The Data Protection dilemma

Above: Microsoft’s Darren Mohammed. Photos by Mark Lyndersay

BitDepth#1190 for March 28, 2019

The challenges of data protection and privacy are actually the same problem, viewed from the quite different perspectives of companies that depend on vast pools of customer information to compete effectively and the individuals whose privacy is being incrementally stripped away to provide it.

At an event on Tuesday, Rishi Maharaj hosted a group of IT and legal professionals at an all-day seminar that considered these challenges from the institutional perspective, with more than a slight nod to the issues that face the individual users being asked to submit ever more robust profiles of personal information just to do business with online and nearline businesses.

So it was a bit surprising to find no representatives from the private sector at an event which spoke directly to the management and legal responsibilities that will be expected of them in caretaking their most valuable asset in 2019.

There were representatives from government ministries, NGC, the Hugh Wooding Law School and the SEC, which suggested a welcome appreciation in governance of the requirements that are likely to shape global data sharing in a post-GDPR world.

The General Data Protection Regulation 2016/679 has already influenced thinking outside its European implementation zone in legislation governing data handling.

Conversations about a Caribbean version of the legislation are still in the very earliest stages, but the broad requirements seem clear for businesses and governments right now.

Event host Rishi Maharaj worked on the Freedom of Information and Data Protection Acts in his 12 years in government service.

The two acts, he noted, encompass the essential challenge of data, the first dealing with transparency and accountability from the perspective of the individual and public, the other with management and government responsibility for collecting and storing that data.

He shared a personal experience moving required information from one local government silo to another, one comfortable with digital submissions, the other demanding copies of the stack of documents he had so painstakingly digitised.

The consequences of those silos of data gathering and the challenges of protecting data in multiple forms would recur during the day’s deliberations.

He was joined during the day by Darren Mohammed, Microsoft Country Manager for TT; Dr Ann Cavoukian, privacy protection expert; Margaret Rose-Goddard, an attorney with a focus on procurement governance; and Shiva Bissessar, cybersecurity consultant.

Mohammed acknowledged Microsoft’s hope that the region would unify its efforts to create regional data protection legislation. The company has posted a statement on the need for more international agreement on general digital principles.

Meanwhile, Microsoft continues to work on reinforcing its central message, trust.

Mohammed said the company, which bet its future on cloud services and was doing quite well on that basis, is guided by a quote from CEO Satya Nadella, “Businesses and users are only going to embrace technology if they can trust it.”

The Microsoft manager had many messages for his audience, but at their core is the company’s willingness to fight, within the law, to protect customer data from intrusions both legal and illegal while taking a determinedly hands-off approach to customer data sets.

“Microsoft has never given data to governments when requested,” Mohammed said. It’s an issue that’s at the core of their business model.

“Microsoft will become GDPR compliant with all territories, and will share its experience with its [cloud data retention] customers as part of its contractual obligation.”

To assist customers with the challenges of compliance, the company has introduced a software-based Compliance Manager that monitors customers’ compliance with the expected norms of GDPR.

In cybersecurity alone, the company has invested a billion dollars in hard US cash in R&D and employs 3,500 security professionals, protecting against five million malware threats per month.

Dr Ann Cavoukian, Distinguished Expert in Residence at the Privacy by Design Centre of Excellence, Ryerson University, delivered her presentation via a pre-recorded video.

“People prefer to give their business to firms with good data hygiene,” Cavoukian said.

“Privacy is not about having something to hide, it’s about giving personal control to the customer over how they share their personal information.”

“Most privacy breaches remain unchallenged, unregulated and unknown,” she said.

Cavoukian urged businesses to drop the notion of win and lose models and a zero-sum game to embrace a positive sum model.

“It’s possible to do privacy properly and do business successfully with a win-win, positive sum outcome.”

Margaret Rose-Goddard, presenting via videoconference, interrogated the nuances in the conflict between the private interest in keeping things confidential and the duty to protect and the public interest in the right to know, the conflict between transparency and confidentiality.

Noting the general belief that once there is a private contract, it must not be disclosed and if it’s a public sector contract, it must be disclosed, Rose-Goddard explained that “neither of these is exactly correct or absolute.”

“What is of interest to the public and what is in the public interest can be quite different things,” Rose-Goddard said.

“Just because it is reported in the media does not guarantee that it is in the public interest.”

Something that last week’s rash of “Buck” stories amply demonstrated.

Rose-Goddard urged businesses or government agencies to supply as much information as possible when responding to requests of Freedom of Information orders, redacting information that fell under the description of confidential corporate information and trade secrets.

Citing a US legal precedent, she noted that, “The public interest is not one homogeneous undivided concept.”

She further warned that “There is no confidence in iniquity. You cannot use confidentiality to cloak wrongdoing.”

“People think that cybersecurity is an IT problem, but it’s an organisational risk management issue,” Shiva Bissessar said.

“It’s at the intersection of privacy and security that we find the protection of personal information.”

He warned of increased surveillance by governments, particularly those aligned with the Five Eyes, a coalition for official monitoring and data sharing between Australia, Canada, New Zealand, the UK and the USA.

He took special note of the Assistance and Access Bill recently passed into law in Australia, which would require technology companies doing business there to give the government access to data on private devices or face hefty fines.

Such digital backdoors have proven to be a Pandora’s box, and access once established becomes a vulnerability that data poachers can exploit.

In another, rather more benign happenstance, the fitness app Strava revealed the location of hidden US military bases when the training routes of personnel appeared in areas believed to be empty.

The successful Sony hack, which cost the company billions in damage and lost revenue, was helped by a company which operated in silos.

“Information security is most effective in companies in which all employees are aware of threats, vulnerabilities and the impact of risky online behaviour,” Bissessar explained.

“Risks are threats that are enabled by vulnerabilities.”