Serious Privacy
The PICCASO award winning Podcast, for those who are interested in the hottest field of human rights and laws on the digital frontier. Whether you are a professional who wants to learn more about privacy and privacy laws, data protection, GDPR or cyber law or someone who just finds this fascinating, we have topics for you from data management to cybersecurity, from social justice to data ethics and AI and digital identity protection. In-depth information on serious privacy topics including interviews with privacy leadership, privacy culture, serious discussions, and more.
This podcast, hosted by Dr. K Royal, Paul Breitbarth and Ralph O'Brien, features open, unscripted discussions with global privacy professionals (those kitchen table or back porch conversations) where you hear the opinions and thoughts of those who are on the front lines working on the newest issues in handling personal data. Real information on your schedule - because the world needs serious privacy.
Follow us on BlueSky (@seriousprivacy.eu) or LinkedIn
Serious Privacy
Privacy on the Front Lines: A View from LA
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
Privacy has never been so controversial! COVID-19 has sparked many discussions about privacy as the use of technology helps contain the spread of the virus. But with all this data being used to monitor contact, are the proper privacy protections being put in place? These and many other topics we discussed with Lillian Russell, Chief Privacy Officer for the County of Los Angeles.
Join us in this episode with Lilly to hear about challenges with a multi-generational workforce, managing remote work environments, and the prevalence of privacy non-experts. As someone who manages privacy in one of the largest metropolitan areas (third largest economy in the world) and who crosses every area of privacy in existence, Lilly brings an experienced and insightful voice to our current events.
Should you have any questions or suggestions, please reach out to us via seriousprivacy@trustarc.com, or via Twitter at @podcastprivacy. You will find K on Twitter as @heartofprivacy and Paul as @EuroPaulB.
If you have comments or questions, find us on LinkedIn and Instagram @seriousprivacy, and on BlueSky under @seriousprivacy.eu, @europaulb.seriousprivacy.eu, @heartofprivacy.bsky.app and @igrobrien.seriousprivacy.eu, and email podcast@seriousprivacy.eu. Rate and Review us!
From Season 6, our episodes are edited by Fey O'Brien. Our intro and exit music is Channel Intro 24 by Sascha Ende, licensed under CC BY 4.0. with the voiceover by Tim Foley.
You're listening to serious privacy by Trust Art. Please welcome our hosts Paul Breitbart and Kate Roy.
PaulWhile the US reports 22 million new people unemployed in four weeks, parts of Europe are slowly opening up again, after the peak of the coronavirus seems to have been reached. That doesn't mean, however, the end of mandatory working from home is already in sight. From a privacy perspective, the discussion seems to have turned to mobile apps that could possibly be used to contain the spread of COVID-19. This has even caused Apple and Google to cooperate, to build in new functionality into their operating systems to assist contact monitoring. But obviously, lots of data is still required, which in turn would require proper protections to be put in place. These and many other topics we look forward to discuss with Lillian Russell, Chief Privacy Officer for LA County. My name is Paul Greitbart.
KAnd I'm Kay Royal and welcome to Serious Privacy. So thank you for joining us today, Lily. I was absolutely thrilled to have you come on our podcast. And I hope that you're equally as thrilled about it because we're just going to have one of these unscripted conversations where we basically ask you everything. Now, I'm I'm going to disclaim that with LA County is one of the largest populated areas in the United States. It is quite often in international news and not just because Hollywood's there. It makes the news, it makes headlines, everyone's interested in LA County. And so everybody is like really, really hungry to get in and to ask you questions about LA County and what's going on. And you know what? That ain't going to happen. Sorry. We all have jobs and we want to keep our jobs and we want to make sure that you keep yours. And we know that this situation is rife with political right now. Not saying that that's going on in LA County, but just around the world, it is a hot topic. And so we're going to do our best to stay away from anything along that line. But we're going to start with the most controversial question at all. And that's going to be when you are not feeling your best and you know you've got to make an important presentation, what is your go-to color?
SPEAKER_01Color of the outfit. The deck or of my outfit? Oh gosh. Um, you know, I I kind of depending on my mood. I like a lot of pop colors. Um, I think that that's a great way to let your personality shine and grab people's attention. So I usually probably say like turquoise, I'd be my go-to. I like that.
PaulPaul? Well, if I'm giving a presentation, I usually wear a suit and my suits are either dark blue or dark gray. So that's kind of boring.
KThat is kind of boring.
PaulI can make a statement with a tie, and that's what I usually try to do. So if it's really important, then the tie is either bright red or very green.
KNice. Now, what about socks? A lot of men like to pop up their boring suits with bright socks.
PaulYeah, I never was that.
KYou never were I was a socks person when I was a nurse. Um, and especially when we had to wear just the strict white uniforms or, you know, navy scrubs, whatever the floor color was. I always wore crazy socks. But I will say that my go-to color, if I'm feeling boring, it's gonna be bright, bright pink, even if it's a suit.
PaulWhat a surprise.
KAll right, I should have come up with something a little more surprising. My go-to color is maroon. I don't know. Okay, beautiful.
PaulYeah, that brightens up your day.
KExactly. So let's get on to the topic then. So, Lily, I'll start with what has probably been the most surprising thing to you about trying to manage through a world health crisis?
SPEAKER_01Yeah, I don't have one surprise by itself. I think that the surprises tend to transform day to day. I'm learning a lot about myself and I'm watching my friends and colleagues also level set on a daily basis. It's been very interesting to see how work from home has become the new norm for a lot of people that normally didn't follow that path. I've spent most of my career in what I call more of a traditional work setting. You wake up, you commute, you go to a building, you spend time with other people and do your job, and then you wrap up the day and then go home. And I think for a lot of Americans, that's been the process. In a matter of days, thousands of people were either, if they're fortunate to still have their jobs, now they have had to relocate back to their homes and perform the same tasks. That took a shock for a lot of people because now instead of having that work is work is home is home, or you have those sort of defined spaces, now it's all commingled. And then I think you insert the electronics that you use to complete your job into that same space. You're now doing that, and oftentimes with your family present, your children present, um maybe a roommate. You're all on the same wireless network, you all have your devices connected together. You have meetings like this where you're trying to find that quiet space to be able to conduct those meetings without interruption, and you might be sharing information that you didn't intend maybe your children or your spouse to hear or someone else. All of a sudden, those tasks that you customarily handled at your job are suddenly now being completed in a completely different environment.
KYeah.
PaulSo does that mean you've also taken additional measures to, for example, keep confidentiality or or security of what you're doing?
SPEAKER_01Me personally, yes. But I do still think about the other employees who may not have appreciated how to navigate that. And they're they're slowly trying to learn how to do that. You look at everything from you know having a secured Wi-Fi network, want to make sure that your laptop is not accessible to your children who might want to go and play a game on a website that might compromise your work laptop if you have one. You have other devices, IoT devices that may be connected to the same network, and that may present other challenges. So I think it's going to be a very important educational piece for most people in the workforce to now have to see why this matters even more if this is going to be their new norm.
KRight. And one of the things that occurred to me, and you and I uh spoke about this a while back, was also there has long been foretold the possibility that we're going to see a lack of experience in government workers. And because we have a lot of older generations working in government who, if they all retire at the same time, we're going to lose a wealth of knowledge and experience. I never thought about turning that around to this older generation having, and I I would fall in the older generation, I think. This older generation having to work from home when they're not accustomed to it. I think about my granddaddy from Mississippi, and of course, you know, we have long held traditions in the South, one of them being that you worked at the same company forever. One of the only few remaining bastions like that is the government where you can stay there and retire after 20 or 30 years. I try to think of my granddaddy having to convert his work to working from home. Now, what he did wasn't conducive to that, but that's beside the point. If he had to convert to working from home, he would have laughed his butt off because nobody can work unless they're sitting in the office from eight to five every day. It's just it you don't get work done unless you're at work. Have you seen that occurring or seen any friends where they're struggling with that or anything?
SPEAKER_01I've I've seen them on both ends. I think in in my organization, um, it speaks to your point, there are thousands of employees who have made their career in the public sector. Whether that's 10, 20, 30 plus years with the same employer, the work culture has followed more along the lines of a traditional working environment, which is exactly what your granddaddy would have been describing to. So when you think about the big tech companies where teleworking is the norm, that's a totally different shift culturally in the workplace. And there may have been a time when it was not welcomed because of that exact philosophy that you're not working unless you're sitting at your desk present and in attendance in an office. And I understand that. I think that it's hard to perceive how could you be doing any work unless you were in the physical space you were assigned to. It would it wasn't really possible decades ago. So now your entire workstation is now synthesized down to one device that is interconnected, your documents are accessible, you can instant message your coworkers. Um, it is possible. And in fact, I I could say personally that the times when I I have teleworked um with some regularity, I get more work done. You know, I'm a I'm a social person by nature. So uh those casual conversations are beneficial to me on a personal level, but also because you have those interjections with your coworkers, you're exchanging thoughts and ideas, and that does round out your workday, but it does chip away from that dedicated focused time to write or to get back on emails. And so to have that quiet time, I find really beneficial. And it works with my working style, but I think that there is a perception that well, what are you doing? Because I can't see you doing anything, right?
KAnd the law is a lot like that.
PaulAre you doing anything because I don't see you doing anything? Exactly. But the question is, are you doing that same work uh when you are in the office when people also cannot see what you are actually doing? Uh and of course, being physically present in an office is also no guarantee that the work actually gets done. I also have friends that uh regularly speak to uh who say, Well, I I I love being at work, I I love the the social atmosphere at work, and I talk to lots of people, but to get my work done, I work from home uh at night because I don't finish it during the day because I'm talking too much.
SPEAKER_01Exactly. Exactly. There's a lot of people that can be very social. Um, you know, you have a long lunch or you're away for coffee breaks, and that does chip away at your work days. What I do like about working from home and that modernized working style is that the focus is on your work product, your deliverables. That's where the accountability comes in. And so because you don't have that face-to-face, the focus is now on well, what report did you write? What emails are you sending? And that's where the basis shifts. And personally, I think that's that's more efficient.
KAnd I agree.
PaulDo you think this may also change how we work and that it will mean that in the future, maybe not the near future, but in in a longer time, it would also be less relevant how many hours you work, but the amount of work that you actually get done?
SPEAKER_01I could see that redefining what it means to work. And so the traditional model we look at is you work 40 hours a week minimum. Many of us work more than that. Is that really required to get the job done? There are other companies where when you're looking at the deliverables, if I can knock out a solid work product with four hours instead of having to sit somewhere for eight hours, which would you rather have? Personally, I'd like to have an excellent work product to me in four hours and you can go about your day. But that's a shift in a model from what we've seen for decades, where you have that, like I said, that attendance and those hours counted because that's how you're compensated. And now we're looking at the deliverables and how do you actually determine what to pay somebody if it's not on an hourly basis.
KAnd I think we've seen a lot of that in the law because years ago, oh gosh, more than 10 years ago, I know that I was working with the company and they were encouraging a telework model, if nothing else, a work from home one day a week to help say it was when gas prices were up and they were trying to help people. But the legal department said no, said that, you know, it's lawyers need to be in the office present. I never had that law firm experience of, you know, 5 a.m. in the morning till 8 p.m. at night or anything. But they had that long-held belief that you had to be in the office to getting work done and then take that over to some jobs I've seen that are working remote, and they literally turn the cameras on so they can see the people's faces between whatever their scheduled work hours are. Which to me seems counterproductive. I guess if it's a customer service and you you're scheduled to work a certain shift, it's one thing. But if you're in a job where it's more about the work you do, who cares if you get that work done at 11 p.m. at night or on Saturday at, you know, three o'clock in the afternoon. I hear bosses complain, well, I couldn't get hold of this person. I IM'd them three times and I found out later they were at the grocery store. Who cares? As long as they're getting their work done and they have their deliverable, who cares when they're getting that work done? So maybe this will help us recognize a shift in attitudes when it comes to working from home. When it comes to those water cooler conversations, uh Paul and I were speaking about this on a prior podcast about how there are people who really make or break their careers on those casual conversations they have to the side. How do we think that's going to shift for people who really the word I'm looking for is succeed, but they they really flourish in those environments where they can build those relationships and have those casual conversations and they actually get a lot done because of the relationships they're building through those water cooler conversations. How can we make up for that?
SPEAKER_01Well, I think since I've been working from home more, video conferencing has been great. It's another way to connect with people. I think how we speak to people really matters. It always did, but I think even more so now because even the tone of your voice on a call can really shift things. And you're more receptive to people that I think are able to navigate a meeting or a call, be organized, be sincere, have that positive tone. That's really resonated with me. And I try to emulate that when I have my meetings. One thing that's been interesting is that some people tend to just jump into a meeting, get right to what they want to talk about, right? I found that as we have more and more people on a call, so I'm not talking about three or four, but you might I've had calls with 20 people on a call, maybe 25 people. You have to begin the call low and kind of walk through what you want to accomplish and leave some time for questions, you know, kind of structure the call and then get into it. I find that that makes things run a lot smoother. People are heard, they have an opportunity to interject when it's appropriate. And you don't have one person going on and on for an hour. It is going to achieve the goal of the call, and it doesn't feel like a waste of time either. But you have to change your approach.
PaulI fully agree with that. It's it's been about four years since I left the Dutch Data Protection Authority, and that was the last time I worked locally here in The Hague and uh had a proper office with colleagues around me full day. Ever since I've been I've been working remotely, first uh three and a half years for Animity and now since November for Trust Arc. For me it was very much a learning curve. In the uh the first couple of weeks I didn't really know how to get work done. Working on my own, being in my house all day, never being really away from work because that laptop was always there in my house. So that's when I moved into a co-working space, which is closed now for obvious reasons. So I have to readjust again to to really working from home. What helped me is is the daily calls with with colleagues wherever they were around the world, but uh also to include a bit of social banner just before the official meeting started, even if it was a customer meeting, just to have those two, three minutes to catch up, how is your day, what's the weather like wherever you are? Basically questions that you would discuss also with with your colleagues. Did you see that program last night or are you following this news story? And then it also helps not to have back-to-back to back-to-back calls that you are in meetings continuously, but have some time to breathe and have those conversations as well.
SPEAKER_01Oh, absolutely. And you know, another thought too is picking up the phone thought and having those conversations versus email. I've had times where I have emails flying back and forth, and just like text messaging, sometimes the context can get lost. So while the technology is great to use for those quick exchanges, sometimes you do need to pick up the phone. My team will tell you guys I'm a big advocate for that because they definitely like to email and I say just call them. You know, they may not be appreciating what your ask actually is. So even in the time since I've been home a lot more, I pick up the phone and I'll say, you know, hey, Katie have a minute. Um, I just want to make sure I'm understanding this. Here's what I'm thinking. Tell me what you think. And people want to be heard. And I think this is an important transition going from the in-person traditional working model to a more digital working style. We don't want to lose that human contact. And so you're not going to have the water cooler, but you do have alternatives.
KDo you catch yourself texting someone saying, hi, I'm about to send you an email, pay attention to it.
SPEAKER_01It depends, maybe once in a while, but sometimes if it's something really critical, I may send a quick text just because that's the fastest way to get someone's attention. We all get flooded with emails, so you don't want to have something missed or if there's time sensitivity. But I'm a talker, so I like to pick up the phone. I don't want to lose sight of that. And to your earlier point, a lot of times when I do need something from someone, it's because of that foundational relationship. I'm a big believer in breaking bread to make inroads with people, you know, and I do miss that. I think that's one aspect that will be a little bit of a challenge where you know you don't have that opportunity to swing by someone's desk and say, hey, you know, let's let's grab a bite to eat because that's how you connect with people. So it's going to take more effort to do that in a digital world, but it can be done.
KAnd I think it also takes a focus, and and this has been something that we've talked about a lot in the world of electronic communications, anyway. It takes a focus on bringing that person to mind when you're reading an email or something that you could interpret it by that tone of voice in multiple ways. And sometimes you can hear that person's voice in both ways, and you're like, hmm, wonder what Kay actually meant by this. So it really does help to pick up that phone and make a call. Transitioning back to some privacy issues. Uh but one of the things that stands out to me, and one of the things that I truly have a lot of respect for you for is you are not a HIPAA privacy person. You are not a government privacy person, you are not a insert whatever industry here privacy person. Because in being the CPO for LA County, you handle every aspect of privacy that they have, which makes you a wonderful privacy jack of all trades, which I think is just fantastic. You can't see it on the podcast here, but I was literally genuflecting to Lily. So you can see it on the video. We're good. Take it as you're due, Lily. But do you see now where people are trying to jump into knowing things about privacy because now they know just enough to be dangerous? And we see this in a lot of news stories, newscasters, social media. People are pontificating on privacy, and you can clearly tell they don't have any idea what they're talking about. Is this something we're going to have to re-educate people? Are we going to have to take the microphones away from them? What do we do about this?
SPEAKER_01The education will be ongoing. It always will be. I don't look at privacy as a fixed idea. It the technology continues to change and how we use the technology will always evolve. So I think it's critical that we always are educating workforce, each other, self in what does privacy mean and what is your question. I've had uh inquiries come in that are cloaked under the idea of privacy when it really, when you get down to the nucleus of what they're asking, it has nothing to do with privacy. That happens a lot. Or people will confuse topics. They maybe have heard something in the news and it doesn't really apply to what the issue is, or sometimes they've missed the privacy issue altogether. So it does take a little bit of digging to find out what the ask really is. I also think that what we understand privacy today is as is, is that that's going to change. That is changing now. What we consider to be private, what we consider our autonomy to be, how do we navigate that as individuals and what does it mean to us? You've heard on one end of the spectrum people say, Well, what do I have to hide? And I always cringe when I hear that question.
PaulYou're not the only one.
SPEAKER_01You know, and then you have the other end where people don't want anything about themselves out at all and in any fashion, but that's really that ship sailed a long time ago, and they may not have appreciated that. So the middle ground to me is so that people do understand what information about you do you have and what do you have control over, and what is already out in existence that you may not be aware of. And then when you tie that into the workplace, we are interacting with not only our own employee data, but we are dealing with, and it's not our customers the way you would have a private organization, but our constituents. So you're constantly interacting with information about people that claim and not have perceived as something that needs to be protected, but it does. So that translates into, let's say, our work from home. You may be working on a spreadsheet, you may have a list of information in an email, you may be interacting with a database through, say, VPN and that has sensitive information in there. So the education piece, I think, is one of the most important aspects of privacy for a workforce. I mean, it's not one size fits all. I think when you're in a large organization like mine, the the nature of the data that employees are interacting with varies immensely. So you can have something very simple in, let's say, with the library. That's probably a very narrow data set and very limited interaction. But then you fan that over to perhaps law enforcement or a healthcare system, and it's vastly larger. And there's other sensitivities that apply in a way that's very different. So I don't think there is a one size fits all in education, but it needs to be tailored to the type of work that you do.
KRight. And do you find yourself having to say it a hundred different ways at 50 different times, using 30 different visuals and eventually it clicks with someone? And when it clicks, you have that moment of, ah, yes, finally. Yeah, right.
SPEAKER_01It's always great when it clicks. The other important area is knowing your audience. Right. And so the education piece matters for leadership and it matters as much with your frontline employees. And those conversations are very different, but they do come down to the same concepts. The goal, what you want to have appreciated by those audiences, may be different. And so how you communicate that matters very much.
KDo you find that coming out of recent events, that privacy may gain a bigger seat at the table? I keep bemoaning that we missed it with GDPR. We should have taken advantage of that. Do we think that executives are now more open to hearing more about privacy given what we're experiencing?
SPEAKER_01I think uh certainly more open. I think that how you frame the conversation matters. And so oftentimes I've heard dialogues where people are very paranoid about privacy, or there's a fear, or there's someone that's going to put you under surveillance and you know intersect your life in a way that maybe you didn't want. But I think there's also ways to use privacy for good. There's ways to share information about yourself to help you, to give you protection and assistance in a much faster way. So I think how we navigate those conversations and also show what protections are in place with that data, how it's going to be used, give that empowerment so that you are offering assistance to others. I think it's just a matter of how that conversation is going to be led. Sometimes it can be a bit of sensationalism or maybe in theories, if you will, on everything closing in and you're just going to be locked in this state of paranoia. You know, you've lost any ability to step left or right without say whoever that is knowing about that. Yeah. And I think that there's some allure to that storyline because it's scary. I want to see more of a storyline of how data is used to help people, how it's used not only from a health perspective, let's say, but I think also to just enhance your personal life, I think in a way that's positive. So again, it depends on how that storyline is framed. And then that's also the secondary educational piece. So people understand, okay, this is why we're collecting this information, this is how it's going to be used, and this is how it benefits you.
PaulThe discussion on using data for good versus surveillance is, of course, also the core of the discussion on the mobile apps that are currently being developed. I already mentioned at the start of the program, Apple and Google have announced that they will work together to build into the core phone software a possibility to track people in a privacy-friendly way, or at least a claimed privacy-friendly way. But despite that, lots of data will be needed, whether it's Bluetooth or location data or other forms of tracking to make sure that people's comings and goings can be observed and thus also people can be alerted if they have been in contact with somebody who later tests positive for COVID-19. And here in Europe, there is lots of scientists and academics who are taking part in that debate. The Netherlands government is going very fast. They released a tender just before Easter and they want to do a public apathon this weekend where the general public and scholars are allowed to comment on a selection of the proposals that have been put forward. Other member states are also using that. DPAs are jumping on the bandwagon as well. And then, of course, also all the uh the the tech companies, the good ones, but also the the more questionable ones. Do you have any any views on on this debate and where it might be headed?
SPEAKER_01Well, I think what's well the the mindset that we look at here, I think, follows along here in the United States, I think follows along our constitutional right. And so that's where we'll have to approach that in conjunction with the amendments that we ascribe to. You look at our First Amendment, our Fourth Amendment, et cetera. So I think that's where public starts to raise those questions of how much freedom are we going to have under the Constitution to be able to gather, speak, express ourselves, and do that with some freedom. And then you also look at from a criminal perspective, is this going to become a search? Is this going to, are we going to give up some information about ourselves that maybe we didn't otherwise appreciate that we would have? And so I think that's where you start to get that question coming from those that are not comfortable with that type of tracking. And then I think secondary to that, with the apps, you've seen the privacy policies in the apps, and I think the navigating the settings on the apps and really understanding that, you know, the three of us may be able to read through that and make changes that fit with what we'd like to have on our phones, but there are many users that just skim to the bottom and just say okay, or they just don't understand what they're reading. Um, because I think there's also uh a little literacy issue when it comes to technology that not everybody is on the same playing field. It's not an even playing field. And that goes back to what I was saying about education. And so I know that in a lot of those policies they're written in plain English, it's not the legalese you saw from years ago, but even in the plain English, I don't think that everyone has the same appreciation for what it is that they are consenting to when they look at those policies. So while there is the issue of, say, tracking and using that data in certain ways to either assist or to follow along and know where your population is moving about, there is the end user themselves that may not really understand what they are providing to these organizations as far as information.
KYou know, that makes me think of the recent ruling in the Amazon Alexa case where a judge said that you can't hold children to the binding arbitration provisions because there's no way they could have understood to agree to that. Right. So I I think you're right. I think there is a fundamental technology baseline that people need to have in order to understand, but then companies need to understand it's not all educated adults that are having to consent to this or agree to this or what you're doing. And you really do need to take into account the best for the people who are going to be the end users of this. And what you consider the best or the risk may not be what they consider the best or the risk. So you've got to put yourself in their shoes.
SPEAKER_01Definitely agree. And another issue that comes up, I think, with the tracking as an example is the information by inference. So I might know that you go to the same Starbucks at 7 a.m. every day. And I might also be able to see who else goes there at the same time every day, or I might see where you are in proximity to the same person at a certain time every day or every night. And so you begin to paint a story that you may not have intended to share by how you navigate the world. Where do you go? Where do you stop? Right. Where do you shop? And so you begin to build out a lot more detail about yourself that you may not have realized is being disclosed. And so that again, I can see on either end of the spectrum where those questions do come up for end users who, again, you're disclosing a lot more about yourself than you ordinarily would have maybe shared with others. Right.
PaulYeah, and that's something that that has been around for for quite a while already. I recall from, I think about two years ago, a study by some journalists into the polar fitness devices, the smart watches or fitness bands that people were using and that would publish um their activity on a map so that you could also track what you have done and and what route you have run or where you had been going. But those were set to public by default. So they could look at those maps and combine all the details, find out where people uh were sleeping, where people were living and where they were working. So they could, for example, find out um who were part of the NSA or where military personnel was located, even at secret bases around the world. Um we'll we'll put the link to that story in the in the show notes because it is a good read and it also makes very clear how an inadvertent privacy setting could disclose a lot of very sensitive information about your life by trying to do something good like staying fit, staying healthy.
KRight. And there was the uh rideshare app that even if you uninstalled it, it left a cookie behind, and it was collecting data from people exactly as you were saying. Those who had a habit of traditionally going to a church on Sunday and whether they were regular churchgoers or whether or not they argued in their houses, whether or not they had dogs, or how well they slept, or things like that, things that you don't even imagine that people are picking up on. But yet they can put this data together for sometimes in unsavory ways or oftentimes in very financially beneficial ways, and sell that data to be able to serve ads to you or products that might fit the circumstances in which you find yourself. So I think it's uh really interesting that you started off that section about studying about what we can do with data. And it sounded positive. And I find that most privacy people, or of course the ones that I I know and I like, uh, believe that data is sexy and that we should be able to collect data and use massive amounts of data in positive ways. Do you believe that? And I I kind of relate this to HIPAA, HIPAA was never intended to get in the way of medical care. Do you believe privacy is not intended to get in the way of using data?
SPEAKER_01Ooh. That's a good question. I I guess it depends on what your end goal is. So, you know, there are uh those that they want to use data in a in a way that you see in the headlines, those are the stories that break through because they definitely grab your attention. But I think when you look at perhaps the identified data or aggregate data, how do you now compile information in a way to benefit others? And that's really the balance, I think, for positive outcomes. But there is the other end of the spectrum where that information can fall into the hands of someone else that has a different goal.
KRight.
SPEAKER_01Um, and so I think it's it's really a matter of ensuring that those stops and controls are in place to prevent maybe a problematic or negative use of the data. But I I suppose it depends on what your end goal is once you've collected that information.
KI like it because I sit here and I think about it. Well, as long as you follow the pillars of privacy, you give the disclosures, you're very open and transparent about what you do, knowing that 75% of the population never read the disclosures. And of the ones that do, most of them don't understand it. So if you're open and transparent, you're honest, you're trying to do everything for the right reason, you're not just de-identifying, you're truly anonymizing data, you're permanently disconnecting it from identifying information so you can have the aggregate. There's a lot of controls out there for privacy. What's your favorite?
SPEAKER_01You know, my my favorite ties into probably my biggest worry, which is employees. And I, you know, I go back to the training topic a lot because people make innocent mistakes, and that can come from misunderstanding how to use technology or even certain software or how they're interacting with the data that they work with. And so while there are the more technology-focused controls, the systems controls, those are very important. But the human that is working with that information is very much important as well. And I'm not even going to go down the path about the bad actors that may be in an organization, but you know, I do, I have had encounters where people have just made innocent mistakes. They've attached the wrong file to an email, they didn't um send that through a secured method or encrypted email example, or just something simply as far as how they've amassed information, let's say on a spreadsheet, did they need to put certain data elements in there to put that report together? Could they have now removed some of that data and then had something that didn't translate into a gold mine of PII to accomplish their job? And so I think that's where I look at it's really a spectrum of education. And I think that also ties into, and we've talked about this before, but I think the multi-generational employees in an organization. So I've seen where there are some employees that have been around long enough that they really grew into their role as computers came into the workplace. So they were around when there were still typewriters and dictation and there were word processors that were not online. And eventually, yeah, remember those? And you know, eventually that graduated into the computers that we began to become more familiar with, the desktop computers, getting on the internet all the way to where we're at now with laptops and tablets. So I think how information that maybe had no value or didn't seem like it was a risk back when you were typing a report now suddenly can end up accidentally posted on a website. So that translation from where somebody was maybe early on in their career to now looking at what is a true risk in 2020, that needs to be continually reminded of staff, educated of staff. And then how we work with that information does really matter. Similarly, you go on the other end of the spectrum where you have employees that are perhaps more savvy with technology, they're using a lot more apps, they're using IoT devices, they are on their home Wi-Fi, you know, and that how that's set up does matter. And so they themselves are a risk as well. They may have innocently had a setting on a device that they didn't realize was compromising that device. And then they have their same work that they're doing, just like maybe the more senior employee that didn't really appreciate that information as well. And just like that, there you might be looking at a breach. Right. So it's it's not to say that I in either case, any employee is more informed or less informed.
PaulThe innocent mistakes still happen, and that can subject any organization to what would you say in these times would be your best recommendation for all those employees that that are forced to work from home and and likely will do so for the foreseeable future? What any tips you can give them?
SPEAKER_01Oh gosh. Um we continue to send out reminders. Anyone listening to this podcast has probably heard the generalized tips, you know, you have your strong passwords and things like that. But I also look at some of the unconventional tips that maybe people don't really think about when they are now transitioning to working at home. You may have devices that are either recording something that might have been said on a meeting like this, um, or just listening. And you're talking about any device. I'm not gonna name any to tag any any one brand, but you know, that can be even a children's device, for example. Right. So they have to really think about what is in your home that is connected to the internet besides just a computer. Also, you know, who else is in your home? Because you may leave your computer unlocked, whereas in your workplace you wouldn't do that. You're reminded to always make sure that that is locked when you're not using it, but your child or your spouse or someone else may just say, I want to look something up really quick, or I want to check this link, and that might compromise your device. So, you know, I think there's other actions where you think of your home as a secure place, and there isn't that bad actor in your home who's going to try to compromise your workstation, but it goes back to those innocent mistakes as well. And you may have said, Oh gosh, I never thought about this, but then you might be ground zero for the problem that now affects realization.
KYeah, kind of like my mom borrowing my computer to make a Walmart order for pickup.
SPEAKER_01Yeah, I don't let her borrow my it it happens. Um, or you know, you I think right now, uh even while we've been speaking, my phone's been flashing quite a bit. Um people are texting a lot. And I think that the psychology of what we're going through worldwide, people are talking to each other quite often, people are sending me articles. You know, my mother loves to send articles all the time. She's a retired nurse, so she's looking things up quite a bit. But sometimes that that link that gets forwarded from somebody that you trust might itself be a problem. And that can impact your personal device. Your device might be on the same network with the other workstation that you have set up at home. And there we start to unfold the problems. So, you know, I think a lot of employees know about the typical cautions that you would expect to have from your CISO or privacy officer. They go through training, they're reminded of that. But again, when we talked about what's your end goal and who's your audience, now that's shifted because you're you're at home and you're not the the messaging that we had before and the instructions we had were for that traditional work in a building, you know, with your coworkers, you're on in a uh the network of your employer. Now everybody's at home and your workspace has changed and the considerations have changed. And like I said, you wouldn't think of your child as being uh, well, I guess some kids can be bad actors from time to time. But you know, from a technology threat perspective, you probably wouldn't think of an elementary school kid as doing anything that would compromise you or your work, but that could happen. Absolutely.
KAnd some of these kids are smart enough to do it on purpose. So with that, we've actually, oh my gosh, had a fantastic conversation. And as talking to you always can, it can go on and on and on with such wonderful topics. So I have a feeling we'll ask you to come back on the episode again. You have some wonderful insights here. But with that, I'm gonna ask one last thing. Was there anything that when we invited you to come on the show, you wanted to make sure I would say, did you want to make sure you didn't talk about? But let's go the other way. Anything you want to make sure that you did get an opportunity to share?
SPEAKER_01You know, I this topic I feel like we probably could go for another hour. Right. You know, I think the one thing I would say is this given what's happened with COVID-19, I did like what you said as far as is this going to be the game changer that makes us look at things in a way that maybe people didn't look at with GDPR as an example. Privacy has always been in the forefront of people's minds in some respect. I'm fascinated with at this point is is this redefining privacy in a way that none of us anticipated? And so I think we look at a balance, even a simple idea of you have positive cases of COVID-19, I'll use as an example. Now we have a balance here of disclosure and privacy of that information. So, what is going to matter going forward as far as me disclosing to you in some fashion that you might have been exposed to this virus and the privacy of, well, who exposed me to this virus? And does that even matter? And how do we navigate that conversation? I think I've seen that come up in many organizations. This is moving so fast, there isn't really that delay that you may have seen with other health epidemics. So let's say AIDS HIV, for example, the there's a longer time frame to notify and then to actually pinpoint the exposure, whereas here, this is so fast moving, you may not be able to really associate it with another person. And does that even really matter at this point? Because now you can focus on your well-being. Right. Right. And so I say all of that because now where are the guardrails on that information when say you disclose it to your employer or you word it to a health agency as an example? How are we going to now frame that information in a way that you yourself may want to have some privacy protections of that? But at the same time, that's impacting a lot of other people who need to know that they themselves might be at risk. Um, I I guess I say all of that because now we we see where privacy has come up in ways that we didn't really associate that link. And now we are going to have to ask ourselves, well, do I want to give up some of my autonomy so that someone knows where I am at any time? Because maybe I would want to be notified if I had crossed paths with somebody that might have exposed me. And I don't really care to know who they are, but the exposure is what matters. So, what is it that we are disclosing? How are we disclosing that? And then what am I giving up to get that protection or notification? So you start to layer in all of these questions, and we're not gonna have the answers to that on this podcast, and probably for some probably for some time, but I I just find it really fascinating that this really transforms, I think, what we had traditionally thought of as privacy and what we are moving forward. It's almost a redefining of that. So I think it's exciting, a little frightening. You know, it does make your head spin a little bit, but I I think it's kind of a a new era in this arena.
PaulWell, thank you very much, Lydia. Those were wonderful insights. And with that, we wrap up another episode of Serious Privacy. If you like our series, please subscribe now in your favorite podcast app, and new episodes will then automatically flow into your feed so that you never miss us again. And also please do tell your friends and colleagues about us. We love to have more listeners, and we are really excited to see the community of listeners grow by the week. Should you have any questions or suggestions on who to invite to the program, please reach out to us via seriousprivacy at trustharp.com or via Twitter at ad podcastprivacy. You will find Kay on Twitter at Heart of Privacy and myself at Europol B. Thank you again for listening to this episode of Sirius Privacy, and until next time, goodbye.
