Privacy: Understanding the Needs, Policy, and Approach

About This Presentation
Slides: 36
Provided by: owengre
Learn more at: https://www.search.org

Transcript and Presenter's Notes


1
Privacy: Understanding the Needs, Policy, and
Approach
  • Owen Greenspan
  • Director
  • Law and Policy Program

2
A Couple of Observations
3
Justice Ginsburg, U.S. Supreme Court, noted in
Arizona v. Evans that:
  • Widespread reliance on computers to store and
    convey information generates, along with manifold
    benefits, new possibilities of error, due to both
    computer malfunctions and operator mistakes.
    Computerization greatly amplifies an error's
    effect, and correspondingly intensifies the need
    for prompt correction; for inaccurate data can
    infect not only one agency, but the many agencies
    that share access to the database.

4
  • The bulk of the criminal justice information
    maintained in the U.S. is maintained at the State
    and local level
  • Therefore most, but not all, of the legislation
    governing this information is found at the
    State level.

5
Fair Information Practices
6
The Eight Fair Information Practices
(OECD Guidelines on the Protection of
Privacy)
  • 1. Collection Limitation Principle.
  • There should be limits to the collection of
    personal data and any such data should be
    obtained by lawful and fair means and, where
    appropriate, with the knowledge or consent of
    the data subject.

7
The Eight Fair Information Practices
(OECD Guidelines on the Protection of
Privacy)
  • 2. Data Quality Principle.
  • Personal data should be relevant to the
    purposes for which they are to be used, and,
    to the extent necessary for those purposes,
    should be accurate, complete and kept
    up-to-date.

8
The Eight Fair Information Practices
(OECD Guidelines on the Protection of
Privacy)
  • 3. Purpose Specification Principle.
  • The purposes for which personal data are
    collected should be specified not later than at
    the time of data collection and the subsequent
    use limited to the fulfillment of those purposes
    or such others as are not incompatible with
    those purposes and as are specified on each
    occasion of change of purpose.

9
The Eight Fair Information Practices
(OECD Guidelines on the Protection of
Privacy)
  • 4. Use Limitation Principle.
  • Personal data should not be disclosed, made
    available or otherwise used for purposes other
    than those specified in accordance with
    Paragraph 9 except:
  • a) with the consent of the data subject; or
  • b) by the authority of law.

10
The Eight Fair Information Practices
(OECD Guidelines on the Protection of
Privacy)
  • 5. Security Safeguards Principle.
  • Personal data should be protected by
    reasonable security safeguards against such
    risks as loss or unauthorized access,
    destruction, use, modification or disclosure
    of data.

11
The Eight Fair Information Practices
(OECD Guidelines on the Protection of
Privacy)
  • 6. Openness Principle.
  • There should be a general policy of openness
    about developments, practices and policies with
    respect to personal data. Means should be
    readily available of establishing the existence
    and nature of personal data, and the main
    purposes of their use, as well as the identity
    and usual residence of the data controller.

12
The Eight Fair Information Practices
(OECD Guidelines on the Protection of
Privacy)
  • 7. Individual Participation Principle.
  • An individual should have the right:
  • a) to obtain from a data controller, or otherwise,
    confirmation of whether or not the data
    controller has data relating to him;
  • b) to have communicated to him, data relating to
    him within a reasonable time; at a charge, if
    any, that is not excessive; in a reasonable
    manner; and in a form that is readily
    intelligible to him;

13
The Eight Fair Information Practices
(OECD Guidelines on the Protection of
Privacy)
  • 7. Individual Participation Principle.
  • An individual should have the right:
  • c) to be given reasons if a request made under
    subparagraphs (a) and (b) is denied, and to be
    able to challenge such denial; and
  • d) to challenge data relating to him and, if the
    challenge is successful to have the data erased,
    rectified, completed or amended.

14
The Eight Fair Information Practices
(OECD Guidelines on the Protection of
Privacy)
  • 8. Accountability Principle.
  • A data controller should be accountable for
    complying with measures which give effect to
    the principles stated above.

15
Owen's 9th Privacy Principle
  • Failing to address privacy in the planning and
    design of an information sharing system risks
    project failure
  • Threatens public support for your agency
  • Political support for what you are trying to
    accomplish
  • Financial support
  • Operational ability

16
PRIVACY POLICY DEVELOPMENT
17

Global Privacy and Information Quality Working
Group (GPIQWG)

18

Global Privacy and Information Quality Working
Group (GPIQWG)

19
  • Step One: GOVERNANCE
  • Step Two: PLANNING
  • Step Three: PROCESS
  • Step Four: PRODUCT
  • Step Five: IMPLEMENTATION

20
Governance Planning Stage
TEAM FORMATION
Advocate Defend
PROJECT CHAMPION OR SPONSOR
RESOURCES
Process
IDENTIFY TEAM LEADER
BUILD TEAM STAKEHOLDERS
Empower with Authority
FINAL TEAM LEADER MEMBERS
21
Privacy Policy Development Templates

(From Privacy, Civil Rights, and Civil Liberties,
Policy Templates for Justice Information Systems)
The privacy policy development templates suggest
language for drafting a policy or inter-agency
agreement. In order to select the correct
template or combination of templates, the agency
must first identify the type of information
sharing system covered by the privacy policy.
22
Privacy Policy Development Templates

What type of information sharing system will be
covered by the privacy policy?
  • Incident or event-based records management
    system (RMS)
  • Case management system (CMS)
  • Integrated criminal justice information system
    (IJIS or CJIS)
  • Criminal history record information system (CHRI)
  • Criminal intelligence gathering system (CIS)
  • Justice information sharing network
23
Privacy Policy Development Templates

Which of the following best describes the privacy
effort involved?
  • LOCAL SYSTEMS
  • STATEWIDE SYSTEMS
  • STATEWIDE NETWORK INTEGRATING LOCAL SYSTEMS
  • REGIONAL INFORMATION SHARING SYSTEMS
  • AD HOC SYSTEMS
24
Process Stage
  • Collection
  • Dissemination Access
  • Use
  • Maintenance Retention

UNDERSTANDING INFORMATION EXCHANGES
25
Process Stage
  • Focus
  • Sources of Legal Authority
  • Principles FIP
  • Perform Information Analysis

ANALYZING THE LEGAL REQUIREMENTS
26
Process Stage
  • Laws Policies
  • Team Privacy Concerns
  • Build from Existing Laws Policies

IDENTIFY CRITICAL ISSUES POLICY GAPS
27
Product Stage
VISION SCOPE
Organizational Structure Policy Outline
Team Members
Stakeholders
Constituents
REVISED DRAFT
POLICY DRAFT
SHARE
28
Implementation Stage
Formal Adoption of Privacy Policy
PROJECT TEAM
GOVERNING BOARD
TRAINING
PUBLICATION
OUTREACH
Ongoing Evaluation Monitoring
Legislative Efforts
Revisions
29
Alan Carlson's Privacy Policy Development
Templates
Depending upon the need, the privacy policy will
consist of one or more of the following three
policy templates:
TEMPLATE A: Privacy and civil rights protections
for inclusion in enabling legislation or
authorization for the justice information
system. This enabling authority would be included
in the statute, ordinance, resolution, executive
order or other document that authorizes or
creates the entity overseeing the information
system.
30
Alan Carlson's Privacy Policy Development
Templates

TEMPLATE B: A basic privacy and civil rights
protection policy template covering day-to-day
operation of the justice information system. This
basic system operation would be included in a
general policy applicable to the system, or it
would provide the central provisions of a
stand-alone policy covering protection of
privacy, civil rights and civil liberties.
31
Alan Carlson's Privacy Policy Development
Templates
  • TEMPLATE C
  • Privacy and civil rights protections for an
    inter-agency agreement between agencies
    participating in an information sharing network
    or system.

32
ADDITIONAL RESOURCES
33
ADDITIONAL RESOURCES
www.it.ojp.gov/topic.jsp?topic_id55
34
  • Homeland Security Publications
  • Privacy Threshold Analysis
  • Privacy Impact Assessments - Official Guidance
    (2006)
  • Privacy Impact Assessments for various
    industries

35
  • Owen_at_search.org