Data privacy and security go hand in hand, right? It’s all the same thing.
In fact, there are times when one interferes with the other and can cause problems. Let’s dive in…
There have been several cases recently where the Information Commissioner’s Office (ICO) has fined or reprimanded companies for releasing more information than they meant to in response to a Freedom of Information request (FOI). The most recent examples include a Cambridge hospital data breach and Southend-on-Sea council data breach – cases where a whole spreadsheet with data and filters had been forwarded, rather than just extracting the required information.
In October 2007, two CDs holding details of child benefit claimants went missing when they were sent, unregistered, via a courier from HMRC to the National Audit Office. The CDs contained the details of approximately half the population of the UK. The audit office had requested that details it did not require, such as bank details, be removed, but it was too costly to filter out said data, so they sent the full data set, proving that lack of data privacy has been an ongoing problem.
Although some may think of this as a “simple mistake”, this carelessness can impact customers tremendously, exposing them to the dangers of their Personally Identifiable Information (PII) being stolen and sold for financial gain, identity theft, or to potentially cause harm to the individuals.
We need to share data as it has become a commodity in its own right. Whether it is because of a request, or to assist decision making, data is a key element in running a business or government. This means that data has a value, even if it does not appear to have any.
There is the view that all data “should” be accessible, open for the common good, nothing hidden – transparency. But personal data should not and cannot legally be open to all. Lack of “adequate” control of access to data has led to some of the highest fines issued by the ICO after a data breach.
What is the value of the data your company holds? How do you answer this question?
The phrase “you don’t know what you’ve got till it’s gone” certainly rings true with data. Would your company survive if it didn’t have it? You also have to understand the value of that information to other people. Personal data has a high value to the person it relates to but may just be another statistic to
you. So, it is not just its value to your company that you need to consider when you are either protecting it or releasing it.
This is where the conflict occurs between data privacy and security.
The data’s value to you is totally different to its value to the individual it relates to. So, what level of protection do you put on it? Do you protect it based on your value, the owner of that data’s value or the individual’s value? Who is the owner?
To avoid the conflict, you need to view data as an asset, and protect it as an asset.
It is vital that you consider these following areas when handling and sharing data:
Know why you hold the data – Do you have consent to hold it from the owner? Do you really need your customers’ mother maiden name in the database? If it has no value to you, don’t keep it!
Protect the data – Enforce “adequate” (ICO’s term not mine) controls over the data. You may need to hold your customers’ mother’s maiden name but does everyone in your company need to see it?
Control data sharing – Share only what you need to share, and only if you are satisfied that the recipient will also adequately protect the data in the same way that you do.
Know what you can do with the data – The owner of the data may not be you. There must be an agreement set in place as to what can be done with the data. To find out more about GDPR and data privacy laws, visit the HMRC website here.
There are common areas that are shared between privacy and security, and these are three key principles that have been the core of information security since before data protection/privacy was even considered.
Confidentiality – The protection and monitoring of access to data.
Integrity – The quality of the data. Given the increase in automated processes, a minor data entry or calculation error may have severe consequences. Just think what would happen if the retail price index had an extra zero added on the end!
Availability – Whether lack of information prevents you from doing business or prevents you from responding to a FOI within the timescale allowed by law, there is a cost involved in NOT having the information to hand.
The balance is to have the right level of security, while still ensuring information is available and correct. There is an argument that incorrect information is more dangerous and therefore costly than not having it at all.
But as stated previously, lack of focus on protecting the data can lead to large finds. What we do need to ensure is that the trinity of confidentiality, integrity and availability are handled with the same vigor, but in harmony with each other.