Blurred lines...
Ronald Allan P.
Data Privacy. Information Security. Identity Management. Policy Management. Governance, Risk and Compliance. Occupational Safety and Health.
Yesterday I attended the afternoon session of the Data Protection Officer (DPO) briefings organized by the National Privacy Commission (NPC) in line with its initiative of enabling and empowering DPOs in the fulfilment of their functions as required by R.A. 10173 or the Data Privacy Act of 2012 (DPA for brevity).
One thing that struck a chord in my mind is the seeming blurring of lines between the domains of data privacy and information security. It’s not that the objectives of data privacy and information security are mutually exclusive goals…they are in fact highly aligned with one another, and both concentrate on a single focal point…that is, the privacy of a data subject. The difference lies in that data privacy and information security look at individual privacy from two distinct perspectives: the former from the perspective of legal compliance and as a right of an individual, the latter from the perspective of technical compliance and international standards, and as a duty or obligation to protect the right to privacy of an individual and to conform with those international standards.
The point is, while focused on the same subject matter, that is, the personal information of an individual, the concepts of data privacy and information security are not really synonymous…and the question I am getting to is that: is it the actual intention and direction that both concepts be merged into a single regime of data protection where both terms can be interpreted to refer to virtually the same overall idea…when strictly speaking…they are distinct ideas in themselves?
I thought about this as one of the resource speakers, a former colleague, gave an introduction to the Data Privacy Act and the idea of data privacy, and the application of the concepts of confidentiality, integrity, and availability to data privacy. Confidentiality, Integrity, and Availability (CIA), certainly by no coincidence, is the bedrock of the ISO 27000 series of international standards governing information security, and the mantra of information security professionals and practitioners.
Confidentiality is defined by ISO/IEC 27000:2016 as the property that information is not made available or disclosed to unauthorized individuals, entities, or processes. It is not difficult to apply this concept to data privacy, as the goal is the same, that is, to protect the information of a data subject, with data privacy looking into the intrinsic nature of personally identifiable information being kept private unless consent is given to disclose said personal information, or under circumstances in which the law allows said information to be disclosed. Confidentiality as defined by ISO 27000 is extrinsic in nature, as it does not, in essence, care about the inherent nature of the information, whether it is susceptible to disclosure or not, but only whether a person or entity having access to that information is authorized to do so.
Integrity and availability are defined by the same ISO/IEC 27000:2016 as the property of accuracy and completeness, and the property of being accessible and usable upon demand by an authorized entity, respectively. These concepts do not necessarily have a direct correlation with data privacy, which is anchored on lawful processing of personally identifiable information or any information where there is an expectation of privacy, but this is indeed debatable once the discussion includes the data subject’s inherent right to data access and correction. Additionally, Sec. 11 (c) of R.A. 10173 specifically references the accuracy of personal information, while Sec. 20 (c) (1) likewise mentions safeguards to maintain the availability of computer networks. This in effect, whether the legal phrasing is express enough or not, seemingly places information security and the entire CIA universe under the ambit of data privacy, and further, under the jurisdiction of the National Privacy Commission.
Consolidation of jurisdiction over data privacy and information security under an overall framework of data protection is not necessarily a positive or a negative, but it does raise some questions which seem innocuous at first glance, but may potentially lead to a slew of Pandora’s boxes once we scratch the surface:
- For organizations that already have Chief Information Security Officers (CISOs), Information Security Managers, Information Security Officers or the like, should the role of Data Protection Officer (DPO) default to them? Conversely, if it does not, and the role of DPO falls to another, how do we deal with the overlapping accountabilities and responsibilities between a DPO and say, a CISO in the same organization?
- Clearly, there exists a legal obligation on all organizations and institutions, whether public or private, to comply with the provisions of the DPA. As such, is the direction towards all of these entities to pursue compliance and certification with an international standard on information security, specifically the ISO 27000 series? If not…shouldn’t this be the direction, to make this compulsory for all…the same way ISO 9001 is, at least for government agencies, considering that this may be the easiest way to ensure compliance with the DPA by default?
- For entities that are already ISO 27001 certified, is the Information Security Management System (ISMS) Gap Analysis considered a substitute for the Privacy Impact Assessment (PIA) required by the DPA? Is the existence of an approved and certified ISMS Manual considered a substitute for the Privacy Manual required by the DPA? For intents and purposes of the law, is ISO 27001 certification considered compliance with all the requirements of the DPA?
- For entities which are not yet ISO 27001 certified, does that mean that they have to pursue two distinct tracks insofar as ISO certification and DPA compliance is concerned? For example, is there a need for separate ISMS Gap Analysis and PIAs? Is there a need for separate ISMS and privacy manuals? Asked another way, can the same be combined in a single initiative?
- Insofar as NPC jurisdiction is concerned, are all breaches, including those covering integrity and availability, even those in which no personally identifiable information is directly involved or compromised, reportable to the NPC? (It would appear to be so under Sec. 29 of the DPA.)
The last question is pretty significant. It would seem that the DPA and the NPC, and by extension, DPOs, are not just limited in scope to issues involving privacy per se, but to the entire overall data protection framework, including information security and all its subtopics as well, everything from physical security (surveillance cameras, physical access devices) to virtual security (access management, cryptography, identity management) to cyber security (firewalls, network security devices, intrusion detection and prevention), and so on.
Personally, I’m not sure if the vast majority of DPOs…or for that matter, even the NPC is ready for this all-encompassing framework. But if this is indeed the way things are headed in this jurisdiction, all of us in this discipline need all the help we can get.
For discussion purposes. Any inputs are appreciated.
(First posted on Facebook group Privacy.PH last August 31, 2017.)