Security as the Means to Consumer Privacy

Updated: November 24, 2010

In order to have a clearer understanding of the issue, it is necessary to understand the definition of the terms "data security" and "privacy" and the relationship between the two concepts. Data or Information Security, as most are probably aware, can be described as the protection of personal information. The security axiom "confidentiality, integrity, and availability" is likely familiar to most readers. It is ensuring that the data is protected from unauthorized use or access, that it has not been changed or altered, and that the data is available for use when it is needed.

Privacy, on the other hand, is a much more complex issue. The earliest legal definition of privacy is "the right to be let alone" and was coined by Samuel Warren and Louis Brandeis[i] in 1890. For all intents and purposes, this is the definition that drove United States privacy laws until the recent past. This vague definition is now inadequate to deal with the technological aspects of privacy today. For most, privacy can now be defined as "the appropriate use of information." In other words, appropriate privacy practices entail using the data in a manner that is consistent with the consumer's original intent when that information was provided.

It is not uncommon to hear the two terms used interchangeably, as though they are so interconnected as to be synonymous. This misunderstanding is not only unfortunate, but it can be extremely costly for organizations. It is possible to have adequate security without appropriate privacy practices. However, it is not possible to have good privacy practices without robust data security measures. How can this be?

Security is a component of privacy. It is one measure to ensure that consumer data is not subject to unauthorized access or misuse. There are a number of privacy frameworks available for reference. The Federal Trade Commission has published its Fair Information Practice Principles[ii], which outline five primary tenets of privacy. They are as follows:

  • Notice and Awareness: consumers should be informed as to what data is being collected and the methods used to effect that collection.
  • Choice and Consent: consumers should have the option of choosing the extent to which they'd like to share their data and how that data is to be used.
  • Access and Participation: organizations collecting data should allow consumers to review the data collected about them and to ensure its accuracy.
  • Integrity and Security: not only should organizations attempt to verify the data through cross-referencing, but the organization should also ensure appropriate administrative, technical and physical protections to prevent unauthorized access to the data.
  • Enforcement and Redress: organizations should provide consumers with a mechanism by which they can file complaints or disputes about the practices and by which the organization would then investigate those claims and enforce the privacy practices of the organization in question.

The Organization for Economic Co-operation and Development (OECD) has a much more robust guideline designed for companies engaged in cross-border data flow[iii]. Its purpose was to help smooth out some of the disparities between national legislation on privacy practices. These guidelines can be seen in emerging international data privacy laws. These guidelines were first adopted by the organization in 1980, far pre-dating anything that the United States has done with respect to the protection of personal information. The OECD found that "automatic processing and transborder flows of personal data create new forms of relationships among countries and require the development of compatible rules and practices" and "that transborder flows of personal data contribute to economic and social development." For these reasons, and others enumerated within the guideline, the guidelines were developed in order to overcome any hindrances to the data flow that might preclude development.

The OECD Guidelines on the Protection of Privacy and Transborder Data Flows contain a number of principles that organizations should follow in order to comply. Some principles are similar to those in the FTC Fair Information Practices, but they are a bit more far-reaching. They include:

  • Collection Limitation: the collection of personal data should be limited, the individual in question should have knowledge of the collection, and the means used for collection should be fair, ethical, and legal.
  • Data Quality: the data should be accurate and appropriate to the purpose for collection. In other words, data should not be collected simply for the sake of collecting it.
  • Purpose Specification: organizations should be specific and clear about the purposes for which they are collecting the data.
  • Use Limitation: data should be used only for the purposes for which it was originally collected, unless the organization has obtained the consent of the individual or it is being compelled to disclose the information by law enforcement entities.
  • Security Safeguards: reasonable measures should be in place to ensure that the data is not subject to unauthorized use or disclosure.
  • Openness: organizations should be straightforward about their data policies and any changes or updates to the policies.
  • Individual Participation: the individuals about whom the data is being collected should be able to access the data that is collected, review it, and to challenge data that may not be accurate.
  • Accountability: there should be some form of redress for organizations that do not adhere to the policies outlined.