How to balance Data Collection and Data Privacy
But how much data is too much? When does data collection start compromising data privacy?
Raising more eyebrows, the company also admitted that its staff in China can access the private data of Australian TikTok users.
In other words, not only was TikTok collecting too much data, it was also potentially compromising the privacy of that data.
It’s not unusual for organisations to collect more data than they need. However, this practice has serious implications: data over-collection is a security and compliance risk.
Therefore, the question organisations need to answer is this:
With the business demanding more and more data, how do you balance the need for both data collection and data privacy?
First, let’s define some important concepts.
Last year, TikTok rang alarm bells when analysis of its source code revealed that the video social media company collects “excessive” amounts of data. According to the study, the app requests almost complete access to the contents of the user’s phone while the app is in use, including calendar, contact lists and photos, which is “significantly more” than the app needs.
Raising more eyebrows, the company also admitted that its staff in China can access the private data of Australian TikTok users.
In other words, not only was TikTok collecting too much data, it was also potentially compromising the privacy of that data.
It’s not unusual for organisations to collect more data than they need. However, this practice has serious implications: data over-collection is a security and compliance risk.
Therefore, the question organisations need to answer is this:
With the business demanding more and more data, how do you balance the need for both data collection and data privacy?
First, let’s define some important concepts.
Protecting and securing data
Data Privacy vs Data Security
The first thing to note is that data privacy is not the same as data security.
Data privacy focuses on how data is collected, used, and shared, whereas data security focuses on how data is kept safe from the many external and internal threats that exist.
Let’s think back to TikTok.
When responding to the concerns about who could access Australian user data, executives at TikTok stressed that strict protocols are in place to protect it.
They claimed that access was tightly restricted and subject to robust controls and safeguards, including encryption for certain data. The level of approval required for access was based on the sensitivity of the data according to the internal data classification system.
As TikTok executives explained, “The purpose of these processes and protocols is to ensure data is only ever accessed by those who require it to allow our business and our service to function.”
On the surface, it seems like they were doing everything we’d ask for data security.
So it’s data privacy that is the real issue here.
The report states that the app has been built without focusing on data privacy – “most of the permissions and device information being collected are above necessary for the application to function.” and the data collection practices were labelled as “overly intrusive”.
Understanding the laws on data privacy
The Australian Privacy Act
Data privacy is based upon the premise that personal identifiable information belongs to an individual and that the individual has the right to determine what, how, when and to whom their information is shared or communicated (which explains why the TikTok revelation was seen as controversial by many).
Increasingly, legislation and regulations are promoting more individual control, more consent, and greater transparency around the use of personal data.
Australia is no exception – we have strict laws on data privacy. The Privacy Act 1988 sets out to protect the handling of personal information about individuals, and includes the collection, use, storage and disclosure of personal information in the federal public sector and in the private sector.
The Privacy Act provides 13 Australian Privacy Principles (APPs), which apply to government agencies and private sector organisations with an annual turnover of $3 million or more.
The APPs form the basis of the privacy protection framework in the Privacy Act, and deal with all stages of processing personal information, setting out standards for the collection, use, disclosure, quality and security of personal information.
As organisations seek to collect and hold consumer data, they must pay attention to the latest data privacy laws and implement systems and processes to meet their legal obligations.
Striking the right balance
The role of good data governance
Data governance is key to striking a balance between data collection and data privacy. Think of good data governance as the foundation for everything else that follows.
Data governance is a collection of policies, frameworks, procedures, people and culture that ensure the effective, efficient and reliable use of data to support your organisation in achieving its objectives and vision.
In other words, it’s where data collection, data privacy and data security come together.
If you don’t have good data governance in place, you cannot apply data privacy and security controls effectively, which means there’s no assurance that data is private, secure or protected.
Good data governance ensures you manage the unique risks and security challenges at every stage of the data’s life cycle: collection, storage, access, usage, sharing, maintenance, archiving, and disposal.
It enables you to track who has access to your data consistently and efficiently, understand your data’s compliance with privacy laws and other regulations, isolate the areas where data is most vulnerable, and know how you can ensure its security.
With robust data governance, you can effectively ensure that data privacy and data security remain top priorities as you collect more data.
But the value of data governance starts before you have collected the data – a critical part of data governance is to ensure that you only collect personal information that is reasonably necessary for your business in the first place.
Build the right foundations
Make data governance your priority
As more data is collected and shared, you need to make sure you have the right policies and protocols in place to only collect the data you need from consumers, and protect it.
0 Comments