
Fundamentals of Privacy

It’s no secret that I believe privacy is going to be a major topic of discussion this year. As part of our first monthly newsletter, Keep Secure focused on user privacy and how to stay safe online. We also touched on it in our security tasks for 2019 post (https://www.keepsecure.ca/blog/this-year-dont-get-zucked/).


Around the middle of last year, GlaxoSmithKline (a pharmaceutical company) announced a partnership with 23andMe (a personal genomics and biotechnology company), and later moved to buy them. For most of us in the security field, this was an obvious outcome for the 23andMe service. By itself, it added (in my opinion) little value to an individual user. The aggregation of all of that data, however, proved to be worth quite a bit to drug companies that want to conduct research using your data (https://www.businessinsider.com/dna-testing-delete-your-data-23andme-ancestry-2018-7). According to some reports, 23andMe had about 5 million customers, which works out to about $60 per customer record. Not bad, I guess.

At Keep Secure, many of our customers hold or retain personally identifiable information (PII) about their clients in order to conduct business. Because of this, we enter into many discussions around privacy, its impact, and what controls need to be in place to adequately protect the data. While laws around the globe vary in their exact details, most privacy regulation is based on the Fair Information Practice Principles (FIPPs). Here are a couple of resources to get started with FIPPs:

https://en.wikipedia.org/wiki/FTC_fair_information_practice
https://ethics.berkeley.edu/sites/default/files/fippscourse.pdf

According to PIPEDA information (https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/p_principle/) these principles can be summarized as follows:

Accountability

An organization is responsible for PII under its control.

Identifying Purposes

The purpose for which PII is collected must be identified at the time of collection.

Consent

Consent is required for the collection, use, or disclosure of PII.

Limiting Collection

Organizations should collect only the data they require.

Limiting Use, Disclosure, and Retention

PII can be used only for the purposes identified at the time of collection.

Accuracy

Organizations have a duty to ensure that the PII used by their systems is as accurate as possible.

Safeguards

PII should be protected with controls proportionate to the sensitivity of the information.

Openness

Organizations must make detailed information about their policies and practices readily available.

Individual Access

Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to that information.

Challenging Compliance

Any individual shall be able to challenge an organization’s compliance with relevant laws.

Like security concerns, privacy concerns should be addressed at every phase of the product development lifecycle, from architecture and design all the way through implementation. Also like security, privacy controls can span people, process, and technology. Products and solutions should be secure by design, and they should have privacy by design as well.

In the opening chapter of the O’Reilly book, “The Architecture of Privacy” (http://shop.oreilly.com/product/0636920033714.do), the authors list a series of questions that should be considered when starting to address privacy concerns.

  1. Does this technology interact with personally identified or identifiable information?
  2. What is the technology supposed to do with the data?
  3. What could the technology do with the data?
  4. What are the potential privacy concerns?
  5. How can you configure your privacy building blocks to address those issues?
  6. Is your solution creating or storing new types of data that might expose new facets of an individual’s life?
  7. Would exposure of that information cause embarrassment, lead to stigmatization of or discrimination against the individual, or even just inconvenience or annoyance?
  8. Does the creation and/or use of the collected data change the balance of power between individuals, businesses, or governments?

These questions are definitely food for thought when designing your solution. Answering yes to any of them does not mean that you should abandon your idea; it means that you will need to think carefully about how to mitigate the associated privacy risks along the way.

This is an area that Keep Secure plans to focus on more in 2019. If you need help with understanding your privacy exposure, please do not hesitate to reach out.


About Shamir Charania

Shamir Charania, a seasoned cloud expert, possesses in-depth expertise in Amazon Web Services (AWS) and Microsoft Azure, complemented by his six-year tenure as a Microsoft MVP in Azure. At Keep Secure, Shamir provides strategic cloud guidance, from senior architecture-level decision-making to the technical chops to back it all up. With a strong emphasis on cybersecurity, he develops robust global cloud strategies prioritizing data protection and resilience. Leveraging complexity theory, Shamir delivers innovative and elegant solutions to address complex requirements while driving business growth, positioning himself as a driving force in cloud transformation for organizations in the digital age.
