The next in the list of factors to consider for IT and business synergy is “Privacy”. It is a term that is often misunderstood and categorized together with Security. Although there are some intersections between security and privacy, the two are not synonymous.
Let us start with a definition of “Privacy”: according to the Oxford dictionary, privacy is a state in which one is not observed or disturbed by other people. It is a simple and easy-to-understand definition. How does it relate to business and IT? The aspect of privacy that is most relevant to business is information privacy, or data privacy.
Data privacy is related to the collection and usage of data in any form, the expectations of the affected party, and the laws and regulations surrounding these. As the usage of digital media, devices and the internet increases, we are knowingly or unknowingly disseminating a lot of information about ourselves. Some examples are Name, Address, Date of Birth, Credit card information, Interests, Friends, Location etc. A related aspect is the concept of “PII” or Personally Identifiable Information.
“Personally identifiable information” (PII) is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. The abbreviation PII is widely accepted in the US context, but the phrase it abbreviates has four common variants based on personal/personally and identifiable/identifying. The generic term used outside of the US is more often “personal information”.
The entity that collects information uses it for some purposes, like performing a transaction, and then stores the information. The storage of such information for a specific time period may be required by law in some cases. The collecting entity may use the collected data for purposes like marketing, analysis, data mining and gleaning trends. They may also share the data with third parties, either for profit or otherwise. Such information is very valuable and parties would either like to buy such information or get the information by other legal or illegal means.
The protection of such information is very relevant, especially for certain industries like Healthcare and Financials. Also, how to manage and handle data privacy is very location dependent, e.g. the European Union's data privacy laws are amongst the strictest overall. The EU has a strict Data Protection Directive and rules regarding transfer of personal data to third countries (countries outside of the EU).
The United States, on the other hand, has been more lenient towards privacy concerns, but that has been changing recently as well. The US takes a more sectoral approach, with certain sectors like health care highly protected by guidelines like HIPAA (Health Insurance Portability and Accountability Act).
The emerging economies are also finding their own path regarding privacy concerns with the growth of internet, digitization and mobile devices. The differing levels of data privacy requirements across different locations increase the challenges of meeting the requirements of concerned parties.
The bottom line is that persons or organisations which collect and manage your personal information must protect it from misuse and must respect certain rights of the data owners (people whose data has been collected). This is where IT comes into play along with the processes to safeguard the data. There are a few key aspects here:
- PII must be carefully safeguarded
- PII must be protected at rest and in transit
- Data must be carefully analyzed and maximum effort must be spent in safeguarding the more critical data like the PII.
Some of the tools and techniques used for protecting Privacy are:
- Encryption of data in motion and in storage is very important to keep the data protected end-to-end. The same holds for encryption of emails and other communication.
- Authentication and Authorization to ensure that data access is only granted to entities who are who they claim to be and who have a need to access that data.
- Data loss prevention
- Logging and Audit
- Privacy-enhancing technologies (PET), such as those that minimize the collected data, increase anonymity and unlinkability, and achieve informed consent.
The above list is by no means exhaustive and other security and governance related tools and processes may be considered as well.
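To make the data minimization and unlinkability items in the list concrete, here is an added Python example (not from the original article) that builds a per-purpose view of a customer record before it is used for marketing or analysis or shared with a third party. The field policy, the demo key, the record and the function names are all constructed assumptions.

```python
import hashlib
import hmac

# Assumed policy: the only fields each purpose is allowed to receive.
PURPOSE_FIELDS = {
    "marketing": {"interests", "birth_year", "region"},
    "analytics": {"birth_year", "region"},
}

# Constructed demo key; a real deployment would load it from a secrets store.
DEMO_KEY = b"constructed-demo-key"

# Constructed sample record holding the kinds of PII the article lists.
SAMPLE = {
    "name": "Alex Example",
    "email": "Alex@Example.org",
    "address": "12 Example Street, Springfield, Exampleland",
    "date_of_birth": "1984-03-09",
    "credit_card": "0000-0000-0000-0000",
    "interests": ["cycling"],
}

def pseudonym(key: bytes, purpose: str, identifier: str) -> str:
    """Stable within one purpose, different (unlinkable) across purposes."""
    purpose_key = hmac.new(key, purpose.encode(), hashlib.sha256).digest()
    normalized = identifier.strip().lower().encode()
    return hmac.new(purpose_key, normalized, hashlib.sha256).hexdigest()

def generalize(record: dict) -> dict:
    """Swap precise values for coarser ones: full DOB -> year, address -> region."""
    out = dict(record)
    if "date_of_birth" in out:
        out["birth_year"] = out.pop("date_of_birth")[:4]
    if "address" in out:
        out["region"] = out.pop("address").rsplit(",", 1)[-1].strip()
    return out

def minimize(record: dict, purpose: str, key: bytes) -> dict:
    """Return only what the purpose needs, keyed by a pseudonym, not the email."""
    allowed = PURPOSE_FIELDS[purpose]  # unknown purpose raises KeyError: fail closed
    view = {k: v for k, v in generalize(record).items() if k in allowed}
    view["subject"] = pseudonym(key, purpose, record["email"])
    return view

if __name__ == "__main__":
    print(minimize(SAMPLE, "marketing", DEMO_KEY))
    print(minimize(SAMPLE, "analytics", DEMO_KEY))
```

Because the pseudonym is derived with a secret key and the purpose name, a recipient of the marketing view cannot join it against the analytics view or recompute it from a known email address without the key.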
The concept of Data Privacy (as you can judge from the above information) is quite complex and growing in complexity and importance with the growth of internationalization and digitization.