Data security, privacy and confidentiality have always co-existed as important topics in their own right and as related concepts. The average person has no idea how they’re different. And why that difference is important for your compliance.
Before explaining how they’re different and where they overlap, let’s remove some of the annoying jargon. When we refer to security, privacy and confidentiality in this post, they’re all related to data (digital). Data protection, information security, cybersecurity, web or digital security, are all same-same in this context; referring to how data is secured.
And if you're wondering the relevance to your compliance program, here it is in the standards you may be considered or getting asked about:
- Security standards: SOC 2 Common Criteria/Security, ISO 27001, HIPAA, CSA STAR, IRAP, FedRAMP, HITRUST
- Confidentiality standards: SOC 2 Confidentiality, ISO 27001, CSA STAR, IRAP, FedRAMP
- Privacy standards: GDPR, CCPA, CSA STAR, SOC 2 Privacy, ISO 27701, HIPAA, HITRUST
What is security?
Most commonly referred to as information security or cybersecurity, is related to the system and organisational safeguards that protects data from falling into the wrong hands. That includes storing the data in secure locations, ensuring only authorised personnel have access to the relevant systems and networks that host the data, and that there are adequate protections to prevent deliberate or accidental security breaches. Security is a foundational concept that supports confidentiality and privacy objectives. You can’t say you keep data confidential or meet privacy standards, if the data is not secure to begin with!
What is confidentiality?
Data confidentiality is often considered the same as data security. But beyond the foundational system and organisational safeguards, confidentiality is focused on how data/information is classified and handled. That includes digital or physical forms and applying protections and restrictions that fit the level of sensitivity of the data. That is, recognising not all data is equal, and not all levels of protection should be either. The levels of sensitivity can and should be defined in different ways to fit the context. What’s important is that it reflects the nature of the data collected, processed and stored, and how that data needs to be handled accordingly to its sensitivity. For example, here’s three levels of sensitivity as examples:
- Company confidential data: Product roadmap, financial performance, and internal process documentation that can be shared with everyone within the organisation but not outside of it;
- Restricted data: Board meeting minutes, company strategy and business planning documentation that may be restricted to the executive leadership team;
- Classified data: Information that carries heightened security or repetitional risks that may be highly restricted on a limited needs to know basis;
Access to any non-public data should follow the concept of least privilege; that is it should only be accessed by those that need it with a legitimate business need. But you’ll see from the examples above that confidential data comes in different forms and varying levels of sensitivity that should also be considered in how that data is handled and the level of rigour applied to preventing it being accessed by unauthorised people.
What is privacy?
Here’s the one that stumps a lot of people. If data is already secure, and you’re already handling in line with its level of sensitivity; what else is there?
Personal data rights! This isn’t just about securing the data. Or even protecting it in accordance with its level of sensitivity. It’s recognising that the owner of the data, and the person that determines what’s appropriate to do with the data, is the person that the data relates to. And of course that becomes a lot more subjective and complex than security and confidentiality. That’s why privacy is based on principles and driven by regulation that is set by governments representing the people.
The scope of privacy is generally limited to data that is personally identifiable. That is, from the data itself and any surrounding data that could be accessed with it, that the person whose data it is can be identified from that data. Most privacy standards and regulations recognise that if the data is anonymised, in some cases pseudoanonymised, then it’s no longer within the scope of required privacy practices or relevant privacy risks.
Privacy is an evolving topic, with new regulations being developed around the world and to different standards in each country. Most of those recognise a central set of principles that users should consent to their information being collected, be informed how their data is used, and have the ability to make requests related to their data. Some regulations go further in relation to the terms of sale of data, ability to transfer data without barriers (data portability), and how any data breaches need to be handled and notified.
Why are the three topics related and important to understand?
All businesses need to consider all three topics. Every business has data that - at the very least - causes reputation damage if it’s not secured. And confidential data related to its own activities that in the wrong hands can harm their interests. And handles the personal information of its own employees that have privacy rights protected by regulations.
But taken a step further to where these three topics become critically important; is when you’re a service provider to other companies. Those three risk areas extend to those customers. In modern times with high public expectations, highly competitive business environments, and large fines and sanctions for neglecting personal data rights, there’s a low appetite for using service providers that can’t prove they keep data secure, confidential and protect the privacy rights of data subjects.
About AssuranceLab
AssuranceLab is a modern cybersecurity audit firm that provides assurance reports (ASAE 3150, SOC 1/2, and more!). Our award-winning, free software has helped over 500 companies prepare for their compliance goals. We're experts in the latest software and cloud providers. We guide your team through the compliance practices in a way that fits your environment and culture. We work closely with clients through our agile and collaborative approach; saving time, costs, and headaches along the way.