this post was submitted on 15 Jun 2023
79 points (98.8% liked)
Malicious Compliance
19662 readers
1 users here now
People conforming to the letter, but not the spirit, of a request. For now, this includes text posts, images, videos and links. Please ensure that the “malicious compliance” aspect is apparent - if you’re making a text post, be sure to explain this part; if it’s an image/video/link, use the “Body” field to elaborate.
======
-
We ENCOURAGE posts about events that happened to you, or someone you know.
-
We ACCEPT (for now) reposts of good malicious compliance stories (from other platforms) which did not happen to you or someone you knew. Please use a [REPOST] tag in such situations.
-
We DO NOT ALLOW fiction, or posts that break site-wide rules.
======
Also check out the following communities:
[email protected] [email protected]
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
That's absolutely wild. I bet if he owned a garage, he'd expect you to be able to fix a car in the dark.
Question tho, as someone not in IT, how do you handle HIPPA policies. Clearly you have to have access, but I assume the info would just be backed up seperately from other data.
I worked as a Data Engineer in health insurance for almost a decade. I'm Canadian, but we have similar laws and the answer is basically that every employee signs a lot of NDAs. Data access should be limited to what you need to do your role, and any data that leaves the company has to be totally stripped of personal identifying information (usually some form of data masking).
That being said, I never found it difficult to get access to data, it was usually just another NDA to sign. I did work with government policies for a bit where I had to go to a government facility and get finger printed and all that before they gave me access, that was interesting. I work in tech now and the controls around data access are a lot more serious, gotta jump through a lot of hoops to get access to anything. Probably because of the scrutiny tech is under these days.
What if you need personal info? Or will you never need it?
Personal info is fine to use if you're using it internally for uses that clients agreed to in the ToS and you've signed the appropriate NDAs. If personal data is being sent externally the clients have to agree to the external personal data use, or it has to be masked/aggregated so that it no longer contains personal data.