
Trusting the information chain

By James Lawson, ITWeb journalist
Johannesburg, 12 May 2010

Information privacy relates to confidence and trust in a company. The more you protect it, the more you enhance the confidence and trust levels of your company.

This is the view of Ritasha Jethva, head of information privacy at Absa, speaking at the ITWeb Security Summit, taking place at the Sandton Convention Centre, yesterday. “Information privacy is all about protecting customers, employees, business partners, and shareholders' personal information.”

She said the information life cycle has become central to the roll-out of information privacy at Absa. She defined the life cycle as how companies handle the acquisition, storage, use, sharing, disposal and archiving of information within the business.

“We all typically execute on all aspects of the life cycle on a day-to-day basis without realising it.”

Things are moving at a rapid pace, she said, explaining that companies are slowly moving out of the use of paper-based forms, and becoming increasingly electronic.

“Companies are currently in the process of moving from a manual, form-based capturing system to an electronic capturing format, but there is still the need to capture data.

“Now, however, the influx of information comes to you in various forms, through application forms, online media, and call centres,” she said.

Safe keeping

Jethva highlighted the need to store information, from application forms to the storage of data in database systems. She said this information is becoming more regulated, with banks, for example, having to comply with FICA and the National Credit Act.

“With the use of data, we need to ensure there are tight access controls in place to ensure that the right people have access to private information.” Jethva said there needs to be a focus on the secure transport of data, especially when that information is going to a third party.

“Companies can be reliant on third-party companies to handle the processing of data,” she noted, adding that the information can be delivered to those third parties by a variety of means. These include external hard drives, removable flash media and DVDs, in addition to e-mail and the Internet.

However, she warned that most of these devices are personal devices, and not owned by the business, meaning companies need to govern the use of these items.

“Third-party management means you ensure the privacy gap assessments occur on all third parties performing actions across the information life cycle,” she said.

Jethva noted that customers are entrusting their personal information to a company, and that it ultimately falls on the company to ensure that information is kept secure. “The company retains liability over the data, and is accountable for a breach, even if a third party is the cause of the data loss.

“With outsourcing you don't lower your risks, you only add to or increase your risks surrounding information privacy.”

Cleaning house

According to Jethva, the destruction of data relates to how information is purged from the working environment when it is no longer needed. She gave the example of laptops that need to go through the proper sanitisation processes to ensure they are clean of corporate data.

Jethva highlighted the need to focus on the joiner-leaver process, which comes under the HR department's control. This allows companies to see who has access to what data, as well as restricting access to data once an employee leaves the company.
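The joiner-leaver check described above can be automated as a reconciliation between the HR roster and the access entitlements that systems still hold. The script below is an added illustration and is not code from Absa or from the talk; the `HrRecord` and `Entitlement` record shapes, the sample roster and entitlement lists, and the grace and dormancy thresholds are all constructed assumptions. It flags leavers who still hold accounts, accounts whose owner HR has no record of, and accounts an active employee has not used for a long time.

```python
"""Joiner-leaver reconciliation: compare an HR roster against the access
entitlements still active in systems and flag what needs attention.

Added example, not code from Absa or from the talk reported in the article.
All records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str               # "active" or "left"
    left_on: Optional[date]   # leaving date, set when status == "left"


@dataclass(frozen=True)
class Entitlement:
    account: str      # account name in the target system
    employee_id: str  # owner recorded by the access system
    system: str       # e.g. "crm", "fileshare"
    last_login: date  # last successful use of the account


# Constructed sample roster (hypothetical employee ids, not real records).
HR_ROSTER = [
    HrRecord("E001", "active", None),
    HrRecord("E002", "left", date(2010, 4, 30)),
    HrRecord("E003", "active", None),
]

# Constructed sample entitlements exported from two systems.
ENTITLEMENTS = [
    Entitlement("alice", "E001", "crm", date(2010, 5, 11)),
    Entitlement("bob", "E002", "crm", date(2010, 4, 29)),
    Entitlement("bob", "E002", "fileshare", date(2010, 4, 30)),
    Entitlement("carol", "E003", "fileshare", date(2009, 10, 1)),
    Entitlement("svc-report", "E999", "crm", date(2010, 5, 10)),
]


def reconcile(roster, entitlements, today, grace_days=0, dormant_days=90):
    """Return entitlements to revoke, orphaned entitlements and dormant ones.

    grace_days: days after the leaving date before revocation is expected.
    dormant_days: unused-for-this-long access held by an active employee.
    """
    by_id = {r.employee_id: r for r in roster}
    findings: Dict[str, List[Entitlement]] = {"revoke": [], "orphan": [], "dormant": []}
    for ent in entitlements:
        rec = by_id.get(ent.employee_id)
        if rec is None:
            findings["orphan"].append(ent)    # nobody in HR owns this account
        elif rec.status == "left" and (today - rec.left_on).days >= grace_days:
            findings["revoke"].append(ent)    # leaver still holds access
        elif (today - ent.last_login).days >= dormant_days:
            findings["dormant"].append(ent)   # active employee not using it
    return findings


def summarise(findings):
    """Flatten findings to sorted 'account@system' strings for reporting."""
    return {k: sorted(f"{e.account}@{e.system}" for e in v) for k, v in findings.items()}


def sample_report(today=date(2010, 5, 12)):
    """Run the reconciliation over the constructed sample data."""
    return summarise(reconcile(HR_ROSTER, ENTITLEMENTS, today))


if __name__ == "__main__":
    for category, accounts in sample_report().items():
        print(f"{category}: {accounts}")
```

The "orphan" list is the one most often missed in practice: an account whose owner is unknown to HR (a contractor, a service account registered against a departed sponsor) never appears on a leaver list, so it has to be found by joining the two data sets rather than by waiting for HR to trigger a revocation.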

She added that the destruction of information is also applicable to the use of paper. “The secure bin concept removed bins from the office, instead replacing them with large bins where papers are securely disposed of, often being shredded on site.” She explained that this removes dumpster diving as a potential source of leaked information.

Lastly, with archiving, there is a contradiction: “With privacy, the more information you have, the larger your risk. However, for a business to make an informed decision, you need to have more information for access to analysis and trends information.”

Visibility is key

“Privacy must be defined and agreed upon at an executive level and then published and effectively communicated through various training and awareness interventions,” said Jethva.

“People need to understand what privacy means. Training and awareness are paramount, and must be staggered and prioritised.” She added that the executive and management members must first understand the importance of privacy, before that communication is filtered down into the organisation.

Initiatives should be simple, easy to remember and personal, she noted, adding that employees need to know their own data is also a part of the data set. They will be more aware of their actions surrounding data if they know they are also at risk, explained Jethva.

“Incident management is key, and needs to be encouraged within the organisation. Incidents can include the loss of laptops, misplaced flash devices, lost staff files, stolen tapes, or incorrectly mailed documents.”

She added that incident management is less about what happened, and more about how you respond to the incident.

“Privacy pushes the boundaries of mechanisms, and extends itself into the domain of both business and IT processes. Security can be in place without privacy, but privacy cannot be in place without security,” she concluded.
