Explain the difference between the terms security, privacy and integrity of data

6.1 Data Protection – Security, Privacy and Integrity

Learning Objectives (AO1‑AO3)

  • AO1 – Knowledge: Define the three fundamental concepts of data protection and use the exact syllabus terminology (confidentiality, integrity, availability, non‑repudiation, privacy).
  • AO2 – Application: Identify technical and legal measures that support each concept, citing the relevant standards and legislation.
  • AO3 – Analysis & Design: Evaluate how security, privacy and integrity interact when designing a data‑handling system, using a short case‑study.

Key Definitions (with standards/legislation)

  • Security (Confidentiality, Integrity, Availability, Non‑repudiation)
      Definition (syllabus wording): Technical and procedural safeguards that protect data from unauthorised access, disclosure, alteration, destruction or loss, and that provide proof of origin and receipt.
      Key Standard or Legal Framework: ISO/IEC 27001, ISO/IEC 27002 (control families), NIST Cybersecurity Framework.
  • Privacy
      Definition (syllabus wording): The right of individuals (or organisations) to control how their personal or sensitive information is collected, stored, processed, shared and destroyed.
      Key Standard or Legal Framework: GDPR (EU), Data Protection Act 2018 (UK), CCPA (California).
  • Integrity
      Definition (syllabus wording): Assurance that data is accurate, complete, and has not been altered in an unauthorised manner throughout its lifecycle.
      Key Standard or Legal Framework: ISO/IEC 27002 (integrity controls), PCI‑DSS (hash and digital‑signature requirements).

Security Controls (AO2)

  • Authentication & Authorisation – passwords, biometrics, multi‑factor authentication (MFA), Role‑Based Access Control (RBAC), Access Control Lists (ACLs).
  • Encryption – symmetric (AES‑256) for data at rest; asymmetric (RSA/ECC) and TLS 1.3 for data in transit.
  • Network Defences – firewalls (packet‑filtering, stateful), Intrusion Detection/Prevention Systems (IDS/IPS), Virtual Private Networks (VPNs), anti‑malware/anti‑virus solutions.
  • Audit Trails & Logging – record who accessed/changed data, timestamps and source IP; essential for accountability, privacy compliance and integrity verification.
  • Backup & Recovery – regular, immutable backups stored off‑site to ensure availability and protect against ransomware.
  • Physical Controls – locked server rooms, CCTV, secure disposal of media.

Privacy Controls (AO2)

  • Informed Consent – explicit, freely given permission before collection or sharing (GDPR Art. 6).
  • Data Minimisation – collect only data necessary for the stated purpose.
  • Anonymisation & Pseudonymisation – remove or replace identifying attributes to reduce risk.
  • Rights of Access, Rectification & Erasure – mechanisms for data subjects to view, correct or delete their data (GDPR Art. 15, 17).
  • Privacy‑by‑Design & Privacy Impact Assessments (PIA) – embed privacy considerations from the earliest design stage and assess risks before deployment.

Integrity Mechanisms (AO2)

  • Validation Checks – range, format, length and presence checks at input time.
  • Checksums & Hashes – cryptographic hash functions (e.g., SHA‑256) to detect accidental or malicious alteration.
  • Digital Signatures – hash encrypted with the sender’s private key; receiver verifies with the public key, providing integrity and non‑repudiation.
  • Version Control & Auditing – maintain a history of changes and who made them.

Pseudocode: Secure Hashing with Salting

    // Generate a salted SHA‑256 hash for a file
    function generateHash(file):
        data = readBytes(file)
        salt = randomBytes(16)              // 128‑bit random salt
        salted = concat(salt, data)         // prepend salt
        hash = SHA256(salted)               // strong, collision‑resistant
        storeHash(file, salt, hash)         // keep both salt and hash
        return hash

    // Verify the integrity of a file
    function verifyHash(file):
        storedSalt, storedHash = retrieveStoredHash(file)
        data = readBytes(file)
        salted = concat(storedSalt, data)
        currentHash = SHA256(salted)
        if currentHash == storedHash:
            return "Integrity OK"
        else:
            return "Data has been altered"

Note: SHA‑256 is preferred over MD5 or SHA‑1 because it offers far greater collision resistance. Adding a unique salt prevents pre‑computed rainbow‑table attacks.
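A runnable Python version of the pseudocode above, added here as an example (it is not part of the original notes), using only the standard library's hashlib and hmac. It also shows the limit a designer must weigh when choosing an integrity mechanism: the salt is stored next to the hash and is not secret, so anyone able to rewrite both the file and its stored record can recompute a matching hash, whereas a MAC (the mechanism the TLS case study relies on) or a digital signature needs a key the attacker does not hold. The sample record contents and keys are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample record (not from the original notes): an order line
# whose amount an attacker would like to change undetected.
ORIGINAL = b"order=1042;amount=199.99;currency=GBP\n"
TAMPERED = b"order=1042;amount=999.99;currency=GBP\n"

def generate_hash(data):
    """Salted SHA-256 as in the pseudocode: returns (salt, hash)."""
    salt = os.urandom(16)                 # 128-bit random salt, stored with the hash
    return salt, hashlib.sha256(salt + data).digest()

def verify_hash(data, stored_salt, stored_hash):
    """Recompute the salted hash; compare in constant time to avoid timing leaks."""
    current = hashlib.sha256(stored_salt + data).digest()
    return hmac.compare_digest(current, stored_hash)

def generate_mac(key, data):
    """HMAC-SHA256 tag: cannot be recomputed without the secret key."""
    return hmac.new(key, data, hashlib.sha256).digest()

def verify_mac(key, data, tag):
    return hmac.compare_digest(generate_mac(key, data), tag)

def demo():
    """Return what each mechanism does and does not detect."""
    results = {}
    salt, h = generate_hash(ORIGINAL)
    results["hash_accepts_original"] = verify_hash(ORIGINAL, salt, h)
    results["hash_detects_change"] = not verify_hash(TAMPERED, salt, h)
    # An attacker who can rewrite the file AND its stored salt/hash record
    # just recomputes both; nothing in a plain hash is secret, so it passes.
    bad_salt, bad_hash = generate_hash(TAMPERED)
    results["hash_fooled_if_record_rewritten"] = verify_hash(TAMPERED, bad_salt, bad_hash)
    key = os.urandom(32)                  # secret known only to the verifier
    tag = generate_mac(key, ORIGINAL)
    results["mac_detects_change"] = not verify_mac(key, TAMPERED, tag)
    # Forging a tag for the tampered data with a guessed key fails.
    forged = generate_mac(os.urandom(32), TAMPERED)
    results["mac_rejects_forgery"] = not verify_mac(key, TAMPERED, forged)
    return results

if __name__ == "__main__":
    print(demo())
```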

Comparison of the Three Concepts

Each aspect is compared across Security (Confidentiality, Integrity, Availability, Non‑repudiation), Privacy and Integrity.

Primary Goal
  • Security: Prevent unauthorised access, alteration, loss or denial of service.
  • Privacy: Give data subjects control over personal information.
  • Integrity: Guarantee data is accurate, complete and trustworthy.

Typical Measures
  • Security: Firewalls, IDS/IPS, MFA, encryption, backups, physical security.
  • Privacy: Consent, data‑minimisation, anonymisation, PIAs, right‑to‑erasure.
  • Integrity: Checksums, digital signatures, input validation, version control.

Key Standard / Law
  • Security: ISO 27001, ISO 27002, NIST CSF.
  • Privacy: GDPR, Data Protection Act 2018, CCPA.
  • Integrity: PCI‑DSS, ISO 27002 (integrity controls).

Failure Consequence
  • Security: Unauthorised disclosure, financial loss, reputational damage, service outage.
  • Privacy: Regulatory fines, loss of trust, legal action.
  • Integrity: Wrong decisions, system malfunction, loss of credibility.

Inter‑relationship of Security, Privacy & Integrity (AO3)

  1. Security ↔ Privacy: Encryption (a security control) enforces privacy by ensuring only authorised parties can read personal data (confidentiality).
  2. Security ↔ Integrity: Hashing and digital signatures are security mechanisms that detect unauthorised modification, thereby preserving integrity.
  3. Privacy ↔ Integrity: Privacy regulations (e.g., GDPR Art. 5) require that personal data be accurate and unaltered, mandating integrity checks as part of compliance.
  4. All three together – case study:

    A multinational e‑commerce site uses TLS 1.3 (security) for all client‑server communications. TLS provides:

    • Confidentiality – data is encrypted, protecting personal details (privacy).
    • Integrity – MAC (Message Authentication Code) ensures the payload has not been tampered with.
    • Non‑repudiation – server presents a certificate signed by a trusted CA, proving its identity.

    The site also runs a Privacy Impact Assessment, stores only the necessary fields (data minimisation), and logs every access to the database for audit (integrity & accountability). This single control set simultaneously satisfies the three concepts, illustrating the layered, defence‑in‑depth approach expected in the syllabus.

Real‑World Illustrations

  • Security example: A bank uses hardware security modules (HSMs) to protect encryption keys, MFA for online banking, firewalls at the network perimeter, and daily immutable backups.
  • Privacy example: A health‑tracking app obtains explicit consent before sharing step‑count data, offers a “Delete my data” button (GDPR Art. 17), and stores data in a pseudonymised form.
  • Integrity example: A firmware update server publishes a SHA‑256 hash and a digital signature; devices verify both before installing the update.
  • Network‑level example: A corporate LAN is protected by a stateful firewall and a site‑to‑site VPN. The firewall enforces confidentiality (blocks unauthorised traffic), the VPN provides integrity (IPsec ESP with authentication), and both support privacy by ensuring only authorised remote offices can access internal data.

Suggested Diagram

Venn diagram showing the overlap of Security, Privacy and Integrity.

Examples in each region:

  • Security ∩ Privacy – “Encrypted personal health record”.
  • Security ∩ Integrity – “Signed software update”.
  • Privacy ∩ Integrity – “Audit‑logged data correction with consent”.
  • All three – “TLS‑protected online banking transaction”.

Summary (Key Take‑aways)

  • Security provides confidentiality, integrity, availability and non‑repudiation through technical and procedural safeguards.
  • Privacy defines the legal and ethical rights of data subjects over personal information.
  • Integrity guarantees that data remains accurate, complete and unaltered.
  • Effective data‑protection design integrates all three: security mechanisms enforce privacy, integrity checks support security, and privacy legislation mandates integrity and confidentiality.
  • Use the exact syllabus terminology and cite the appropriate standards (ISO 27001/27002, NIST CSF, GDPR, DPA 2018, PCI‑DSS) to maximise marks across AO1‑AO3.