Information Privacy vs Information Security. Not the same, and why organisations need both
“Information Privacy and Information Security are the same thing, right? Or at least pretty similar?” This is a statement we often hear. It is not only untrue, it is a belief or misunderstanding that can expose your organisation to risk or damage.
On the 21st of January 2019 France’s data protection agency (CNIL) issued a $57m USD fine against Google for a breach of the European Union General Data Protection Regulation (GDPR). The CNIL stated that: “Google failed to fully disclose to users how their personal information is collected and what happens to it. Google also did not properly obtain users’ consent for the purpose of showing them personalized ads”.
Privacy advocacy groups noted that the maximum fine applicable could be as high as $4.7bn USD. Google, for its part, is appealing the fine.
It is not the purpose of this blog to offer an opinion on the rights and wrongs of this case. That’s for the courts to decide. However, the case is a good example of why Information Privacy and Information Security are different, and why an Information Privacy breach can be as damaging as, or more damaging than, an information security breach.
Information security is focussed on ensuring only those appropriately authorised can access and amend data, and making sure it’s available when needed.
Information Privacy refers to data collected about individuals. It includes Information security, but it’s also focussed on making sure that data has been collected, used and shared lawfully and for the purposes intended. Information Privacy also allocates rights to the individuals (the data subjects) whose data has been collected.
Information security is about protecting the data from those who should not have access to it or who might change or damage it. Often, but not always, these are external risks or threats. Information Privacy is about how your organisation uses that data. Most often, but again not always, these are internal risks or threats.
The CNIL sanction against Google centred on how the data was used by Google. There was no suggestion that Google had failed to secure the data appropriately. However, the fine was imposed because, in CNIL’s view, Google had breached the privacy rights of the data subjects, particularly with regard to consent. Unless its appeal succeeds, Google will be at least $57m USD worse off, and might consider itself lucky the fine wasn’t substantially larger.
For those organisations that collect, use and disseminate data, and let’s face it that’s most if not all organisations, there are two lessons in this.
Firstly, if your organisation collects any type of data that can be used to identify individuals, then it must widen its scope of view and action beyond security and into privacy. It is not enough to make sure the data is protected; the organisation must also examine the actions it is taking and ensure that the data is being used correctly.
The second lesson is far subtler. When dealing with Privacy and Security programs it is easy to focus on the external threat: the external hacker who can steal our data, who is outside our control and who can make a devastating and very public impact with it. It’s a scary concept that needs and deserves attention.
However, it’s also very easy to forget or lose focus on the internal threats, which are perceived as less threatening. If our organisation is not using our data subjects’ information in the way it should, then those threats, while less obvious and less scary, can be just as damaging.
In our next blog:
In our next blog we will discuss strategies that organisations can use for both Information Privacy and Information Security in Australia, the Asia-Pacific, Europe and globally. In the meantime, if you would like further information, feel free to contact us here at Astrum.