04 Dec 2008
A strategy to encourage businesses and public-sector bodies to build privacy guards into their IT and management systems from scratch was launched last week by the Information Commissioner.
The Privacy By Design scheme aims to discourage organisations from bolting on information security as an afterthought and instead to build it in from the start.
Information Commissioner Richard Thomas, who recently received new powers and a pay rise, said technology must play a key part in privacy protection, especially as the amount of personal information being stored by organisations such as banks, retailers and healthcare providers continues to increase rapidly.
“Although we have seen massive change in the capability of organisations to exploit modern technology that uses our information to deliver services, that has not been accompanied by a similar drive to develop new effective technical and procedural privacy safeguards,” he said.
A holistic lifetime approach to privacy will make controls stronger, simpler to implement and harder to bypass, said Thomas.
But there are a number of barriers preventing organisations from implementing privacy-enhancing technologies (PETs) and taking a privacy-by-design approach. There is a lack of awareness of the importance of the issue at an executive level; traditional risk models often ignore the importance of personal information; and increasing use of collaborative technology means more and more data is being shared in an uncontrolled way.
These problems could be solved by committing to PETs, but organisations are wary of using specific products for fear the technology may become out of date – increasing use of service-oriented architecture, Web 2.0 and cloud computing will add to these fears. But further research and regulator-approved standards could help solve these problems, according to the Information Commissioner.
“Successful initiatives should be developed into practical standards, and buyers encouraged to demand better privacy functionality from vendors,” says the report.
There are a number of technologies that can help:
Many privacy experts agree that user-centric identity management frameworks may represent the strongest tool yet for protecting personal information.
In this model, users carry all personal information themselves and grant limited access to organisations that must come to the user to access the information they need. In this way firms cannot pass data on to a second organisation – they would have to approach the user independently – and are able to obtain only the exact details they need.
Stuart Room, a partner at law firm Field Fisher Waterhouse, said organisations that do not keep up to speed with technological development could find themselves in trouble. “The law requires you to take account of these things, and some of them are already on the market,” he said.
Watch our video roundtable
For more on the Privacy by Design strategy and the issues surrounding privacy-enhancing technologies, watch Computing’s video roundtable and listen to the views of two experts in the field – assistant information commissioner Jonathan Bamford and privacy lawyer Stuart Room. The video is available at: www.computing.co.uk/tv
The benefits of collaborative technologies such as cloud computing are indeed compelling, creating a centralised method to access shared data, significantly lowering costs and reducing data centre space, power and cooling. However, organisations must realise that accountability for valuable business data cannot be as conveniently outsourced.
Companies could be exposing themselves to a business continuity disaster. In many ways cloud computing resembles the Application Service Provider (ASP) model that was prolific prior to the dot-com crash, and a lot of those providers are no longer around.
We must remember that management will always be responsible for protecting company and customer data. It is therefore essential when moving towards cloud computing that businesses consistently ensure the health of the cloud-provided services. This includes gaining complete confidence that the cloud provider is a viable, stable business with assurances and protections, such as comprehensive risk and security defences in place, to safeguard business data.
Alongside guarantees from the provider, businesses must also ensure that they have an alternative strategy in place in the case of any disruptions or loss of connectivity to the cloud-based service. This includes awareness of any of the provider's fallback plans and commitments that may jeopardise valuable information. Businesses also need to bear in mind that any interruptions to cloud computing providers may have to be dealt with on both a short- and long-term basis, depending on the nature of the disturbance.
Whilst the benefits of moving to the cloud are evident, businesses must be aware of what they are getting into, and be able to mitigate the risks.
Yours sincerely,
Dwayne Melancon
VP Corporate & Business Development
Tripwire
www.tripwire.com
Posted by: Dwayne Melancon 15 Dec 2008
I was especially heartened to read about Information Commissioner Richard Thomas urging organisations to put privacy protection at the top of their procurement and development criteria for 2009. Implementing protection holistically makes controls stronger, simpler to implement and harder to bypass, yet there is still a lack of executive-level awareness about controls needed to secure sensitive data in the cloud or shared through new collaborative technology.
Day-to-day events such as new hires, relocations, transfers, promotions, and terminations - which in the current climate are rife - all require heavy administration support to ensure that proper user access rights are established and maintained. A business-focused approach to identity management enables companies to automate processes for user administration to ensure that the right people have access to the right data and resources, even in the most complex modern cloud-based environments.
Company executives wouldn't discuss sensitive information on a crowded train and would shudder at the thought of ex-employees being able to walk out of the office with handfuls of customer data, but until privacy and security concerns are considered ahead of implementing any new technology, sensitive data will continue to leak out of organisations at an alarming rate.
Stuart Hodkinson, General Manager, Courion
Posted by: Stuart Hodkinson 12 Dec 2008