Security

Privacy vs Confidentiality vs Security: What's the Difference?

It’s crucial for your IT staff to understand three concerns that overlap but are not quite the same.

Mike Chapple is a teaching professor of IT, analytics and operations at the University of Notre Dame.

Campus administrators and faculty understand the importance of protecting sensitive student information. The past two decades have brought us a variety of laws and regulations dictating how we handle student records, as well as a series of high-profile security incidents that underscore the importance of rising to meet these obligations.

As we discuss the criticality of protecting sensitive student information, we often throw around three terms: confidentiality, security and privacy. While many people use these terms interchangeably, they actually refer to separate but related concepts. Institutions seeking to mature their data protection practices will benefit from providing their constituents with a clear understanding of these interrelated concepts.

REMEDIATE VIOLATIONS: Get guidance on continuous compliance posture monitoring from CDW.

Confidentiality Protects Secrets

Confidentiality is one of the core concepts of cybersecurity. Simply put, confidentiality ensures that secret information is protected from unauthorized disclosure.

Protecting confidentiality is a responsibility shared between technologists and everyone else in the organization. Clearly, cybersecurity professionals and other IT staff bear the burden of ensuring that confidentiality controls are in place and functioning properly. However, it’s important to remember that everyone with access to sensitive information has a role to play in preserving the confidentiality of that data.

Most often, security breaches occur not as the result of a sophisticated technical failure but as the result of a mistake made by someone with authorized access to information.

As institutions work to achieve confidentiality goals, they may rely upon a wide variety of technical controls designed to prevent, detect and remediate confidentiality breaches. Many of these controls are designed to prevent breaches from occurring in the first place by restricting information access to authorized users.

For example, application access controls may limit the types of records that each user may see. Similarly, encryption technology protects sensitive information stored on systems or being transmitted over a network. Other controls seek to detect and remediate potential security breaches.

For example, data loss prevention systems monitor network communications for unauthorized transmissions of sensitive information and may intervene to block those communications from reaching unauthorized recipients.

Security is Broader than Confidentiality

Confidentiality is one of the foundational concepts of cybersecurity and is the requirement that most security professionals spend the majority of their time thinking about.

However, confidentiality is only one of three core concepts that together make up the foundation of cybersecurity work. The remaining two principles, integrity and availability, round out cybersecurity’s well-known “CIA triad.”

Integrity protects information from unauthorized modification. The most common example in an educational setting involves student grades.

If a student is able to gain unauthorized access to a learning management system and modify his or her own grades, that constitutes a violation of integrity.

Access controls are the major mechanism used to enforce integrity requirements.

Availability ensures that information is available for use by authorized individuals at the time they need it. Violations of availability may occur due to intentional attacks, such as the denial of service attack that crippled the learning management system at one university in 2015.

They may also arise from technical failures, such as the network outage that shut down technology at another institution for a week in 2018. Protecting availability is typically the work of technologists, who design fault-tolerant systems that can withstand component failures and implement backups to quickly restore service in the event of an outage.

MORE ON EDTECH: Should higher ed be worried about the Colorado Privacy Act?

Privacy Determines Authorization

Privacy is closely related to security and confidentiality but approaches data from a different perspective.

Confidentiality controls protect against the unauthorized use of information already in the hands of an institution, whereas privacy protects the rights of an individual to control the information that the institution collects, maintains and shares with others.

One way to understand the relationship between privacy and confidentiality is that privacy requirements dictate the types of authorization granted to information, and confidentiality controls ensure that people and systems meet those privacy obligations.

Privacy requirements typically arise in two forms. First, many institutions adopt privacy policies based on their own ethical sense of proper information handling. Second, a variety of laws and regulations impose privacy requirements on colleges and universities.

In the United States, the Family Educational Rights and Privacy Act (FERPA) grants students (or the parents of minor students) the right to access information contained within their educational records, request the correction of any information they believe is inaccurate and control the sharing of their records outside of the institution.

EXPLORE: See how universities are protecting both privacy and security.

Modernizing Faculty and Staff Training

In most institutions, IT staff already understand the importance of implementing strong privacy and security controls.

The biggest challenge is typically communicating the importance and nature of confidentiality and privacy requirements to the faculty and administrators who handle confidential student information on a day-to-day basis. It’s not unusual for institutions to require privacy training when faculty and staff first gain access to student records.

This usually involves a primer on FERPA requirements and scenario-based questions that help contextualize this information.

However, these training programs often fall short in two important areas. First, they often don’t include modern scenarios that reflect the digital nature of today’s higher education infrastructure.

The administrators of these programs can improve them by reviewing them carefully and updating the training to reflect the tools and technologies used in their modern computing environment. Second, these training programs are all too often one-time efforts.

More effective would be periodic refresher training to remind faculty and staff of their obligations and update their understanding of the privacy and confidentiality environment on campus.

Taking the time to modernize training will go a long way toward protecting the confidentiality and privacy of student information. After all, protecting student records is in everyone’s best interest.

izusek/Getty Images