As I read last week about data breach at the University of Maryland and now about Indiana, what can be said about the relationship between privacy and security? I left the conclusion out of yesterday’s post. Consider this one an addendum.
Information management is what must be said, and done. It is the bridge between human practices and technical safeguards. It is what connects “information” and “technology.” It is the higher business order of these two necessary components, privacy and security, to the comprehensive institutional goals of effective and efficient governance, compliance and risk management. It is the whole that is greater than the sum of parts such as, on the one hand: data inventory and harmonization of practices that for sensitive information including but not limited to personally identifiable data that instantiate notice, transparency, relevancy and administrative, logical and physical security; and on the other, classifications of data tied to appropriate technological safeguards, rules regarding authentication and authorization, device maintenance and hygiene, and optimized network operations.
Comprehensive information management takes into account different types of security breaches: human error in categorization of data or configuration of devices; criminal fraud; persistent nation-state threats, as a whole, not in parts. Functionally, in terms of roles and responsibilities, information management generates common purpose among those people and offices that touch it in various capacities: legal counsel, risk management, compliance, privacy and security subject matter officers, information technology personal (across the board, not simply “security” and “policy” officers), academic and administrative unit heads, data stewards and custodians.
Conceptually, it makes sense of the diverse “data sets” that deceptively appear in our imaginations to exist separate and apart from each other, for example, “H.R.,” or “student” or “financial data,” or raising the perspective level up a notch, “research” and “administrative” data. In fact, these types of data often flow together through centralized enterprise administrative systems. The greatest risk colleges and universities countenance in “security” or “privacy,” surely must be our conceptual distinctions that do not play out in the reality of our technical systems and functions. Higher education’s mismanagement of information can often be traced back to this gap. Lack of awareness of how this gap continues to plague best, and I really mean best, practices is the root problem. Moreover, it is one rooted in this on-going, made-up tension between “privacy” and “security,” and the inversion of one for other in terms of means and ends.
No one single practice name will make a system perfect. With all the efforts in the world, the breaches that occurred at Maryland or Indiana or hundreds of other colleges and universities around the country might still occur. Well-intentioned people are too flawed, even the best software can malfunction given multiple mechanized and human dependencies, and ill-intentioned people often have the emotional drive that gives them the edge in this multi-faceted competitive game. Nevertheless, for the sake of base line compliance, for the reputational goal of effectiveness and efficiency, for the ideological one of supporting our missions, we must strive for greater degrees of mastery over our intellectual property, institutional information, research data, faculty and student work product.
Vocabulary matters. It matters because it is a reflection of our thinking, and how our thinking gets translated into policies, procedures, and practices. If ten years ago or more, our challenge was all about “security,” and then in the last five years or so we have shed more light on “privacy,” may we now elevate our vocabulary to manage well our information.