One of the common topics of discussion in the organization and social media is data privacy. When I was invited to give a short talk about how to keep things private, I realized that I had to explain that each stakeholder has its own responsibility to safeguard personal data. In this regard, I emphasized what best practices should be enforced following the People, Process and Technology framework.
I thank the DLSU Libraries for inviting me to the IamInfosmart Conference. The slide deck can be found here: Keeping it Private Protecting Your Digital Rights v1.0
Information Security and Data Privacy
I started the discussion with the premise that, to some extent, people are already familiar with the common security mechanisms that are in place, such as passwords or anti-virus. Even if these features are basic, they contribute to keeping data secure. The mechanisms that we routinely implement help protect confidentiality, integrity, and availability (Isaac & Isaac, 2003).
Privacy, on the other hand, can be subjective, depending on geographic location or cultural norms. A more universally accepted definition is from Westin (1967): “Any information that an individual wants to protect from becoming public knowledge.”
In the Venn diagram, the intersection of data privacy law and information security is the protection of personal data. Data breaches are prevalent nowadays because voluminous amounts of personal data are being collected and processed while protection mechanisms are not fully in place.
So, how do we keep it private?
Keeping it Private: People
The people aspect of the discussion is crucial because we are all data subjects when we transact with businesses or government offices. The ways to protect our personal data are obvious and have been the subject of awareness training exercises. However, another angle often neglected is when we are unaware that we have violated the privacy rights of others. Two philosophical viewpoints of privacy are emphasized by Ebenger (2004):
- Privacy as Control Over Information – This is straightforward. Information should not be disclosed without the authorization of the information owner. Case in point: In June 2020, a family tried to use six PWD cards to order food from a QC restaurant and was cyberbullied. The PWD cards were disclosed on social media, and people later spread the home address and other information about the family. The privacy question is not whether the PWD cards are legitimate or fraudulent. The privacy question is whether the family gave consent to share their IDs outside the scope of the restaurant’s purpose of identification. And the answer is no.
- Privacy as Tort (Prosser, 1960) – A tort is defined as a wrongful act or an infringement of a right. There are sub-categories here.
- Intrusion upon Solitude or Seclusion, or into Private Affairs – An intrusion may be considered an invasion of privacy if it would not be acceptable to a “reasonable person.” Case in point: In August 2021, the National Privacy Commission (NPC) ordered a takedown of 4 online lending applications because they were collecting far more data, including location, photos, etc., than was necessary for processing online lending.
- Public Disclosure of Embarrassing Facts – It may be considered an invasion of privacy if you publicly disclose truthful private information that is not in the general public’s interest, and the matter made public is offensive and objectionable to a reasonable person of ordinary sensibilities. Case in point: In June 2019, a series of leaked private photos of college students spread on social media, and a compilation of them was stored in cloud storage. It was found out later that other students were the ones who uploaded the leaked pictures. The usual comment was: “They shouldn’t have done it, and they should know that things like these will end up in public.” The point of this viewpoint, however, is: “Even if it is available publicly and I know that the content is something private, should I still view it? It doesn’t necessarily follow that if something is available, you should view it.”
- Publicity in the False Light in the Public Eye – This simply says that spreading “fake news” about somebody is an invasion of his/her privacy. Case in point: There is a popular meme about plastic surgery with the caption “You can’t hide it forever.” It was a picture of a female model together with an intentionally altered photo of her children to make them look ugly. It was fake news, but it spread like wildfire. It was damaging mentally and emotionally, both for the model and the kids.
- Appropriation of Name or Likeness for Advantage – This covers using somebody’s name without his/her knowledge or consent. You are already violating the person’s privacy if you use his/her name for your advantage. For example, you claim that Actor X is using your product when in fact you are not sure whether he just used it one time as part of a giveaway at an event.
Key Insights: People
- We have an individual responsibility to safeguard personal information.
- Think twice or thrice before taking a photo/video and posting it.
- Just because something is available doesn’t mean that you should view it. Ask yourself, “Do I need to view it?”
- Remember, there are Rights of the Data Subject as defined in the Data Privacy Law (RA 10173).
Keeping it Private: Process
Why is it important to emphasize and discuss the process as well? Primarily, a lot of the breaches are caused by the failure of the organizations to properly secure the personal information they have collected. Take the following cases as examples:
- DFA Passport Tracking Data Leak
- ‘Data breach’ reportedly exposes 345K sensitive SolGen documents
- Jollibee delivery website suspended due to ‘vulnerabilities’
In all these cases, the data subjects had followed all the security requirements expected of them. It was the data controller or processor that failed to protect the data subject’s personal information.
There is a Data Privacy Mantra that organizations should take into consideration in their processes: “Do not collect what you cannot protect.”
Apart from not collecting what we cannot protect, we shouldn’t even collect data that we don’t need. This is a common ailment of organizations that are used to collecting so much information, either because it is the template or for future use.
I shared the form that I filled out for my PAGIBIG home loan. I was surprised that credit card information was asked for, including the expiry dates! During data process reviews, these items must be checked, questioned, and removed if necessary.
In my consulting engagements with organizations that are trying to comply with the Data Privacy Law, the easiest way for process owners to understand how to filter data collection is through the data privacy principles: transparency, legitimate purpose, and proportionality (slide 32).
Then the Privacy Impact Assessment (PIA) is conducted with the following high-level steps:
- List down all activities in the organization that process personal information.
- Ask whether you actually need to collect the information.
- Establish what, where, when, and how you collect the personal information. (The process owner must be able to answer these questions.)
- Conduct the PIA, and audits, periodically.
Process owners must also conduct a data lifecycle mapping that documents what happens to the data in each phase: Create, Store, Access, Use, Share, Archive, and Destroy.
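As an added illustration (not code from the talk or the slides), the snippet below turns the PIA questions above into a small check: it flags form fields that the declared purpose does not justify (legitimate purpose and proportionality) and records that have outlived their retention period (the Destroy phase). The purposes, allowed field sets, retention periods and records are assumed sample policy values, not real ones.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy (constructed for this example): the fields each documented
# purpose can justify collecting. A purpose not listed here justifies nothing.
ALLOWED_FIELDS = {
    "home loan application": {"name", "address", "income", "employer", "tin"},
    "food delivery": {"name", "address", "phone"},
}

@dataclass
class Activity:
    name: str              # processing activity being assessed
    purpose: str           # declared purpose (transparency)
    fields_collected: set  # what the form actually asks for
    retention_days: int    # how long records are kept before destruction

def excessive_fields(activity):
    """Collected fields the declared purpose does not justify (proportionality).
    An undocumented purpose justifies nothing, so every field is flagged."""
    allowed = ALLOWED_FIELDS.get(activity.purpose, set())
    return sorted(activity.fields_collected - allowed)

def records_due_for_destruction(activity, records, today):
    """Ids of (id, created_on) records whose retention period has lapsed."""
    cutoff = today - timedelta(days=activity.retention_days)
    return [rid for rid, created_on in records if created_on <= cutoff]

def pia_findings(activity, records, today):
    """Human-readable findings for one activity, in the order found."""
    findings = []
    if activity.purpose not in ALLOWED_FIELDS:
        findings.append(f"{activity.name}: purpose '{activity.purpose}' is not documented")
    for name in excessive_fields(activity):
        findings.append(f"{activity.name}: '{name}' is not needed for '{activity.purpose}'")
    for rid in records_due_for_destruction(activity, records, today):
        findings.append(f"{activity.name}: record {rid} is past retention and must be destroyed")
    return findings

# Constructed sample: a loan form that also asks for a card number and expiry.
LOAN = Activity("housing loan form", "home loan application",
                {"name", "address", "income", "employer", "tin",
                 "credit_card_number", "card_expiry"}, retention_days=5 * 365)
LOAN_RECORDS = [("A1", date(2015, 1, 1)), ("A2", date(2021, 9, 21))]
TODAY = date(2021, 10, 1)  # constructed review date

if __name__ == "__main__":
    for line in pia_findings(LOAN, LOAN_RECORDS, TODAY):
        print(line)
```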
I also emphasized the penalties for data privacy crimes defined in the law.
Key Insights: Process
- Check the reputation of the organization or application.
- Limit the data that you will share based on the need to know.
- You can always ask questions, assert your data subject rights, or file a complaint with the Data Protection Officer (DPO).
- Organizations must be proactive, not reactive.
- Organizations must do their due diligence always.
Keeping it Private: Technology
For technology, I listed and shared some of the practices that data subjects can check, install, use, and execute as an added layer of protection in each of the data life cycle phases:
- Data Collection
- Use a complex password.
- It is advisable to use a password manager to manage the complex passwords (e.g. KeePass or LastPass).
- Enable multifactor authentication if possible (e.g. Google Authenticator, Microsoft Authenticator).
- Only provide the information that is actually needed.
- Review the privacy settings and choose the most secure ones.
- Data Use (what we can do here is mostly review and set the configuration options)
- Is it stored in the cloud or some on-premise server?
- Do they share the data with third parties?
- Is the data masked or encrypted?
- You can specify the ones that you want to share.
- You can opt-out.
- Data Transmission
- Is the data encrypted when it is transmitted from your machine to the server?
- Certificate issues are usually evident in mobile apps.
- Check the certificate details in the web browser.
- Check the quality of the certificate in Qualys SSL Labs.
- Data Storage
- Is the data encrypted when it is at rest?
- Level of encryption
- Layer of encryption
- Disk encryption
- Database encryption
- Check for data security certifications issued by reputable organizations:
- ISO 27001
- PCI DSS
- Data Deletion
- Data must be deleted when no longer needed.
- The more data that you have, the more protection that you need.
- Assert your Data Subject Rights! (Right to Erasure/Blocking)
Key Insights: Technology
- Organizations must ensure that they are implementing acceptable security practices to ensure that they keep the
- The scope of security must be clearly defined.
- Data retention and deletion must also be in place!
In summary, the discussion gave users good practices that they can observe so that the minimum security and data privacy features are enabled and in place. Apart from that, a culture of security and data privacy must be embedded in both the data controllers (usually the organization/management) and the users. Another key takeaway is that certifications and technology alone cannot provide assurance that no data breach will happen. The case in point I always use is Equifax, an organization that had its own competent and competitive security team when it suffered a massive breach affecting over 100 million data subjects. They held the ISO 27001 (ISMS) certification when the breach happened.
Another important realization is that the data subjects have their privacy rights. We can assert our data rights to ensure that data controllers are complying with the law and that they are really protecting our personal information. Lastly, data privacy is a shared responsibility. We all have a role to play in the data privacy ecosystem.