Privacy by Design

Making data privacy considerations an everyday affair

If there’s one good thing to come of the recent furore over Edward Snowden’s revelations about the US National Security Agency PRISM system, it’s that the issue of data privacy has been given some serious attention of late.

Much of the focus in the media has been in relation to the potential impact on personal civil liberties, as well as the complicity of major companies in allowing the NSA to have access to their data (BTW in my view, the dismissive comments to the effect that PRISM is only accessing “metadata, not data” is a diversionary and obfuscating tactic – the information that’s being collected can tell the NSA a lot about people’s activities…)

So data is in the public eye for a wee while. All to the good, and it’s great to see the debate still continues. But from practitioner’s perspective, what can we do to make data protection and privacy more actionable within our companies and organisations?

Recognise the impact

Firstly, you to recognise that (outside of the USA, at least!), failure to manage data privacy can have a material impact on your business:

• Average costs of $2.16m per data breach (or approximately $138 per record lost. Based on Australian 2011 figures)
• Negative effects on stock price (e.g. as identified by Garg, Curtis and Halper in Quantifying the financial impact of IT security breaches., and by Campbell, Gordon, Loeb, and Zhou in The economic cost of publicly announced information security breaches: Empirical evidence from the stock market.)
• According to The Billion Dollar Laptop Study, the average value of a lost laptop is $49,246 with the data breach element equaling 80% of total cost.
• Even a cursory level of analysis and some critical thinking should be able to identify real-world impacts for your own situation.

Recognise that it’s preventable

These types of issue are almost always due to some level of error or systemic failure.

• Human errors & system glitches caused nearly two-thirds of data breaches globally in 2012
• In 2011 there were 1.1M identities per breach, with 232M total identities breached.
• According to Verizon, most victims possess easily exploitable weakness, rather than because they were pre-identified for attack
•  Ponemon Institute and Intel identify that 46% of lost laptops contained confidential data; only 30% encrypted, 10% with anti-theft technology.
•  According to a study by Symantec, bout 65% of employees who commit insider theft have already accepted positions with a competitor.

Understand what data you’ve got

You’ve got to have an up-to-date catalogue of your information holdings. In my earlier post on Information Asset Management, I discuss the need for an Information register as a building block of effective Data Governance. 

Not only does the Information Asset Management process help drive better understanding of the utility and value of your data, it also supports improved management of privacy issues by helping you understand the nature of your data and identifying which data sets have privacy implications.

Classify for Privacy

Organisations have specific obligations to address data privacy matters and provide duty of care in accordance with the relative privacy principles and legislation in their jurisdiction.

The specific classification expectations are normally laid out as part of the definition of the principles, and will typically follow a scheme similar to that laid out by the New South Wales Government, viz:

Privacy Classification	Conditions
PERSONAL – HIGHLY SENSITIVE	Personal information (data) that includes details of ethnicity, union membership, sexual preference and/or medical conditions, or as otherwise indicated by the individual as being particularly sensitive.
PERSONAL	Information (data) that contains information or an opinion about an individual whose identity is apparent or can be reasonably ascertained from the information or opinion.
PERSONAL –DIRECTION TO WAIVE	Personal information (data) where the Privacy Commissioner has made a direction to waive or modify the application of one or more of the Information Principles. (Note: decisions to waive occur rarely and are usually temporary)
OTHER NON-PERSONAL	Information (data) otherwise held that does not meet the above criteria.

Identify who is accountable

Easy to say, hard to do sometimes! 

The questions of ownership and stewardship for data often remain unresolved. This is not just true for the specific aspect of data privacy, but in more general terms of explicit accountability for data.

As with any other aspect of data governance, ownership of the data needs to include an explicit expectation that any Privacy issues will also be proactively managed. (I’ll aim to elaborate on the question of ownership and accountability for data in a future post…)

Service Delivery considerations

The Australian Government Cloud Computing Policy provides both government agencies and industry with guidance on the approach to cloud computing, and identifies consideration factors when procuring cloud-based services. Any solution(s) will need to appropriately balance criteria such as:

• Value for money (including fitness-for-purpose);
• Adequate security;
• Delivering better services;
•  Improving productivity;
• Achieving greater efficiency;
• Developing a more flexible workforce.

The expectation of “adequate security” should be made with reference to the Privacy considerations noted above (as well as other good data management considerations such as sensitivity, IP and Ethics).

Note to that such guidance is equally applicable when considering non-cloud data systems provisioning and application hosting services.

Implications of US Legislation

The US PATRIOT Act of 2011 asserts claims on data that is either stored on US-located services, or operated by US companies, while additional data hosting issues and effects are raised by law enforcement powers identified within instruments such as the US Foreign Intelligence Surveillance Act (FISA) of 1978, Protect America Act of 2007 and FISA Amendment Act of 2008.

These legislative measures also have significant implications and risks for non-US entities hosting data in the US. (See also the excellent paper by UNSW Cyberspace Law and Policy Centre Data Sovereignty And the Cloud )

In the current climate, I suggest that non-US organisations give very serious consideration to the question hosting of data with privacy implications, and that in most circumstances, such data should not be stored in public cloud-based solutions (e.g. such as those provided by Google, Dropbox, iCloud etc.)

Final thoughts

First and foremost, it’s really a case of applying the KISS principle – make it easy for people, and they’re more likely to follow through. (For more and entertaining thoughts on simple solutions to difficult problems, see the excellent TED Talk by Rory Sutherland…).

That means:

• Think “value” not “compliance”
• Register your information assets
• Classify for privacy
• Accountability is imperative
• Plan early and embed into business practices
• Triggers for Privacy should be triggers for Data Governance

Some further online resources that you may find useful to help get you started:

http://www.indefenseofdata.com/
OAIC Guide to handling Personal Information Security Breaches
Information Shield Privacy Breach Impact Calculator
Ponemon Institute
Office of the Australian Information Commissioner
Federal Commissioner for Data Protection and Freedom of Information (Germany)
Information Commissioner’s Office (UK)
European Union