Security Doesn’t Mean Privacy

Posted by Donna Recchione on Jul 9, 2018 9:00:00 AM

In IT, Job Trends, ICS insights, Candidate

Due to advancements in technology, security professionals must use the mindset of a privacy specialist to succeed in their occupations. While there is no need to be a compliance expert, there are still various knowledge points that will prove to be of value in a security professional's set of skills. 

The question is, what can a security professional do to become more successful? Fortunately, there are four steps you can take to become more privacy savvy. Let's explore these four steps and learn how you can put them into practice. 

Step Number One: Understanding Information and People

The first step you need to take to become more privacy savvy is to understand how privacy relates to security, yet also understand that they are two different elements. Security in and of itself cannot protect a person's privacy. Why? Well, the simple safeguarding of data does not guarantee that it will not be improperly collected, used, or disclosed. For a better understanding of this, check out step number two. 

The collection, use, and disclosure of a person's information directly impact the person and all persons to whom the information and data relate. With that being said, it becomes easier to see that security serves as a foundational element that must be deployed to correctly leverage the tools that are used to collect personal information. 

Understanding Personal Information

It is also crucial that you understand what personal information is. Many times, personal information is referred to as personally identifiable information (PII) or personal data (PD), and it is any type of information that can be used to identify who a person is, what the person does, where they are located, the people they know, the things that demonstrate what they like, and how they view certain aspects. You should understand that this information can be directly or indirectly connected to the person. For example, an ID number would be a piece of information that is directly related to a person, while a demographic term would be a piece of indirect information that can help identify the person. Whether the information is directly or indirectly related to the person, the key here is that it still allows someone who accesses the information to determine or "know" something about the person to whom the data relates. Moreover, since personal information is at the very least essential to who we are as individuals, it is imperative that it be protected to the best of our capabilities, making the profession of a security specialist all the more important.

Various privacy frameworks use different definitions for PII. However, one that remains general in use among most frameworks is as follows:

“Any and all information or data (regardless of format) that (i) identifies or can be used to identify, contact or locate an individual, or (ii) that relates to an individual, whose identity can be either directly or indirectly inferred, including any information that is linked or linkable to that individual regardless of any attributes or status of such individual.”

Understanding Sensitive Personal Information

In addition to PII, we have a subset of data that is often referred to as sensitive personal information. Some people refer to it as sensitive data (SD), and this type of data tends to require tighter controls. Why? Because it tends to be information that is more confidential and carries higher levels of integrity. Moreover, if this type of information were to be improperly collected, used, or disclosed, it could cause significant harm to the person it relates to as well as to people connected to the person whom the information is directly or indirectly about. There are various types of information that fall into the category of being SD, including:

  • Financial account data
  • Health records
  • Data elements revealing race
  • Government-issued identification
  • Employment files
  • Trade union membership
  • Sex life
  • Sexual orientation
  • National origin
  • Ethnicity
  • Religion
  • Criminal records
  • Allegations of crimes committed

If any of the above information were misused, it could be detrimental to a person's:

  • Finances
  • Health
  • Reputation
  • Opportunity
  • Rights
  • Even their life

Step Number Two: Understanding Fair Information Principles

Even though the concept of privacy dates back to very early societies, including over 250 years ago in the United States, the modern ideas that relate to privacy and fuel the current privacy and security frameworks did not actually begin until the 1960s. It was during this period of time that the information age really began to form and take its shape. More so, digitization became more readily accessible and electronic storage became more of a common form of storing and protecting data. In light of digitization, though, lawmakers and professionals alike saw early on that a code of conduct was needed to ensure there was greater accountability for storing personal information. This accountability was and is still needed to ensure PII is protected and not improperly used. 

HEW Report

Back in the 1970s, more precisely 1973, a concept was formed and outlined in a report that was issued by the United States Department of Health, Education, and Welfare. This report was published because of the increasing use of electronic information; the United States government wanted to create a governed set of principles that outlined how organizations and entities could use personal information. This concept eventually became known as the Fair Information Principles. Many people, however, refer to it as Fair Information Practices, while others also call it the FIPP, standing for Fair Information Practice Principles. 

According to CIPP Guide, the HEW Report outlines the following fair information practices:

  • There must be no personal data record-keeping systems whose very existence is secret.
  • There must be a way for an individual to find out what information about him is in a record and how it is used.
  • There must be a way for an individual to prevent information about him obtained for one purpose from being used or made available for other purposes without his consent.
  • There must be a way for an individual to correct or amend a record of identifiable information about him.
  • Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take reasonable precautions to prevent misuse of the data.

CIPP Guide also states that the summary of personal privacy according to the HEW Report is as follows:

“An individual’s personal privacy is directly affected by the kind of disclosure and use made of identifiable information about him in a record. A record containing information about an individual in identifiable form must, therefore, be governed by procedures that afford the individual a right to participate in deciding what the content of the record will be, and what disclosure and use will be made of the identifiable information in it. Any recording, disclosure, and use of identifiable personal information not governed by such procedures must be proscribed as an unfair information practice unless such recording, disclosure or use is specifically authorized by law.”

OECD Guidance

According to OECD Guidelines, there should always be in place certain limits relating to the collection of personal data and how it can be both obtained and used. More importantly, PII should always be collected only according to lawful and fair means. This means that if a person's data is collected, the person should always be fully aware that the data is being collected and the exact ways in which the data is going to be used both now and in the future. Not only should a person know that the data is going to be collected, but the person must also opt in or give consent for the data to be collected as well as consent to the ways in which the data can be used. 

OECD Guidance also mandates that only personal data that is relevant to the purposes for which it is intended to be used should be collected. The information should always be kept accurate and well maintained as well as up to date; this is known as the Data Quality Principle. Never should the purposes for which the data is going to be collected be disclosed after the data has actually been collected. To help safeguard data from any improper collection and use, the Security Safeguards Principle should always be employed. There is a general policy of openness that must always be maintained that goes into detail regarding how a person's data is collected, what it is being used for, and any practices and policies that relate to its collection and use. Most importantly, there should be great detail given in regards to the identity of the data controller (Openness Principle). 

The OECD Guidance also mandates that a person have access to their PII and that they be able to correct it if any changes need to be made. They should also be able to erase the collection of the data if appropriate (Individual Participation Principle). As always, the data controller should be held to high standards of accountability for complying with all collection and use measures.

FIP Controls

To ensure the protections for privacy that are outlined according to the Fair Information Principles are effective, an organization must develop and implement a framework to ensure all collected, used, and disclosed PII is not abused or improperly used. As time has passed, these concepts, which are derived from OECD Guidelines as well as the HEW Report, have been broken into eight separate control domains. 

  1. Notice
  2. Consent
  3. Access and Correction
  4. Purpose Specification
  5. Minimum Necessary
  6. Quality and Integrity
  7. Safeguards
  8. Accountability

Step Number Three: Understanding CUD

From an operational standpoint, to start managing privacy, it is pertinent to understand that there are three underlying principles that fuel the management of privacy:

  1. Collection
  2. Use
  3. Disclosure

Each of these principles is a core attribute in being able to define and protect privacy as well as to pinpoint any possible risks that could potentially negatively impact a person's privacy. 

Collection

The first step in protecting a person's privacy is to examine how you are going to go about collecting the person's personal information. You will also need to outline how the collected data is going to be used by your organization. In addition, you need to determine whether the information is going to be collected by you or a third party. It is crucial to understand the 'concept of minimum necessary,' which helps to ensure your organization is collecting only the information needed to fulfill the purposes for which the data is being collected. As stated before, you must first receive consent from a person to collect the data as well as to use the information for your intended purposes. 

Use

Once you have the information collected, you will also need to identify how you are going to go about processing it. All of this ties back into the notice and consent you collected from the person. You should NEVER use collected information for any purpose other than what you informed the person it was going to be used for. If you do, you set yourself up for huge lawsuits. You should always tell the person of any internal sharing that will take place so that the intended purposes of the collected data can be fulfilled. You will also need to inform the person if you intend to share the data with one or more third parties, as well as collect consent to do so.

Disclosure

After you have collected the consent and the information, you will then go through the proper disclosure processes to fulfill your intended purposes. There will be much detail provided to a person to let them fully understand how their information is going to be disclosed and the exact methods you intend to use for disclosing the data. Both notice and consent play a vital role in making sure proper disclosure has been achieved. 

Step Number Four: Understanding Privacy Management

The final element of being able to collect, use, and disclose PII properly is to implement the Fair Information Principles. Conceptually, privacy management differs only in small ways from cybersecurity management. You will have to put into place a list of policies and procedures that guide all of your employees and help them fully understand the legal regimes that impact any implementation aspects of putting the controls and principles into effect. Lastly, all members must be trained in how to manage any risks that relate to the privacy of the individuals from whom data has been collected, and any and all controls and principles must, without error, be put into place throughout the entire lifecycle of a person's PII.

Managing Risks

As a privacy professional, you need to be able to manage any protections that are put into place to safeguard collected data. The management of these protections must be streamlined with all operations. You will begin by first gaining a bird's eye view of the assets that need to be protected; this allows you to put together a list of controls that need to be developed. You will also need to make yourself aware of any applicable regulatory and compliance guidelines and laws. This is crucial to being able to put together an effective set of protective tools and resources that can be accessed to safeguard all PII. As you gain a thorough understanding of risks, threats, and vulnerabilities, you can then conduct an assessment and analysis that enables you to create privacy measures that keep in line with Fair Information Principles. Since technology and data collection processes are always becoming more advanced, you must reassess your current assets, needs, threats, risks, and tools and resources to update your protocols and safeguarding procedures on an as-needed basis. 
