“Hastings” is not the answer. What’s
more, you should have no idea where King Harold went, because
only one person on the planet should know, and that person
is not you. The trouble with that question starts when the
unique person who is supposed to know cannot recall making
up the question, let alone the answer!
A private story
Data security, privacy and confidentiality are hot topics
these days within large companies and government organizations,
but also with the public at large - as cases of identity
theft multiply and concerns over invasion of privacy
grow. However, these did not really hit home with me
until one Sunday when I finally took the time to check
an investment I had made years ago and never bothered
to check since. The details that interested me were available
only over the Internet. A low-tech device (i.e. a well-preserved
hand-written note) provided me with my id and
password, but the site informed me that for security
reasons, these two almighty pieces of information had
been revoked; I was invited to use another tried and
true device, the phone of the 7x24 call centre.
The operator warns me that she is about to administer
some questions for identification and security purposes.
The questions related to my name and date of birth did
not pose any problems, but then, the next thing I hear is “Where
did King Harold go?” “Ha?” is all I can
answer and I almost see that checkmark for “suspicious
call” being crossed beside my name as I am failing
my own security test. This is the end of my interaction
with my money for the day. I am not prepared to give up
yet and I start enquiring frantically with members of my
immediate family on the whereabouts of King Harold. Now
I collect a number of blank but suggestive looks, so I
retreat to a safe place to meditate.
Vague memories start coming back: years ago, I had been
asked by my financial institution to set up my own non-trivial
question and answer in order to identify myself and protect
my assets. However, the magic answer continues to completely
elude me; worries about the state of my account are overtaken
by worries about the state of my mind. Next day I call
again and tell them upfront not to ask me anything about
King Harold. A sympathetic supervisor administers some
more sensible questions, which I am able to answer satisfactorily
and I am treated again like a valid human being. My money
was doing just fine, but how about this self-defeating
security procedure? Was my private information secure and
confidential? Yes, but to the point that I was locked out!
Privacy, Confidentiality, Security
Most people think they understand what these three words
mean, but then many use them interchangeably. The concepts
are related; however, the differences should be noted
and understood, especially now that federal legislation
on the matter is soon to be enacted, and the requirements
are trickling down to a lot more levels where consumers
and businesses will be confronted with them on a regular
basis.
Privacy can be defined as the sum total of the characteristics
of a set of data that make it possible to trace an individual
based on that data. Very often, privacy is confused with
confidentiality; confidentiality is the understanding that
private data should not be disclosed for purposes other
than those for which it was collected. Data security refers
to the technical and procedural measures that prevent unauthorized
access to private data, from hackers to improper use by
the custodians of that data to plain old theft of the hardware
on which the data resides. Without proper security, data
confidentiality cannot be ensured.
Individuals do have the right to the confidentiality and
security of their private data; since confidentiality and
security lie in the hands of the many private companies
and governmental organizations with whom the individual
interacts, a uniform understanding and consistent procedures
are required. In Canada, the Personal Information and Protection
of Electronic Documents Act (PIPEDA) will become law on
January 1st 2004.
Data privacy, confidentiality and security are not new
concepts, but the ever-increasing capabilities of acquiring,
corroborating and using data have heightened public concern
with who is using this data and how. The widespread use
of the internet for all sorts of transactions and the resulting
trail of data, as well as techniques such as data mining
and data matching are tools of unprecedented power; they
can be used for legitimate purposes or not so legitimate.
Examples in health care are the most notorious: one
could worry that his personal medical data could, without
his consent, be accessed and used by his insurance company,
who could then, say, withdraw service. Similarly, private
information collected by financial institutions, or information
collected by various government agencies could be used
in ways not initially anticipated.
Sometimes, the interests of the individual, of the society
as a whole, and the interests of businesses cross boundaries
in ways that can make one party or another vulnerable.
Not only has legislation in the area of privacy become
necessary, but so has the understanding of these issues
by the general public. It must also be understood that
security, confidentiality and privacy are not merely technical
issues, or issues that can be resolved exclusively by technical
means. Only a combination of technical sophistication,
comprehensive legislation and sensible business policies
can preserve the interests of all parties. Otherwise, we
would, sooner or later, go the way of King Harold…
Tatiana Andronache is IT technical staff
for a large information technology company in Toronto, Canada.
She can be reached at tatiana.andronache@sympatico.ca