Security and Privacy

Contrary to popular belief, security and privacy are not synonymous. This misconception appears to have been exacerbated by media reporting of the high-profile privacy breaches that have occurred over the last couple of years.

Privacy is concerned only with personal information. Personal information is information about an identifiable, living individual; it may include information for which additional steps or knowledge are required in order to identify the individual. Privacy is, however, concerned with much more than the protection of personal information: for example, it covers the reason for and method of collection, and restrictions on the use and disclosure of the information.

Information security, on the other hand, is concerned with the protection of all information and information assets that have value to an organisation (e.g. intellectual property, commercial contracts, official information) and considers security attributes beyond confidentiality (e.g. whether the integrity of the information is assured, or whether staff can be held accountable for their actions).

[Figure: Security and Privacy]

While security and privacy clearly have a relationship with each other, it is important to understand that security cannot address all aspects of privacy. The Privacy Act 1993 contains 12 principles that any individual or organisation (defined as an agency within the Act) collecting, using and storing personal information must meet. The following provides a high-level overview of each principle. (Note: the Privacy Commissioner provides a more detailed overview of the principles here, or you can download the Privacy Act 1993 here.)

1. Purpose of collection of personal information – personal information must not be collected unless it is for a lawful purpose and it is necessary to collect the information for that purpose.

2. Source of personal information – personal information must be collected directly from the individual concerned unless collection is covered by one of the exceptions.

3. Collection of information – individuals must be made aware that personal information is being collected, the purpose of its collection, whether it is voluntary or mandatory to provide it, the consequences of not providing it, and their rights to access and correct the information collected and held about themselves.

4. Manner of collection of personal information – personal information must not be collected using unlawful or unfair methods and must not intrude unreasonably on the personal affairs of the individual concerned.

5. Storage and security of personal information – reasonable steps must be taken to protect personal information from loss, and unauthorised use, disclosure and modification.

6. Access to personal information – individuals have the right to access information collected about themselves unless there is a valid reason to withhold such access.

7. Correction of personal information – individuals have the right to request corrections to the information collected about themselves.

8. Accuracy of personal information to be checked before use – reasonable steps must be taken to ensure that personal information is accurate, complete, relevant, up to date and not misleading before it is used or disclosed.

9. Personal information not to be kept for longer than necessary – personal information must not be kept for longer than required for the purpose for which it was collected.

10. Limits on use of personal information – personal information must not be used for any purpose other than that for which it was collected.

11. Limits on disclosure of personal information – personal information must not be disclosed unless the disclosure is in connection with, or directly related to, one of the purposes for which it was obtained, or is covered by one of the allowed exceptions.

12. Unique identifiers – unique identifiers must not be assigned to individuals unless this is necessary for the efficient delivery of services.

As we can see, only Principle 5 (Storage and security of personal information) is related to information security. The other principles cannot be addressed by information security because they are about the behaviour of the individual or organisation collecting, storing and using personal information. To address those principles, organisations need to develop policies, guidelines and processes that clearly define and place limits on their collection, use and disclosure of personal information. In practice, this means that individuals and organisations that collect personal information should perform a Privacy Impact Assessment (PIA) for each service they deliver that requires them to collect and use personal information (the PIA Handbook can be downloaded from here). They can then use the PIA to identify and document how they will meet their obligations under the Privacy Act.

With that said, let’s look at where information security can help. Principle 5 states “An agency that holds personal information shall ensure –
(a) that the information is protected, by such security safe-guards as it is reasonable in the circumstances to take, against –
(i.) loss; and
(ii.) access, use, modification, or disclosure, except with the authority of the agency that holds the information; and
(iii.) other misuse; and
(b) that if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or unauthorised disclosure of the information.”

For many individuals and organisations, meeting their obligations under Principle 5 can seem overwhelming because of the requirement to take ‘reasonable’ steps to protect the information they collect. Some are fazed by the non-prescriptive nature of the principle. The two most common questions I receive when helping our clients identify the security controls they require to address this principle are:

• What is considered reasonable?

• Is our idea of what is considered reasonable the same as the Privacy Commissioner’s?

These are not easy questions to answer, as ‘reasonable’ is a subjective term. However, I believe that what is reasonable in this context is for the individual or organisation collecting and using personal information to identify and assess the information security risks associated with how they collect, store, process and share it (whether in physical or electronic form), so that they can identify the controls (both behavioural and technical) required to manage those risks appropriately.

Ultimately, whilst it is possible to have security without privacy, it is not possible to have privacy without security. To put it another way, security is one of the enablers of privacy. However, to meet the principles in the Privacy Act, individuals and organisations have to do more than just protect the information they collect.