Privacy is deeper, broader and more complex than it might appear, blending personal, organizational and societal issues. Privacy means different things to different people. Privacy and information security have a lot in common, but each goes further than the other.
Personal information is both sensitive and valuable, hence the associated information risks deserve to be identified, evaluated and treated in the same manner as other information risks.
Compliance with privacy laws and regulations such as GDPR should be a non-issue if the organization takes privacy seriously. However, there are specific obligations that need to be identified and satisfied.
From an individual’s perspective, privacy is mostly about people retaining control over their own personal information (e.g. being able to restrict its use and onward disclosure).
From the organizational perspective, personal information is acquired, processed and exploited for various business purposes - hopefully within the bounds of privacy laws, regulations and ethics.
Our primary concern in this security awareness module is to help workers (staff, managers and specialists) appreciate and fulfill their respective obligations under privacy policies, laws and regulations (such as GDPR, CCPA and HIPAA), mostly by maintaining the confidentiality of personal information in their care. However, integrity and availability of personal information are also relevant considerations, ensuring that personal information is reasonably complete, accurate and accessible for legitimate business and personal purposes.
- Introduces privacy, providing general context and background information on privacy concepts;
- Expands on the information risks and security controls applicable to personal information;
- Emphasizes the legal, regulatory and ethical compliance aspects – particularly given the punitive financial penalties available under GDPR;
- Motivates workers to think - and most of all act - in the best interests of data subjects (first) and the organization (second), for example: taking privacy seriously (this is no trivial matter); complying with privacy policies, regulations and laws, plus ethical and social norms; avoiding risky or inappropriate activities that might unduly compromise privacy; respecting data subjects’ privacy rights and reasonable expectations; and reasonably expecting or demanding that their own privacy rights are respected as well.
Consider your learning objectives in relation to privacy. Consult and collaborate with your Privacy Officer (if you have one!). Take into account the particular laws and regulations that apply to your organization. Consider any privacy incidents, breaches or near-misses you have suffered - plus those that might be ongoing right now but have yet to be noticed and reported.
Work with colleagues to spread the word about this topic. Privacy is pertinent to:
- Everyone regarding their own personal information, privacy rights and expectations;
- Workers handling or accessing personal information at work, such as those in HR, company medics, and managers;
- Management in general, given the governance, direction, oversight, compliance and risk management implications;
- Information owners, risk owners, application owners etc. for privacy-relevant IT systems, services and business processes;
- The Privacy Officer or equivalent and colleagues. They should ideally get directly involved in planning and delivering the awareness content, for example checking that the materials and messages support and comply with – rather than conflict with – applicable policies, laws, regulations and practices;
- IT in respect of personal data stored, processed and communicated on IT systems and networks;
- Cloud Service Providers for cloud apps involving personal data, and other third-party information service providers such as HR, tax and legal services (suppliers should have their own privacy policies, procedures, controls, awareness and training programs in place, but it may be worth prompting your relationship managers to ask them a few questions this month);
- Information Risk and Security, plus Risk Management, Legal/Compliance and Audit;
- Facilities and Physical Security, e.g. concerning the cleaning of restrooms and other private areas, the monitoring of workers and visitors on CCTV systems, and personal information held in card access control systems;
- Anyone who has personally suffered a privacy breach, identity theft or similar, or is close to someone who has.