If you are a Twitter user, you might have noticed the popularity of the hashtag #PrivacyAware. This momentum is caused by Data Privacy Day organized every year by the National Cyber Security Alliance (@StaySafeOnline). It began in the United States and Canada in 2008, as an extension of the Data Protection Day celebration in Europe.
2017’s theme was ‘respecting privacy, safeguarding data and enabling trust’.
We followed this event closely and have participated in similar events, including #ChatSTC, a personal data responsibility movement, and Women in Privacy.
Privacy is a fundamental component of security. Security vendors assist clients in protecting their data, and also support them by offering tools to develop internal processes and policies that complement their practices. One example of this is that we recently added a Governance Tool to our ArkAngel Platform, which allows our customers to visualize how certain controls can help them score better against the CIS Critical Security Controls.
Today, I’ll cover the fundamental privacy principles behind the ISO 29100 standard. These principles are also supported by many national privacy laws across the globe, such as PIPEDA, and by the General Data Protection Regulation.
The first principle, consent and choice, means that when you are collecting data about a person, or an organization, you have to obtain their consent to do so. But not just any type of consent; “informed” consent.
This means the individual understands the rights that he has in terms of choosing to refuse the collection, but also the consequences of granting consent. In practice, individuals must be given the option to opt out where possible, and you must draft comprehensible terms for clients when you require their consent. Does acceptance of Terms and Conditions by online customers really meet the threshold for legal consent? This has been the subject of intense debate in the last few years.
So you have obtained the consent to collect the information, is that enough?
Not really. Under the second principle, purpose legitimacy and specification, you have to ensure that you are collecting information for a purpose consistent with applicable laws and that you have communicated that purpose to the subject. If you need to process sensitive data, further explanation is needed.
This leads us to the next principle, collection limitation: the data collection must be limited to the purpose identified under the previous point. Ask yourself, is the collection necessary to fulfill the purpose? Even in terms of risk management, by collecting as little as possible, you limit the amount of data that can be exposed in a breach.
At HSS, for instance, when processing logs as part of our Managed Security Services, ArkAngel, our proprietary platform, only collects the logs that are needed to fulfill the security purpose. ArkAngel has protocols that allow it to store only the information that is critical and avoid collecting information that serves no purpose.
Under the data minimization principle, you should create access controls based on the need-to-know principle. Only employees that need the information should have access to it. This relates to SANS Critical Security Control 5, which is covered by our Governance Module as part of ArkAngel.
Use, retention and disclosure limitation can be summarized easily: if you don’t need it, delete it, and if you need it, store it safely. If possible, you can anonymize the data or lock it (archiving, securing and exempting the information from further processing). Retention periods are subject to legal requirements (such as those pertaining to tax purposes). To avoid data breaches and evaluate how sound your storage procedures are, many of our clients opt for penetration testing, which is required under many standards, such as PCI DSS.
Accuracy and quality applies most importantly to corporations that store data which can affect natural persons, such as financial institutions. The data stored has to be reliable, which means that your end-users should be able to correct it if it is inaccurate. This may require the implementation of control mechanisms.
Openness, transparency and notice means establishing procedures and policies that are not only accessible to customers, but also understandable. When your clients have a choice about which data should be processed, they should know about it. For instance, a loyalty program may require clients to disclose some information which is not mandatory. They should be informed that they can opt out of certain questions and still join the program.
Under the individual participation and access principle, subjects should be able to access their files. A frequent example of this is a patient who wants to consult their health record. Make sure to set up controls so that access to a specific record does not allow this subject to access other personal information that belongs to another entity or person.
Under the accountability principle, organizations are required to reduce the risks associated with the collection and storage of personal information.
The information security principle means that audits and risk assessments must be conducted to evaluate the quality of the measures in place. It also involves the implementation of controls within the realm of information security.
IT Governance consulting services can help organizations navigate this principle and most organizations have Chief Information Officers that are in charge of overseeing this process.
The last principle, privacy compliance, requires organizations to comply with applicable standards and legislation. This exercise involves applying the ten other principles but may require further action depending on the industry in which the corporation conducts business. Compliance is best assessed by external and independent supervision mechanisms, such as privacy risk assessments conducted by a trusted third party.
If you were to evaluate your organization’s performance in terms of privacy based on these principles, how well do you do?