Privacy
That is, what don't you need to know?
Lockstep's angle on privacy
Privacy and digital identity management are to a very great extent two sides of the same coin.
As a digital identity expert, Lockstep's Stephen Wilson has spent a decade and a half helping organisations work out what they need to know about someone to do e-business with them. Along the way he realised that the key to protecting privacy is knowing what you DON'T need to know! Lockstep's privacy practice is based around that practical perspective.
Privacy is so much more than security
While most business people appreciate that good privacy compliance requires good information security, many organisations still struggle to identify tangible privacy controls; i.e. practical IT and e-security design features that pro-actively protect privacy and improve the organisation's privacy posture. As with security, privacy is now subject to special technical governance requirements, but there is a grave risk that an overly compliance-oriented approach can be expensive and ineffective. Businesses must be careful they can still 'see the wood for the trees'.
Lockstep understands the detailed implications of privacy on the IT function. We have delivered privacy advice and design services to such clients as:
- The Victorian Department of Health
- The Department of Foreign Affairs
- Australia Post
- The Office of the [Federal] Privacy Commissioner
- The Victorian Department of Justice
- The Department of Health and Ageing
- The Australian General Practice Network
- NSW Human Services Agencies' "HSNet"
- CSIRO
- other state government agencies
- other federal government agencies.
Lockstep's privacy services include trust & privacy strategy development, Privacy Impact Assessments (PIAs), and training in Privacy Enhancing Technologies (PETs).
Bridging a gap
Most privacy advisers come from a legal and/or policy background, and look at privacy through the lens of compliance, or public policy. That's perfectly fine of course, yet the compliance perspective can fall short of engaging IT projects in their formative stages. To build privacy in, you need to understand in detail what privacy means for informatics requirements, architecture, software design, and security.
IT professionals sometimes underestimate privacy because they have long been told that "privacy is not a technology issue". They can presume that if they have security covered, then privacy will follow, and in any case, it seems to be someone else's responsibility! But many times we've seen this viewpoint morph into complacency, which in turn leads to privacy vulnerabilities in information systems that aren't then detected until it's too late.
Some examples help to illustrate the gap:
1. Security is not the same thing as privacy. Consider two highly secure organisations A and B, and suppose that A wishes to share data about its customers with B. Let's assume A and B are both secure to the highest standards. Then what's the problem? Simply, it doesn't matter how secure is B; under the law, personal information about A's customers cannot generally be transferrred to B without those customers being informed, and without strict limits being placed on what B can do with it. Disclosure, or Secondary Usage, are not automatically OK just because the receiver is "secure".
2. Equally, secrecy is not the same thing as privacy. Too often the mistake is made that personal information found in the public domain can be exploited without the individuals' knowledge. But information privacy law doesn't much care where personal information comes from; the law doesn't even use the terms 'public' and 'private'. If information is identifiable, then there are limits on what an organisation can do with it, no matter how it was obtained.
Lockstep Consulting is able to bridge the gap between 'technology' and the 'business'.
"Privacy Engineering"
A truly unique offering of ours is what we call 'Privacy Engineering', a privacy-by-design approach that generates tailored, practical guidance for ICT architects, designers and project managers so they can build privacy controls into their systems. We work closely with our clients to fine-tune local design practices, building privacy controls in (as opposed to hoping 'audit' them in). Privacy Engineering protects customer relations, pro-actively uncovers privacy problems, saves money by solving problems sooner, and enhances compliance. Special focus areas include audit logs and transaction histories, web forms, change management processes, and databases.
A little more detail on the approach is given in Babystep 14.
More sophisticated PIAs
We believe our PIAs are more technologically sophisticated than most. We focus on discovering issues and identifying privacy controls in a timely manner, as part of systems design. Many PIAs, even if they manage to uncover significant technical issues, are conducted too late in the development life-cycle to make a real difference.
Advocates for Privacy Enhancing Technologies
As digital identity experts, Lockstep has also led they way in articulating a positive and robust vision for Privacy Enhancing Technologies. On this point, Stephen made a detailed submission to the 2005 Senate Inquiry into the Privacy Act, looking closely at intelligent authentication, smartcards and biometrics.
Sister company Lockstep Technologies undertakes award-winning R&D into innovative PETs.
Track record
Stephen's experience in privacy is summarised in profile below, and his publications in the field are gathered at the privacy section of the Lockstep library. He has also made numerous submissions on privacy to government nquiries into the Privacy Act, the ill-conceived Human Services Access Card, and spyware.
