Technology | Scott Macdonald | May 10, 2018
Learn about EBSCO Information Services data privacy and security measures, and our response to GDPR, in this Q&A with Scott Macdonald, EBSCO’s Vice President of Information Security and Platform Operations.
Issues pertaining to online privacy and security are increasingly popular in today’s news. With the General Data Protection Regulation (GDPR) slated to go into effect in a few weeks, Scott Macdonald, EBSCO’s Vice President of Information Security and Platform Operations, shares his thoughts on the current and future state of data privacy and security, and how EBSCO is well-positioned for the future.
After spending the first half of my Naval career as a Surface Warfare Officer aboard ships, I transitioned into what at the time was called an "Information Professional Officer" specialization community. Digital communications and knowledge sharing have long been a key enabler of effective Naval operations on a global scale. By placing appropriate emphasis on the development of a community of professionals who were trained to operate and protect the networks used for such knowledge sharing, they were investing to ensure the confidentiality, integrity, and availability of that knowledge whenever and wherever it was required.
My first assignment as part of this new officer community was to help upgrade the way in which the Navy Publications Library is transmitted and maintained for all deployed ships and shore installations around the world.
After retiring in 2010, I supported Cyber Security research, development and operations teams as a member of the staff at MIT's Lincoln Laboratory before joining EBSCO.
Early on, the Internet was not designed with security and privacy in mind. Now it is becoming more capable of providing rich user experiences that continue to shape the ways that we communicate and share knowledge on a global scale. As NISO Executive Director Todd Carpenter recently said, "the Internet is growing up." And with this growth has come a general distrust in the overall security and privacy of many personal online digital transactions. But we should not settle for this to be the case for our learning environments. Today, many view privacy as a fundamental tenet of learning and unbiased knowledge sharing.
The first page of the EU General Data Protection Regulation (GDPR) states that privacy and the protection of personal data is a fundamental human right. I strongly agree with that statement and am proud to work for a company that places similar weight and importance on these values.
With this in mind, I am very much aware that libraries and content providers, such as EBSCO, are partners in ensuring the integrity of patron privacy. We have a joint obligation to ensure the confidentiality of user data, but to effectively execute this obligation, we must understand what data we have, what it is used for, and when it should be disposed of. GDPR has challenged us to look at our underlying processes and truly understand the needs behind the generation, use and retention of personal data within our environments. Regardless of current or future legislation in this space, these responsibilities should be implemented appropriately for digital and analog media.
EBSCO continues to place an extremely high priority on designing and implementing solutions that provide the appropriate balance of end user privacy with the benefits and enhancements that come with a clear understanding of users’ needs within our platform. We believe that these concepts can coexist if we design for privacy from the start. For example, we will soon be releasing several capabilities within the EBSCOhost® platform that enable end users the ability to quickly obtain a full accounting of their use of EBSCO products and to include search terms and content accessed within EBSCOhost and the EBSCO Discovery Service™ environments. Rather than implement it as a manual process that may require intervention from Customer Support, we built it into the platform so users can quickly and easily obtain the personal contact and usage information EBSCO is storing. In addition, users can remove the data themselves. This is an example of how the platform’s "privacy by design" has been implemented globally. We have also enhanced our policies, procedures and administrative controls to facilitate this in the development environment, while continuing to invest in our security infrastructure and operations.
The user privacy controls and security protections we have implemented within the EBSCOhost and EBSCO Discovery Service platform environments are aimed at establishing and maintaining trust. We want to continue to build on the trust that our users place in us by using our environment. For EBSCO, the controls mandated by GDPR are applicable not only in Europe or for European citizens. We know that users want the means to maintain control over how their personal data is used, and that they want to ensure that their personal information will only be used in a way that supports their personal learning process. We also know that our customers want to provide a secure and reliable environment for their users and be confident that any personal data is protected in accordance with best practices for information security.
This can only be accomplished when libraries and content solution providers work together to establish secure and reliable learning environments. As the Internet "has grown up" and the methods for accessing online digital resources have evolved, the methods by which we access academic and scholarly content (such as IP or URL-based access control mechanisms) have largely remained stagnant and are quickly becoming outmoded. By promoting and implementing modern, standards-based approaches to authentication and access (such as SAML/SSO) as well as other security best practices (including TLS standards-based encryption and enhanced password quality) and account lifecycle management, we will adopt the appropriate technical mechanisms to truly protect user privacy in the digital age. And if implemented correctly, these same controls will continue to place our customers, and end users, in direct control of their data.
Scott Macdonald is a graduate of the United States Naval Academy, with an advanced degree from the Naval War College. He is a 20-year veteran of the United States Navy. After retiring from the Navy, he worked for MIT’s Lincoln Laboratory managing data security.