Security vs privacy - what's the difference?
This is the first in a series of blog posts from our Information Security Lead Marise Alphonso, where she talks about some of the information security issues facing the not-for-profit sector.
There has been much in mainstream media recently on data breaches involving the disclosure of personal information across the health, finance, legal, education and retail sectors.
Personal information is any type of data that can be used to identify an individual – such as names, addresses, ID card numbers, location details, IP addresses and health-related data.
Organisations have a responsibility to securely manage the information entrusted to them by customers and the public.
The Notifiable Data Breaches scheme effective in Australia from February 2018, applies to organisations that have obligations under the Privacy Act (1988) where notification to individuals is necessary if their personal information is involved in a data breach.
Since its inception, a total of 964 data breach notifications have been received by the Office of the Australian Information Commissioner.
The leakage of personal information to unintended recipients points firmly to a violation of privacy. Privacy is a fundamental human right that empowers us to live the lives we choose without interference and infringement on our choices.
Every time we make an online purchase, visit a certain location or sign up to receive a service we provide data to a third party.
Data and the technologies used to process and share it can and must be used for economic, social and environmental good as was discussed at a World Economic Forum panel in January 2019.
This is where the link emerges between privacy and security – where security relates to the practices on how the personal information collected is securely used, shared, stored and accessed.
Organisations have a responsibility to securely manage the information entrusted to them by customers and the public.
To provide services, not-for-profits may hold large amounts of personal information and hence have a duty of care to ensure it is appropriately protected.
Security is a holistic approach to managing the processes, people and technology that work in tandem to improve the cyber risk profile of an organisation.
Taking a data-centric approach to security using a methodology developed by Telstra - The Five Knows of Cybersecurity – is a good starting point.
Since every organisation will have a different business model and hence risk profile, it is important to address security with a risk-based mindset where the most efficient use of available resources is prioritised to address risks that could impact the business.
Security is not a state, but rather a process that must be continually addressed due to the evolving cyber threat landscape, changes in business environment, advances in technology and legal and regulatory requirements.
With the continuing trend in digital transformation, industry, government and academia are looking to address the ethical use of data while not stifling innovation.
These are considerations that must be built into products and services and not bolted on to ensure privacy and security are key foundations of the global digital economy.
Have questions on how data security and privacy are being addressed within your organisation? Check out this useful resource from Justice Connect.
Please note the use of the word ‘security’ in this article encompasses information security, data security and cybersecurity.