Lifting the cover on privacy
Privacy, our security awareness topic for December, is a nebulous concept, more complex and involved than perhaps you might have thought if you accept that it includes concerns such as:
Compliance, obviously enough. Compliance with privacy or data protection laws and regulations was once described by Gartner as 'exceedingly complex', making it a significant challenge, especially for multinational organizations plus web-based companies and other with customers, suppliers and business contacts around the world. Workers' noncompliance with corporate privacy policies and procedures is another potential nightmare for management (with an obvious need for awareness - at least it is glaringly obvious to us!), while privacy-related contractual clauses concerning privacy and/or information security are hopefully not just put there to keep the lawyers occupied. Privacy is a substantial concern with professional services (such as outsourced HR or payroll) and cloud-computing services, particularly where personal data may be stored and processed in arbitrary global data center locations at the whim of the cloud infrastructure and load management systems. As if that's not enough already, laws, regulations, attitudes and practices in this area are constantly in flux. The EU General Data Protection Regulation GDPR and US-EU Privacy Shield are blazing hot topics right now, while we may be just moments away from breaking news on yet another massive privacy breach.
Human rights such as Article 8 of the EU Charter of Fundamental Rights:
Article 8
Protection of personal data
- Everyone has the right to the protection of personal data concerning him or her.
- Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
- Compliance with these rules shall be subject to control by an independent authority.
Personal space and safety with a biological, evolutionary basis in territoriality (e.g. wild animals actively defend their home range to secure a food supply and maintain a safe distance from threats, including others of their own species).
Personal choice includes maintaining control over information about us, especially things that we consider intensely personal and – yes – private. We all want to be able to determine how much or how little we reveal about ourselves or keep secret, plus how we reveal things (which brings up the context) and to whom. The excitement of playing ‘truth or dare’ stems from choosing to disclose private matters among friends, whereas the prospect of being forcibly injected with a ‘truth serum’ is scary.
Trust and ethics: when we disclose our personal information to another person or an organization, we implicitly expect and perhaps explicitly require them to take due care of it and protect our interests. We have little option but to trust them to do so, which raises issues of trustworthiness, assurance and ethics. There are things we’d reveal to our doctor or partner that we’d be extremely reluctant to disclose to others.
Cultural norms such as differing attitudes towards public nudity, shows of affection and sexuality, both between and within various nations, societies and groups
Last but not least, information risk and security. For example, there is a marked distinction between us willingly offering our personal information to someone, and their stealing or illicitly capturing it, perhaps without our knowledge or consent.
Taking such a broad perspective on the topic lets us focus on the aspects of interest, concern and relevance for each of the main awareness audiences:
- For the general employee/staff audience, the materials emphasize protecting personal information they may be handling at work. Persuading workers to treat personal data on customers, fellow employees etc. as if it was their own is a simple way to press home the need to take privacy obligations seriously. What to do if a worker spots or is informed about a privacy breach or other incident is another issue;
- For management, compliance, governance, strategies and policies are clearly relevant - for example the organization's preparedness for GDPR and Privacy Shield is a strategic matter for the business, particularly if the decision is made to seize the opportunity to align privacy with information risk management, compliance, business continuity etc. using an ISO27k Information Security Management System;
- For professionals and specialists, there are technology and compliance factors in relation to privacy, including practical challenges such as changing IT systems, websites, forms and business processes to bring them into compliance, encrypting portable devices and more.