To frame the concept of security management versus privacy management especially when it comes to international standards, we need to introduce some concepts. Firstly, we need to understand the boundaries of responsibility between privacy and security when there is a personal data breach. Those responsible for security are tasked with protecting the confidentiality of personal data. Thus, privacy is responsible for classifying the personal data and determining the security measures required.
After the roles have been clarified, the boundaries of responsibility need to be agreed. In order to do this, the organization needs security countermeasure classification categories. One way to do this is to categorise information into existing levels of security classification. For example: top secret, secret, confidential and unclassified. Personal data can be classified based on the level of secrecy required of the information. You may also define and document other forms of data classification schemes for personal data. This definition is needed by those working on or developing privacy measures in order to clearly define responsibilities. For those organizations who are seeking further guidance I would recommend privacy and security international standards such as the ISO/IEC 29151 Code of Practice for Personally Identifiable Information protection as a good technical practice guide.
The difference between privacy and security
Security, by definition means that the organization has a responsibility to secure and protect all types of information. Privacy within this framework means the appropriate use of personal information, and within legal and internationally accepted guidelines. So how do we define “appropriate”?
A layman’s point of view to “appropriate” use might be to avoid the use of personal information that affects the life of an individual in a manner that causes harm. The level of this harm varies and might include a company collecting information to push direct mail to a person after collecting his or her contact details. Direct mail is neither good nor bad and depends on whether the recipient likes to receive it or not. The “appropriate” thing for the company is to then manage the preferences of the individuals. However, there may be another issue. If the company does collect information, but does nothing with it then the customer may wonder why that information was collected. What will it be used for? This is not then a legal issue, but rather one of customer trust and this brings us neatly to the issue of notice and consent.
Notice and consent
Of course, consent is tremendously important. There are two types of consent that are required. The first one is explicit consent and the second is implicit consent. Explicit consent means that an action by the principal of that personal information is required to collect consent for data collection. Consent cannot be assumed. An example is ticking an “agreement” box to agree to receive a newsletter. The second is implicit consent. Action by the individual is not required. If the individual does not tick a “disagreement” box, then the organization can accept that as implicit consent to collect and use their personal information.
Within any large organizations, there are a variety of different types of personal information (such as address, social security numbers, mobile phone numbers, email address) that may be used in different ways. That is why it is essential to build a spreadsheet listing the types of individual information and whether various types of consent have been granted. It is interesting to note that in the European Union under the rules and regulations of the General Data Protection Regulation (EU GDPR), explicit consent is required – these rules and regulations do not permit implicit consent.
Using privacy and security international standards
International standards such as ISO/IEC JTC 1 SC 27 that addresses privacy and security, go a long way towards informing an organization on guidelines of how to treat consent. These international standards also highlight the importance of privacy impact assessments (PIA). In the real world, the PIA might sometimes be the assessment for the impact on business’s regarding a privacy incident or a security incident, rather than be limited to the impact on the individual whose information might be compromised. SC 27 does not fully cover the impact on the individual, but that will probably be the next step in the evolution of that international standard.
In the end privacy and security risks cannot be decided by the company directly, or alone. Risk assessment must be shared between the organization and the customers or consumers. The responsibility of the company is to ensure that it follows all the applicable rules and regulations regarding notice and consent and makes every effort to go beyond simple requirements when it comes to absolute transparency when declaring its intended use of information to the customer or client. Failure to do so will not only incur the wrath of regulators and the attendant fines as well as other possible civil legal penalties, but will also expose the company to enormous reputational risk.