Thursday, June 17, 2010
"Data Security" and "Data Protection" are terms which seem similar and have been regarded as interchangeable by many. Ask an IT manager if his organisation is complying with the data protection law and he will say "Yes, we have all the data security measures in place."
In his mind, the security measures his organisation has taken (e.g. backups, data masking, passwords) to keep data safe from corruption and to control access to it are "data protection" - or "data security", if you like.
For example, many organisations feel that if they perform an information assurance process, they have completed something equivalent to a privacy impact assessment. This is not the case.
Whilst an information assurance process will enable an organisation to show compliance with the security requirements of the data protection law, it does not take into consideration the wider issue of whether a particular project should be implemented at all from a privacy point of view. It does not ensure that external privacy concerns are identified and addressed, nor whether a particular marketing campaign is compliant with the data protection rights of individuals.
The point to note is that "data security" is a subset of "data protection". It is the part which helps an organisation to comply with the security measures prescribed in the Belgian data protection law and the EU Directive; these measures exist to keep the personal information received safe. Data security does not, however, cover the broader aspect of the data protection law, which has introduced an obligation of transparency concerning the use of personal data. This transparency is achieved when the organisation (data controller) exercises its crucial duty to inform its customers (data subjects) of the types, purposes and every processing of their personal information, and provides them with the means to exercise their rights under the data protection law.
The duty to inform can be seen as part of an exchange of information: an organisation wants and needs personal information, and so, in return for that personal information, it must provide the necessary information about how it will use the personal information it requests.
Look at the principle at its simplest - you cannot take something belonging to another without giving your reasons for it.
Hence, "data security" plays an important role alongside the "duty to inform" and the "provision of straightforward means for data subjects to exercise their rights" in ensuring that the data protection law is complied with and privacy upheld. Together these subsets make up the full circle of the correct use of personal information, i.e. "data protection".