"What is the difference between privacy and security?" is a question that we're often asked as security or privacy professionals. Some of us may believe that you can’t have one without the other, while others may argue that you can have security without privacy, but you can’t have privacy without security. I tend to be in the first camp, and I will make my case in this article. I mainly believe this because a lack of privacy can also lead to the disclosure of passcodes or access information, which can then lead to a breach of security and the disclosure of other private data.
This article is as much about the difference between privacy and security as it is about their interrelationship.
What is Security?
The 3 main objectives of security are confidentiality, integrity and availability of data and systems, as defined by major security certifications. These objectives are achieved by deploying technical and operational controls to ensure that the data is safe from unauthorized access and use, reliable, accurate, and available for use when it is needed. Chief Information Security Officers (CISOs) normally design strategies and plans to achieve these objectives with the right balance of technical solutions, identity and access management processes, and well-educated employees. One of the main steps that CISOs take to reduce security risks is educating business unit personnel about collecting only the minimum data necessary to run the business, keeping the data safe at all times, and destroying the data as soon as it is no longer needed.
What is Privacy?
Privacy principles vary depending on the specific regulations of each country, but they mainly address the appropriate use and protection of information while defining and ensuring consumer rights and business obligations. For example, businesses should have privacy notices that communicate to customers and users their policies and procedures for protecting the information they collect from customers for business transactions or use of their services. These notices must address why, where and how they collect the information, for what business use or purpose, and how they intend to maintain and protect the data. For example, some companies may notify customers that they collect address information for product shipping purposes only. They therefore cannot share the information with or sell it to others unless they also communicate this business practice in their privacy notices before the practice is implemented.
There are 10 generally accepted privacy principles which define "the rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and disposal of personal information." These general principles cover most global privacy regulations with minor variations. From this list we can see that, to some extent, the privacy of consumer information is dependent on security, and security is dependent on the privacy of access credentials and rights to various systems and data.
1. Management. The entity defines, documents, communicates, and assigns accountability for its privacy policies, notices, and procedures.
2. Notice. The entity provides an honest, transparent, and complete privacy notice (Notice) about its policies and procedures and identifies the legitimate purposes for which proportionate personal information is collected, used, retained, and disclosed.
3. Choice and consent. The entity describes the choices available to the individual and obtains consent with respect to the collection, use, and disclosure of personal information. This applies to anonymous transactions, use of pseudonyms where practicable, and opt-out of data sharing with third parties.
4. Collection. The entity describes the collection process, such as what, why and how data is collected, and collects only the minimum personal information for the purposes identified in the Notice, with the appropriate data owner consent.
5. Use, retention, and disposal. The entity limits the use of personal information for the purposes identified in the Notice and for which the individual has provided consent. This includes the use of unique identifiers. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.
6. Access. The entity provides individuals information about their personal data as well as access to review and update their information, including the option to challenge the entity's compliance.
7. Disclosure to third parties. The entity discloses personal information to third parties only for the purposes identified in the Notice, with the consent of the individual, and after making sure the third party complies with data protection principles.
8. Security. The entity protects personal information in all its forms against unauthorized access with the necessary means, whether technical or operational.
9. Quality. The entity maintains accurate, complete, and relevant personal information for the purposes identified in the Notice.
10. Monitoring and enforcement. The entity monitors compliance with its privacy policies and has procedures to address privacy-related complaints and disputes.
The Relationship Between Data Security and Data Privacy
To put everything into perspective, we must emphasize a few things:
1. Regulations drive privacy initiatives,
2. Security and privacy help each other achieve their goals, and
3. Technology alone cannot solve our security and privacy challenges.
While the discussion around the difference between privacy and security is a complex and lengthy one, it is worthwhile to summarize that the security objectives of confidentiality, integrity, and availability ensure privacy when these objectives are applied to the personal information of customers and users. In turn, the privacy of privileged access rights and credentials ensures the continued security of all business data.
With the proper training and experience, industry professionals can address privacy and security with a consolidated role. In fact, this may even be a requirement with the European General Data Protection Regulation.