When talking with people about privacy and information security I often come across a common misconception – that there is nothing more to privacy than security, or that the two are roughly the same. In particular this often comes up in discussions around the use of cloud services where people seem to think that if they address security issues with cloud services, then there is nothing more to do from a privacy perspective.
This week I was lucky enough to attend the New Zealand Identity Conference 2012: Managing Digital Identity in a Networked World. Organised by the Victoria University of Wellington, School of Government; The Office of the Privacy Commissioner; and the Department of Internal Affairs, it was held at Te Papa (The Museum of New Zealand) and pulled together identity and privacy experts from New Zealand and the rest of the world. I found it very interesting and valuable, so I just thought I’d post an overview here, and then explore thinking inspired by the conference in other posts.
A recent article on ReadWriteWeb reminded me of one of the more annoying sources of noise about cloud computing – the double standards of US government agencies and companies around cloud data residency. On the one hand, US government agencies complain that other countries are discriminating against US cloud service providers by raising legitimate concerns about data privacy in the US, while at the same time making Google create special government clouds which keep all data in the US.
As the cloud computing market matures, consumers of cloud services are beginning to realise that successful use of the cloud means more than just getting a cheap and convenient service. Two new documents from the European Union and New Zealand highlight the importance of covering off other factors when buying or using cloud services. The European Network and Information Security Agency (ENISA) has released a document – Procure Secure – which sets out guidelines on how to measure and monitor security of cloud computing services on an ongoing basis. The New Zealand Computer Society is facilitating a Cloud Computing Code of Practice, and has just released a draft for public consultation.
Talking and listening to Jim Harris of OCDQ Blog has got me thinking about data management. Specifically I’m thinking about the challenges facing data management in the New Zealand government sector – where I currently work. Initially when I started here, and saw some issues relating to data management, I thought: “yep, I’ve seen this before – the issues and the answers are the same as in the private sector.” Now that I have been working here a bit longer, I realise that this is only half right, that there are some issues that are specific to government (or the New Zealand government) and that some solutions common in the private sector cannot be straightforwardly applied here either.
One of the significant challenges facing data management in government is navigating the restrictions and constraints introduced by privacy legislation. Why does this matter and how does it impact data management? Well, to take just one example: you can’t create a single view of a customer (or citizen) if the interpretation of privacy law is that you aren’t allowed to match pieces of information about the same person if they are obtained for different purposes. I thought I’d write a series of short posts on this topic, starting with this one on why privacy is a bigger issue for government agencies than it is for the private sector.