To understand the issue clearly, it is necessary to define the terms "data security" and "privacy" and the relationship between the two concepts. Data or Information Security, as most are probably aware, can be described as the protection of personal information. The security axiom "confidentiality, integrity, and availability" is likely familiar to most readers. It means ensuring that the data is protected from unauthorized use or access, that it has not been changed or altered, and that it is available for use when it is needed.
Privacy, on the other hand, is a much more complex issue. The earliest legal definition of privacy is "the right to be let alone" and was coined by Samuel Warren and Louis Brandeis[i] in 1890. For all intents and purposes, this is the definition that drove United States privacy laws until the recent past. This vague definition is now inadequate to deal with the technological aspects of privacy today. For most, privacy can now be defined as "the appropriate use of information." In other words, appropriate privacy practices entail using the data in a manner that is consistent with the consumer's original intent when that information was provided.
It is not uncommon to hear the two terms used interchangeably, as though they are so interconnected as to be synonymous. This misunderstanding is not only unfortunate, but it can be extremely costly for organizations. It is possible to have adequate security without appropriate privacy practices. However, it is not possible to have good privacy practices without robust data security measures. How can this be?
Security is a component of privacy. It is one measure to ensure that consumer data is not subject to unauthorized access or misuse. There are a number of privacy frameworks available for reference. The Federal Trade Commission has published its Fair Information Practice Principles[ii], which outline five primary tenets of privacy. They are as follows:
The Organization for Economic Co-operation and Development (OECD) has a much more robust set of guidelines designed for companies engaged in cross-border data flow[iii]. Their purpose was to help smooth out some of the disparities between national legislation on privacy practices, and their influence can be seen in emerging international data privacy laws. The organization first adopted these guidelines in 1980, far pre-dating anything that the United States has done with respect to the protection of personal information. The OECD found that "automatic processing and transborder flows of personal data create new forms of relationships among countries and require the development of compatible rules and practices" and "that transborder flows of personal data contribute to economic and social development." For these reasons, and others enumerated within the guidelines, they were developed in order to overcome any hindrances to the data flow that might preclude development.
The OECD Guidelines on the Protection of Privacy and Transborder Data Flows contain a number of Principles that organizations should follow in order to comply. Some principles are similar to those in the FTC Fair Information Practices, but are a bit more far-reaching. They include: