CISO to CPO: Four Steps for Security Experts to Get a Privacy Perspective

Congratulations! You are part of one of the fastest growing professions and one at the forefront of where our information society is heading. Cybersecurity or information security professionals work to ensure the safeguarding of information while allowing that information to flow freely throughout the information economy.

Now what?

But what about this thing called privacy? Isn’t it just a subset of security?

Well, no, it’s not. As we will see, while privacy relates to security and uses it to protect information, it takes a very different tack on information. Although the confidentiality, integrity, and availability of information play crucial roles in the lifecycle of information and are necessary to ensure privacy protections, privacy presents a different facet of the information lifecycle and relates back to people, their lives, their choices, their viewpoints.

So, how is privacy different?  What do you need to know about things like the fair information principles and requirements for notice, consent, and erasure? What do you need to know about things like collection, use, and disclosure?  To succeed as a security professional, you need also to think like a privacy professional and, while you don’t have to become a legal or compliance expert, there are some core knowledge points you should add to your professional skills.

So, what should you know and how should you get there? Let’s break this down into four steps on the road to getting privacy savvy.

First Step: Information and People

To understand privacy, you first need to understand how privacy is separate from, but related to, security. Security alone cannot protect privacy, because merely safeguarding data does not prevent its improper collection, use, or disclosure (see the next step for what these mean), which connect to and impact the person to whom the information relates. That said, security is a foundational tool that, when deployed properly, can be leveraged to protect the privacy of individuals and to support the proper and authorized collection, use, and disclosure of personal information.

Personal Information

The first thing to know is what “Personal Information” is. Sometimes called PII (Personally Identifiable Information or Personally Identifying Information) or Personal Data, this is information that is about or relates to a person: what that person does, where they are, who they know, what they are like, how they feel. It may be directly connected to the person, in terms of being “identifying” like a name or ID number, or indirectly related, such as demographic terms or characteristics, also known as “identifiable.” The key is that this information allows the reader accessing it, or the systems using it, to “know” something (or many things) about an individual. Personal Information is core to who we are as individuals, and that is why it needs to be protected.

A general definition used across many different privacy frameworks is “any and all information or data (regardless of format) that (i) identifies or can be used to identify, contact or locate an individual, or (ii) that relates to an individual, whose identity can be either directly or indirectly inferred, including any information that is linked or linkable to that individual regardless of any attributes or status of such individual.”

Sensitive Personal Information

In addition to Personal Information, a subset of information called Sensitive Personal Information or Sensitive Information (Data) requires more stringent controls, especially as they relate to the confidentiality, integrity, and availability of that information, because the improper or unauthorized collection, use, or disclosure of this information could significantly and adversely impact the life of the person to whom it relates. This information typically includes financial account information, health records, employment files, government-issued identification, or data elements revealing race, ethnicity, national origin, religion, trade union membership, sex life or sexual orientation, and criminal records or allegations of crimes. Any of this information could, if not given proper privacy protections, impact a person’s finances, health, reputation, opportunity, rights, or, in the worst-case scenario, life.

Second Step: Fair Information Principles

While the concept of privacy can be traced back to early societies and, in the U.S., the core legal framework and the courts have recognized a right to privacy for nearly 250 years, the modern ideas for privacy that drive the current frameworks for controls and privacy management began in the 1960s and 1970s, as the information age began to take shape and the digitization and electronic storage of information made it simpler to process, easier to access, and effortless to store. Professionals and lawmakers began to see that a code of conduct was needed to bring greater accountability around personal information and to protect individuals from improper or unauthorized processing.

 
