Why Invest in Privacy?

For companies and public organizations running on limited budgets, it can be difficult to see the benefits of investing in privacy. In our experience, executives and boards do not usually ask how privacy could help them; they ask what similar organizations are doing, and what the potential penalties of privacy violations might be. When these are the criteria for decision making, there is very little incentive to do more than the minimum standard. Once basic privacy policies and procedures are in place, it is easy for organizations to slip into complacency.

Yet privacy, information technology, and information protection experts are emphasizing that managing privacy risk is more important than ever. Organizations hold more digitized information than ever before, and the increased use of portable devices, shared systems, and online portals creates new opportunities for information theft and hacking. Recent business and world news illustrate how data risks have materialized in the form of major breaches of citizens’ personal data. Affected organizations, particularly in the public sector, are under pressure to make changes.

Contrary to the typical narrative in management, we would suggest understanding risk management as an investment rather than an overhead cost. We suggest three ways of understanding privacy risk management beyond the usual focus on the harms of data breaches.

  • Risk management is business process improvement. Many privacy or security risks can be solved through business process improvements. In our experience, many of the recommendations in risk assessments have to do with processes.  For example, a common issue with online portals is that the handoff between registration and billing for account holders is unidirectional: there is no process to confirm that registered users have paid their fees, or to suspend their accounts when their registration has expired. Filling this gap addresses the privacy issue of unauthorized portal access, and also generates revenue.
  • Risk management is automation. Similarly, if privacy or security risks are a result of manual processes that can be automated, risk mitigation can be sold as increased efficiency. For example, if two departments host their own data sets pertaining to user profiles, investing in an automated validation tool will eliminate redundant efforts and reduce errors requiring staff attention.
  • Risk management is a selling point for funding or investment business cases. Risk and compliance managers can show how risk mitigation is a differentiating factor in the eyes of external funders, clients, and business partners. Business cases for external funding or investment and responses to requests for proposals can cite risk management as a differentiating factor with regard to external competition.

These three principles can work for private or public sector, major or small organizations.  Risk management provides both product and service companies with a competitive advantage by differentiating them from others. Government organizations facing funding cuts can leverage process improvements to improve employee utilization and limit outsourcing.

Privacy is best understood as an investment factor that improves bottom lines and provides a competitive advantage. Such an approach changes the question from, “What is the minimum I have to pay to manage this risk?” to “What is my return on investment?”

A Threat and Risk Assessment Approach for Big Data

Current information security and privacy classifications are being applied with some difficulty to a Big Data environment, which in the context of the public sector involves the emergence of large databases and increased data sharing. Such databases are usually classified as high-risk, resulting in costly security safeguards. However, de-identification can drastically lower the actual privacy risk posed by information. Could mapping de-identification to risk classifications allow organizations to invest more wisely in security and take advantage of the opportunities of Big Data?

Threat and Risk Assessments (TRA) are commonly required for new Canadian government programs and other public sector initiatives in order to determine whether their information assets are being protected appropriately. Their focus is on security: examining the potential for harm if information is accessed, released, or used inappropriately; analyzing potential risks to information; and identifying appropriate lifecycle safeguards to protect information.

In 2005, the federal government released the Canadian Information Security and Privacy Classification Policy as a guideline for risk assessments. This system defines four risk levels, based on criteria such as potential threats to public safety, injury to individuals or enterprises, financial loss, and damage to government relationships and reputation. Appropriate safeguards are identified for each risk level. The Ontario Ministry of Government Services has since adopted these classifications as a guide for TRAs within the Ontario Public Service.

Applying these classifications to a broad variety of public sector contexts has led to a couple of significant problems, both related to the phenomenon of Big Data. The federal classification guidelines were clearly designed with a political context in mind: examples given for the various risk levels include cabinet documents, briefings, speeches, and contact information. At the provincial level, these classifications do not translate easily to contexts such as healthcare, where information is collected in large volumes and regularly shared between organizations. The first problem is that the large volume of information contained in healthcare databases results in a great potential for harm in the event of a breach; consequently, such databases usually are classified as high-risk. The safeguards mandated to protect high-risk information are costly, and with the emergence of Big Data, these costs are likely to grow exponentially. The second problem pertains to information sharing: not only is there a possibility that high-risk, classified information is being shared with parties with inadequate security safeguards, but the sharing of personal information raises a number of more basic privacy issues.

To resolve these issues, government needs to stop conflating privacy with security. On the one hand, it is possible for information to be protected by adequate security safeguards but to violate privacy law nonetheless. A significant issue in the healthcare sector has been that of cascading rights when organizations share personal health information for research purposes. While all of the organizations involved may have effective security practices, the information is often disclosed and used for purposes to which patients did not consent. Because shared information is stored in multiple locations, it is often also retained longer than mandated by privacy standards. On the other hand, it is possible to protect privacy without security. Sophisticated and efficient de-identification processes can remove identifying details from records containing personal information while preserving the utility of data for research. Properly de-identified information can be shared with only a minimal risk to privacy.

The distinctions between privacy and security have a couple of implications: first, process matters when it comes to protecting data. Excellent security safeguards will not ensure proper information management if privacy concerns are not integrated into business processes and practices. Second, de-identification can radically change information risk. Calculations of re-identification risk – the probability that an individual could be identified based on their (de-identified) data – provide an objective measure of privacy risk. When privacy risk is very low, fewer security safeguards are needed. Thus, mapping levels of de-identification to information risk classifications could enable much more efficient and effective investment in information safeguards. An approach that unites privacy and security with regard to risk classification could well be the means to unlock the opportunities offered by Big Data while containing the costs of information security.