Stupid question? Perhaps. Important question? Definitely. We constantly talk about 'information security' and even 'information governance', but we talk about 'data protection'. What exactly is 'data security' then? What is the difference between information and data, and why does it matter?
We might well ask.
The problem at the root of this is that businesses have a large amount of information they want to keep secure, but information is stored in 'data bases', programmers refer to 'data', and the UK government in particular likes to talk about 'data' protection. For example, take the UK Data Protection Act 1998, which talks about securing people's personal data, or the Financial Services Authority (FSA), which not so long ago issued guidance on Data Security in Financial Services.
At the same time, many businesses use the two words very differently: Whilst there are no hard-and-fast rules, you might expect an Information Security function to have a wider remit than a Data Security function - and an Information Security Officer would most likely have a remit encompassing information policy and governance (as far as it relates to confidentiality of information), whereas a Data Security Officer is more likely to be a security administration role.
To consider the data versus information question with greater clarity, we turned to the fountain of all understanding - the English Dictionary; but only to be disappointed.
Data is defined as:
"Information in raw or unorganized form (such as alphabets, numbers, or symbols) that refer to, or represent, conditions, ideas, or objects."
Meanwhile, the definition of information is stated as:
"Raw data that has been verified to be accurate and timely, is specific and organized for a purpose, is presented within a context that gives it meaning and relevance, and which leads to increase in understanding and decrease in uncertainty."
These basic definitions create a fundamental question: organisations hold data for the purpose of applying it, or there would be no reason to hold it. Data may be held out of context in individual systems, database tables, log files and so on, but only for the purpose of combining it with additional data-sets to make it meaningful.
In other words, all data held by the enterprise qualifies as, or will need to qualify as, information. If it won't, it should presumably not be held.
If your organisation has any data that is:
- not accurate or timely (i.e. lacks integrity or is obsolete)
- not specific and organised for a purpose (i.e. cannot be used)
- not within a context, or cannot be put in context by linking it with other data-sets, or
- does not provide understanding or reduce uncertainty
... then you have some storage space being wasted, and an information governance question unresolved.
In effect, in order to be of any commercial value data must be or become information. In particular, personal data, in whatever way it is stored or maintained, is almost certainly also personal information.
The Data Protection Act 1998 supports this statement. In order to qualify as personal data under the DPA 1998, data must be 'personally identifiable' - in other words, it must largely meet the above criteria for information.
Personal data according to the DPA 1998 is:
"Data which relates to a living individual who can be identified:—
- from that data, or
- from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller"
In other words, personal data is personal data in context - or personal information. The requirement for the person to be living means the DPA definition of personal data is actually narrower than a definition of personal information. Perhaps the Data Protection Act 1998 would have been better named the Personal Information Protection Act (though arguably Governance would be a better word than Protection)?
At the end of the day, all the confusion is just a matter of semantics. In an organisational environment, there should surely be no practical difference between the two. The answer then is pick one and stick to it. Don't have an information security function and a data security function. Have an information security function and an information security operations function. Don't have an information security policy and data security guidance. Riskmonkey's preferred term: Information Security. In a business, all data is information - any that isn't would not fall within the terms of the Data Protection Act in any case.
The Government, it seems, is not always right. Roll on the Information Governance Act... though what it should say is another question entirely. Answers on a virtual postcard, please.