Image of business executive walking up stairs representing steps for security experts to gain privacy perspective, from CISO to CPO
CISO to CPO: Four Steps for Security Experts to Get a Privacy Perceptive

CISO to CPO: Four Steps for Security Experts to Get a Privacy Perceptive

Congratulations! You are part of one of the fastest growing professions and one at the forefront of where our information society is heading. Cybersecurity or information security professionals work to ensure the safeguarding of information while allowing that information to flow freely throughout the information economy.

Now what?

But what about this thing called privacy?  Isn’t it just a subset of security, right?

Well, no, it’s not and, as we will see, while it relates to security and uses it to protect information, privacy takes a very different tack on information.  Although the confidentiality, integrity, and availability of information plays crucial roles in the lifecycle of information and are necessary to ensure privacy protections, privacy presents a different facet to the information lifecycle and relates back to people, their lives, their choices, their viewpoints.

So, how is privacy different?  What do you need to know about things like the fair information principles and requirements for notice, consent, and erasure? What do you need to know about things like collection, use, and disclosure?  To succeed as a security professional, you need also to think like a privacy professional and, while you don’t have to become a legal or compliance expert, there are some core knowledge points you should add to your professional skills.

So, what should you know and how should you get there? Let’s break this down to four steps on the road to getting privacy savvy.

First Step: Information and People

To understand privacy, you need to first understand how privacy is separate, but related to security. Security alone cannot protect privacy, because merely safeguarding data does not prevent its improper collection, use, or disclosure (see the next step for what these mean), which connect to and impact the person about whom the information related. That said, security is a foundational tool that when deployed properly can be leveraged to provide protections for the privacy of individuals to support the proper and authorized collection, use, and disclosure of personal information.

Personal Information

First thing to know is what “Personal Information” is.  Sometimes called, PII or Personally Identifiable Information, or Personally Identifying Information, or Personal Data, this is information about or relates to a person, what that person does, where they are, who they know, what they are like, how they feel, whether directly connected to the person, in terms of being “identifying” like a name or ID number, or indirectly related, such as demographic terms or characteristics, also known as “identifiable.” The key is that this information allows the reader accessing or systems using the information to “know” something (or many things) about an individual. Personal Information is core to who we are as an individual and that is why it needs to be protected.

A general definition used across many different privacy frameworks is “any and all information or data (regardless of format) that (i) identifies or can be used to identify, contact or locate an individual, or (ii) that relates to an individual, whose identity can be either directly or indirectly inferred, including any information that is linked or linkable to that individual regardless of any attributes or status of such individual.”

Sensitive Personal Information

In addition to Personal Information, a subset of information called Sensitive Personal Information or Sensitive Information (Data) requires more stringent controls, especially as they related to the confidentiality, integrity, and availability of that information, because the improper or unauthorized collection, use, or disclosure of this information could significantly and adversely impact the life of the person to whom it relates. This information typically includes financial account information, health records, employment files, government issued identification, or data elements revealing race, ethnicity, national origin, religion, trade union membership, sex life or sexual orientation, and criminal records or allegations of crimes.  Any of this information could, if not provided proper privacy protections, impact a person’s finances, health, reputation, opportunity, rights, or, in the worst case scenario, life.

Second Step: Fair Information Principles

While the concept of privacy can be traced back to early societies and, in the U.S., the core legal framework and the courts have recognized a right to privacy for nearly 250 years, the modern ideas for privacy that drive the current frameworks for controls and privacy management began in the 1960s and 1970s as the information age began to take shape and the digitization and the electronic storage of information made it simpler to process, easier to access, and effortless to store.  Professionals and lawmakers began to see that a code of conduct was needed to bring greater accountability around personal information and to protect individual from improper or unauthorized processing.

HEW Report

Some of those first concepts were formulated in a report issued by the U.S. Department of Health, Education, and Welfare back in 1973. This report was done because of the extensive and, at the time, new use of electronic information in the U.S. government and looked to create a set of principles to govern any organization in connection with personal information This became known as the Fair Information Principles (or sometimes also known as the fair information practices or, putting the two together for FIPP, the fair information practice principles).

The Fair Information Principles advocated by the HEW Report were:

  1. there must be no record-keeping processes or systems for personal information whose very existence is secret;
  2. there must be a way for an individual to find out what personal information is maintained and how it is used;
  3. there must be a way for an individual to prevent personal information obtained for one purpose from being used or disclosed for other purposes without that individual’s consent;
  4. there must be a way for an individual to correct or amend personal information maintained or processed; and
  5. any organization collecting, creating, maintaining, using, or disclosing personal information must assure the reliability of that personal information for its intended use and must take reasonable precautions to prevent its misuse or improper disclosure.
OECD Guidance

In 1980, the Organisation for Economic Cooperation and Development or OECD also recognized that the problem of privacy was not a national one, but a global factor in a global economy.  Rules for the interchange and exchange of personal information would not only be necessary to protect privacy across differing legal jurisdictions, but also to promote the free flow of commerce, which was reliant on this information. The result of this acknowledge was Guidelines on the Protection of Privacy and Trans-Border Flows of Personal Data, otherwise known as the OECD Guidelines, which drew upon the previous work from the HEW Report and additional concepts across multiple legal regimes. Here the Fair Information Principles began to take more of the shape that exists today.

Under the OECD Guidelines there should be limits to the collection of personal information and it should be obtained by lawful and fair means including, where appropriate, with the knowledge or consent of the data subject (Collection Limitation Principle). Further personal information should be relevant to the purposes and should be accurate, complete and kept up-to-date (Data Quality Principle). The purposes for which personal information are collected and use should be specified not later than at the time of data collection and the subsequent use and disclosure limited to those purposes or ones not incompatible Purpose Specification and Use Limitation Principles). Reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data should be employed (Security Safeguards Principle). There should be a general policy of openness about developments, practices and policies with respect to personal information, including the identity of the data controller (Openness Principle). Further, an individual should have the right of access and correction (to include erasure, if appropriate) (Individual Participation Principle). A data controller should be accountable for complying with appropriate measures to protect privacy.

The OECD Guideline was designed to have member countries maintain minimum standards of data protection, reduce differences between implementations of national law, and prevent restrictions on transborder flows of personal data.

FIP Controls

To effectuate the protections for privacy under the Fair Information Principles, an organization must put in place a framework to control the collection, use, and disclosure of the personal information.  Over time, these concepts, coming from the HEW Report and OECD Guidelines have typically been broken out into eight control domains.

  1. Notice: The organization should be transparent and provide notice to the individual regarding its collection, use, and disclosure of personal information. Notice would describe in a level of detail that allow the individual to understand not only what information is involved, but also the related protections and safeguards for the personal information.
  2. Consent: The organization should involve the individual in the process of collecting, using, or disclosing personal information.  While it may not be possible to include consent in all situations, to the extent practicable, the organization should attempt to seek the consent of the individual.
  3. Access and Correction: The organization should provide the means for an individual to get access to or a copy of the personal information held by the organization.  Additionally, to the extent feasible, the organization should permit an individual to provide corrections to that individual’s personal information through mechanisms for appropriate access, correction, and redress.
  1. Purpose Specification: The organization should specifically articulate the particular reasons that the organization needs to collect, use, and disclose the personal information through the notice to the individual and through the internal procedures ensure that the organization processes the personal information consistent with the specified purpose.
  2. Minimum Necessary: The organization should only collect, use, and disclose the personal information that is directly relevant and necessary to accomplish the specified purpose, including only retaining the personal information for as long as is necessary to fulfill the specified purpose. Any internal sharing also needs to comport with the purpose specified as a use of the personal information.
  3. Quality and Integrity: Depending on the purpose and the needs for the personal information and to the extent practicable, the organization should ensure that personal is accurate, relevant, timely, and complete. For information gathered from third parties, the organization should understand what level of accuracy that any personal information was originally gathered, collected, or generated.
  4. Safeguards: The organization should safeguard personal information from unauthorized or improper collection, use, and disclosure through appropriate security controls against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.
  5. Accountability: The organization should be accountable for deploying controls and complying with the fair information principles through proper training and awareness for all personnel, policies and procedures to document the implementation and operation of necessary controls, risk assessment processes to determine impacts to privacy, and auditing the actual use of personal information to demonstrate compliance with the fair information principles and all applicable privacy protection requirements.

Third Step: CUD

To begin managing privacy operationally, you need to understand the underlying principles that drive management of privacy – collection, use, and disclosure.  These three principles are the core attributes in defining privacy and the risks that impact it.

Collection

First, you need to examine how the organization gathers the personal information. The collection principle address how data or information flows into the organization.  This addresses whether the information comes directly from the individual or the organization got the information from a third party or intermediary.  The controls like notice and consent address what the individual knows about the organization receiving the personal information.  Additionally, the concept of minimum necessary applies to ensuring that the organization gathers only the information related to the particular purpose for the collection.  In combination, these controls focus the collection principle to get information into the organization.

Use

Once personal information is in the organization, then the principle of use applies to determine how the organization processes the information.  The use ties back to the same controls of notice, consent, and minimum necessary.  With regard to notice and consent, the organization should use the personal information the same as what was told and agreed to by the individual.  The control around minimum necessary ensures that the organization only processes the information related to the purpose for which the individual understood and agreed. Use also includes the internal sharing of personal information, so that the controls must address the internal flows of information to ensure the uses and sharing comport with the notice and consent received.

Disclosure

The last issue is the means by which personal information flows out of the organization to third parties.  Again, the controls addressing notice and consent focus to what organizations the information can go. The purpose specification becomes important to allow both the organization and the individual to understand what sorts of disclosure support the purpose originally put forward.  Additionally, notice and consent play a role in furthering that understand between the organization and the individuals allowing for choices in who may have the personal information.

Fourth Step: Privacy Management

The last step is understanding how to put the Fair Information Principles as controls into effect to address and ensure the proper and authorized collection, use, and disclosure of personal information.  The concept of privacy management does not differ extensively the management of cybersecurity.  Any Organization must put in place policies and procedures to guide its members, understand the legal regimes that affect the implementation of the controls, and, finally, manage the risks to the privacy of individuals throughout the lifecycle of the personal information.

Administrative

As with cybersecurity controls, an organization cannot “know” what to do unless it has written rules to follow. Privacy policies and procedures guide the organization to understand how and to what extent privacy controls must be implemented to ensure the proper and authorized collection, use, and disclosure of personal information. Unfortunately, there is not a standard control policy and procedure framework to build upon like in cybersecurity with ISO 27000 series and the NIST SP 800-53 documents.  Nevertheless, guidance for official privacy regulators and professional organizations, like the International Association of Privacy Professionals, provides plenty of examples and methods for policy and procedure sets.

Which Law Apply?

It is important to understand which laws apply to an organization’s collection, use, and disclosure of personal information to ensure the proper implementation of controls respective of the privacy protection necessary for compliance with the law.  Although as noted during the discussion of the Fair Information Principles, the general rules are nominally accepted throughout the world, different cultures and legal structures mean that different approaches to legal regimes exist.  For example, the U.S. takes what is called a sector-based approach and has laws depending on the “type” of personal information, whereas, in Europe, a general approach is employed across all “types.” There is no singular way that is better than another. See the bonus “fifth” step below.

Managing Risks

In addition to defining the privacy controls and understanding the applicable laws, a privacy professional needs to manage the protections for personal information throughout the organization.

To begin, knowing what are the assets needing protection is crucial to putting in place controls to provide the protections.  In addition to feeding the privacy impact assessment, discussed below, the inventory may be necessary for regulatory requirements of notification and registration.  The question here is not whether to have an inventory, but rather how detailed such an inventory should be.  The answer will depend upon both the regulatory requirements and the level of risk depending on the sensitivity of the personal information.  For many situations, having a category-level (i.e. what “types” of personal information) may be more useful than a detailed listing of the data elements processed.  Key though is to be able to maintain a current inventory as a stale one will prevent alignment of controls with known risks.

Just as risk assessments from a cybersecurity standpoint allow a cybersecurity professional to understand the threats and vulnerabilities in an environment, impact assessments provide similar risk understandings from a privacy perspective.  A proper impact assessment allows for the discovery and analysis of risks to privacy from privacy measured against the Fair Information Principles.  The results of the assessment will provide information about how privacy controls need to be integrated into the operational process and what sorts of monitoring and training are appropriate.

An important management area aligns with the cybersecurity practices in ensuring that the organization has an incident response process in place and that process is tested.  The difference with privacy versus cybersecurity are that not only will remediation address discovered weaknesses, but also, because of the impact to individuals, notification to regulatory bodies and the affected individuals will be necessary if the personal information has been compromised.  Most jurisdictions require prompt notices to individuals following an event and regulators judge the effectiveness of a response by examining the delay between discovery and notice.  Data breach response must be ready to go when necessary.

Lastly, and no different from cybersecurity, you need to ensure that there is training and awareness to build a culture of privacy within an organization.  This training should integrate with the cybersecurity training, but not rely on that training as being complete as to be sure to add the components of collection, use, and disclosure, because it is in the operational interaction with personal information that privacy risks come into play.  Separate training that is focused on the particular processing of personal information by the organization will add the necessary dimension.

You are now a privacy savvy security professional!

So, while this article has not made you into a certified privacy professional, you now know the key points that privacy professionals deal with on a day-by-day basis. While privacy and cybersecurity are not the same, they are inexorably intertwined and being able to examine technology and administrative issues from the perspective of privacy will permit better cybersecurity controls. Understanding the Fair Information Principles and that privacy is not just a legal regime, but relates to the risks of an organization processing the information about real people gives you new insight into privacy and allows for more effective management of information overall.  And, in the end, you are now better prepared to safeguard security; welcome again to the profession.