Wednesday, September 29, 2010

Going Beyond Security – building in Privacy

(This article was originally published in the iTech Supplement of the Times of Malta in April 2002)

Most organisations understand the importance of having a secure technological infrastructure. But what about the protection of personal data?

The Maltese Data Protection Act (DPA) poses various obligations on data controllers to ensure that proper safeguards are adopted in order that the processing of personal data they hold is secure.

Under the new data protection regime, any person who is acting as a data controller has to implement appropriate technical and organisational measures to protect the personal data that is being processed against accidental destruction, loss or any other unlawful form of processing.

The Act clearly defines a data controller as any person who determines the purposes and means of the processing of personal data, whether on a computer system or not. Examples of data controllers would be all employers holding employee databases, hospitals holding medical records of their patients, as well as agencies and corporate entities holding any kind of personal data of their clients.

The term privacy is at times used interchangeably with other terms such as confidentiality or security. But these are not one and the same. Data controllers have to understand that while privacy may subsume what is implied by confidentiality, it is a much broader concept than just keeping the data secure. Privacy also involves the right to be free from intrusions, to remain autonomous, and to control the circulation of information about oneself.

New Technologies – New Threats

New and emerging information technologies have led to a massive growth in the amount of personal information that is available, especially with the widespread use of open networks such as the Internet. This trend increasingly jeopardises the privacy of the individual.

Privacy involves the right to control one's personal information, better referred to as 'informational self-determination'. Confidentiality and security are only means by which one attempts to protect personal information.

Data controllers must deploy procedural controls to protect the personal information they hold from a wide range of threats: inadvertent or unauthorised disclosure, intentional attempts at interception, data loss, destruction or modification as well as any attempts to compromise data integrity and reliability. Such controls should be meant to cover the full spectrum of data security, computer and network security as well as physical security.

Measures that enhance security enhance privacy; the two are complementary. Simply focusing on security is not enough. While security is an essential component for protecting privacy, it is definitely not sufficient by itself.

Data Protection Principles

Privacy and security are achieved by an effective convergence between the data protection principles, as found in the new Data Protection Act and EU Directive 95/46/EC, and industry-standard security system designs that embody fair information practices. Such an approach, using properly designed and architected systems, should translate the essence of long-established data protection principles into the technology found both in open networks and in closed systems.

Incorporating a privacy impact assessment prior to the actual development of a new security system is therefore a must for this multi-disciplined approach. This would be followed, upon completion, by the implementation of fair information practices, eventually resulting in a much higher degree of privacy protection.

The Maltese Data Protection Act lays down principles that have direct consequences for the design and use of new technologies.

Apart from the 'data security' principle, under which data controllers are obliged to implement appropriate security measures in order to manage the risks posed by the storage or transmission of personal data, the Act lays down other important principles. One is the 'finality' or 'purpose' principle, which requires that personal data be used only where necessary for a specific, legitimate purpose.

PETs

Anonymity is a key factor in maintaining privacy. Protecting one's identity is synonymous with preserving one's ability to remain anonymous. Technologies that provide authentication without divulging identity not only address privacy concerns, but also provide much needed assurances to organisations regarding the authenticity of the individuals they are doing business with.

There are many examples of specific Privacy Enhancing Technologies (PETs) that are calculated to achieve a privacy-enhancing objective, encryption being the most relevant.

Privacy Enhancing Technologies do not always have to be sophisticated applications of cryptography, biometrics or other schemes to hide the individual's identity. Some of the simplest techniques for securing the confidentiality and proper handling of personal data, such as access controls, are part of this approach.

This is not a matter of novel technical development but of design philosophy: one that encourages, as much as possible, the removal of identifiers linked to personal data, thereby anonymising the said data. Emphasis, from a design standpoint, must always be placed on the protection of individual privacy.

The 'purpose' principle as found in the DPA is the underlying motive for the whole concept of PETs, as it encompasses a variety of technologies that safeguard personal privacy, notably by minimising or eliminating the collection or further unnecessary processing of personally identifiable data.

These technologies are often based on the use of the so-called 'identity protector'. An identity protector may be regarded as an element of the system that controls the release of an individual's true identity to the various processes within the information system. Its effect is to cordon off those areas of the system which do not require access to the true identity. Several techniques can be used to introduce an identity protector into an information system. These include encryption techniques involving digital signatures, blind signatures, pseudonyms and anonymizer services.
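The identifier-removal design philosophy and the 'identity protector' described above, as an added example (not code from the original article): a hypothetical `IdentityProtector` that strips the identifying fields from a record, replaces them with a keyed pseudonym so that records of the same person still link, and releases the true identity only to processes whose purpose is authorised. The key, the field names and the employee records are constructed for the demonstration.

```python
import hashlib
import hmac

# Hypothetical identity protector (added example). Records leaving the protector carry only a
# keyed pseudonym; the mapping back to the true identity stays inside it and is released only
# to processes whose purpose is authorised, which is the "cordoning off" the text describes.
class IdentityProtector:
    def __init__(self, key: bytes, reidentify_allowed: set[str]):
        self._key = key                          # secret: without it pseudonyms cannot be recomputed
        self._allowed = set(reidentify_allowed)  # purposes permitted to see the true identity
        self._vault: dict[str, dict] = {}        # pseudonym -> identifying fields, kept internal

    def pseudonymise(self, record: dict, identifiers=("name", "id_card")) -> dict:
        # HMAC rather than a plain hash: a bare SHA-256 of an ID-card number could be reversed
        # by hashing every candidate number; the keyed MAC makes that infeasible without the key.
        ident = "|".join(str(record[k]) for k in identifiers)
        pseudonym = hmac.new(self._key, ident.encode(), hashlib.sha256).hexdigest()[:16]
        self._vault[pseudonym] = {k: record[k] for k in identifiers}
        stripped = {k: v for k, v in record.items() if k not in identifiers}
        stripped["pseudonym"] = pseudonym        # same person -> same pseudonym, so records still link
        return stripped

    def reidentify(self, pseudonym: str, purpose: str) -> dict:
        if purpose not in self._allowed:
            raise PermissionError(f"purpose {purpose!r} is not allowed to access the true identity")
        return dict(self._vault[pseudonym])

SECRET_KEY = b"constructed-demo-key-not-for-real-use"  # constructed; keep in a KMS/HSM in practice

# Constructed employee records (an employer's database is one of the article's examples).
EMPLOYEE_RECORDS = [
    {"name": "A. Borg", "id_card": "0000001M", "department": "Finance", "sick_days": 3},
    {"name": "C. Vella", "id_card": "0000002M", "department": "IT", "sick_days": 0},
    {"name": "A. Borg", "id_card": "0000001M", "department": "Finance", "sick_days": 1},
]

def demo():
    """Pseudonymise the records; only the 'payroll' purpose may recover a true identity."""
    protector = IdentityProtector(SECRET_KEY, reidentify_allowed={"payroll"})
    pseudonymised = [protector.pseudonymise(r) for r in EMPLOYEE_RECORDS]
    return protector, pseudonymised

if __name__ == "__main__":
    protector, recs = demo()
    for r in recs:
        print(r)                                 # no name or ID-card number leaves the protector
    print(protector.reidentify(recs[0]["pseudonym"], "payroll"))
```

A statistics or reporting process can work on the pseudonymised records without ever holding a name or ID-card number, which is the purpose-limited processing the 'purpose' principle asks for.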

Security and Privacy

The process of building privacy into computer security systems begins by recognising the distinction between privacy and security. Introducing fair information practices into the process will by necessity broaden the scope of data protection, expanding it to cover both privacy and security concerns.

Data controllers will have to understand that appropriate security safeguards are not only a legal obligation imposed by the new Data Protection Act but also an organisational issue: they should ensure that their systems truly embody the protection of privacy. How Maltese data controllers react to the new information environment created by the Act still remains to be seen.
