
Privacy-related data should all be protected by the strongest means possible, in the sense that each item is protected according to its sensitivity, writes Andreas Wuchner, IT risk manager for Novartis Pharma AG, in his blog.
It is important to note that in most privacy legislation, "sensitive data" and "personal data" have specific and different meanings. There is an obligation to protect personal data even when it is not sensitive personal data.
Whenever the topic of protecting personally identifiable information (PII) comes up, the term "adequate protection" gets used sooner or later. But what does this mean, and what is adequate? Adequate protection is not a series of compliance checkboxes you can tick off and be done with. Defining "adequate" requires a well-defined process, because what is adequate for one data element may not be adequate for another piece of PII.
A couple of issues come with the process of defining adequate protection. NIST prepared a special list for US federal agencies explaining the risks it sees.
However adequate protection is defined, the goal is to state clearly how sensitive information is to be protected. Today the term PET (privacy enhancing technologies) is used to label information technologies that allow the customer to reach this goal of protection. There are a variety of definitions of PET out there, of which I only want to mention a few.
- ICO UK: technology that exists to protect or enhance an individual's privacy, including facilitating individuals' access to their rights under the Data Protection Act 1998
- EU IC: technology that helps to design systems in a way that minimises the collection and use of personal data and facilitates compliance with data protection rules
- IPC Canada: technology preventing the unnecessary or unlawful collection, use and disclosure of personal data, or offering tools to enhance the individual's control over her/his personal data
- OECD: technology ranging from tools that provide anonymity to those that allow a user to choose if, when and under what circumstances personal information is disclosed
In short, a PET should secure the PII by technical means, so that a change in local legislation cannot undo the original intent for using and protecting the personal data. PET stands for a range of different technologies that protect personal data within information systems. They provide many functions, including:
- Preventing unauthorised access to communications and stored
files
- Automating the retrieval of information about data collectors'
privacy practices and automating users' decision-making on the
basis of these practices
- Automating audits of data collectors' privacy practices;
filtering unwanted messages
- Preventing automated data capture through cookies, HTTP
headers, web bugs, spyware, etc.
- Preventing communications from being linked to a specific
individual
- Facilitating transactions that reveal minimal personal
information
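The two points above that matter most in practice are that protection is chosen per data element according to its sensitivity, and that a transaction should reveal only the minimal personal information it needs. The following is an added example, not code from the blog post or from any PET product: a small Python data-minimisation step that applies a per-field policy to a customer record. Identifiers are pseudonymised with a keyed HMAC (so re-identification needs the key holder, not just the data), a date of birth is generalised to a year, a health field is suppressed, and any field the policy does not mention is suppressed by default rather than passed through. The field names, the policy table, the sample record and the key are all constructed for the example.

```python
"""Sensitivity-tiered minimisation of a customer record (added example).

Each field gets the protection its sensitivity calls for; fields that
the policy does not know about are dropped, so a new column added to
the source system never leaks by accident.
"""
import hashlib
import hmac
from datetime import date

# Constructed policy: protection action per field, chosen by sensitivity.
POLICY = {
    "customer_id": "pseudonymise",     # direct identifier: keyed hash
    "email": "pseudonymise",           # direct identifier: keyed hash
    "date_of_birth": "generalise_year",  # quasi-identifier: reduce precision
    "diagnosis": "suppress",           # sensitive (health): never leaves
    "country": "keep",                 # low sensitivity, needed downstream
    "order_total": "keep",             # not personal data on its own
}

# Constructed sample input and pseudonymisation key (demo values only;
# a real key would live in a key store, never next to the data).
DEMO_KEY = b"constructed-demo-key-not-for-production"
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "email": "ada@example.com",
    "date_of_birth": "1980-05-17",
    "diagnosis": "constructed-health-value",
    "country": "CH",
    "order_total": 42.5,
    "phone": "+41 00 000 00 00",  # not in POLICY: must be suppressed
}


def pseudonymise(value, key):
    """Keyed, deterministic pseudonym: same input + same key -> same token,
    but without the key the token cannot be reversed or even recomputed."""
    digest = hmac.new(key, str(value).encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


def generalise_year(value):
    """Reduce an ISO date to its year to weaken it as a quasi-identifier."""
    return date.fromisoformat(value).year


def minimise(record, key, policy=POLICY):
    """Apply the per-field policy; unknown fields default to 'suppress'."""
    out = {}
    for field, value in record.items():
        action = policy.get(field, "suppress")
        if action == "keep":
            out[field] = value
        elif action == "pseudonymise":
            out[field] = pseudonymise(value, key)
        elif action == "generalise_year":
            out[field] = generalise_year(value)
        elif action == "suppress":
            continue
        else:
            raise ValueError(f"unknown policy action {action!r} for {field!r}")
    return out


if __name__ == "__main__":
    for k, v in minimise(SAMPLE_RECORD, DEMO_KEY).items():
        print(f"{k}: {v}")
```

The default-suppress branch is the part worth copying: an allow-list of fields with an explicit action per field is what makes "adequate" checkable, whereas a block-list of known-sensitive fields silently passes everything else through.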
PETs can be anything from encryption to anonymisation tools, cookie blockers and P3P technology for machine-readable privacy policies. A PET symposium runs every year, and much of this technology is reviewed by universities and privacy think-tanks as well as government agencies.
Europe's Information Society Thematic Portal is a dedicated portal where you can keep track of what is going on in this space.
KPMG produced a document for the Dutch parliament some time ago about its view of PET. This document is available on-line.
Even though PETs have been around for some time, there is still no clear and easy-to-understand standard. The PETs of the early years are all point solutions and all very user-centric. There is no big service provider out there which I am aware of offering PET services today. Academia and industry are still actively involved in research in this space.
Current PET architectural models are trying to combine the user-centric approach with a service-provider solution. The future will classify, select and protect sensitive information rather than necessarily anonymise it. Growing technologies such as cloud-based services will support this trend. The whole PET approach is maturing, and approaches such as P3P prove this positive trend.
One question which is open for me at the moment is around the
financials. From what I have seen so far, I am not convinced that
there is a real business case for PET technologies. It goes without
saying that we need to do everything possible to protect our
sensitive information, but without an incentive and in a tough
economic climate, I wouldn't be surprised if
As in many areas of security, the real issue of privacy is only partly a technology one. Most of the issues I have seen so far were about people, mostly about education and processes. The lack of universal standards, and the missing certifications, make it even harder to do the right thing sometimes.
Send feedback and comments either directly on the blog or via e-mail. Read more on privacy at ITRiskSpace.