By Arthur Moses Opio and Nsanzimana Gilbert

Picking up from the previous two discussions on Building Blocks for Effective Cybersecurity Organizational Framework and The Principles of Zero Trust Architecture, yesterday on the 5th May, 2022, NITA-U had yet another interesting discussion on "What you Need to Know about Privacy Engineering"

Key concepts emphasized in the discussion included a deep understanding of what personal data is, and why it is necessary to keep its privacy. 

What is personal Data

Personal data is any data that one can look at and identifies who the person is. It includes name, home address, email address, identification card number, location data, phone number, date of birth, photo, CCTV footage, racial or ethnic origin, etc.

Some factors that necessitate privacy engineering in this era are increase in volume and complexity of data, data traveling rapidly across companies and jurisdictions, less paper trails to record data movements, and the Data Protection and Privacy Act.  

The principles of the Uganda's Data Protection and Privacy Act 2011 include data accountability, fair and lawful lawful, adequate, quality, transparency, technical and organizational measures for data privacy.

Understanding Privacy Engineering 

The speaker for the day defined Privacy Engineering as;

"Privacy Engineering is the practice of building tools and processes that apply privacy protections to personal data" -Emmanuel Mugabi

Privacy engineering is about embedding privacy in development. It is not the system's primary purpose, but it is a key component of the design process.

"Privacy Engineering helps to bring into actualization whatever a company says in their privacy policy or notice" -Emmanuel Mugabi

Privacy Engineering Framework for Information Systems and Applications

3 Main Privacy Engineering Objectives

1. Predictability

Enabling reliable assumptions by individuals, controllers, and processors about personal data and its processing by an information system. It is more of making sure that you have enabled reliable assumptions for your clients.

2. Manageability 

Providing the capability for granular administration of personal data including alteration, deletion, and selective disclosure.

3. Disassociability 

Enabling processing of data or events without association to individuals or events without association of individuals or devices beyond the operational requirements of an information system. 

When it comes to producing information for research, statistical reporting, it is important to deal with de-identification of personal data before using it for marketing.

While concluding the discussion, Emmanuel Mugabi called upon everyone to adopt privacy engineering which saves a lot of headache, risks, and friction between users and organizations.

"Privacy engineering is at the nexus of legal, policy, engineering, and product" -Emmanuel Mugabi

The next topics of discussion are outlined in this program you can check it out and mark your calendar. 

Follow these key social media handles on Twitter @DICTSMakerere  @NITAUganda1  @NITAUgandaED  @CERT_UG so that you do not miss out on key information regarding the cyber security webinar series.

Let us build the human firewall, we are better off safe than sorry.

#InfosecUG #BeSafeOnlineUG