Privacy came to the fore last week, at a very interesting ISSA NL event.
Where we discussed the prevalent Confidentiality-Integrity-Availability approach (where impacts mandatorily regard the data subject(s), not you the processor, as the data subjects are legally owner of their info …!) and whether those three actually cover privacy aspects sufficiently.
Well, we did conclude that for now, CIA is ‘still’ the common denominator. But … hey, Auditability might be added, as that’s a sort-of requirement throughout privacy protection. And Effectiveness and Efficiency – of the data handling! – have a place as well, being representative of proportionality and legal-grounds-for-the-privacysensitive-data-handling-in-the-first-place (i.e., real purpose / purpose limitation!); if you collect more than very, very strictly necessary, you’re culpably inefficient in a hard legal sense, and at least part of your data handling is not effective.
But should we add Privacy as yet another factor ..? Does it have value in itself? Initially, I thought so, as the common CIA somewhere will always have lost its connection to information value, e.g., through the Bow Tie effect and other deviations (lagging) from modern developments.
So, as said, Privacy may be covered by CIA. But, … with specific deviations of interpretation.
Because, I guess, the different perspective. Not you as the data processor or controller are whose interests count, but the data subject’s, and note that personal data does include all data that indirectly may be led back to identifiable individuals. Even if very indirectly so …!
Thus, Confidentiality regards not you keeping secret that you have some data point on anyone, but the data subject’s knowledge and very strictly opt-in consent that you have the data in the first place. Plus the usual about the strictest of strictest Need to Know; its proper set-up, actual detailed implementation, maintenance of currency throughout, and thourough disposal by the book.
And, Integrity for holding the actual value, not only bit-wise correctness. Leading to the data subject’s right of correction, and possibly deletion.
And so with Availability. You should take care to have the data points available or ‘not available’ (deleted) when the data subject would want that. Not for your purpose, but for the data subject to use hisr own data. Not available for personal scrutiny and correction: Big, huge No-No.
Are you without any right to harvest data for marketing purposes …? Indeed you are. Whichever way you turn it, a Hobson’s Choice for the user doesn’t clear your duties…! Signing away one’s data subject rights e.g., in Terms&Conditions fine print, is a black list thing; in the EU one can not sign away one’s rights period
Hm, I’ll come to a conclusion so far. Which is that the P has some very distinct flavours with regards to CIA. But it still ends up relying on the concepts, not standing next to them I guess.
You also feel this one’s To Be Continued? Feel free to send in your comments!