Privacy vs. Data Protection vs. Information Security
In previous posts, we talked about general aspects of what privacy is and who cares about it. Two important terms in that field are “privacy” and “data protection.” While the first one is very common in the literature, the other is used in the European Union (EU) laws and regulations. Also, some ICT professionals often use “data protection” and “information security” as synonyms. So, do these terms (“privacy,” “data protection,” and “information security”) mean the same thing? If a company offers you a service with the most advanced security mechanisms, is the company ensuring your privacy?
There is a discussion about the difference between “privacy” and “data protection.” According to Francoise Gilbert, the use of a term depends on the country and the idiosyncrasies of the languages spoken [1]. While in the USA the term “privacy” seems to prevail when identifying the rules and practices of processing¹ of personal data, in the EU the term “data protection” seems to be used to refer to the same definition. Furthermore, the translation of “privacy” into foreign languages changes its meaning. A clear example is that the term “privacy” cannot easily be translated into French: the closest translation is “intimité” (intimacy in English), and it is not accurate. For this reason, the European Union uses the term “data protection” instead of “privacy” to refer to the protection of the right to privacy with respect to the processing of personal data [2].
It is important to highlight that in this context “privacy” and “data protection” have the same meaning. As mentioned above, both refer to the protection of the right to privacy with respect to the processing of personal data. However, the term “privacy” in other contexts has a broader scope and includes autonomy, intimacy, and self-determination features. Solove D. in [3] presents a taxonomy of privacy, and Finn et al. in [4] explain seven types of privacy. I encourage you to read them!
I am in the European Union, so I will use the term “data protection” in this discussion. Some ICT professionals use the terms “data protection” and “information security” as synonyms because both of them prevent unauthorized access, use, disclosure, modification, and inspection of information. They then assume that they can use the same tools to ensure both “data protection” and “information security.” In turn, an end user usually thinks that if “information security” is guaranteed, “data protection” is guaranteed too. However, this assumption is not correct. For example, Facebook can send periodic news releases advertising that they are using advanced information security mechanisms (something like “we created easy-to-use security tools that give you more control”). It doesn't mean proper “data protection”². Some months ago, Facebook was tracking non-users and logged-out users for advertising purposes in Europe. Users' computers were tracked without their consent. Evidently, this breaches one “data protection” principle, because the 1995 EU Data Protection Directive defines that personal data “must be collected for specified, explicit and legitimate purposes…”, and one criterion for making data processing legitimate is that the person has unambiguously given his consent. This example clearly shows that “information security” and “data protection” are not the same thing. In other words, even though the company uses SSL to encrypt communications, uses two-factor authentication, etc., your “data protection” could still be breached.
One difference between “information security” and “data protection” is that the former is impersonal and the latter is personal. According to NIST, “information security” means the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability [6]. As you may note, this definition does not specify a particular form or type of data, so we infer that “information security” attempts to protect any form of data (e.g. physical or electronic) and any type of data (personal or non-personal data). On the other hand, “data protection” attempts to protect our right to privacy with respect to the processing of personal data. Personal data is any information relating to an identified or identifiable natural person. This implies that personal data is not only an individual's name, identity card number, passport number or social security number, but also a birthday, diagnostic health information, GPS position, IP address, behavioral profile, ethnic origin, religious beliefs, location derived from telecommunication systems, and so on [5]. You might think this is an insignificant difference, but it requires that “data protection” fulfill some objectives that have a broader scope than “information security.”
Another difference between “data protection” and “information security” is that the sensitive nature of personal data imposes, through several laws and regulations, “data protection” requirements which extend beyond “information security” requirements. “Information security” implements security controls (safeguards or countermeasures) in order to provide confidentiality, integrity, and availability of the information [6], whereas “data protection” implements controls in order to ensure consent and choice; purpose legitimacy and specification; collection limitation; data minimization; use, retention and disclosure limitation; accuracy and quality; openness, transparency and notice; individual participation and access; accountability; and information security [5]. We can see that “information security” is necessary to fulfill one “data protection” principle, but the other principles are not covered by it.
But be careful about thinking that we can ensure compliance with “data protection” without considering “information security.” Recently, Yahoo said hackers stole data on 500 million users in 2014. Its security systems were compromised and hackers breached the confidentiality of the information. At first glance, this case seems to be just an “information security” breach; however, it is also considered one of the biggest violations of people's “data protection.” But why does it breach “data protection”? The reason is that the hackers stole personal data including names, email addresses, telephone numbers, birth dates, encrypted passwords and, in some cases, security questions. Of course, decrypted passwords could be used by crackers (bad guys) to compromise the security of the services where you used the same password (e.g. to steal money, trade secrets or know-how). But at the same time, your personal data will be sold to third parties (good guys), and they will send unwanted advertising to your mailbox, or you will receive a call offering an exclusive deal for your birthday (remember that third parties have your name, email, telephone number and your birthday).
Maybe “bad guys” vs. “good guys” (mentioned above) could be another slight difference between “data protection” and “information security,” because the motivation to “steal data” is different in each case.
Finally, let me say that if you are an ICT professional, the distinction between data protection and information security is important because the threats, vulnerabilities, impact, controls, and risk management process in the two cases are different, too.
References:
[1] F. Gilbert, “Privacy v. Data Protection. What is the Difference?” 2014. [Online]. Available: http://www.francoisegilbert.com/2014/10/privacy-v-data-protection-what-is-the-difference/. [Accessed: 27-Oct-2016].
[2] European Parliament and Council, “Directive 95/46/EC,” Off. J. Eur. Communities, no. L281, pp. 31–50, 1995.
[3] D. J. Solove, “A Taxonomy of Privacy,” Univ. Pa. Law Rev., vol. 154, no. 3, pp. 477–560, 2006.
[4] R. L. Finn, D. Wright, and M. Friedewald, “Seven Types of Privacy,” in European Data Protection: Coming of Age, Dordrecht: Springer Netherlands, 2013, pp. 3–32.
[5] ISO/IEC, “ISO/IEC 29100:2011, Information technology — Security techniques — Privacy framework,” 2011.
[6] R. Kissel, “Glossary of Key Information Security Terms,” NIST, NISTIR 729, Revision 2, 2013.
¹ The term “processing of personal data” includes collection, organization, storage, alteration, retrieval, use, dissemination, and erasure. These operations may or may not be automated [2].
² In fact, you may have noticed that there are two configuration panels: one for security settings (code generator, login alerts, public key, etc.), and the other for data protection settings (who can see your phone number, who can see your posts, etc.). Also, there is a data policy (privacy policy) that we must read!
About Danny Guamán
Ph.D. student at Technical University of Madrid (Spain). Auxiliary professor at Escuela Politécnica Nacional (Ecuador). Current interests: Privacy in Cloud Computing and IoT.
Privacy vs. Data Protection vs. Information Security by dsguaman is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
Molly Cooper
Privacy in 2020 is a very important topic. It is worth paying attention to data security and taking all possible measures, because too many corporations collect our personal data and make money from it. More about all of these concepts can be found here: https://utopia.fans/blog/data-privacy-vs-data-protection-whats-the-difference/. Because you can inadvertently get confused about the difference between the concepts of privacy, data protection and even more so information security.