COMMUNITY BLOG - Nicole Stephensen - The art of talking privacy
The community blog posts are written by InfoSec professionals from diverse sectors who have kindly provided articles for free to support the demystifying of cyber.
Author: Nicole Stephensen
Position title: Managing Director and Principal Consultant
Organisation: Ground Up Privacy
The art of talking privacy…
I read a wonderful book last year. It has impacted my work immensely, leading to frank and fearless discussion, moments of clarity around responsible stewardship of data (the personal stuff, the stuff about you and me), innovative and elegant development of privacy-enhancing features in policy and technology… yet it had nothing to do with Privacy, which is the focus of my career and the subject of my passion. Nothing and everything, apparently.
Confusion can be off-putting. When previously I sought to engage with my peers, clients, professionals in complementary industries, there was undoubtedly confusion as to my purpose.
While there is a relatability about privacy to other disciplines, there is a danger in me showing up if you think I am here to tell you all about why privacy matters to me in a context… because that doesn’t serve you. I am, instead, here to explore why privacy matters to you and to enrich your work by giving you an additional reference point. This is particularly the case when talking about privacy with information security professionals.
Recently I have spent a lot of time working in the Smart Cities sphere. Digital governance. Internet of Things technologies. All things connected. All things social. Insights and trends. Data. Data. Data.
When our cities, our companies, our not for profits, our innovators, our vendors, our platforms start talking ‘data’, I am often brought into this discussion from a point in time. By the time I get there, the discussion is linear. It’s based on the idea that the data is the starting point in the conversation. What do we do with the data? How can we derive value from the data? How can we add more data to the data?
Now, if this data is special in some way – if, for example, it’s about a person or a group of people – the inevitable question will be asked (and, I confess, often I am the one asking…): “What about privacy?”
Keep in mind that we are already at a point in time in this discussion. We are focused on the business outcome… we are all about the data, the insights, the revenue, the leveraging. So, when the question is asked, those in the room often misunderstand what I mean. I say “What about privacy?”, and those in the room are hearing “How do we protect the data?” Good question! Entirely right! How DO we protect the data? Enter: all of you (security folks)! Enter: process. Enter: controls. Enter: building that big fence (whether physically or digitally) around that which we want to protect.
But here’s the thing: when we conflate the terms privacy and security, we end up focusing only on the data (as if ‘the data’ is the thing we need most to protect or worry about), instead of focusing first on our primary objective: the right of the community we serve to the fair and transparent handling of their information.
Additionally, in terms of project management and timelines, it’s clear that there is a deep need to agitate about privacy (not to be confused with security) earlier in the Smart Cities conversation. I’ll save my thoughts on that until we meet again.
Nicole Stephensen is Principal Consultant at Ground Up Consulting, a boutique firm she established in 2011. There, she provides capacity building and privacy by design services across government, private and not for profit sectors. Nicole is also the Executive Director for Privacy and Data Protection at the Internet of Things Security Institute (a pro bono position). She is co-author of the IoTSI Security Framework for Smart Cities and Critical Infrastructure and hosts a bi-weekly podcast, Privacy Matters.
In her nearly 20 years in the privacy profession, Nicole notably provided comprehensive drafting instructions on the structure, content and policy imperatives for Queensland’s first privacy law, the Information Privacy Act 2009. This law replaced the State’s previous administrative privacy regime which, from 2005-2007, Nicole had responsibility for implementing at a whole-of-government level. She began her career in Canada, with roles in privacy, freedom of information and information policy.
Nicole is a member of the International Association of Privacy Professionals (IAPP), and hosts the IAPP’s KnowledgeNet Chapter for Queensland. Prior to its incorporation into the larger IAPP in 2019, Nicole was also a member of the International Association of Privacy Professionals ANZ Chapter (iappANZ) where she sat for three consecutive terms on the Board.
Nicole additionally volunteers her time to: the international peer-review panel for the Secure Controls Framework (SCF), a US-based high-level privacy- and security-by-design framework created by industry experts and offered under Creative Commons; and the Advisory Board for the Joe Alhadeff Digital Policy Centre (currently being constructed on Prince Edward Island, Canada), which is focused on issues of digital policy affecting children and young people, such as cyber-bullying, image-based abuse and child exploitation.
COMMUNITY BLOG - guest author Nicole Stephensen - 30 January 2020