Privacy related data should all be protected by the strongest means possible in the sense that it is protected based on its sensitivity, writes Andreas Wuchner, IT risk manager for Novartis Pharma AG, in his blog.
It is important to notice that in most privacy legislation, "sensitive data" and "personal data" have specific and different meanings. There is an obligation to protect personal data even when it is not sensitive personal data.
Whenever the topic protection of personally identifiable information (PII) comes up, the term "adequate protection" get used sooner or later. But what does this mean and what is adequate?
Adequate protection is not a series of compliance checkboxes you can check off easily and you are done. To define "adequate" a well-defined process is needed. Adequate for one data element may not be adequate for another piece of PII.
There are a couple of issues going along with the process of defining adequate protection. The NIST institute prepared a special list for its agencies explaining the risks they see.
However adequate protection is defined, the goal is to illustrate clearly how to protect sensitive information. Today the term PET (privacy enhancing technologies) is used to mark information technologies allowing the customer to reach this goal of protection. There are a variety of definitions out there about PET, of which I only want to mention a few.
- ICO UK: that exists to protect or enhance an individual's privacy, including facilitating individuals' access to their rights under the Data Protection Act 1998
- EU IC: help to design systems in a way that minimises the collection and use of personal data and facilitates compliance with data protection rules
- IPC Canada: preventing the unnecessary or unlawful collection, use and disclosure of personal data, or by offering tools to enhance the individual control over her/his personal data
- OECD: ranging from tools that provide anonymity to those that allow a user to choose if, when and under what circumstances personal information is disclosed
In short, the PET should technically secure the PII in a way that a change in local legislation cannot violate the former ideas for using and protecting personal data. PET stands for a range of different technologies to protect personal data within information systems. They provide many functions, including:
- Preventing unauthorised access to communications and stored files
- Automating the retrieval of information about data collectors' privacy practices and automating users' decision-making on the basis of these practices
- Automating audits of data collectors' privacy practices; filtering unwanted messages
- Preventing automated data capture through cookies, HTTP headers, web bugs, spyware, etc.
- Preventing communications from being linked to a specific individual
- Facilitating transactions that reveal minimal personal information
PETs can be anything from encryption to anonymisation tools, cookie blockers, P3P technology for privacy policies. A PET symposium runs every year. Much of this technology is reviewed by universities and privacy think-tanks as well as government agencies.
The Europe's Information Society Thematic Portal is a dedicated portal where you can keep track what is going on in this space.
KPMG produced a document for the Dutch parliament some time ago about its view of PET. This document is available on-line.
Even if PET has been out there for some time, it is still far from being a clear and easy-to-understand standard. The PETs of the early years are all point solutions and are all very user centric. There is no big service provider out there which I am aware off offering PET services today. Academia and industry is still actively involved in research into this space.
Actual PET architectural models are trying to combine the user-centric approach with a service provider solution. The future will classify, select and protect sensitive information and not necessarily make it anonymous them any more. Growing technologies such as cloud-based services will support this trend. The whole PET approach is maturing and approaches such as P3P prove this positive trend.
One question which is open for me at the moment is around the financials. From what I have seen so far, I am not convinced that there is a real business case for PET technologies. It goes without saying that we need to do everything possible to protect our sensitive information, but without an incentive and in a tough economic climate, I wouldn't be surprised if
As in many areas of security the real issue of privacy is only partly a technology one. Most of the issues I have seen so far were about people, and they are mostly on education and about processes. The lack of universal standards and also the fact of missing certifications make it even harder to do the right thing sometimes.
Read more on privacy at ITRiskSpace.