Log in / Register
Home arrow Computer Science arrow The Privacy Engineer’s Manifesto
< Prev   CONTENTS   Next >

Security ≠ Privacy

Figure 2-3. Security does not equal privacy

Information security has three areas of focus, known as CIA: Confidentiality (i.e., preventing unauthorized access)

Integrity (i.e., ensuring the data is not altered without approval)

Availability (i.e., ensuring the data is accessible)

It uses logical, administrative, physical safeguards to ensure the CIA of the data is maintained. Aspects of security that do not overlap privacy include:

Defense in depth: A sophisticated firewall structure can protect personal information.

Data loss prevention (DLP): Discovering and monitoring the location and flow of sensitive data such as customer credit card data, employee PI, or corporate intellectual property.

Security information and event management (SIEM)

The Overlaps

The safeguards enable the “authorized” in the “authorized access and use” element that is a cornerstone the operational definition of privacy. This is the first overlap between privacy and information security.

In addition to the fact that both “information security” and “privacy” are data protection regimens, other areas of overlap are:

Integrity (information security) and accuracy (privacy) Availability (information security) and access (privacy) Accountability (both)

Confidentiality (when the data is both personal information and nonpublic)

Information security's focus on data integrity overlaps with privacy's accuracy requirement in that both target ensuring the data is not altered with authorization.

Information security's availability requirement supports privacy's access requirement because if the data is not available, they cannot be accessed.

Both information security and privacy doctrines require data owners and custodians to be responsible for protecting the data in accordance with the respective protection regimen, which is a form of accountability.

And when the information is both nonpublic and personal information, confidentiality supports privacy because nonpublic data need to be kept nonpublic.

The Disconnects

The reason there is not a complete overlap between privacy and information security is threefold.

First, privacy has a wider set of obligations and responsibilities than information security does, such as:

Collection limitation Openness Relevancy

Use limitation

This means there are things privacy addresses that information security does not.

The second disconnect is confidentiality. Because PI is not always nonpublic (consider the phonebook), the notion of confidentiality does not apply. Also, in a resource-constrained world, if the data is not considered confidential, they are not always “valued” and the necessary measures to ensure authorized access and use will be overlooked.

Third, and perhaps most important, while information security techniques can be privacy-enabling technologies (PETs) (which means they are tools that enable privacy) and are often necessary, these PETs can also become “feral” if applied incorrectly (i.e., in an invasive manner). This is why you can have security without privacy, but you cannot have privacy without security. This will be discussed further in Part 2.


The purpose of this chapter is to enable you to understand the nature of privacy and privacy engineering.

This is the foundation and context for the guidance—the explanation of tools and techniques—that makes up the remainder of this book.

If you follow the guidance in this book, you will be poised for success and you will have a set of tools you can use and configure to enable privacy, but the actual success will ultimately depend on how you tailor the guidance that follows to specific situations (i.e., the data, the processing, whose data, and specific jurisdiction, regulations, or best practices that apply) and how you configure the tools we are providing. Chapter 3 will discuss privacy and data governance concepts.

Found a mistake? Please highlight the word and press Shift + Enter  
< Prev   CONTENTS   Next >
Business & Finance
Computer Science
Language & Literature
Political science