January 28 is Data Privacy Day. Throughout the months of January and February, the EDUCAUSE Cybersecurity Program will highlight higher education privacy issues. To learn more, visit our awareness campaigns page.
Privacy and Security
You often hear that an institution can implement good data security without considering privacy, but an institution cannot have good data privacy without considering security. Whether or not you believe this statement to be true, it reveals the close relationship between privacy and security. The two terms are often mentioned together, though perhaps more often one term is used with the other implied. For the layperson at your institution, the term "data security" may include the need to keep certain information private and consequently the need to keep it secure. But what are the real objectives of these two functions?
Goals and Objectives
Data privacy is generally focused on the use and governance of personal data and personally identifiable information. Data security is generally understood to focus on protecting data from impermissible access. With these objectives in mind, it seems that privacy truly is difficult to address without considering security to some degree. Although good data privacy encompasses more than just securing data — beginning up-front with what information your institution collects, all the way to how your institution uses that information — it also must include how to secure the data appropriately to safeguard against impermissible access and/or use. However, since information security professionals are rarely the individuals at your institution collecting or even using the sensitive information they are asked to secure, they may have no direct control or influence over the privacy implications of collecting and maintaining that data. So how do you implement good business practices to achieve each goal and support the other if the objectives are slightly different?
Building a Solid Working Relationship
A good working relationship between the privacy office and the information security office is an important piece of the data privacy puzzle. Regular communication between the privacy officer and information security officer is vital. This communication will build a mutual understanding of each other's interests and concerns, which will make it more likely that both individuals are promptly informed of any issues. The information security officer should know just enough about data privacy to be dangerous, and vice versa. So, what can you do at your institution to build this relationship?
- Regular meetings: The privacy officer and information security officer should consider scheduling regular meetings, outside of any projects or other meetings both individuals may attend, to discuss current pursuits and goals and keep each other apprised of any potential issues identified in their daily work.
- Information sharing: When obtaining professional resources, guidance, and other information, each function should share that information with the other so both stay current on issues affecting the areas of data privacy and security.
- Joint messaging: To further promote the idea that data privacy and security should be considered together when dealing with personal or other sensitive information, consider issuing joint messages and other guidance on topics that have both privacy and security implications.
These are a few activities that may help build the appropriate relationship between data privacy and security. But no matter how you go about it, it is important to continue to work toward developing and maintaining this important partnership for an effective privacy accountability program.
Gary F. Miller Jr. is Director of Compliance and Privacy Officer at The College of New Jersey.
Matt Cesari is Information Security Officer at The College of New Jersey.
© 2018 Gary F. Miller, Jr. and Matt Cesari. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.