Hydrasight notes renewed vendor and media hype in regard to the potential role of technology in the context of securing the privacy of individuals and so-called 'privacy breaches'. However, we believe that the issue of privacy cannot be addressed by the IT organisation (ITO) to any great extent. Hydrasight believes privacy remains a societal issue requiring greater focus on policy and business process than on technology.
During the last decade, an increasing focus on the protection of electronic data of individuals has occurred within many legislatures at a regional and national level (e.g., European Union, California, Australia, Singapore). In many regards, from an IT perspective, the key focus has so far been on the unauthorised disclosure of sensitive or personal information stored by an organisation. More specifically, much of the focus has been on the increasing notification requirements and/or financial penalties that apply where 'breaches' of confidentiality occur. More generally, however, the ITO has focused on the electronic privacy of the individual and their identity (i.e., avoiding unauthorised use, modification or disclosure). This trend has occurred across a variety of differing legislative/regulatory environments and has also caused confusion and complexity for international organisations.
While security and privacy are generally considered together, Hydrasight notes that national security often operates in complete contradiction to the privacy and confidentiality of the individual.
In addition, from a regional perspective, we note that the Asia Pacific view generally does not place as high a value on individual privacy relative to the needs of the state (e.g., Singapore, Hong Kong). Finally, we believe that technological advancements will, for the foreseeable future, continue to create societal/legislative pressure to review and/or amend privacy legislation.
In the broader view, Hydrasight believes privacy is a societal issue requiring equal (or greater) focus on organisational policy and business process than on technology. It also requires continued monitoring of societal trends and refinement of technology application where appropriate (e.g., social networking (refer "Trends (and fallacies) in electronic social networking: part 1 - Asia Pacific")). While technology can help enforce policies to some degree, it simply assists in compliance and reduces risk rather than eliminates it. Privacy will therefore continue to require business-driven leadership and direction from the executive, Human Resources and Legal teams far more than from the ITO. Moreover, Hydrasight continues to believe that there is no such thing as perfect security (refer "Got Security Culture?") and that the complexities inherent in ‘defining security’ will persist despite the outcomes of any legislative change. As such, and in the context of technology risk related to privacy, the ITO must be seen as assisting to reduce the risk of accidental disclosure of sensitive and/or personal electronic data as well as the automation of policy associated with appropriate and defined business processes (refer "Picking battles in the war against information leakage").
As Hydrasight has previously noted, we believe that the application of technology cannot practically ‘solve’ the key issues associated with ensuring privacy for both government and non-government organisations. There are, however, discrete applications of technology that we believe must continue to be applied to the protection of sensitive data, whether related to the individual and/or organisation. Moreover, organisations must ensure that they continue to monitor ongoing technology advancements in information security—as well as changes in societal trends and behaviours—so as to ensure organisations maintain an acceptable level of protection while prudently mitigating addressable privacy risks.