Security versus privacy: How do we get the balance right?

Tuesday 29 September 2009

With spectacular losses of personal details by major organisations still fresh in the public mind, a new booklet, Assessing Privacy Impact, provides important insights from leading academics, industry experts and information regulators into the whole debate around who knows what about us, whether they need to, and the treatment of often sensitive data.

Published by the Economic and Social Research Council (ESRC), Assessing Privacy Impact summarises key presentations and open discussion involving a wide range of participants, at a special seminar organised in conjunction with the Cyber Security Knowledge Transfer Network (KTN) - the focal point for UK expertise in this area of activity.

Advances in computer technology have brought fingertip access to personal information, ranging from our age and where we live, to our financial, educational, medical and other records - even our DNA. There have been a number of high-profile and potentially serious examples of the loss of personal data with, as the booklet shows, a dramatic impact on levels of public trust.

A series of regulatory and legislative requirements has been set for business and state departments, with initiatives such as the Government's 2008 Data Handling Review mandating the carrying out of privacy impact assessments (PIAs), which help organisations assess and identify potential concerns.

In Assessing Privacy Impact, Jonathan Bamford, Assistant Commissioner and Director of Data Protection Development at the Information Commissioner's Office (ICO), explains the thinking behind advice given in a new version of that body's PIA handbook.

Launched in June this year, it is designed to be a practical and comprehensive guide for organisations which are developing projects that might have implications for people's privacy.

Mr Bamford says that a PIA is not a regulatory assessment involving box-ticking, but "a process where you sit down at an early stage and think about what you are doing, and what you need to know."

In a foreword to Assessing Privacy Impact, Prof Ian Diamond, Chief Executive Officer of the ESRC, says: "Whilst guidance from the Information Commissioner's Office is a good starting point on how to make assessments and meet the requirements of legislation, a range of questions still remains for businesses, large and small - whether data holders, or vendors who consult on security and privacy or supply privacy enhancing technologies.

"That is why the ESRC and the Cyber Security KTN organised a seminar to bring together academics, the ICO, consultants specialising in privacy assessments, and other organisations for which this is all very much a live issue."

Tony Dyhouse, Director of the Cyber Security KTN, said: "Privacy is one of the most challenging aspects of security, because it affects everyone but is viewed in many conflicting ways. When handling sensitive data, it is vital to consider all possible issues at the outset and reach an informed decision about what data needs to be held, and the most appropriate safeguards.

"The publication of the Assessing Privacy Impact booklet is an important step in helping organisations to achieve this."

Notes for editors

  1. 'Assessing Privacy Impact', published by the ESRC, is based on presentations and open discussion at a seminar held in London in June, 2009, in collaboration with the Cyber Security Knowledge Transfer Network (KTN). If you would like to receive a free copy of the publication please email knowledgeexchange@esrc.ac.uk
  2. The ESRC Public Policy Seminar Series aims to bring the best social science concepts and evidence into the policy arena and stimulate a discussion of how in the light of these insights, policy can be developed. The goal is to encourage evidence-based policy through an exchange between researchers and policy-makers. For forthcoming public policy seminars, please email knowledgeexchange@esrc.ac.uk
  3. The Cyber Security Knowledge Transfer Network (KTN) provides a single focal point for UK Cyber Security expertise, to collaboratively identify universal challenges and develop effective response, influence UK investment strategy and Government policy, accelerate innovation and education, harness and promote UK capability internationally and help improve the UK security baseline. Funded by The Technology Strategy Board, the Cyber Security KTN works with regional development agencies, devolved administrations and the research councils. It is managed by QinetiQ, a leading international defence and security technology company.
  4. The Economic and Social Research Council (ESRC) is the UK's largest organisation for funding research on economic and social issues. It supports independent, high quality research which has an impact on business, the public sector and the third sector. The ESRC's planned total expenditure in 2009/10 is £204 million. At any one time the ESRC supports over 4,000 researchers and postgraduate students in academic institutions and independent research institutes.