A brown hat with the text "LDH consulting services" next to it.

Tip of the Hat

22 November 2019

You Say Security, I Say Privacy...

Welcome to this week’s Tip of the Hat!

You might have seen the words “security” and “privacy” used interchangeably in articles, blog posts, and other areas of discussion surrounding protecting sensitive data. Sometimes that interchange of words further complicates already complex matters. A recent article by Steve Touw explores the confusion surrounding encryption and redaction methods in the CCPA. Touw breaks down encryption and redaction to their basic components which shows that each method ultimately lives in two different worlds: encryption in the security world, and redaction in the realm of privacy.

But aren’t privacy and security essentially the same thing, which is the means of protecting an asset (in our case, data)? While both arguably have the same goal in protecting a particular asset, privacy and security are different in the way in which they approach risk assessment and evaluation. In the scope of information management:

Security pertains to actions that protect organizational assets, including both personal and non-personal data.

Privacy pertains to the handling, controlling, sharing, and disposal of personal data.

Security and privacy do share key concepts and concerns, including appropriate use, confidentiality, and access to organizational assets (including personal data).
Nonetheless, implementing security practices doesn't necessarily guarantee privacy; a quote that makes the rounds in privacy professional groups is “You can have security without privacy, but you cannot have privacy without security.”

An example of the above quote comes from when you log into a system or application. Let’s use staff access to the integrated library system for this example. A login allows you to control which staff can access the ILS. Assigning individual logins to staff members and ensuring that only those logins can access the staff functions in the ILS is a security measure. This security measure protects patron data from being inappropriately accessed by other patrons, or others looking for that data. On that point of using security to protect privacy, so far, so good.

Once we get past the login, though, we come to a potential privacy issue. You have staff logins, which prevent unauthorized access to patron data by the public, but what about unauthorized access to patron data by your own staff? Not every staff member needs to have access to patron data in order to perform their daily duties. By leaving staff logins to have free reign over what they can access in the ILS database, you are at risk of violating patron privacy even though you have security measures in place to limit system access to staff members. To mitigate this risk, another security measure can be used – assigning who can access what through role or group level access controls. Most ILSes have a basic level of role-based access controls where systems administrators can assign the lowest level of access needed for each role, and applying these roles consistently will limit the instances of unauthorized access to data by staff.

All the security measures in the world, nonetheless, will not mitigate the risk of privacy harm to your patrons if your ILS is collecting highly sensitive data in the first place! These security measures don't prevent you from collecting this type of data. This is where privacy policies and determining what data needs to be collected to meet operational needs come into play. If you don’t collect the data, the data cannot be breached or leaked.

It's clear from this example that both privacy and security have parts to play in protecting patron privacy. Understanding these parts – where they overlap, and where they diverge – will help you through building and maintaining a robust set of data privacy and security practices throughout your organization.

ALA Annual Conference Reminder

If you are heading to ALA Annual this month, don't forget to stop by booth #844 to say hi! Thank you to Equinox Open Library Initiative for making exhibiting at ALA Annual possible for us. Give us a ping if you will be at Annual and would like to talk more about LDH can do for your organization.

For those who will be at the Exhibit Hall Grand Opening on Friday, June 21st, we will have laptop stickers! Below are the two designs that will be available: a hat sticker and a hexagon sticker.
Two stickers: one hexagon sticker with a brown hat, and the other a brown hat.
Subscribers to this newsletter don’t have to wait until Annual to get their stickers – reply to this email and we will mail a few stickers your way. Stick them to your laptop, your door, your water bottle, or any other place where you want to tell folks that you care about library privacy and to "Follow The Hat." Many thanks to Scott Carlson for creating the sticker design.
Have a question or topic that you want us to write about? Email us at newsletter@ldhconsultingservices.com!