Making data privacy considerations an everyday affair
If there’s one good thing to come of the recent furore over Edward Snowden’s revelations about the US National Security Agency PRISM system, it’s that the issue of data privacy has been given some serious attention of late.
Much of the focus in the media has been in relation to the potential impact on personal civil liberties, as well as the complicity of major companies in allowing the NSA to have access to their data. (BTW, in my view the dismissive comments to the effect that PRISM is only accessing “metadata, not data” are a diversionary and obfuscating tactic: the information that’s being collected can tell the NSA a lot about people’s activities…)
So data is in the public eye for a wee while. All to the good, and it’s great to see the debate still continues. But from a practitioner’s perspective, what can we do to make data protection and privacy more actionable within our companies and organisations?
Recognise the impact
Firstly, you need to recognise that (outside of the USA, at least!) failure to manage data privacy can have a material impact on your business:
- Average cost of $2.16m per data breach (approximately $138 per record lost), based on Australian 2011 figures.
- Negative effects on stock price (e.g. as identified by Garg, Curtis and Halper in Quantifying the financial impact of IT security breaches, and by Campbell, Gordon, Loeb and Zhou in The economic cost of publicly announced information security breaches: Empirical evidence from the stock market).
- According to The Billion Dollar Laptop Study, the average value of a lost laptop is $49,246, with the data breach element equalling 80% of the total cost.
- Even a cursory level of analysis and some critical thinking should be able to identify real-world impacts for your own situation.
Recognise that it’s preventable
These types of issues are almost always due to some level of error or systemic failure.
- Human errors and system glitches caused nearly two-thirds of data breaches globally in 2012.
- In 2011 there were 1.1M identities per breach, with 232M total identities breached.
- According to Verizon, most victims are breached because they possess an easily exploitable weakness, rather than because they were pre-identified for attack.
- Ponemon Institute and Intel identify that 46% of lost laptops contained confidential data; only 30% were encrypted and 10% had anti-theft technology.
- According to a study by Symantec, about 65% of employees who commit insider theft have already accepted positions with a competitor.
Understand what data you’ve got
You’ve got to have an up-to-date catalogue of your information holdings. In my earlier post on Information Asset Management, I discuss the need for an Information register as a building block of effective Data Governance.
Not only does the Information Asset Management process help drive better understanding of the utility and value of your data, it also supports improved management of privacy issues by helping you understand the nature of your data and identifying which data sets have privacy implications.
Classify for Privacy
Organisations have specific obligations to address data privacy matters and provide a duty of care in accordance with the relevant privacy principles and legislation in their jurisdiction.
The specific classification expectations are normally laid out as part of the definition of the principles, and will typically follow a scheme similar to that laid out by the New South Wales Government, viz:
Privacy Classification | Conditions
--- | ---
PERSONAL – HIGHLY SENSITIVE | Personal information (data) that includes details of ethnicity, union membership, sexual preference and/or medical conditions, or as otherwise indicated by the individual as being particularly sensitive.
PERSONAL | Information (data) that contains information or an opinion about an individual whose identity is apparent or can be reasonably ascertained from the information or opinion.
PERSONAL – DIRECTION TO WAIVE | Personal information (data) where the Privacy Commissioner has made a direction to waive or modify the application of one or more of the Information Principles. (Note: decisions to waive occur rarely and are usually temporary.)
OTHER NON-PERSONAL | Information (data) otherwise held that does not meet the above criteria.
Identify who is accountable
Easy to say, hard to do sometimes!
The questions of ownership and stewardship for data often remain unresolved. This is not just true for the specific aspect of data privacy, but in more general terms of explicit accountability for data.
As with any other aspect of data governance, ownership of the data needs to include an explicit expectation that any Privacy issues will also be proactively managed. (I’ll aim to elaborate on the question of ownership and accountability for data in a future post…)
Service Delivery considerations
The Australian Government Cloud Computing Policy provides both government agencies and industry with guidance on the approach to cloud computing, and identifies consideration factors when procuring cloud-based services. Any solution(s) will need to appropriately balance criteria such as:
- Value for money (including fitness-for-purpose);
- Adequate security;
- Delivering better services;
- Improving productivity;
- Achieving greater efficiency;
- Developing a more flexible workforce.
The expectation of “adequate security” should be made with reference to the Privacy considerations noted above (as well as other good data management considerations such as sensitivity, IP and Ethics).
Note too that such guidance is equally applicable when considering non-cloud data systems provisioning and application hosting services.
Implications of US Legislation
The US PATRIOT Act of 2011 asserts claims on data that is either stored on US-located services or operated by US companies, while additional data hosting issues and effects are raised by law enforcement powers identified within instruments such as the US Foreign Intelligence Surveillance Act (FISA) of 1978, the Protect America Act of 2007 and the FISA Amendment Act of 2008.
These legislative measures also have significant implications and risks for non-US entities hosting data in the US. (See also the excellent paper by the UNSW Cyberspace Law and Policy Centre, Data Sovereignty and the Cloud.)
In the current climate, I suggest that non-US organisations give very serious consideration to the question of hosting data with privacy implications, and that in most circumstances such data should not be stored in public cloud-based solutions (such as those provided by Google, Dropbox, iCloud etc.).
Final thoughts
First and foremost, it’s really a case of applying the KISS principle: make it easy for people, and they’re more likely to follow through. (For more, and entertaining, thoughts on simple solutions to difficult problems, see the excellent TED Talk by Rory Sutherland…)
That means:
- Think “value” not “compliance”
- Register your information assets
- Classify for privacy
- Accountability is imperative
- Plan early and embed into business practices
- Triggers for Privacy should be triggers for Data Governance
Some further online resources that you may find useful to help get you started:
- OAIC Guide to handling Personal Information Security Breaches
- Information Shield Privacy Breach Impact Calculator
- Ponemon Institute
- Office of the Australian Information Commissioner
- Federal Commissioner for Data Protection and Freedom of Information (Germany)
- Information Commissioner’s Office (UK)
- European Union