I had the
pleasure of attending Ark
Group’s Next Generation Data Privacy and
Security Forum on the 23 September. As with other Ark Group events, the event
featured some excellent speakers offering thought-provoking points of view and
stimulated much discussion and debate throughout the day.
Here are some of my own personal “top takeaways” from the forum.
- March 2014 is a key date. The amendments to federal privacy legislation enacted in 2012 come into full effect in March 2014, and extend the requirements for full privacy compliance to commercial as well as government entities. In addition, the Australian Privacy Principles (APPs) are updated to clarify and strengthen compliance expectations and penalties for breaches.
- Measuring the level of privacy compliance. The measure of privacy is a function of the number of attributes in the data, and the relative size of the data set. Techniques for assuring the integrity of an individual’s identity within a data set include adding noise, restricting the types and specificity of queries, and sampling. Monitoring and analysis are crucial. For statistical data sets to fully preserve non-disclosure expectations, data must be abstracted to a level where the individual cannot be identified.
- “Secure the human” – Engage, Empower, Encourage. However good the security technologies and policies are, it’s people’s behaviour that creates the greatest risk exposure. Applying open-sourcing methods to establishing and sharing privacy requirements and security concepts. We improve the expectations and behaviours for security of data if we engage in a partnering model within our communities and with our vendors. A twin-track approach supported by both technology tools and behavioural education campaigns is required.
- The security paradox. We expect universal access to data with absolute confidentiality. The reality is that there has to be a trade-off, where we balance our appetite for risk against our tolerance for potential failure.
- ID Federation. We have a proliferation of accounts online and this is not going to get any better! Multiple unique passwords cannot be the answer and are already moving towards a federated approach to persisting our online identities (Facebook, Google+, Twitter as de facto identification methods), though none has become a universal standard “trusted broker” as yet. Tokens are likely to be a fact of life, at least for the medium term.
- Information Asset Register. The Information Asset Management process is an entry point for multiple conversation – information planning, information value, information ownership, information security, information privacy.
- There is more to NSA than PRISM. Under the auspices of the FISA Act, the NSA has procured what amounts to unfettered access to data services and telecommunications through systems such as MAINWAY (Telco CDRs), BULLRUN (VPN, email and encryption backdoors), UPSTREAM (data tapping of fibre-optics) and BOUNDLESS INFORMANT (visualisation and analytics) as well as PRISM (data services monitoring). The full impacts are unclear, but in addition to the stated counter-terrorism purposes, it is highly likely that these capabilities are also being used for foreign policy interventions and support for US commercial interests. If using cloud-based solution, sensitive or private data should not be stored with US based providers.
It was interesting to note that of the eight presentations
offered during the day, not one addressed technology issues in any level of
detail. The implementation of IT tools was pretty much taken as a “given” by
the forum, which focussed primarily on the human aspects of security and
privacy risks; cultural, behavioural, policy and process concerns were
uppermost in everyone’s list of areas to address. I see this as a positive
shift towards a more mature (and realistic) approach to dealing with the issues
associated with protecting people’s personal data while also meeting the
changing needs of developing businesses.
Of course, all this is predicated on the premise that we
want to keep our personal information, well, personal. For an alternative
perspective on to privacy management, check out Hasan Elahi’s TED Talk….