What is Privacy?

privacy breachIt’s easy to assume that we are all on the same page about what privacy is. But, as information technologies, machine learning, social media, cloud services and the availability of data driven gadgetry increasingly bridge the privacy profession with cyber security, data analytics, risk management and others, it’s important to unpack the concept a little:

Privacy is considered a basic right or freedom that a person should be able to enjoy – for example, freedom from unnecessary intrusion into one’s personal life. It can be talked about in terms of a person’s home or the physical territory they occupy… their body… their communications… their information. One challenge with defining privacy – particularly in today’s connected and social world – is that everyone has a different point of view (or threshold) in relation to what they consider to be private. To many, privacy has morphed. It’s no longer really about the right to be left alone. Increasingly, it seems to be about the ability to exercise choice or control.

The world over, our understanding of privacy has been made more concrete by setting it out in law. Admittedly, privacy laws vary. Some are more robust than others, some are local, others… more global. Some focus heavily on principles, others have more teeth in terms of enforcement. But all allow the extent of what it means to “have privacy” to be understood by the broader community and by those with whom the community deals:  the public service, businesses, industry, academia and the like.

If we were to capture privacy in a sentence, something we can all digest…  privacy is about the protection of personal information in accordance with the law.

In our increasingly data-driven world, personal information is “money”. It’s a tangible 

asset. It’s essential for a for a host of business functions:

  • • selling a product
  • • delivering a service
  • • providing access to benefits
  • • identifying and solving problems
  • • informing and making decisions
  • • creating public policy, and so forth.

Personal information is both valuable and necessary for those in the business of building tech, and those in the business of deploying that tech. I’m talking about vendors and their sales teams, data analytics companies, municipalities exploring their opportunities in the growing “smart cities” arena, social media, government and more.

The ability to have such information – to collect it, store it, manipulate it, send it on to someone else – also imposes a responsibility. There is an implicit obligation to ensure that personal information is handled in a way that is fair and within the reasonable expectation of the person giving it.

In relation to the IoT sphere specifically… privacy presents a wonderful opportunity. Earlier I said that privacy is about protecting personal information in accordance with the law. It absolutely is. However, privacy is not just a compliance exercise. It’s not intended to be a roadblock to innovation or a drag on progress.

It’s a way of thinking. It’s about considering – or, rather, critically thinking about – what will happen to personal information at all stages of its lifecycle within a particular context. Maybe the context is narrow and limited in its application, like phasing out manual employee timesheets in favour of a smartphone app that handles the same functions … or maybe the context is broader, like deploying facial recognition in shopping mall touch screen directories nationwide.

Embedding a Privacy by Design approach in the overall deployment framework for IoT technologies means that personal information is rightly elevated beyond being associated only with its endpoint – like, when it has made money or provided insight into whatever your marketplace is. It again becomes associated with the person who provided it in the first place and with their right that it be protected. Privacy will sit prominently with information security, where risks and vulnerabilities will be identified and addressed at the outset, and at critical junctures thereafter. It will no longer be an 

afterthought. And it certainly will not be addressed at the last minute, or tacked on after the fact, in a desperate attempt to recover public confidence after a data breach, system failure or some other crisis.

If the necessary protections for personal information are well understood and managed in an IoT context, and steps are taken to ensure the community

  • · knows about it,
  • · has confidence that their information is secure and being appropriately used,
  • · has the ability to ask questions (and receive open, accountable answers)…

… then trust in a business, a brand, a product, an innovative way of doing things is much more likely to flourish.

Over the coming weeks and months, my colleagues and I at the Internet of Things Security Institute will be exploring privacy in greater depth. We will talk in terms of basics (such as defining what personal information actually means in an IoT context) and also explore specific privacy issues that can have significant impact on the successful deployment of IoT technologies. We will discuss the powerful relationship between privacy and security in organisational and operational contexts, and we will explore the concept of Privacy by Design and how it fits logically within an overarching security framework.


Nicole Stephensen is the Executive Director for Privacy and Data Protection at the Internet of Things Security Institute.