In the modern world, almost everything there is to know about you is available online. Your medical records, your education and work history, your family connections, maybe even a few shameful secrets, are very likely to be digitally stored somewhere.
In previous articles, we’ve looked at data security as a way that you (and your business) can help protect your data from would-be criminals. But what about when there is a legitimate need to share data – for example, asking your school to send you your graduation records so that you can include them in a job application? Or your doctor sending your medical records to a pharmacist?
The pandemic has also impacted the idea of data privacy for regular citizens. In Australia, people must use an app on their phones to “check in” to any business they visit, and this data has then been used by police to solve crimes, which has prompted some groups to decry the check-in app as a violation of data privacy.
Today we will explore Data Privacy starting with the three core principles, and examine how you should think about your privacy with an increasingly online society.
What is Data Privacy?
Data Privacy is a broad term that overlaps with many areas of internet security, but for the purposes of this article we are mainly concerned with how data is collected, stored and shared, and with who is permitted to see it at each of those stages.
Essentially everything you do on the internet involves sending and receiving data. For example, when you run a Google search you send your data (the search terms, and often your location and details of your device) and receive Google’s data (the list of search results).
Data Privacy looks at this action and asks “who should be able to view this data?” Obviously, both you and Google need to see it, but what about the owners of the websites who showed up in the search? What about researchers studying online patterns of behaviour? Or advertisers? Or the police, should your search be for something illegal?
Answering the question “who should be able to view this data?” is, unfortunately, never as obvious as it may seem. To make it easier, both for users and for companies and public officials, it helps to look at the three core principles of Data Privacy: Transparency, Legitimate Purpose, and Proportionality.
The first principle, Transparency, means telling users plainly what data is collected about them and how it will be used and shared. You have probably seen this in action in the “accept all cookies” banners of recent years, driven in large part by the European Union’s General Data Protection Regulation (GDPR). If you have, you also know how rarely those notices are actually read and understood in full.
This is the fundamental weakness of relying on transparency alone: if your users will not take the time to understand what you are doing with their data, it matters little how openly you describe it. That is why digital services also need to follow the next two principles:
Sometimes also referred to as Purpose Limitation, the principle of Legitimate Purpose is the idea that an online service should only collect or share data for a clear, specific purpose that has been stated to the user, and should not quietly reuse that data for something else later.
In practice, organisations should decide the purpose before collecting, state that purpose clearly, use the data for that purpose only, and retain it no longer than is necessary to complete it.
This may sound like a limiting factor, but many online services are set up to extract as much data as possible under the guise of providing the “best possible” service to users. Take our Google search example from above: is it necessary to share your location and the device you are using in order to complete a simple search?
Strictly speaking, no. But with that information Google can return results that are more specific to you: using your location to show businesses near you, your previous search history to narrow a generic question, or your device details to make sure the sites shown will display correctly. The purpose principle does not forbid this, but it does require that each of those uses be declared up front rather than assumed.
The third principle of Data Privacy is Proportionality: the idea that any data collected should be limited to the smallest amount needed to deliver the service. Also known as Data Minimisation, this principle limits how much is exposed if the data is ever breached, and reduces the chance of collecting data that is inaccurate or simply unnecessary.
Proportional data collection covers the amount of personal data collected, the extent to which it is processed, how long it is stored, and who can access it. Keeping collection proportional to the service also keeps what is shared in line with what the user actually expects.
While a Google search may provide better results when your previous search history data is present, can the same be said about sending an email? Imagine receiving an email from your coworker that included all the websites they had visited that day!
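The two principles above, Legitimate Purpose and Proportionality, are usually discussed as policy, but both can be enforced in code at the point where data enters a system. The following is an added example written for this article (it is not code from Google or from any product mentioned here) and uses a constructed, hypothetical policy: each declared purpose maps to the fields it is allowed to collect and to a retention window. Fields outside the allowlist are dropped before storage, collection for an undeclared purpose is refused outright, and a purge routine removes records once their purpose’s retention period has elapsed. The search request in `demo()` is likewise constructed to illustrate the point.

```python
"""Purpose limitation and data minimisation enforced at collection time.

Hypothetical example for illustration: the policy table, purpose names and
field names are assumptions, not taken from any real service.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy: one entry per declared purpose. Anything not listed
# here has no legitimate purpose and therefore cannot be collected.
PURPOSES = {
    "web_search": {"fields": {"query"}, "retention": timedelta(days=1)},
    "local_results": {"fields": {"query", "coarse_location"}, "retention": timedelta(hours=1)},
    "account_recovery": {"fields": {"email"}, "retention": timedelta(days=30)},
}


class UndeclaredPurpose(ValueError):
    """Raised when code tries to collect data for a purpose nobody declared."""


@dataclass
class Record:
    purpose: str
    collected_at: datetime
    data: dict


def collect(raw: dict, purpose: str, now: datetime) -> tuple[Record, set[str]]:
    """Keep only the fields the purpose allows.

    Returns the minimised record and the names of the fields that were
    dropped, so the caller can log over-collection by the client.
    """
    policy = PURPOSES.get(purpose)
    if policy is None:
        raise UndeclaredPurpose(purpose)
    allowed = policy["fields"]
    kept = {k: v for k, v in raw.items() if k in allowed}
    dropped = set(raw) - allowed
    return Record(purpose, now, kept), dropped


def purge_expired(records: list[Record], now: datetime) -> list[Record]:
    """Return only the records still inside their purpose's retention window."""
    return [
        r for r in records
        if now - r.collected_at < PURPOSES[r.purpose]["retention"]
    ]


def demo() -> dict:
    """Run the search example from the article through the policy."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    # Constructed request: the client sends far more than a search needs.
    raw = {
        "query": "pharmacy opening hours",
        "coarse_location": "Manila",
        "device_model": "X1",
        "search_history": ["previous query"],
    }
    search_rec, dropped_for_search = collect(raw, "web_search", now)
    local_rec, dropped_for_local = collect(raw, "local_results", now)
    store = [search_rec, local_rec]

    try:
        collect(raw, "ad_targeting", now)  # never declared in PURPOSES
        undeclared_refused = False
    except UndeclaredPurpose:
        undeclared_refused = True

    return {
        "search_fields": sorted(search_rec.data),
        "dropped_for_search": sorted(dropped_for_search),
        "local_fields": sorted(local_rec.data),
        "dropped_for_local": sorted(dropped_for_local),
        "undeclared_refused": undeclared_refused,
        # Retention: after two hours only the one-day search record remains,
        # after two days nothing does.
        "left_after_2h": [r.purpose for r in purge_expired(store, now + timedelta(hours=2))],
        "left_after_2d": [r.purpose for r in purge_expired(store, now + timedelta(days=2))],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that the allowlist and the retention window live in one place and are keyed by purpose, so a new feature that wants more data has to declare a new purpose (transparency) with its own field list (proportionality) and its own retention period (purpose limitation), rather than silently widening an existing one.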
Should I be worried about my data?
The expectation of privacy held by ordinary internet users, and the legal and political questions that follow from it, are why Data Privacy is such an important topic. Many countries have enacted their own data privacy laws, including the Data Privacy Act in the Philippines. These laws codify the principles above and give regulators a basis for holding services to account when they are ignored.
With that said, you should always be careful about what you share about yourself online. When asked to provide information by a web service, make sure that the data requested is actually required to complete the service you want. Even when using email or social media sites, think about what information you post – if the worst should happen, would you want to share this with a complete stranger?
In the coming weeks we will be examining Data Privacy and the steps you can take to better protect yourself and your data online.