You are probably more than familiar with the term "confidentiality", perhaps even from the field of IT and IT security. But does confidentiality in data protection also mean what you think it means? Everyday terms in particular can quickly lead to confusion or misunderstandings.

Once said in confidence

You may be wondering what exactly is meant by confidentiality in data protection. Obviously, in many cases, data protection is about protecting what is confidential, namely personal data that not everyone is allowed to see, read and know.
A good example is health data that no third party should know. It is your business, your doctor’s business or the health insurance company’s business, but certainly not the business of a pharmaceutical manufacturer or the operator of a drugstore chain. Data protection and confidentiality are indeed closely related. But data protection is more than confidentiality. For example, personal data must not only be confidential but also available, it must not be manipulated, and the services used to process the personal data must be protected against failures and malfunctions.

But what exactly does confidentiality mean in data protection?

It is about confidentiality and access protection

On the one hand, confidentiality in data protection involves ensuring that employees and contracted service providers who process personal data do not reveal any personal data to unauthorized third parties, i.e., that they maintain secrecy. This also applies to the data protection officers themselves. No one may disclose the data to be protected without authorization or permission. Unauthorized third parties must not be allowed to access or have access to the data. To achieve this, data protection requires suitable technical and organizational protection measures. Above all, this includes encryption that is state of the art, i.e., not outdated.

IT has a somewhat different view of confidentiality

Perhaps you work in IT or IT security, or you simply know that IT security also has the so-called protection goal of confidentiality. In fact, IT security uses similar or even the same protective measures as data protection, especially encryption. Is confidentiality in data protection and IT security therefore really the same thing? Not quite, because data protection aims to protect personal data, while IT security generally protects data with a corresponding need for protection. At the same time, personal data such as the data of an IT user does not necessarily have a high need for confidentiality from the IT perspective. IT security may be concerned with a different need for protection. Data protection, however, is always concerned with data that is personal, i.e., belongs to a specific person, or personally identifiable, i.e., can be related to a specific person. Such data must not be disclosed unintentionally or without permission, as in the example given at the beginning, health data. They must not simply be handed over to a retailer who wants to use these data for a suitable offer of over-the-counter medicines. Confidentiality is therefore a core issue for data protection, with certain differences to the IT view or even the everyday view.

Are you familiar with confidentiality in data protection? Take the test!

Question: Confidentiality, secrecy and data protection are actually identical. Is that true?

  1. No, confidentiality is central to data protection. But it is also about other data protection principles that need to be upheld.
  2. Yes, it is always about keeping secrets.

Solution: Answer 1. is correct. The General Data Protection Regulation (GDPR) lists several principles for the processing of personal data. Confidentiality is one of them, but it is not everything in data protection. Secrets, such as trade secrets, do not have to have a personal reference and are then not subject to data protection. In addition, personal data do not have to be secret in order to require protection. Even personal data that is not secret may not be misappropriated, for example.

Question: If IT security ensures confidentiality, data protection is covered as well. Is that correct?

  1. Yes, IT security provides the confidentiality that data protection needs.
  2. No, IT security and data protection have different goals. IT security does not automatically protect personal data.

Solution: Answer 2. is correct. IT security is about protecting systems and data that are important for IT operations or that are otherwise relevant to the business. For data protection, it is about ensuring the confidentiality of personal and personally identifiable data. It may therefore be the case that IT security analyzes user data extensively in order to detect attacks, while data protection tries to avoid personal references in the analyses as far as possible.
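The tension described in the last answer, between IT security wanting to analyze user data to detect attacks and data protection wanting to avoid personal references, can be resolved technically by pseudonymizing identifiers before the logs reach the analysis. The following example is added here and is not code from the article: it replaces user names and IP addresses in constructed sample log lines with keyed HMAC tokens, so the security analysis (counting failed logins per account) still works on the pseudonymized data, while the secret key, held by whoever is authorized to re-identify a person, is needed to link a token back to a real identity. The log format, the field names and the key value are assumptions made for this illustration.

```python
import hashlib
import hmac
import re
from collections import Counter

# Constructed sample log lines for this illustration (not from any real system).
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z auth FAIL user=alice.mueller ip=203.0.113.7",
    "2024-03-01T10:00:03Z auth FAIL user=alice.mueller ip=203.0.113.7",
    "2024-03-01T10:00:05Z auth FAIL user=alice.mueller ip=203.0.113.7",
    "2024-03-01T10:00:06Z auth FAIL user=alice.mueller ip=203.0.113.7",
    "2024-03-01T10:00:09Z auth OK   user=bob.schmidt ip=198.51.100.20",
    "2024-03-01T10:00:12Z auth FAIL user=bob.schmidt ip=198.51.100.20",
]

# Assumed key for the demonstration; in practice it is generated randomly and
# kept by the role that is allowed to re-identify persons, not by the analysts.
DEMO_KEY = b"constructed-demo-key"

# Assumed log layout: timestamp, "auth", result, user=..., ip=...
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL)\s+user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def pseudonymize(value: str, key: bytes, prefix: str) -> str:
    """Deterministic keyed pseudonym: the same input always yields the same
    token (so events can still be correlated), but without the key the token
    cannot be reversed or recomputed from a guessed identity."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
    return f"{prefix}_{digest}"


def pseudonymize_log(lines, key: bytes):
    """Rewrite each line so that user and ip carry pseudonyms instead of
    personal references. Unparseable lines are rejected rather than passed
    through, so that no raw identifier leaks into the analysis data set."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        out.append(
            f"{m['ts']} auth {m['result']} "
            f"user={pseudonymize(m['user'], key, 'u')} "
            f"ip={pseudonymize(m['ip'], key, 'ip')}"
        )
    return out


def failed_login_counts(lines):
    """Security analysis step: number of failed logins per user field.
    Works identically on raw and on pseudonymized lines."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["result"] == "FAIL":
            counts[m["user"]] += 1
    return counts


def flag_bruteforce(lines, threshold: int = 3):
    """Return the (possibly pseudonymous) user fields with at least
    `threshold` failed logins, sorted for stable output."""
    return sorted(u for u, n in failed_login_counts(lines).items() if n >= threshold)


if __name__ == "__main__":
    safe_lines = pseudonymize_log(SAMPLE_LOGS, DEMO_KEY)
    for line in safe_lines:
        print(line)
    print("flagged on raw logs:         ", flag_bruteforce(SAMPLE_LOGS))
    print("flagged on pseudonymized logs:", flag_bruteforce(safe_lines))
```

The analysts work only on the output of `pseudonymize_log`, so they see that one account is being brute-forced without learning who that account belongs to; the key holder can recompute `pseudonymize("alice.mueller", DEMO_KEY, "u")` to confirm which person is affected when there is a legitimate reason to do so. Using an HMAC rather than a plain hash matters here: with a plain hash, anyone could recompute the tokens for a list of known user names and undo the pseudonymization.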