It’s no secret that I believe privacy is going to be a major issue of discussion and chatter this year. As part of our first monthly newsletter, Keep Secure focused on user privacy and how to stay safe online. We’ve also chatted a bit about it in our security tasks for 2019 post. (https://www.keepsecure.ca/blog/this-year-dont-get-zucked/)
About the middle of last year, GlaxoSmithKline (a pharmaceutical company) announced a partnership with 23andMe (a personal genomics and biotechnology company), and later moved to buy them. For most of us in the security field, this was an obvious outcome for a service like 23andMe. By itself, the service added (in my opinion) little value to an individual user. The aggregation of all of that data, however, proved to be worth quite a bit to drug companies who want to conduct research using your data. (https://www.businessinsider.com/dna-testing-delete-your-data-23andme-ancestry-2018-7). According to some reports, 23andMe had about 5 million customers, resulting in about $60 per customer record. Not bad I guess.
At Keep Secure, many of our customers hold or retain personally identifiable information (PII) on their clients in order to conduct business. Because of this, we enter into many discussions around privacy, its impact, and what controls need to be in place to adequately protect that data. While laws around the globe vary on exact details, most privacy regulation is based on the Fair Information Practice Principles (FIPPs). Here are a couple of resources to get started with FIPPs.
According to PIPEDA information (https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/p_principle/) these principles can be summarized as follows:
An organization is responsible for PII under its control.
The purpose for which PII is captured must be identified at the time of collection.
Consent is required for the collection, use, or disclosure of PII.
Organizations should only collect the data they require.
PII can only be used for the purposes identified upon collection.
Organizations have a duty to ensure PII used by their systems is as accurate as possible.
PII should be protected with safeguards appropriate to the sensitivity of the information.
Organizations must make detailed information about their policies and practices readily available.
Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to that information.
Any individual shall be able to challenge an organization’s compliance with relevant laws.
Like security concerns, privacy concerns should be addressed at all phases of the product development lifecycle, from architecture/design all the way to implementation. Also like security, privacy controls can span people, process, and technology. Products and solutions should be secure by design, and they should have privacy by design as well.
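To make the "technology" part of privacy by design concrete, here is an added example (my own illustration, not code from Keep Secure, PIPEDA or the O’Reilly book) of how four of the principles listed above (identified purpose, limiting collection, limiting use, and individual access) can be enforced inside a small data-access layer rather than left to policy documents. The purpose catalogue, field names, actor names and sample values are constructed for the example.

```python
"""Purpose-limited PII store: a hypothetical illustration of turning privacy
principles into code-level controls (added example, not a reference design)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Constructed purpose catalogue: which fields each stated purpose actually needs.
# "Identifying purposes" and "limiting collection" live here as data, so a new
# purpose or field has to be reviewed before the code will accept it.
PURPOSE_FIELDS: Dict[str, FrozenSet[str]] = {
    "account_billing": frozenset({"name", "email", "postal_code"}),
    "product_research": frozenset({"email"}),
}


class PrivacyViolation(Exception):
    """Raised when a collection or use would breach a stated principle."""


@dataclass(frozen=True)
class PiiRecord:
    subject_id: str
    field: str
    value: str
    purposes: FrozenSet[str]  # purposes the individual consented to at collection


class PiiStore:
    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], PiiRecord] = {}
        self.audit_log: List[Tuple[str, ...]] = []

    def collect(self, subject_id: str, field: str, value: str,
                consented_purposes: Iterable[str]) -> None:
        purposes = frozenset(consented_purposes)
        # Consent + identified purpose: nothing is stored without a stated purpose.
        if not purposes:
            raise PrivacyViolation(f"{field}: no purpose identified at collection")
        unknown = purposes - set(PURPOSE_FIELDS)
        if unknown:
            raise PrivacyViolation(f"unknown purposes {sorted(unknown)}")
        # Limiting collection: the field must be needed by a consented purpose.
        if not any(field in PURPOSE_FIELDS[p] for p in purposes):
            raise PrivacyViolation(f"{field} is not required for {sorted(purposes)}")
        self._records[(subject_id, field)] = PiiRecord(subject_id, field, value, purposes)
        self.audit_log.append(("collect", subject_id, field, tuple(sorted(purposes))))

    def use(self, subject_id: str, field: str, purpose: str, actor: str) -> str:
        rec = self._records.get((subject_id, field))
        if rec is None:
            raise KeyError(f"no {field} held for {subject_id}")
        # Limiting use: the purpose must be one the individual consented to.
        if purpose not in rec.purposes:
            self.audit_log.append(("denied", subject_id, field, purpose, actor))
            raise PrivacyViolation(f"{field} of {subject_id} not consented for {purpose}")
        self.audit_log.append(("use", subject_id, field, purpose, actor))
        return rec.value

    def subject_access_report(self, subject_id: str) -> dict:
        # Individual access: what is held, under which purposes, and every
        # use (or refused use) of it, straight from the audit log.
        held = {rec.field: sorted(rec.purposes)
                for (sid, _), rec in self._records.items() if sid == subject_id}
        history = [e for e in self.audit_log
                   if e[1] == subject_id and e[0] in ("use", "denied")]
        return {"fields": held, "history": history}


def violates(action, *args) -> bool:
    """True if calling action(*args) raises PrivacyViolation."""
    try:
        action(*args)
    except PrivacyViolation:
        return True
    return False


if __name__ == "__main__":
    store = PiiStore()
    store.collect("u1", "email", "a@example.invalid", ["account_billing", "product_research"])
    store.collect("u1", "postal_code", "K1A 0B1", ["account_billing"])
    print(store.use("u1", "email", "product_research", "analyst"))
    print(violates(store.use, "u1", "postal_code", "product_research", "analyst"))
    print(store.subject_access_report("u1"))
```

The point of the design is that the consented purposes travel with each record, so a later request for the data for a new purpose (say, research on a field collected only for billing) is refused and logged rather than quietly fulfilled, and the same log is what answers an access request from the individual.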
In the opening chapter of the O’Reilly book, “The Architecture of Privacy” (http://shop.oreilly.com/product/0636920033714.do), the authors list a series of questions that should be considered when starting to address privacy concerns.
These questions are definitely food for thought when designing your solution. Answering yes to any of them does not mean that you should not go ahead with your idea; it just means that you will need to strongly consider how to mitigate the associated privacy risks along your journey.
This is an area that Keep Secure plans to focus on more in 2019. If you need help with understanding your privacy exposure, please do not hesitate to reach out.
Shamir is a Microsoft Most Valuable Professional (MVP – Azure) and has extensive experience building solutions in the cloud, from strategy to deployment to automation.