Page 1

Protecting Your Private Parts

Tracy Ann Kosa

Page 2

Protecting Your Private Parts
TASK Meeting, 27 February 2008

Objectives
– Terminology
– Privacy & Security
– Privacy Design Requirements

Page 3

Types of Privacy

3 Dimensions of Privacy:
– Territorial
– Physical
– Informational

Page 4

Informational Privacy

“Privacy is the claim of individuals, groups and institutions to determine for themselves, when, how and to what extent information about them is communicated to others” (Westin 1967)

Page 5

Personal Information

Any information concerning the personal or material circumstances of an identified or identifiable person

Page 6

The Case for Privacy

Technology amplifies the possibility of surveillance and misuse of PI

“Privacy legislation plays an important role in designing, implementing, and using privacy-enhancing systems” (Fischer-Hübner 2001)

Page 7

Security & Privacy

“I think of privacy as the use of the data by somebody you gave it to, and security as the theft of the data or the interception of the data by the unknown third party. If I buy a ticket from Travelocity, what Travelocity does with my data is a privacy issue. If somebody hacks into Travelocity and steals that data, that’s a security issue.” (Cate 2008)

Page 8

Security Impacts Privacy

Security techniques can help protect personal information

Security techniques can affect the privacy of a data subject

Page 9

Security Models
– Bell-LaPadula
– Lattice Model of Information Flow
– Biba Model
– Clark-Wilson Model
– Chinese Wall Model
– RBAC Model
– Task-Based Authorization Model
– Object-Oriented Security Model
(Fischer-Hübner 2001)

Page 10

Page 11

Security Criteria

Trusted Computer System Evaluation Criteria (TCSEC), European IT Security Evaluation Criteria (ITSEC), Canadian Trusted Computer Product Evaluation Criteria (CTCPEC)

Focus on protecting the system and the organization, not the users and the data subjects

Page 12

Privacy Criteria for Security

Protecting the confidentiality, integrity and availability of PI
– Protect PI from unauthorized collection, use and disclosure, including theft
– Protect PI from accidental or unlawful destruction
– Protect PI from alteration
– Ensure availability of PI

Protect data subjects (as system users)
– Enable anonymous/pseudonymous use
– Support informational self-determination

Page 13

Example

Access control mechanisms to protect confidentiality and integrity of PI
– Enforcing purpose binding
– Separation of duties based on roles
– Well-formed transactions

Page 14

Expectations

Page 15

Reality

Page 16

Privacy Design Requirements

Timing
– Day 1, or when project feasibility activities are completed and approved
– Some random point during a project
– After implementation
– 5 years after implementation

Page 17

Privacy Design Requirements

Process
– Identify a benchmark
– Read it (really)
– Create the requirement
– Classify it (people, process, technology)

Page 18

Privacy Design Requirements

The Case Study
– No specific project, creating static requirements for the enterprise
– Using the privacy principles (found in the private sector privacy legislation, PIPEDA) as a benchmark

Page 19

CSA1: Accountability

An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.

Page 20

Privacy Design Requirements

IT systems should:
– Be capable of providing access to PI on request and have the capacity to record who has/had access to the PI and for what purpose
– Be transparent and documented so that data subjects can be informed about how their PI is collected, used and disclosed
– Include consideration of privacy in change management practices
– Retain a history of corrective transactions relative to each data subject

Page 21

CSA2: Identifying Purpose

The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

Page 22

Privacy Design Requirements

IT systems should:
– Record the date, time and retention period of PI when it is collected, compiled or obtained
– Limit the use of free text areas to collect PI
– Limit the ability to use already collected PI for a new purpose
– Include monitoring and enforcement mechanisms to limit the collection of PI
– Possess audit trail functionality and transaction validation
– Separate PI in databases so that queries do not retrieve data recorded for a different purpose
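As an added illustration of the purpose binding on page 13 and the purpose separation on this slide (example code written for this page, not from the talk): PI is stored with the purpose it was collected for, every task is bound to one purpose, and a read is allowed only when the caller's role is authorized for the task and the task's purpose matches the record's. The roles, tasks and purposes are constructed sample values; every attempt is logged so the CSA1 question "who has had access, and for what purpose" can be answered.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy (an assumption, not from the slides): a role is authorized
# for a set of tasks, and each task is bound to exactly one processing purpose.
ROLE_TASKS = {
    "billing_clerk": {"issue_invoice"},
    "support_agent": {"answer_ticket"},
    "analyst": {"forecast_demand"},
}
TASK_PURPOSE = {
    "issue_invoice": "billing",
    "answer_ticket": "customer_support",
    "forecast_demand": "planning",
}

@dataclass
class Record:
    subject_id: str
    purpose: str   # purpose identified at collection (CSA2), stored with the PI
    data: dict

def decide(role, task, record):
    """Purpose binding: allow only if the role may perform the task AND the
    task's purpose equals the purpose the PI was collected for."""
    task_ok = task in ROLE_TASKS.get(role, set())
    purpose_ok = TASK_PURPOSE.get(task) == record.purpose
    return task_ok and purpose_ok

@dataclass
class AccessLog:
    entries: list = field(default_factory=list)

def access(user, role, task, record, log):
    """Mediate every read; record the attempt (allowed or not) with its purpose."""
    allowed = decide(role, task, record)
    log.entries.append({
        "at": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "task": task,
        "subject": record.subject_id, "purpose": record.purpose,
        "allowed": allowed,
    })
    if not allowed:
        raise PermissionError(f"{role}/{task} may not read {record.purpose} PI")
    return record.data

def who_accessed(subject_id, log):
    """CSA1: who has had access to a data subject's PI and for what purpose."""
    return [(e["user"], e["task"], e["purpose"]) for e in log.entries
            if e["subject"] == subject_id and e["allowed"]]
```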

Page 23

CSA3: Consent

The knowledge and consent of the individual are required for the use or disclosure of personal information, except where inappropriate.

Page 24

Privacy Design Requirements

IT systems should:
– Manage a data subject’s consent preferences
– Serve a consent statement to the data subject prior to collection
– Record the terms of consent and timestamp when a data subject agrees
– Support serving new consent notices to data subjects when the notice of collection is changed
– Allow data subjects to revoke consent for collection and/or use
– Timestamp revocations of consent from data subjects
– Serve explanatory notices of the ramifications of consent revocation before purging PI
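An added example (not from the talk) of a consent ledger that meets the points above: terms and timestamps are recorded, a consent is tied to the version of the notice the subject actually saw, a changed notice triggers a new-notice requirement, and revocations are timestamped rather than deleted. Purposes, notice versions and timestamps are constructed values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed example (not from the slides). Timestamps are ISO-8601 strings.

def stamp():
    return datetime.now(timezone.utc).isoformat()

@dataclass
class Consent:
    subject_id: str
    purpose: str
    notice_version: int        # the notice of collection the subject agreed to
    given_at: str
    revoked_at: Optional[str] = None

@dataclass
class ConsentLedger:
    current_notice: dict = field(default_factory=dict)   # purpose -> notice version
    consents: list = field(default_factory=list)

    def publish_notice(self, purpose, version):
        """A changed notice of collection: consents to older versions go stale."""
        self.current_notice[purpose] = version

    def record_consent(self, subject_id, purpose, notice_version, at=None):
        """Record the terms (purpose, notice version) and the timestamp."""
        self.consents.append(Consent(subject_id, purpose, notice_version, at or stamp()))

    def revoke(self, subject_id, purpose, at=None):
        """Timestamp the revocation; the consent record itself is kept."""
        for c in self._active(subject_id, purpose):
            c.revoked_at = at or stamp()

    def _active(self, subject_id, purpose):
        return [c for c in self.consents if c.subject_id == subject_id
                and c.purpose == purpose and c.revoked_at is None]

    def needs_new_notice(self, subject_id, purpose):
        """True when the subject consented, but not to the current notice version."""
        active = self._active(subject_id, purpose)
        current = self.current_notice.get(purpose)
        return bool(active) and not any(c.notice_version == current for c in active)

    def may_collect(self, subject_id, purpose):
        """Collect only under an unrevoked consent to the current notice version."""
        current = self.current_notice.get(purpose)
        return any(c.notice_version == current for c in self._active(subject_id, purpose))
```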

Page 25

CSA4: Limiting Collection

The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

Page 26

Technology Requirements

IT systems should:
– Identify and document all PI data elements required to provide a service (including physical location)
– Restrict use of PI beyond the initial purpose for collection
– Record logging information for each collection, use and disclosure of PI
– Document the source for all PI collected
– Anonymize PI when used for planning, forecasting or evaluation purposes
– Limit access to PI to authorized and accountable personnel

Page 27

CSA5: Limiting Use, Disclosure & Retention

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.

Page 28

Technology Requirements

IT systems should:
– Enforce maximum retention periods for PI
– Apply retention periods to backups and archives
– Anonymize PI no longer necessary for service delivery
– Utilize secure electronic disposal methods
– Apply safeguards to ensure that PI cannot be used or disclosed for unauthorized purposes
– Support linkage functionality between a data subject’s PI and documented circumstances where use or disclosure has occurred outside the notice of collection
– Not allow PI to be cached locally
– Delete all PI prior to being decommissioned
– Prevent linkages of PI across multiple databases outside of initial service delivery requirements
– Where necessary, utilize only internal identifiers (not SIN or DL)
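An added example (not from the talk) of a retention job that uses the retention period recorded at collection (page 22), anonymizes expired planning data (page 26) and applies the same clock to backup and archive copies (this slide). The per-purpose periods, the anonymization rules and the constructed records are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed retention policy (an assumption, not from the slides): a maximum
# retention period per purpose, counted from the collection date recorded with
# the PI. Expired planning data is anonymized; expired service data is disposed of.
RETENTION = {
    "billing": timedelta(days=7 * 365),
    "customer_support": timedelta(days=2 * 365),
    "planning": timedelta(days=90),
}
DIRECT_IDENTIFIERS = {"name", "email", "phone", "sin", "drivers_licence"}

@dataclass
class Record:
    subject_id: str
    purpose: str
    collected_at: str           # ISO-8601 date recorded at collection (CSA2)
    fields: dict
    location: str = "primary"   # "primary", "backup" or "archive"

def anonymize(record):
    """Drop direct identifiers and coarsen quasi-identifiers so the record no
    longer identifies a person but still serves planning and forecasting."""
    kept = {k: v for k, v in record.fields.items() if k not in DIRECT_IDENTIFIERS}
    if "birth_date" in kept:
        kept["birth_year"] = kept.pop("birth_date")[:4]
    if "postal_code" in kept:
        kept["postal_area"] = kept.pop("postal_code")[:3]
    return Record("anonymous", record.purpose, record.collected_at, kept, record.location)

def retention_action(record, today):
    """Decide what the retention job does with one copy of a record. Backup and
    archive copies are judged by the same clock as the primary copy."""
    age = datetime.fromisoformat(today) - datetime.fromisoformat(record.collected_at)
    if age <= RETENTION[record.purpose]:
        return "retain"
    return "anonymize" if record.purpose == "planning" else "dispose"

def run_retention(records, today):
    """Apply the decision to every copy; returns what remains in storage."""
    remaining = []
    for r in records:
        action = retention_action(r, today)
        if action == "retain":
            remaining.append(r)
        elif action == "anonymize":
            remaining.append(anonymize(r))
        # "dispose": not kept; the storage itself must be wiped with a secure method
    return remaining
```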

Page 29

CSA6: Accuracy

Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

Page 30

Technology Requirements

IT systems should:
– Be audited regularly to ensure controls are in place and working
– Ensure that PI can be easily accessed and corrected upon request
– Have the ability to identify when PI has been changed or modified, by whom, and for what reason
– Be designed so that historical PI and any inaccurate PI is not routinely disclosed to persons other than the data subject
– Be designed so that anyone who has accessed inaccurate or historical PI that has changed is informed of these changes in a timely manner
– Include validity checks at the point of data entry
– Specify the date the data subject’s PI was collected and/or updated
– Specify when and how a data subject’s PI is to be updated and the source for the update
– Specify how to verify the accuracy and completeness of information disclosed to or received from a third party
– Include record keeping for each data subject’s request for a review for accuracy, corrections and/or decisions not to correct

Page 31

CSA7: Safeguards

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

Page 32

Technology Requirements

IT systems should:
– Support the immediate revocation of access privileges to PI
– Have controls in place over the process to grant authorization to add, change or delete information from records
– Be designed so that access and changes to PI can be audited by date and by user identification
– Label, transmit and store PI in accordance with its classification

Page 33

CSA8: Openness

An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

Page 34

Technology Requirements

IT systems should:
– Clearly identify transaction types to data subjects and system users
– Clearly identify data flows to data subjects and system users
– Clearly identify system linkages to data subjects and system users

Page 35

CSA9: Individual Access

Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Page 36

Technology Requirements

IT systems should:
– Be able to provide a data subject with access to and copies of their PI on a routine basis (as permitted by law)
– Be designed to provide PI at the least cost possible to the data subject
– Be able to amend and/or annotate any PI subject to disagreement regarding accuracy
– Have the capacity to notify third parties to whom incorrect PI has been disclosed within the year preceding the correction of the changes to information or the letter of disagreement
– Provide PI in multiple formats (electronic, audio)
– Support multiple-format queries for PI (e.g. one query should return all PI held about a given data subject across different applications where necessary for service delivery)
– Support severing of PI of other data subjects contained in records provided in response to another data subject’s request for access

Page 37

CSA10: Challenging Compliance

An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.

Page 38

Technology Requirements

IT systems should:
– Record complaint-related information, including the date on which complaints are received
– Record all complaint outcomes, the date when made and the parties involved, and make the decisions available (where relevant to ensure consistency)
– Trace all transactions made on a data subject's record, including who made changes to a record, date of change, and purposes for change
– Log transaction history for audit purposes, to respond to privacy complaints and/or to support requests for information from a data subject
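An added example (not from the talk) of the per-record transaction history these requirements describe, together with those on pages 30 and 36: each change keeps who, when, why and the prior value, each disclosure to a third party is recorded, and a correction yields the parties that received the superseded value within the preceding year. The record fields, parties and timestamps are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed example (not from the slides): every change to, and disclosure
# of, a data subject's record is appended to a history; nothing is overwritten.

@dataclass
class Change:
    at: str          # ISO-8601 timestamp of the change
    by: str          # user identification
    field_name: str
    old: object
    new: object
    reason: str      # e.g. "subject correction request", "data entry"

@dataclass
class Disclosure:
    at: str
    to: str          # third party that received the value
    field_name: str
    value: object

@dataclass
class SubjectRecord:
    subject_id: str
    fields: dict
    history: list = field(default_factory=list)
    disclosures: list = field(default_factory=list)

    def update(self, field_name, new, by, reason, at):
        """Apply a change and keep who, when and why (CSA6, CSA10)."""
        self.history.append(Change(at, by, field_name, self.fields.get(field_name), new, reason))
        self.fields[field_name] = new

    def disclose(self, to, field_name, at):
        """Record each disclosure of a value so later corrections can be propagated."""
        self.disclosures.append(Disclosure(at, to, field_name, self.fields[field_name]))

    def trace(self):
        """All transactions on this record, oldest first (CSA10)."""
        return [(c.at, c.by, c.field_name, c.reason) for c in self.history]

def parties_to_notify(record, change):
    """Third parties that received the value a correction replaced, within the
    year before the correction (CSA9)."""
    corrected_at = datetime.fromisoformat(change.at)
    window_start = corrected_at - timedelta(days=365)
    return sorted({d.to for d in record.disclosures
                   if d.field_name == change.field_name and d.value == change.old
                   and window_start <= datetime.fromisoformat(d.at) < corrected_at})
```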

Page 39

Privacy & Security

Recommended