The Difference Between ‘Security’ and ‘Privacy’ Jobs – And Why IT Matters
Today, there’s no such thing as the ‘ideal background’ for a privacy professional. Privacy is an interdisciplinary field and candidates for privacy professional roles have diverse experiences. Job advertisements tend to reflect this. For instance, BHP advertised in March for a Data Privacy Specialist candidate with “tertiary qualifications in information systems, law, finance, accounting, engineering, science and technology studies, computer science or a related discipline or equivalent experience.” Data security and data privacy are interrelated – but they are very distinct fields that require different skills and knowledge. So, what is the difference between security and privacy – and does it matter?
What is the difference between data security and data privacy?
Data security refers to the measures taken to protect data from unauthorised access, loss and disclosure. It also extends to availability and to resilience: being able to recover if something goes wrong. Data security, now often referred to as cyber security, has gained heightened prominence through data privacy laws that include data breach notification obligations.
Data privacy comes from one of the fundamental human rights recognised by many liberal democracies, the right to privacy of home, family life, thought and communications. It is also linked to the right to freedom of speech. Through this lens, privacy focuses on the collection, storage, use, access, transfer, deletion, and disposal of personal information. Data privacy establishes principles (such as fairness, accountability and transparency) that must be used by private and public entities when dealing with personal data, to ensure that human rights are maintained. Security, and the idea that entities need to make sure that they protect the personal data they hold, has always been part of the foundational data privacy principles. Increasingly, jurisdictions are implementing privacy laws that dictate that personal information needs to be kept securely, both physically and online, as well as laws that outline how personal information can and should be managed.
How does privacy relate to cyber security?
It is important to note that robust data security isn’t all that’s required to meet privacy obligations in Australia or globally. While organisations certainly need to secure the personal information they hold, they need to meet broader privacy requirements relating to collection, usage, correction, and deletion of information too. They also need to make sure they provide notice, handle complaints and respond to users’ requests to exercise their rights (such as the right to access, correct or delete their personal data).
In some jurisdictions, particularly those that do not have robust, comprehensive privacy laws protecting the broad range of processing of personal data (such as the US), data breach notification laws have acted as de facto privacy laws. This has led to the conflation of security and privacy.
Privacy and Cybersecurity for Service Providers
For many organisations, particularly those that provide SaaS or other services, like storage or data processing, their most important privacy obligations may be to ensure the security of the data they hold. Those organisations may not be directly responsible for the collection or use of the data they host, but they are responsible for ensuring that the data is secure from unauthorised access, loss, or disclosure. In practice, this elevates the importance of data security. When looking for a cyber security manager, this sort of organisation is more likely to expect that person to also have good privacy knowledge, particularly as it relates to using technical solutions to support the privacy requirements of the service or platform.
The cyber security manager will also be expected to have good knowledge and skills in responding to data breaches, particularly where there may be notification obligations.
Why does this distinction matter for privacy professionals?
Even if you are working for a non-technology organisation, a privacy role requires you to know and understand the difference between security and privacy when it comes to data and personal information. To achieve this, you need to understand IT and you need to understand the law and compliance. Here’s an example that demonstrates why this distinction matters:
We often see companies with immature privacy programs hand over a network map when we ask the company to undertake a data flow mapping exercise. The two are not the same. A network map outlines the IT infrastructure (hosts, networks and the connections between them), while a data flow map records what personal information is held and the rationale for its collection, storage, transfer, usage, and access.
Companies that rely on network maps, instead of a complete data map, may be inadvertently collecting or otherwise using personal data in a manner that is not consistent with the law – or what they have outlined to their users in their privacy policies. This can lead to compliance issues.
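To make the distinction concrete, here is an added example, constructed for this article rather than taken from Privacy108's own tooling; every host, dataset, purpose, recipient and retention period in it is hypothetical. A network map row can only answer "which systems exist and where"; a data flow map row records what personal information is held, where it came from, why it was collected, where it is stored, who it is shared with and for how long, and so can be checked against what the privacy notice told users.

```python
"""Network map vs data-flow map: a constructed example (hypothetical hosts,
datasets, purposes and recipients; not code from the original article)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NetworkNode:
    """One row of a network map: infrastructure, nothing about the data."""
    host: str
    ip: str
    zone: str


@dataclass(frozen=True)
class DataFlow:
    """One row of a data-flow map: what personal information, why and where."""
    dataset: str
    elements: Tuple[str, ...]           # personal information fields in the flow
    source: str                         # where the data is collected from
    purpose: str                        # the rationale users were told
    stored_on: str                      # host from the network map holding the data
    shared_with: Tuple[str, ...] = ()   # recipients the data is transferred to
    retention_days: Optional[int] = None


# Constructed network map: answers "what infrastructure exists", not "what
# personal data is processed and why".
NETWORK = [
    NetworkNode("web-01", "10.0.1.10", "dmz"),
    NetworkNode("db-01", "10.0.2.20", "internal"),
    NetworkNode("analytics-01", "10.0.2.30", "internal"),
    NetworkNode("backup-01", "10.0.3.40", "internal"),
]

# Constructed data-flow map for the same environment.
FLOWS = [
    DataFlow("customer_contact", ("name", "email", "postal_address"),
             "checkout form", "order_fulfilment", "db-01",
             shared_with=("courier_co",), retention_days=730),
    DataFlow("support_tickets", ("name", "email", "ticket_text"),
             "support portal", "customer_support", "db-01",
             retention_days=1095),
    DataFlow("marketing_profile", ("email", "browsing_history"),
             "site tracking pixel", "marketing_analytics", "analytics-01",
             shared_with=("adtech_vendor",)),
]

# What the (constructed) privacy notice actually tells users.
NOTICE = {
    "purposes": {"order_fulfilment", "customer_support"},
    "recipients": {"courier_co"},
    "max_retention_days": 730,
}


def find_issues(flows: List[DataFlow], notice: dict) -> List[Tuple[str, str, object]]:
    """Flag flows that are inconsistent with the privacy notice.

    Each issue is (dataset, description, offending value). None of these
    questions can be asked of a network map at all, which is the point.
    """
    issues = []
    for f in flows:
        if f.purpose not in notice["purposes"]:
            issues.append((f.dataset, "purpose not disclosed in notice", f.purpose))
        for r in f.shared_with:
            if r not in notice["recipients"]:
                issues.append((f.dataset, "recipient not disclosed in notice", r))
        if f.retention_days is None:
            issues.append((f.dataset, "no retention period defined", None))
        elif f.retention_days > notice["max_retention_days"]:
            issues.append((f.dataset, "retention exceeds notice", f.retention_days))
    return issues


def unmapped_hosts(network: List[NetworkNode], flows: List[DataFlow]) -> List[str]:
    """Hosts in the network map with no data flow recorded against them.

    A gap here means either the host holds no personal data or the data-flow
    map is incomplete; the network map alone cannot tell you which.
    """
    mapped = {f.stored_on for f in flows}
    return sorted(n.host for n in network if n.host not in mapped)


if __name__ == "__main__":
    for dataset, problem, value in find_issues(FLOWS, NOTICE):
        print(f"{dataset}: {problem} ({value})")
    print("hosts with no mapped data flows:", unmapped_hosts(NETWORK, FLOWS))
```

Run as-is, the check flags the marketing profile three times (undisclosed purpose, undisclosed recipient, no retention period) and the support tickets once (retention longer than the notice states), and reports `backup-01` and `web-01` as hosts the data flow map says nothing about. The first set of findings is exactly the compliance gap described above; the second is the follow-up question a privacy professional has to put back to IT, because the network map alone cannot answer it.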
While you need to be aware of the difference, you don’t need to be an expert in both fields. The reality is that you can seek counsel from legal privacy experts or defer to your IT department’s expertise in building a robust cyber security program – as long as you’re alert to the difference between the two fields.
Certifications for Privacy Professionals from Privacy108
Specialised certifications for privacy professionals aid in the development of interdisciplinary knowledge. They allow you to develop real-world skills so you can speak natively about privacy to stakeholders from various backgrounds.
The BHP job advertisement we mentioned in the introduction for this article listed relevant privacy certifications as ‘highly desired’, specifically any of these certifications:
- Certified Information Privacy Professional (CIPP),
- Certified Information Privacy Manager (CIPM),
- Certified Information Privacy Technologist (CIPT),
- Certified Information Systems Security Professional (CISSP),
- Certified Information Security Manager (CISM),
- Certified in Risk and Information Systems Control (CRISC), or
- Certified Information Systems Auditor (CISA).
Why are these certifications increasingly being sought? Because privacy certifications equip you with the real-world skills you need to uplift organisational privacy maturity.
Privacy108’s lead instructor, Dr Jodie Siganto, is one of Australia’s leading privacy professionals – with significant experience in information security as well as developing organisational privacy governance and ensuring compliance with local and global privacy laws.