Data protection and security

Security is a necessary but not sufficient element to safeguard the rights and freedoms of people regarding personal data protection. In addition, if security measures are not aimed at protecting said rights but at achieving other objectives, they may actually pose a threat to freedom.

Just imagine for a moment that we are walking down the street and we are approached by someone who claims to have a lot of information about our family. A stranger who might tell us, for example, that he knows our children, their names, the school they attend and their friends’ names. He tells us about their trouble with certain courses and gives detailed advice on how we should help them; he shares their secrets in detail and all the problems they have recently had with some classmates, whom he knows as well. And not only about our children, but also about our partner, relatives, friends...

That same person says that this is just a small part of the information he has, but we do not need to worry: he is doing the right thing for us and all such data are safe in his hands. He has all the necessary certifications that ensure there will be no problem which may jeopardize the confidentiality, integrity and availability of the data he has.

Would the fact that a stranger had all the information about our family, down to the smallest personal detail, albeit theoretically kept safe, reassure us? Until now, the answer in the forums where this question has been asked has always been negative, and the shared, general feeling is that some sort of interference in family life, in our privacy and personal matters is happening. Furthermore, so much security in the processes of storing and collecting these data, our data, would frighten us, as we cannot expect data security to replace data protection. Unfortunately, we are familiar with the historical fact that security and fundamental rights did not always go together.

Data protection is a human right that was born linked to the Universal Declaration of Human Rights proclaimed by the United Nations General Assembly in 1948 with the objective of safeguarding human dignity, and as an instrument to fight oppression, impunity and affronts to human dignity. This right is aimed at protecting human dignity from the invasion that the collection and excessive processing of personal data entails. Its goal is to establish a framework of guarantees that makes it possible to exercise fundamental human rights and freedoms and to prevent personal information from being used indiscriminately against such rights and freedoms that are inherent to every human being.

Article 12 of the Universal Declaration of Human Rights clearly states the goal of this fundamental right:

12. No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

The Declaration of Human Rights also states the need to extend the rights and freedoms it provides to every person, and this is declared in article 2:

2.1. Everyone is entitled to all the rights and freedoms set forth in this Declaration, without distinction of any kind, such as race, colour, sex, language, religion, political or other opinion, national or social origin, property, birth or other status.

2.2. Furthermore, no distinction shall be made on the basis of the political, jurisdictional or international status of the country or territory to which a person belongs, whether it be independent, trust, non-self-governing or under any other limitation of sovereignty.

The right to data protection inherits this need to give special protection to any information regarding people that includes information on race, colour, sexual orientation, religion or political opinion, with the aim of making human rights applicable to everyone, regardless of these factors. Information security does not protect people from the potential abuse they may suffer as a result of these factors.

Information security is aimed at maintaining integrity, availability and confidentiality by using technical, material and organisational resources that are suitable and proportionate to achieve one or several goals. These may be diverse: ensuring business continuity, the State’s security, avoiding fraud, preserving institutional image or, for example, guaranteeing privacy.

The technical and organisational measures to guarantee personal data security are part of the guarantees that make it possible to implement data protection effectively. But for such measures to be truly privacy-oriented, the selection and implementation of information security is an additional step in the process of applying data protection principles. The process of managing the right to data protection begins by establishing the lawfulness of the processing and continues with the application of the principles of loyalty, transparency, purpose, proportionality, accuracy, limitation, application of rights, proactive responsibility and, finally and arising from the requirements established by the implementation of all the previous ones, the security measures.

Under no circumstance is information security a preliminary element, nor can it precede or replace the rest of the principles. The analysis of information security is not the starting point for the effective implementation of data protection in an entity, but the last stage in the process of implementing a privacy policy, as information security does not care about fundamental rights. Fundamental rights are taken care of by data protection, and security is made available to data protection on the path to attaining the lawfulness of the processing. The technical and organisational measures needed to ensure the confidentiality, integrity and availability of information must be aimed at implementing data protection principles to guarantee the rights and freedoms of individuals in a State governed by the rule of law, even beyond a potential breach of the rule of law. Information security is a necessary but not sufficient resource to guarantee the fundamental right to the protection of personal data.