Privacy Considerations and Data Ownership with Third-Parties – CompTIA Security+ SY0-401: 2.2

When third parties share data, privacy and data ownership should always be considered. In this video, you’ll learn about protecting customer privacy and the disposition of stored data.


An individual’s privacy is an obvious concern, especially in the world of social media and the internet. These concerns cover not only personal privacy, but also privacy when you’re working as a professional. One interesting aspect of personal privacy is the set of laws that have been created in Europe, where some laws not only protect you at home, but also prevent your employer from tracking what you do while you’re at work.

In your organization you probably have a lot of information that you’ve gathered from your customers. This information also has privacy concerns. Even information that seems very unimportant can be combined with other types of data to create privacy concerns. It’s also important, when you’re working with a third party, that agreements are in place about the data and especially about how the privacy of the data is to be handled.

It’s often said that data is the single most important asset in an organization. If you were to lose all of your data, you could simply close the doors. The company would no longer be in business. But with all of that data in place, it’s important to consider the privacy of that data. You first have to understand how you’re going to protect that data and keep it private. And then you have to consider what technical requirements are going to be associated with that protection.

There should also be a consideration of the physical controls that keep people out of the physical room where those databases may be located. And from a third-party perspective, it’s important to know what happens to the data once the business relationship is over. Is that information simply removed from the database? Does one particular party keep access to the data and own it, or do both sides continue maintaining and owning that data? These agreements should be in place from the very beginning, especially when working with a third party.

This meant that all of these searches had numbers associated with the users so that they could be tracked and the research could be done. This data was of course ideal for understanding the types of searches that people were doing. But unfortunately, a number of the searches themselves contained PII, or personally identifiable information. Although the name was a number, the information within the search allowed third parties to then determine who exactly was making that search. And very quickly, the New York Times was able to identify very specific users, and even contacted them.

For instance, they found that user 4417749 was Thelma Arnold, a 72-year-old widow who lived in Lilburn, Georgia. And they were able to see all of the searches that that user had done. And they did an interview with Thelma, and learned what she thought about her privacy and how this information was released to the internet.

Of course, upon seeing these types of correlations between the searches and the actual users, AOL pulled that information. But by then it was too late. And ultimately, the chief technology officer, the researcher, and the researcher’s supervisor were fired from America Online. This particular example, of course, underlines the importance of privacy, especially when data is provided to a third party.
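
The failure described above, where a stable number replaces the user name but identifying details stay in the query text, can be checked for before a dataset goes to a third party. The Python sketch below is an added example, not part of the original video; the log records, the place and surname lists, and the `audit_release` function are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the shape described above: (numeric pseudonym, query text).
SAMPLE_LOG = [
    (1001, "landscapers in springfield"),
    (1001, "doe family reunion"),
    (1002, "weather tomorrow"),
    (1002, "pizza recipes"),
    (1003, "plumber springfield"),
    (1004, "reset password jdoe@example.com"),
]
PLACES = {"springfield"}   # constructed gazetteer
SURNAMES = {"doe"}         # constructed surname list

# Hypothetical detectors for values that identify a person on their own.
DIRECT = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[a-z]{2,}"),
    "phone": re.compile(r"\b\d{3}-\d{4}\b"),
}

def audit_release(log, places, surnames):
    """Aggregate identifier hits per pseudonym and return {pseudonym: (verdict, labels)}."""
    found = defaultdict(set)
    for pseudonym, query in log:
        text = query.lower()
        labels = found[pseudonym]  # registers the pseudonym even with no hits
        for label, pattern in DIRECT.items():
            if pattern.search(text):
                labels.add(label)
        words = set(re.findall(r"[a-z]+", text))
        if words & places:
            labels.add("place")
        if words & surnames:
            labels.add("surname")
    verdicts = {}
    for pseudonym, labels in found.items():
        if labels & set(DIRECT):
            verdict = "block"    # a direct identifier sits in the query text
        elif {"place", "surname"} <= labels:
            verdict = "block"    # harmless alone, identifying once combined
        elif labels:
            verdict = "review"
        else:
            verdict = "ok"
        verdicts[pseudonym] = (verdict, sorted(labels))
    return verdicts

if __name__ == "__main__":
    for pseudonym, result in audit_release(SAMPLE_LOG, PLACES, SURNAMES).items():
        print(pseudonym, result)
```

Pseudonym 1001 is blocked even though neither of its queries is sensitive alone, because the stable number ties the place and the surname to one person.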