5.5 Privacy and Sensitive Data Concepts

Privacy and Data Breaches

Privacy impact assessment (PIA) = method for identifying and assessing privacy risks throughout the development lifecycle of a program or system


Data Classifications

Proprietary = data unique to an organization, property of an organization, like trade secrets

PII - personally identifiable information = information that can be tied back to an individual

PHI - protected health information


Enhancing Privacy

Tokenization - replacing sensitive data with a non-sensitive placeholder

Data minimization - minimal data collection, only collect data that are necessary

Data masking - obfuscating some of the data

Anonymization - make it impossible to identify the data

Diffusion - a one-character change in the plaintext should correspond to multiple changes in the ciphertext
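The four privacy-enhancing techniques above are easier to tell apart when applied to one record. The script below is an added illustration for these notes, not from the source; the customer record, the vault, and the allowed field list are all constructed for the example. It shows that tokenization is reversible only through a vault, masking keeps the shape of the value but hides most of it, minimization drops fields the purpose does not need, and anonymization removes the direct identifiers and generalizes the remaining quasi-identifiers so the record can no longer be tied back to a person.

```python
"""Privacy-enhancing transforms applied to a constructed customer record."""
import re
import secrets

# Constructed sample record: what a sign-up form might collect before minimization.
RECORD = {
    "name": "Ada Example",
    "email": "ada@example.com",
    "card": "4111 1111 1111 1111",
    "dob": "1985-07-14",
    "zip": "90210",
    "favorite_color": "blue",   # collected, but not needed for billing
}

# Data minimization: keep only the fields the stated purpose (billing) requires.
BILLING_FIELDS = {"name", "email", "card"}


def minimize(record, allowed=BILLING_FIELDS):
    """Return a copy of the record containing only the allowed fields."""
    return {k: v for k, v in record.items() if k in allowed}


class TokenVault:
    """Tokenization: swap a sensitive value for a random placeholder.

    The real value lives only in this (separately protected) vault. The token
    has no mathematical relationship to the original, so a leaked token on its
    own reveals nothing; the vault is the only way back.
    """

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value):
        if value in self._value_to_token:      # same value -> same token
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(8)  # random, not derived from value
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token):
        return self._token_to_value[token]


def mask_card(pan):
    """Data masking: hide all but the last four digits, keeping the length."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(addr):
    """Data masking for an e-mail address: keep first letter and domain."""
    local, _, domain = addr.partition("@")
    return local[0] + "***@" + domain


def anonymize(record):
    """Anonymization: drop direct identifiers, generalize quasi-identifiers.

    Name, e-mail and card are removed outright (no vault, no key, nothing to
    reverse). Date of birth is reduced to birth year and ZIP to its first three
    digits, which is what makes re-identification from the output infeasible.
    """
    return {"birth_year": record["dob"][:4], "zip3": record["zip"][:3]}


def protect(record, vault):
    """Apply minimization, then tokenize the card and mask what is displayed."""
    kept = minimize(record)
    return {
        "name": kept["name"],
        "email_display": mask_email(kept["email"]),
        "card_token": vault.tokenize(kept["card"]),
        "card_display": mask_card(kept["card"]),
    }


if __name__ == "__main__":
    vault = TokenVault()
    stored = protect(RECORD, vault)
    print("stored record:", stored)
    print("vault lookup: ", vault.detokenize(stored["card_token"]))
    print("anonymized:   ", anonymize(RECORD))
```

The stored record can be shown to support staff and written to logs without exposing the card number; only the system holding the vault can recover it, which is the property that lets tokenization reduce the scope of a breach.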


Data Roles and Responsibilities

Data owner - accountable for specific data, responsible for the quality of the data

Data controller - manages the purpose and means by which data is processed

Data processor - processes data on behalf of the data controller, usually a third party

Data custodian/steward - responsible for data accuracy, privacy, security, data maintenance
