
Tuesday 30 July 2013

Privacy by Design


Making data privacy considerations an everyday affair
If there’s one good thing to come of the recent furore over Edward Snowden’s revelations about the US National Security Agency PRISM system, it’s that the issue of data privacy has been given some serious attention of late.

Much of the focus in the media has been in relation to the potential impact on personal civil liberties, as well as the complicity of major companies in allowing the NSA to have access to their data (BTW in my view, the dismissive comments to the effect that PRISM is only accessing “metadata, not data” are a diversionary and obfuscating tactic – the information that’s being collected can tell the NSA a lot about people’s activities…)

So data is in the public eye for a wee while. All to the good, and it’s great to see the debate still continues. But from a practitioner’s perspective, what can we do to make data protection and privacy more actionable within our companies and organisations?

Recognise the impact
Firstly, you need to recognise that (outside of the USA, at least!), failure to manage data privacy can have a material impact on your business:

Recognise that it’s preventable
These types of issue are almost always due to some level of error or systemic failure.

Understand what data you’ve got
You’ve got to have an up-to-date catalogue of your information holdings. In my earlier post on Information Asset Management, I discuss the need for an Information register as a building block of effective Data Governance. 

Not only does the Information Asset Management process help drive better understanding of the utility and value of your data, it also supports improved management of privacy issues by helping you understand the nature of your data and identifying which data sets have privacy implications.

Classify for Privacy
Organisations have specific obligations to address data privacy matters and provide duty of care in accordance with the relevant privacy principles and legislation in their jurisdiction.

The specific classification expectations are normally laid out as part of the definition of the principles, and will typically follow a scheme similar to that laid out by the New South Wales Government, viz:

| Privacy Classification | Conditions |
|---|---|
| PERSONAL – HIGHLY SENSITIVE | Personal information (data) that includes details of ethnicity, union membership, sexual preference and/or medical conditions, or as otherwise indicated by the individual as being particularly sensitive. |
| PERSONAL | Information (data) that contains information or an opinion about an individual whose identity is apparent or can be reasonably ascertained from the information or opinion. |
| PERSONAL – DIRECTION TO WAIVE | Personal information (data) where the Privacy Commissioner has made a direction to waive or modify the application of one or more of the Information Principles. (Note: decisions to waive occur rarely and are usually temporary) |
| OTHER NON-PERSONAL | Information (data) otherwise held that does not meet the above criteria. |

Identify who is accountable
Easy to say, hard to do sometimes! 

The questions of ownership and stewardship for data often remain unresolved. This is not just true for the specific aspect of data privacy, but in more general terms of explicit accountability for data.

As with any other aspect of data governance, ownership of the data needs to include an explicit expectation that any Privacy issues will also be proactively managed. (I’ll aim to elaborate on the question of ownership and accountability for data in a future post…)

Service Delivery considerations
The Australian Government Cloud Computing Policy provides both government agencies and industry with guidance on the approach to cloud computing, and identifies consideration factors when procuring cloud-based services. Any solution(s) will need to appropriately balance criteria such as:

  • Value for money (including fitness-for-purpose);
  • Adequate security;
  • Delivering better services;
  • Improving productivity;
  • Achieving greater efficiency;
  • Developing a more flexible workforce.

The expectation of “adequate security” should be made with reference to the Privacy considerations noted above (as well as other good data management considerations such as sensitivity, IP and Ethics).

Note too that such guidance is equally applicable when considering non-cloud data systems provisioning and application hosting services.

Implications of US Legislation
The US PATRIOT Act of 2011 asserts claims on data that is either stored on US-located services, or operated by US companies, while additional data hosting issues and effects are raised by law enforcement powers identified within instruments such as the US Foreign Intelligence Surveillance Act (FISA) of 1978, Protect America Act of 2007 and FISA Amendment Act of 2008.

These legislative measures also have significant implications and risks for non-US entities hosting data in the US. (See also the excellent paper by the UNSW Cyberspace Law and Policy Centre, Data Sovereignty And the Cloud.)

In the current climate, I suggest that non-US organisations give very serious consideration to the question of hosting data with privacy implications, and that in most circumstances, such data should not be stored in public cloud-based solutions (e.g. those provided by Google, Dropbox, iCloud etc.)

Final thoughts
First and foremost, it’s really a case of applying the KISS principle – make it easy for people, and they’re more likely to follow through. (For more and entertaining thoughts on simple solutions to difficult problems, see the excellent TED Talk by Rory Sutherland…).

That means:
  • Think “value” not “compliance”
  • Register your information assets
  • Classify for privacy
  • Accountability is imperative
  • Plan early and embed into business practices
  • Triggers for Privacy should be triggers for Data Governance

Some further online resources that you may find useful to help get you started:

1 comment:

  1. South African Protection of Personal Information Bill is also a good framework for managing personal information. PoPi incorporates many elements from previous EU, US and Australian legislation
    http://www.justice.gov.za/legislation/bills/B9-2009_ProtectionofPersonalInformation.pdf
