When talking with people about privacy and information security I often come across a common misconception – that there is nothing more to privacy than security, or that the two are roughly the same. In particular this often comes up in discussions around the use of cloud services where people seem to think that if they address security issues with cloud services, then there is nothing more to do from a privacy perspective.
We can view security and privacy as being two distinct but overlapping areas of concern. If we start with security, it should be clear that much of security has nothing to do with privacy. There is an awful lot of security that is outside the overlap with privacy. Specifically, anything that has nothing to do with personal information – information about people or that identifies people – has nothing to do with privacy. On reflection we can see that much of security has nothing to do with protecting personal information: protecting commercial information, keeping services up and running, and so on.
What is less obvious is what aspects of privacy lie outside the overlap with security. When I talk about this I often describe the overlap between the two being about securing personal information from unauthorised use. The part of privacy that is not in the overlap I describe as being about authorised use (I know this is a little over-simplistic, but bear with me). It’s about what our authorised people should do and shouldn’t do with personal information.
The OECD guidelines on privacy give us a reasonable overview of the key aspects of the privacy area of concern. These principles are reflected in the privacy laws of many countries, including the EU and New Zealand. The principles are:
- Collection Limitation: that there should be limits to the collection of personal data, and that where possible this should be done with the person’s consent.
- Data Quality: that personal data should be kept accurate and up to date to the extent necessary for the purpose it was gathered.
- Purpose Specification: the purposes the data will be used for should be specified at the time it is collected, and it shouldn’t be used for other purposes.
- Use Limitation: personal data should not be used for any purposes other than those it was collected for (except by consent of the person or as required by law).
- Security Safeguards: personal data should be protected by reasonable security.
- Openness: there should be openness about practices around personal data, including whether it is held and by whom, and the uses it is put to.
- Individual Participation: individuals should be able to find out whether someone has their personal data and what data they have, and to get that data removed or corrected as appropriate.
- Accountability: people or organisations who hold personal data should be accountable for conforming with the principles for that data.
From this list we can see that only one of these principles (the fifth – Security Safeguards) sits within the area of concern of information security. The other principles really have nothing to do with security. They are all about the behaviour of authorised persons, and what kind of behaviour should be authorised.
As a friend of mine puts it – you can have security without privacy, but you can’t have privacy without security. Security should be seen as an enabler for privacy, but it is not sufficient – there is much more to privacy than that.