Privacy vs Security

Recent news of high-profile data breaches, such as the SingHealth cyber attack and the online disclosure of over 14,000 HIV patients' info, has hogged the headlines in Singapore. Larger-scale data leaks in other parts of the world, such as those from Uber and Marriott, show that private data kept by large companies is not as securely stored as one might think. Indeed, it seems that Privacy and Security are difficult to achieve today.

Privacy and Security are often used synonymously, when they are, in fact, different but easily confused concepts. Basically, Security is about preventing unauthorized access to something, while Privacy is about controlling how personal data is used. Here, personal data includes things like name, NRIC number, medical records, educational and employment info, as well as biometrics (such as fingerprint, iris, or face images). Interestingly, one's residential address is not considered personal data. See this PDF file for further clarification.


The following table illustrates the difference between Privacy and Security. Each case is discussed in detail below:

                                                    Security violation?   Privacy breach?
    (A) Hacker steals patients' medical records
        from a hospital (the SingHealth incident)   Yes                   Yes
    (B) A State's weapon secrets are stolen         Yes                   No
    (C) Winners' names and full NRIC numbers
        are published                               No                    Yes
    (D) You post your own photo on Facebook         No                    No

Case (A) is the SingHealth incident. It is primarily a security violation that also breaches patients' privacy. If, instead, the hacker had broken into a veterinary hospital and stolen the medical records of dogs and cats, then it would just be a security violation; no privacy breach, because no personal data was compromised. Case (A) shows that the main defense of any system containing personal data is computer security. You cannot protect the privacy of data if you can't secure it well.

Case (B) is a State's nightmare and may have severe consequences, but it is not a privacy breach. Weapon secrets are not personal data.

For another example, consider when a burglar breaks into your house and steals some cash from your drawer. The break-in is a security breach, but unless your face or signature appears on the stolen dollar bills, there is no privacy breach. Money is not personal data.

Case (C) used to be common in Singapore, until the Personal Data Protection Act came along in 2012 and put a stop to it. The purpose of such a publication was to inform the winners to claim their prize, but it revealed far too much. By comparison, the current practice of publishing just the last few digits of the NRIC number, along with the name, is sufficient to notify winners, but preserves their privacy. Note that if the first few digits of the NRIC number were published instead, then the person's age would be revealed (because, since 1968, the year of one's birth is encoded in the first 2 digits). This would again be revealing too much info.

Incidentally, Case (C) is also the HIV data leak that the Ministry of Health suffered. There is no security breach because the person who copied the data was authorized to access it in the normal course of his work. It became a privacy breach the moment he disclosed the data in an unauthorized manner (e.g., by passing the data on a thumb drive to another person not authorized for access).

Case (D) highlights the subtleties of privacy in social media. There is no security violation because no one hacked into your Facebook account. There is no privacy breach either, because you willingly disclosed your own personal data (i.e., your photo).

The situation changes if your photo shows Jane in the background (and she is clearly identifiable). Unless you had obtained Jane's permission, your photo breaches Jane's privacy. This is true whether you know Jane or not. By similar reasoning, your privacy is breached when you get captured in someone else's photo, and that photo is uploaded to Facebook without your consent.


Stay tuned for more blog articles about Privacy ...