By Chris Cronin, ISO 27001 Auditor, Partner
The ever-increasing demands from laws and regulations to protect personal information come with confusion about what exactly our protection responsibilities are. One source of that confusion is the use of the terms “privacy” and “security.” While “privacy” and “security” are both common terms in laws, regulations, and security standards, they mean very different things and are managed very differently. In fact, the difference between the two has a lot to do with what organizations are capable of controlling.
Regulations make a clear distinction between privacy and security. For instance, HIPAA imposes a “Privacy Rule” and a “Security Rule.” Gramm-Leach-Bliley requires compliance with a “Privacy of Consumer Financial Information Rule” and a “Safeguards Rule,” both of which are enforced by the Federal Trade Commission. Non-U.S. countries commonly speak of “Data Protection,” treating privacy and security as different but equally important concepts.
But what do these two terms mean? “Privacy” refers to an organization’s responsibility to use personal information only for purposes that people approve of. If I am gathering personal information from people who believe I am only using it to provide a service, such as setting doctor appointments, I may not also send that information to a researcher or pharmaceutical marketer. On the other hand, “security” means that I must put safeguards in place to ensure that the confidentiality, integrity, or availability of information is not compromised.
If the distinction is still not clear we can also put it this way: Privacy means that you must not willfully provide personal information to others unless the owner agrees to it. Security means that you must prevent information from being compromised through accident or malicious intent.
But we’ll try to make the distinction even more basic. Privacy: don’t do bad things with personal information. Security: guard personal information so others don’t do bad things to it.
So why do regulations require both privacy and security? The answer largely lies in location. In the U.S., privacy largely protects against nuisance and commercial abuse. In the rest of the world, privacy is meant to prevent systematic discrimination. Think of the legacy of genocide to understand this rationale.
But perhaps the most relevant distinction between privacy and security lies in agency. In terms of privacy, an organization that retains personal information is fully in control of its decision to sell or provide that information to third parties. If it decides to make money by selling its customers’ financial information to a marketer, it has made a (bad) decision of its own volition. Privacy rules tell us not to do that.
Where security is concerned, however, an organization must reduce risks of someone else’s act – intentional or accidental – that compromises the confidentiality, integrity, or availability of information.
As a result of this last distinction, privacy rules and security rules are enforced differently. If we control our use of the personal information in our care, then an explicit privacy ruleset that tells us what we may and may not do is sufficient guidance. But our lack of control over security issues requires that we think in terms of risk instead of explicit rules. We can’t foresee every act that others may inflict on personal information in our care. So security rules require us to think about the likelihood and impact of the threats we can see.
The laws and regulations that govern us may seem arbitrary, but there is an underlying logic that makes them meaningful. The distinction between privacy and security causes us to distinguish between what we can control and what we can only reduce the risk of. This is at the core of accountability, and one that we should keep in mind as we plan our compliance and security efforts.