Information Security and Information Privacy are often confused with each other. It is important to understand the differences and, in some cases, the similarities.
Information security vs. information privacy.
Consider a window in your home. It is a vulnerability: nefarious persons could break it and enter your home, but people could also simply look through the window into your home. Putting bars on the window would be a security measure, as it may help prevent someone from breaking into your house. Putting a curtain or blind on the window would stop people from looking through it. That would be a privacy protection measure.
Legislation vs. best practices.
In many cases, Privacy is legislated, whereas Information Security (InfoSec) is mostly just the application of best practices. There are of course exceptions. Privacy is not legislated in every country in the world, but it is legislated in North America and the European Union. Information security is legislated in some industries, and countries such as the USA and Canada do have some information security laws, but these are largely concerned with what is legal and illegal with regard to industrial secrets and espionage. If you are a small to medium business in North America, you are not likely to find any legislation that tells you what you can and cannot do regarding information security for your company. You should note that PCI (Payment Card Industry) is not legislation, but simply a set of rules and guidelines put in place by a consortium of financial institutions.
Procedures for Information Security and Privacy Breaches.
Procedures for Information Security and Privacy breaches are, however, legislated in many countries, including the USA, Canada and the European Union. Depending on the country, state or province in which your company operates or is incorporated, or whose laws it is otherwise subject to, you are required to report any incident in which the personal information of your clients has been breached or disclosed without authorization.
Personal Health Information.
Personal Health Information (PHI) is legislated more heavily than regular personal information. So-called ‘regular’ personal information is usually confined to information that allows an individual to be identified. Examples of this include full name, address, date of birth and social insurance/security number. PHI, on the other hand, is legislated to the point that the owner of the PHI must give explicit consent to how their Personal Health Information is used, disclosed and disposed of.
Deterrence and Prevention.
Information Security is largely a set of best practices that deter or prevent nefarious persons from entering the network of an organization, or prevent staff from disclosing confidential or proprietary information to those outside the organization, or to those inside the organization who should not have access. Privacy, however, is about specific information as it relates to an individual, not the organization or its information assets.
Bottom Line: Information Security and Information Privacy Go Hand-in-Hand.
A Privacy Program is not very practical without an Information Security Program in place. This is especially true when it comes to personal information. While an Information Security program is required to protect all of an organization’s assets, a Privacy Program is largely designed to protect personal information. Without an InfoSec program that includes access control, for example, personal information could be made available to inappropriate persons, and a breach of privacy legislation could therefore occur.
Would you like to understand more about how Privacy and Information Security affect your organization? Give us a call and we can provide an assessment of where your strengths and weaknesses lie.