Protecting Your Private Parts
Tracy Ann Kosa
Privacy & Security
Privacy Design Requirements
Types of Privacy
3 dimensions of privacy:
- Territorial
- Physical
- Informational
Informational Privacy
Privacy is the claim of individuals, groups and institutions to determine for themselves when, how and to what extent information about them is communicated to others (Westin 1967)
Personal Information
Any information concerning the personal or material circumstances of an identified or identifiable person
The Case for Privacy
- Technology amplifies the possibility of surveillance and misuse of PI
- Privacy legislation plays an important role in designing, implementing and using privacy-enhancing systems (Fischer-Hübner 2001)
Security & Privacy
"I think of privacy as the use of the data by somebody you gave it to, and security as the theft of the data or the interception of the data by the unknown third party. If I buy a ticket from Travelocity, what Travelocity does with my data is a privacy issue. If somebody hacks into Travelocity and steals that data, that's a security issue."
Security Impacts Privacy
Security Models
- Bell-LaPadula
- Lattice Model of Information Flow
- Biba Model
- Clark-Wilson Model
- Chinese Wall Model
- RBAC Model
- Task-Based Authorization Model
- Object-Oriented Security Model
(Fischer-Hübner, 2001)
Security Criteria
Trusted Computer System Evaluation Criteria (TCSEC), European Information Technology Security Evaluation Criteria (ITSEC), Canadian Trusted Computer Product Evaluation Criteria (CTCPEC)
Focus on protecting the system and the organization, not the users and the data subjects
Privacy Criteria for Security
Protecting the confidentiality, integrity and availability of PI:
- Protect PI from unauthorized collection, use and disclosure, including theft
- Protect PI from accidental or unlawful destruction
- Protect PI from alteration
- Ensure availability of PI
Protect data subjects (as system users):
- Enable anonymous/pseudonymous use
- Support informational self-determination
Example
- Access control mechanisms to protect confidentiality and integrity of PI
- Enforcing purpose binding
- Separation of duties based on roles
- Well-formed transactions
Privacy Design Requirements: Timing
- Day 1, or when project feasibility activities are completed and approved
- Some random point during a project
- After implementation
- 5 years after implementation
Privacy Design Requirements: Process
- Identify a benchmark
- Read it (really)
- Create the requirement
- Classify it (people, process, technology)
Privacy Design Requirements: The Case Study
- No specific project; creating static requirements for the enterprise
- Using the privacy principles found in the private-sector privacy legislation, PIPEDA (the Personal Information Protection and Electronic Documents Act), as a benchmark; the numbered CSA principles below are the CSA Model Code for the Protection of Personal Information, which PIPEDA incorporates as its Schedule 1
CSA1: Accountability
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.
Privacy Design Requirements
IT systems should:
- Be capable of providing access to PI on request and have the capacity to record who has/had access to the PI and for what purpose
- Be transparent and documented so that data subjects can be informed about how their PI is collected, used and disclosed
- Include consideration of privacy in change management practices
- Retain a history of corrective transactions relative to each data subject
CSA2: Identifying Purpose
The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
Privacy Design Requirements
IT systems should:
- Record the date, time and retention period of PI when it is collected, compiled or obtained
- Limit the use of free-text areas to collect PI
- Limit the ability to use already-collected PI for a new purpose
- Include monitoring and enforcement mechanisms to limit the collection of PI
- Possess audit trail functionality and transaction validation
- Separate PI in databases so that queries do not retrieve data recorded for a different purpose
CSA3: Consent
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
Privacy Design Requirements
IT systems should:
- Manage a data subject's consent preferences
- Serve a consent statement to the data subject prior to collection
- Record the terms of consent and timestamp when a data subject agrees
- Support serving new consent notices to data subjects when the notice of collection is changed
- Allow data subjects to revoke consent for collection and/or use
- Timestamp revocations of consent from data subjects
- Serve explanatory notices of the ramifications of consent revocation before purging PI
CSA4: Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
Technology Requirements
IT systems should:
- Identify and document all PI data elements required to provide a service (including physical location)
- Restrict use of PI beyond the initial purpose for collection
- Record logging information for each collection, use and disclosure of PI
- Document the source for all PI collected
- Anonymize PI when used for planning, forecasting or evaluation purposes
- Limit access to PI to authorized and accountable personnel
CSA5: Limiting Use, Disclosure & Retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
Technology Requirements
IT systems should:
- Enforce maximum retention periods for PI
- Apply retention periods to backups and archives
- Anonymize PI no longer necessary for service delivery
- Utilize secure electronic disposal methods
- Apply safeguards to ensure that PI cannot be used or disclosed for unauthorized purposes
- Support linkage between a data subject's PI and the documented circumstances where use or disclosure has occurred outside the notice of collection
- Not allow PI to be cached locally
- Delete all PI prior to being decommissioned
- Prevent linkages of PI across multiple databases outside of initial service delivery requirements
- Where necessary, utilize only internal identifiers (not the SIN or driver's licence number)
CSA6: Accuracy
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
Technology Requirements
IT systems should:
- Be audited regularly to ensure controls are in place and working
- Ensure that PI can be easily accessed and corrected upon request
- Have the ability to identify when PI has been changed or modified, by whom, and for what reason
- Be designed so that historical PI and any inaccurate PI is not routinely disclosed to persons other than the data subject
- Be designed so that anyone who has accessed inaccurate or historical PI that has since changed is informed of these changes in a timely manner
- Include validity checks at the point of data entry
- Specify the date the data subject's PI was collected and/or updated
- Specify when and how the data subject's PI is to be updated and the source for the update
- Specify how to verify the accuracy and completeness of information disclosed to or received from a third party
- Include record keeping for each data subject's request for a review for accuracy, corrections and/or decisions not to correct
CSA7: Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
Technology Requirements
IT systems should:
- Support the immediate revocation of access privileges to PI
- Have controls in place over the process to grant authorization to add, change or delete information from records
- Be designed so that access and changes to PI can be audited by date and by user identification
- Label, transmit and store PI in accordance with its classification
CSA8: Openness
An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
Technology Requirements
IT systems should:
- Clearly identify transaction types to data subjects and system users
- Clearly identify data flows to data subjects and system users
- Clearly identify system linkages to data subjects and system users
CSA9: Individual Access
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Technology Requirements
IT systems should:
- Be able to provide a data subject with access to and copies of their PI on a routine basis (as permitted by law)
- Be designed to provide PI at the least cost possible to the data subject
- Be able to amend and/or annotate any PI subject to disagreement regarding accuracy
- Have the capacity to notify third parties to whom incorrect PI has been disclosed within the year preceding the correction of the changes to the information or of the letter of disagreement
- Provide PI in multiple formats (electronic, audio)
- Support multiple-format queries for PI (e.g. one query should return all PI held about a given data subject across different applications where necessary for service delivery)
- Support severing of PI of ot