAs and manages internal data protection activities; facilitates training and awareness; cooperates with and acts as a point of contact for the external Supervisory Authority; and periodically assesses the record-keeping procedures of Delta's business units regarding data processing activities.

Delta demonstrates privacy by:

Telling users what data is collected and how it will be used. Ensuring data is protected and can only be used for the purposes disclosed. Ensuring data practices comply with Federal, State and International laws.

The Data Protection Rulebook

The core of Delta's global commitment to ensuring privacy is its Data Protection Governance Framework. A key resource in that framework is the Data Protection Rulebook which contains specific guidelines regarding privacy and data protection practices. Job responsibilities throughout Delta often require the use of restricted and confidential personal data such as customer ticketing details and employee personnel records. Next, we will discuss how you can apply the Rulebook guidelines in your daily work.

Who Can Provide Help

Upholding Delta's commitment to privacy and data protection is not a responsibility that belongs to you alone. The Data Protection Officer (DPO) and business unit Privacy Champions are available to support and guide you through any matters related to privacy and data protection.

Privacy Policy and EU Employee Notification

Whenever Delta processes personal data, it must be clear which legal basis is being relied on. Delta's current practices have been assessed and the relevant legal bases are set out in the Privacy Policy and EU Employee Notification.

Ninety percent of data breach incidents are a result of human error.

Which of the following do you think are the most common errors that result in data breaches and/or put data at risk if mishandled? Select all that apply. Then submit your response.
Being overly helpful, resulting in providing unnecessary information (Correct option)
Transmitting data without using proper encryption or data protection steps (Correct option)
Failing to verify names and email addresses, resulting in files sent to the incorrect recipient (Correct option)
Over-collection of data, resulting in legal action or civil suits if the data is exposed in an incident (Correct option)
Responding too quickly to business needs but failing to notify the appropriate stakeholders about potential required changes to policies or documented controls

Jean Claude is a French resident. He has read about the recent data breaches and is highly concerned about his personal data. He calls the Delta customer service line, and asks the agent what type of information Delta has about him. Is it permissible for Jean to request a copy of his personal information that Delta may have?

Yes, many international privacy laws provide individuals with rights to request a copy of the personal data that Delta has about them and to receive an explanation regarding how their personal information is collected and used.

Personal data refers to a combination of the following types of information.

PII (personally identifiable information) includes: name, address, telephone number, email address, and Known Traveller Number; Delta Sky Club membership and SkyMiles account; passport number and travel-related information such as flight, emergency contact, hotel preference; online behavior provided by internet activity such as your internet service provider, browser type, and IP address.
PCI (payment card industry) includes: credit/debit card number, billing address, expiration date.
PHI (protected health information) includes: medical needs, dietary requests, medical emergencies or incidents which may occur while on board or travelling.
Special categories of personal data include: religious or philosophical beliefs, genetic data and biometrics, racial or ethnic origin.

