Permissions and Privacy in User Data

Privacy has overtaken security as a top concern for many organizations. For IT professionals, the difference between privacy and security may not be apparent. Protecting sensitive data from the prying eyes of malicious users seems to be an obvious goal of application security. But privacy is more than just protecting sensitive data. Privacy is also the users’ ability to keep their data private, no matter if the data is considered sensitive or not. Giving users the ability to control who has permission to see their data and who does not have permission is an important goal of privacy.

How to Ensure Personal Data Is Kept Personal

Many IT professionals today are unaware of exactly how to ensure users’ data is kept private, or even how to determine if the users’ privacy has been violated. Relying on a member of the IT team to “know it when they see it” is not a scalable way to ensure their users’ privacy. Often, IT staff are not subject matter experts concerning the data their organization is collecting. If the sensitivity of the data is not documented and privacy standards have not been explained to everyone who works with the data, it creates an opportunity for incorrect assumptions to be made concerning what data needs to be protected, when it needs to be protected, and where it needs to be protected.

Executing a Data Classification Policy

One of the benefits of working in a governmental or military environment is the thoroughness of data classification documentation and processes that define the secure usage of sensitive data. A member of an IT staff working in these environments does not have to make any decisions about the sensitivity of the data, minimizing the opportunity for incorrect assumptions to be made. But when an organization does not have a well-defined and consistently implemented data classification policy, it can lead to software that violates their users’ privacy, such as the exposure of a mobile phone user’s geolocation data through an app the user has installed.

Document all Sensitive Data and Create a Privacy Policy

Well implemented application security can help an organization to keep users’ data private, but security alone cannot ensure the data remains private. By thoroughly documenting the data sensitivity collected from users and by creating a privacy policy to define how that data will be protected, an organization can begin to minimize the risk of inadvertent exposure of their users’ data.