Are information security and data protection the same thing?
While data protection is linked and often comparable with information security, the two are not identical. Charlotte Lewendon, information management, governance and risk manager at the Guinness Partnership, explains why.
Information security is essentially protecting all information (both manual and electronic) and information systems from unauthorised use, disclosure, disruption or modification, in order to provide:
- confidentiality (i.e. restrictions on access and disclosure)
- integrity (i.e. no improper information modification or destruction)
- availability (i.e. ensuring timely and reliable access to – and use of – information)
The Data Protection Act (DPA) is concerned with the protection of personal and sensitive personal data and is therefore a division of information security. As we are all aware, the DPA makes specific reference to information security under its list of data protection principles, but the two terms are often used together, which can create confusion.
Example: As part of an information risk assessment, an organisation is considering what controls are needed to protect its corporate website from hacking. It wants to maintain the integrity of the information that the organisation has proactively published. The website does not publish or collect any personal data, but alteration of the information on the website could cause a reputational impact if it was misleading or defamatory. Information security controls would need to be considered – but not the Data Protection Act.
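The example above turns on one property from the list earlier on the page: integrity of published content, with no personal data in scope. The following is an added illustration (not code from the original article or from the Guinness Partnership) of what a minimal integrity control for that scenario looks like: a hash baseline is recorded when pages are published, and the live content is periodically compared against it so that any unauthorised modification, removal or addition is detected and reported. All page contents and paths are constructed sample data.

```python
import hashlib
import json
from typing import Dict, List

# Constructed sample of published web content, keyed by URL path.
# These are placeholder pages, not real site data.
PUBLISHED_PAGES: Dict[str, bytes] = {
    "/index.html": b"<h1>Welcome</h1><p>We provide affordable homes.</p>",
    "/about.html": b"<h1>About us</h1><p>A not-for-profit housing provider.</p>",
}


def sha256_hex(data: bytes) -> str:
    """Fingerprint of a page body; any single-byte change alters the digest."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(pages: Dict[str, bytes]) -> Dict[str, str]:
    """Record the hash of each page at publication time (the 'known good' state).

    In practice this baseline would be stored separately from the web server,
    so an attacker who alters the site cannot also rewrite the reference hashes.
    """
    return {path: sha256_hex(content) for path, content in pages.items()}


def check_integrity(baseline: Dict[str, str],
                    current: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare live content against the baseline.

    Returns the paths whose content changed ('modified'), paths that were in
    the baseline but are now absent ('missing'), and paths now served that were
    never published ('unexpected'). All three are integrity failures.
    """
    report: Dict[str, List[str]] = {"modified": [], "missing": [], "unexpected": []}
    for path, expected_digest in baseline.items():
        if path not in current:
            report["missing"].append(path)
        elif sha256_hex(current[path]) != expected_digest:
            report["modified"].append(path)
    for path in current:
        if path not in baseline:
            report["unexpected"].append(path)
    for key in report:
        report[key].sort()
    return report


def is_clean(report: Dict[str, List[str]]) -> bool:
    """True when no integrity failure of any kind was found."""
    return not any(report.values())


if __name__ == "__main__":
    baseline = build_baseline(PUBLISHED_PAGES)

    # Simulate the scenario from the text: one published page is altered to
    # carry a misleading statement, and a page nobody published appears.
    live = dict(PUBLISHED_PAGES)
    live["/about.html"] = b"<h1>About us</h1><p>Misleading statement inserted.</p>"
    live["/news.html"] = b"<p>Content not published by the organisation.</p>"

    result = check_integrity(baseline, live)
    print(json.dumps(result, indent=2))
    print("site clean:", is_clean(result))
```

Run as a scheduled check, the report feeds the incident process: a non-empty "modified" or "unexpected" list is the trigger to restore the published content and investigate how the change was made. Because no personal data is involved, the decision about whether a breach is reportable to the Information Commissioner does not arise from this control; it remains a pure information security matter, which is exactly the distinction the example is making.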
Understanding the difference between the two is very important when making decisions about the controls you are putting in place to protect information. Recognising the difference is also vital when conducting risk assessments and privacy impact assessments, and when assessing the impact of a breach and whether it may need to be reported to the Information Commissioner.