For IT managers, privacy is a two-edged sword. On one edge, everybody’s privacy seems to be in more danger than ever before.
87 million people had personal information taken legally from Facebook which was then used by Cambridge Analytica to create psychologically targeted political ads. The location of your mobile phone can be tracked precisely, and the information is often sent to dozens of private firms, from whom it can be purchased. Facial recognition technology is getting better and more widely available.
On the other edge, IT managers are responsible for carrying out the IT aspects of their own organizations’ privacy policies. Here, the concern may be whether the organization must comply with privacy regulations, and, if so, how much effort it will take to achieve that compliance. Note the irony here. Does it depend on which side of the privacy divide, individual or corporate, you are on?
Confidentiality vs. Privacy
I suspect that many organizations have put off identifying what privacy data they have because of the perceived amount of effort involved. Fortunately, you can reduce the effort of privacy compliance (and of taking a sound ethical position) with one simple step: make a clear distinction between confidentiality and privacy. As we will see, protecting privacy in IT is much less demanding than protecting confidentiality.
Privacy is “freedom from damaging publicity, public scrutiny, secret surveillance, or unauthorized disclosure of one’s personal data or information.” Confidentiality means “the state of keeping or being kept secret or private.” Confidentiality can apply to anything designated as confidential. Privacy applies to entities controlling knowledge about themselves.
In IT practice, data in need of protection for privacy reasons is data about individuals. The National Institute of Science and Technology’s (NIST’s) recent Privacy Framework makes this distinction. It says, “The Privacy Framework approach to privacy risk is to consider privacy events as potential problems individuals could experience arising from system, product, or service operations with data, whether in digital or non-digital form, through a complete life cycle from data collection through disposal.” They also provide a nice diagram illustrating the distinction:
As the diagram shows, only a portion of what you must protect in the name of security – the intersection of the two circles – must be protected in the name of privacy. You don’t have to wade into documents and determine which are confidential, for example.
All you must do is find all the personally identifiable information, plus information that can be combined to identify somebody. This includes things like:
Social Security numbers
Social media posts
Two of these, email addresses and IP addresses, are “involuntarily” collected in the sense of coming into your organization’s possession as the result of the operations of email systems and websites. If you do no more than use them in those contexts, they are not likely to be a problem. Putting them into a CRM system, however, is something quite different.
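To show how the PII-finding step above can be started in practice, here is an added example (mine, not CGNET's and not part of the post) that scans constructed sample data for Social Security numbers, email addresses and IP addresses, and flags a data source for privacy controls when it holds identifiers outside their operational context (the mail log vs. CRM distinction made above). The source names, records and the "operational" flag are assumptions made up for the illustration.

```python
import re
from collections import Counter

# Constructed sample data sources (not real records). "operational" marks a
# source where email/IP addresses arrive as a by-product of running a service.
SOURCES = {
    "mail_server_log": {
        "operational": True,
        "records": [
            "2024-01-03 10:02:11 accepted mail from alice@example.com via 203.0.113.7",
            "2024-01-03 10:05:43 accepted mail from bob@example.org via 198.51.100.23",
        ],
    },
    "crm_export": {
        "operational": False,
        "records": [
            "Alice Example,alice@example.com,203.0.113.7,123-45-6789",
            "Bob Example,bob@example.org,198.51.100.23,",
        ],
    },
}

# Simple detectors for the identifier types named in the post.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}
# Identifier types that need privacy controls wherever they turn up.
ALWAYS_SENSITIVE = {"ssn"}


def scan_records(records):
    """Count how many matches of each identifier type the records contain."""
    counts = Counter()
    for rec in records:
        for name, pat in PATTERNS.items():
            counts[name] += len(pat.findall(rec))
    return counts


def classify_source(name, source):
    """Report which identifiers a source holds and whether it needs privacy controls."""
    found = {k for k, v in scan_records(source["records"]).items() if v}
    # In scope if an always-sensitive identifier is present, or if any
    # identifier is held outside its operational context (e.g. copied into a CRM).
    in_scope = bool(found & ALWAYS_SENSITIVE) or bool(found and not source["operational"])
    return {"source": name, "found": sorted(found), "needs_privacy_controls": in_scope}


def inventory(sources=SOURCES):
    """Build the privacy inventory for every configured data source."""
    return [classify_source(n, s) for n, s in sources.items()]
```

Running `inventory()` lists the mail log as holding email and IP addresses without needing privacy controls, while the CRM export is flagged because it holds the same identifiers outside their operational context plus an SSN.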
CGNET is putting together a more comprehensive guide to developing a privacy protection program. I’ll announce it when it’s ready.