Protecting Your Private Parts - PowerPoint PPT Presentation
1
Protecting Your Private Parts
  • Tracy Ann Kosa

2
Objectives
  • Terminology
  • Privacy & Security
  • Privacy Design Requirements

3
Types of Privacy
  • 3 Dimensions of Privacy
  • Territorial
  • Physical
  • Informational

4
Informational Privacy
  • Privacy is the claim of individuals, groups and
    institutions to determine for themselves, when,
    how and to what extent information about them is
    communicated to others
  • (Westin 1967)

5
Personal Information
  • Any information concerning the personal or
    material circumstances of an identified or
    identifiable person

6
The Case for Privacy
  • Technology amplifies the possibility of
    surveillance and misuse of PI
  • Privacy legislation plays an important role in
    designing, implementing, and using
    privacy-enhancing systems
  • (Fischer-Hübner 2001)

7
Security & Privacy
  • "I think of privacy as the use of the data by
    somebody you gave it to, and security as the
    theft of the data or the interception of the data
    by the unknown third party. If I buy a ticket
    from Travelocity, what Travelocity does with my
    data is a privacy issue. If somebody hacks into
    Travelocity and steals that data, that's a
    security issue."
  • (Cate 2008)

8
Security Impacts Privacy
9
Security Models
  • Bell-LaPadula Model
  • Lattice Model of Information Flow
  • Biba Model
  • Clark-Wilson Model
  • Chinese Wall Model
  • RBAC Model
  • Task Based Authorization Model
  • Object-Oriented Security Model
  • (Fischer-Hübner 2001)

10
(No Transcript)
11
Security Criteria
  • Trusted Computer System Evaluation Criteria
    (TCSEC), European IT Security Evaluation Criteria
    (ITSEC), Canadian Trusted Computer Product
    Evaluation Criteria (CTCPEC)
  • Focus on protecting the system and the
    organization, not the users and the data subjects

12
Privacy Criteria for Security
  • Protecting the confidentiality, integrity and
    availability of PI
  • Protect PI from unauthorized collection, use and
    disclosure, including theft
  • Protect PI from accidental or unlawful
    destruction
  • Protect PI from alteration
  • Ensure availability of PI
  • Protect data subjects (as system users)
  • Enable anonymous/pseudonymous use
  • Support informational self-determination

13
Example
  • Access control mechanisms to protect
    confidentiality and integrity of PI
  • Enforcing purpose binding
  • Separation of duties based on roles
  • Well-formed transactions
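As an added example (not code from the presentation), the mechanisms on this slide in one small Python model: every PI record is tagged with the purpose it was collected for, a role-to-task table enforces separation of duties, each query is bound to the purpose of the task it serves, and a correction routine is the only path that changes a value and leaves an audit trail plus the superseded record. The roles, tasks, purposes, user names and sample records are made up for illustration.

```python
"""Purpose-bound access control over personal information (PI).

Added example, not the presentation's own code. Every PI record carries the
purpose it was collected for; every access request names the task it serves;
the request is granted only when the caller's role may perform that task
(separation of duties), and the query is then confined to records collected
for that task's purpose (purpose binding). Corrections go through a single
well-formed transaction that keeps the superseded value. Roles, tasks,
purposes and records are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Task -> roles allowed to run it and the purpose it serves (hypothetical).
TASK_TABLE = {
    "issue_invoice":   {"roles": {"billing_clerk"}, "purpose": "billing"},
    "send_newsletter": {"roles": {"marketing"},     "purpose": "marketing"},
    "correct_address": {"roles": {"support_agent"}, "purpose": "billing"},
}


@dataclass(frozen=True)
class PIRecord:
    subject_id: str     # internal identifier, never the SIN or licence number
    attribute: str      # e.g. "postal_address"
    value: str
    purpose: str        # purpose recorded at collection time
    collected_at: str   # ISO-8601 timestamp recorded at collection time


@dataclass
class PurposeBoundStore:
    records: list = field(default_factory=list)
    history: list = field(default_factory=list)    # superseded records
    audit_log: list = field(default_factory=list)  # one entry per decision

    def _log(self, who, role, task, subject_id, decision, reason):
        self.audit_log.append({
            "at": datetime.now(timezone.utc).isoformat(), "user": who,
            "role": role, "task": task, "subject": subject_id,
            "decision": decision, "reason": reason,
        })

    def access(self, who, role, task, subject_id):
        """Return the subject's PI that this task may see; raise on a
        role/task mismatch. Denials are logged as well as grants."""
        spec = TASK_TABLE.get(task)
        if spec is None or role not in spec["roles"]:
            self._log(who, role, task, subject_id, "DENY", "role not authorized for task")
            raise PermissionError(f"role {role!r} may not perform {task!r}")
        # Purpose binding: records collected for another purpose are never
        # returned, even though they concern the same subject.
        hits = [r for r in self.records
                if r.subject_id == subject_id and r.purpose == spec["purpose"]]
        self._log(who, role, task, subject_id, "GRANT", "purpose=" + spec["purpose"])
        return hits

    def correct(self, who, role, task, subject_id, attribute, new_value):
        """Well-formed transaction: the only path that changes a value. The
        old record moves to `history`, so who changed what, and when, stays
        answerable, and the corrected record keeps the original purpose."""
        old = [r for r in self.access(who, role, task, subject_id)
               if r.attribute == attribute]
        if not old:
            raise LookupError(f"no {attribute!r} record for {subject_id!r}")
        self.records.remove(old[0])
        self.history.append(old[0])
        corrected = PIRecord(subject_id, attribute, new_value, old[0].purpose,
                             datetime.now(timezone.utc).isoformat())
        self.records.append(corrected)
        self._log(who, role, task, subject_id, "CHANGE", attribute + " corrected")
        return corrected


def build_sample_store():
    """Constructed data: one subject with a billing and a marketing record."""
    store = PurposeBoundStore()
    when = "2008-03-01T10:00:00+00:00"
    store.records += [
        PIRecord("s-001", "postal_address", "1 Main St", "billing", when),
        PIRecord("s-001", "email", "subject@example.com", "marketing", when),
    ]
    return store


if __name__ == "__main__":
    store = build_sample_store()
    print(store.access("alice", "billing_clerk", "issue_invoice", "s-001"))  # address only
    print(store.access("bob", "marketing", "send_newsletter", "s-001"))      # email only
    try:
        store.access("bob", "marketing", "issue_invoice", "s-001")           # denied
    except PermissionError as exc:
        print("denied:", exc)
    store.correct("carol", "support_agent", "correct_address", "s-001",
                  "postal_address", "2 Side St")
    print(len(store.history), "superseded;", len(store.audit_log), "audit entries")
```

The point to notice is that the marketing role asking for the newsletter task is granted but sees only the marketing record, while the same role asking for the invoice task is refused outright; both outcomes are in the audit log, as is the later correction.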

14
Expectations
15
Reality
16
Privacy Design Requirements
  • Timing
  • Day 1, or when a project's feasibility activities
    are completed and approved
  • Some random point during a project
  • After implementation
  • 5 years after implementation

17
Privacy Design Requirements
  • Process
  • Identify a benchmark
  • Read it (really)
  • Create the requirement
  • Classify it (people, process, technology)

18
Privacy Design Requirements
  • The Case Study
  • No specific project: creating static requirements
    for the enterprise
  • Using the ten privacy principles of the CSA Model
    Code (Schedule 1 of PIPEDA, the federal private
    sector privacy legislation) as the benchmark; the
    CSA1 to CSA10 headings that follow are those ten
    principles

19
CSA1 Accountability
  • An organization is responsible for personal
    information under its control and shall designate
    an individual or individuals who are accountable
    for the organization's compliance with the
    following principles.

20
Privacy Design Requirements
  • IT systems should
  • Be capable of providing access to PI on request
    and have the capacity to record who has/had
    access to the PI and for what purpose
  • Be transparent and documented so that data
    subjects can be informed about how their PI is
    collected, used and disclosed
  • Include consideration of privacy in change
    management practices
  • Retain a history of corrective transactions
    relative to each data subject

21
CSA2 Identifying Purpose
  • The purposes for which personal information is
    collected shall be identified by the organization
    at or before the time the information is
    collected.

22
Privacy Design Requirements
  • IT systems should
  • Record the date, time and retention period of PI
    when it is collected, compiled or obtained
  • Limit the use of free text areas to collect PI
  • Limit the ability to use already-collected PI for
    a new purpose
  • Include monitoring and enforcement mechanisms to
    limit the collection of PI
  • Possess audit trail functionality and transaction
    validation
  • Separate PI in databases so that queries do not
    retrieve data recorded for a different purpose

23
CSA3 Consent
  • The knowledge and consent of the individual are
    required for the collection, use, or disclosure of
    personal information, except where inappropriate.

24
Privacy Design Requirements
  • IT systems should
  • Manage a data subject's consent preferences
  • Serve a consent statement to the data subject
    prior to collection
  • Record the terms of consent and the timestamp when
    a data subject agrees
  • Support serving new consent notices to data
    subjects when the notice of collection is
    changed
  • Allow data subjects to revoke consent for
    collection and / or use
  • Timestamp revocations of consent from data
    subjects
  • Serve explanatory notices of the ramifications of
    consent revocation before purging PI
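An added example, not from the presentation, of a consent ledger that meets the bullets above. Each grant records a timestamp and the SHA-256 of the exact notice text the subject was shown, so the terms consented to are on record, not just a flag; when the notice of collection changes, the earlier consent becomes stale until the new notice is served and agreed to again; revocations are timestamped in the same append-only ledger. The purposes, notice texts and dates are invented.

```python
"""Consent ledger for a data subject.

Added example, not the presentation's own code. Each consent event (grant or
revocation) is appended with a timestamp and the SHA-256 of the exact notice
text the subject saw. A use is permitted only if the latest event for that
purpose is a grant whose notice digest still matches the current notice; a
changed notice makes the earlier consent stale and it must be re-served.
Purposes and notice texts are constructed for illustration.
"""
import hashlib
from datetime import datetime, timezone


def notice_digest(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class ConsentLedger:
    def __init__(self, notices: dict):
        self.notices = dict(notices)   # purpose -> current notice of collection
        self.events = []               # append-only; never rewritten

    def _append(self, subject, purpose, kind, at, digest=None):
        stamp = (at or datetime.now(timezone.utc)).isoformat()
        self.events.append({"subject": subject, "purpose": purpose,
                            "event": kind, "at": stamp, "notice": digest})

    def serve_notice(self, purpose) -> str:
        """Text to show the subject before collection for this purpose."""
        return self.notices[purpose]

    def grant(self, subject, purpose, at=None):
        # Record the digest of the notice in force at the moment of agreement.
        self._append(subject, purpose, "grant", at,
                     notice_digest(self.notices[purpose]))

    def revoke(self, subject, purpose, at=None):
        self._append(subject, purpose, "revoke", at)

    def update_notice(self, purpose, new_text):
        """Changing the notice never touches the ledger; existing grants
        simply stop matching and show up as stale."""
        self.notices[purpose] = new_text

    def status(self, subject, purpose) -> str:
        last = None
        for e in self.events:
            if e["subject"] == subject and e["purpose"] == purpose:
                last = e
        if last is None:
            return "none"
        if last["event"] == "revoke":
            return "revoked"
        if last["notice"] != notice_digest(self.notices[purpose]):
            return "stale"
        return "granted"

    def use_allowed(self, subject, purpose) -> bool:
        return self.status(subject, purpose) == "granted"

    def pending_notices(self, subject) -> list:
        """Purposes for which the subject must be re-served the notice."""
        return [p for p in self.notices if self.status(subject, p) == "stale"]

    def revocation_warning(self, purpose) -> str:
        """Explanatory text shown before a revocation is processed."""
        return (f"Revoking consent for {purpose!r} stops further use of your "
                "information for that purpose; data held only for it is purged.")


def sample_run():
    """Constructed walk-through: grant, notice change, re-grant, revoke.
    Returns the ledger, the purposes pending re-consent after the change,
    and the status observed after each step."""
    ledger = ConsentLedger({"newsletter": "We email you monthly offers.",
                            "analytics": "We analyse site usage."})
    steps = []
    ledger.grant("s-001", "newsletter", at=datetime(2008, 3, 1, tzinfo=timezone.utc))
    steps.append(ledger.status("s-001", "newsletter"))
    ledger.update_notice("newsletter", "We email you weekly offers and "
                                       "share your address with partners.")
    steps.append(ledger.status("s-001", "newsletter"))
    pending = ledger.pending_notices("s-001")
    ledger.grant("s-001", "newsletter", at=datetime(2008, 4, 1, tzinfo=timezone.utc))
    steps.append(ledger.status("s-001", "newsletter"))
    ledger.revoke("s-001", "newsletter", at=datetime(2008, 5, 1, tzinfo=timezone.utc))
    steps.append(ledger.status("s-001", "newsletter"))
    return ledger, pending, steps


if __name__ == "__main__":
    ledger, pending, steps = sample_run()
    print(steps, pending)           # ['granted', 'stale', 'granted', 'revoked'] ['newsletter']
```

Because the ledger stores a digest of the notice rather than a pointer to "the current notice", a later dispute can be answered with the exact wording that was agreed to, and a silently edited notice can never be passed off as already consented to.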

25
CSA4 Limiting Collection
  • The collection of personal information shall be
    limited to that which is necessary for the
    purposes identified by the organization.
    Information shall be collected by fair and lawful
    means.

26
Technology Requirements
  • IT systems should
  • Identify and document all PI data elements
    required to provide a service (including physical
    location)
  • Restrict use of PI beyond the initial purpose for
    collection
  • Record logging information for each collection,
    use and disclosure of PI
  • Document the source for all PI collected
  • Anonymize PI when used for planning, forecasting
    or evaluation purposes
  • Limit access to PI to authorized and accountable
    personnel

27
CSA5 Limiting Use, Disclosure and Retention
  • Personal information shall not be used or
    disclosed for purposes other than those for which
    it was collected, except with the consent of the
    individual or as required by law. Personal
    information shall be retained only as long as
    necessary for the fulfillment of those purposes.

28
Technology Requirements
  • IT systems should
  • Enforce maximum retention periods for PI
  • Apply retention periods to backups and archives
  • Anonymize PI no longer necessary for service
    delivery
  • Utilize secure electronic disposal methods
  • Apply safeguards to ensure that PI cannot be used
    or disclosed for unauthorized purposes
  • Support linking a data subject's PI to documented
    circumstances where use or disclosure has occurred
    outside the notice of collection
  • Not allow PI to be cached locally
  • Delete all PI before the system is decommissioned
  • Prevent linkages of PI across multiple databases
    outside of initial service delivery requirements
  • Where necessary, utilize only internal
    identifiers (not the SIN or driver's licence number)
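An added example, not from the presentation, for the retention, backup and internal-identifier bullets above (and the collection-time retention period from CSA2). The SIN never reaches the data stores: an internal identifier is derived from it with HMAC-SHA256 under a key that stays with the collection service. Each record carries its retention period; one sweep runs over the primary store and its backup alike and drops expired records, keeping only coarse anonymous tallies for planning. A scan for SIN-shaped values is the check that nothing leaked, for instance through a free-text note. The key, SIN, dates and records are constructed.

```python
"""Retention enforcement and internal identifiers for personal information.

Added example, not the presentation's own code. The SIN never reaches the
data stores: the collection service derives an internal identifier with a
keyed hash (HMAC-SHA256) whose key stays in that service. Each record carries
the retention period fixed at collection time; a sweep over every store drops
expired records and keeps only non-identifying counts for planning. A scan
for SIN-shaped values checks that nothing leaked. All values are constructed.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SIN_PATTERN = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")


def internal_id(sin: str, key: bytes) -> str:
    """Keyed hash of the SIN. An unkeyed hash would not do: the SIN space is
    only 10^9 values, so a plain digest is reversible by brute force."""
    digest = hmac.new(key, sin.encode("utf-8"), hashlib.sha256).hexdigest()
    return "sub-" + digest[:16]


@dataclass
class Record:
    subject: str            # internal id, never the SIN
    purpose: str
    fields: dict            # the PI itself
    collected_at: datetime
    retention: timedelta    # recorded at collection time

    def expired(self, now: datetime) -> bool:
        return now >= self.collected_at + self.retention


def sweep(stores: dict, now: datetime) -> dict:
    """Apply retention to every store (primary, backup, archive alike).

    Expired records are dropped in place; all that survives of each is one
    anonymous tally per (purpose, province, year collected) for forecasting,
    counted once even when the same record sits in several stores."""
    removed, tallies, seen = {}, {}, set()
    for name, records in stores.items():
        keep = []
        for r in records:
            if not r.expired(now):
                keep.append(r)
                continue
            ident = (r.subject, r.purpose, r.collected_at.isoformat())
            if ident not in seen:
                seen.add(ident)
                key = (r.purpose, r.fields.get("province", "?"), r.collected_at.year)
                tallies[key] = tallies.get(key, 0) + 1
        removed[name] = len(records) - len(keep)
        records[:] = keep
    return {"removed": removed, "tallies": tallies}


def find_sins(stores: dict) -> list:
    """Check: any SIN-shaped value anywhere in a store is a finding."""
    hits = []
    for name, records in stores.items():
        for r in records:
            if SIN_PATTERN.search(r.subject):
                hits.append((name, "subject"))
            for fld, val in r.fields.items():
                if isinstance(val, str) and SIN_PATTERN.search(val):
                    hits.append((name, fld))
    return hits


DEMO_KEY = b"constructed-demo-key-not-for-real-use"
DEMO_SIN = "123 456 789"   # made-up value, not a real SIN


def sample_run():
    """Constructed stores: the same two records in primary and backup, one of
    them past its two-year retention on the chosen 'now'."""
    sid = internal_id(DEMO_SIN, DEMO_KEY)
    two_years = timedelta(days=730)
    old = Record(sid, "billing", {"postal_address": "1 Main St", "province": "ON"},
                 datetime(2006, 1, 15, tzinfo=timezone.utc), two_years)
    new = Record(sid, "billing", {"postal_address": "1 Main St", "province": "ON"},
                 datetime(2008, 3, 1, tzinfo=timezone.utc), two_years)
    stores = {"primary": [old, new], "backup": [old, new]}
    report = sweep(stores, datetime(2008, 6, 1, tzinfo=timezone.utc))
    return sid, stores, report, find_sins(stores)


def leak_check_demo() -> list:
    """A free-text note that captured the raw SIN, and a store keyed by the
    SIN itself: both are caught by the scan."""
    leaky = Record("123-456-789", "billing", {"note": "SIN 123 456 789 on file"},
                   datetime(2008, 3, 1, tzinfo=timezone.utc), timedelta(days=1))
    return find_sins({"export": [leaky]})


if __name__ == "__main__":
    sid, stores, report, findings = sample_run()
    print(sid, report, findings, leak_check_demo())
```

The backup is swept with the same call as the primary, which is the only way "apply retention periods to backups and archives" actually holds; the leak check is what turns "limit the use of free text areas to collect PI" into something that can be verified rather than asserted.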

29
CSA6 Accuracy
  • Personal information shall be as accurate,
    complete, and up-to-date as is necessary for the
    purposes for which it is to be used.

30
Technology Requirements
  • IT systems should
  • Be audited regularly to ensure controls are in
    place and working
  • Ensure that PI can be easily accessed and corrected
    upon request
  • Have the ability to identify when PI has been
    changed or modified, by whom, and for what reason
  • Be designed so that historical PI and any inaccurate
    PI is not routinely disclosed to persons other
    than the data subject
  • Be designed so that anyone who has accessed
    inaccurate or historical PI that has since changed
    is informed of the change in a timely manner
  • Include validity checks at the point of data
    entry
  • Specify the date the data subject's PI was
    collected and / or updated
  • Specify when and how the data subject's PI is to be
    updated and the source for the update
  • Specify how to verify the accuracy and
    completeness of information disclosed to or
    received from a third party
  • Include record keeping for each data subject's
    request for a review for accuracy, corrections
    and / or decisions not to correct

31
CSA7 Safeguards
  • Personal information shall be protected by
    security safeguards appropriate to the
    sensitivity of the information.

32
Technology Requirements
  • IT systems should
  • Support the immediate revocation of access
    privileges to PI
  • Have controls in place over the process to grant
    authorization to add, change or delete
    information from records
  • Be designed so that access and changes to PI can
    be audited by date and by user identification
  • Label, transmit and store PI in accordance with
    its classification

33
CSA8 Openness
  • An organization shall make readily available to
    individuals specific information about its
    policies and practices relating to the management
    of personal information.

34
Technology Requirements
  • IT systems should
  • Clearly identify transaction types to data
    subjects and system users
  • Clearly identify data flows to the data subject
    and system users
  • Clearly identify system linkages to data subjects
    and system users

35
CSA9 Individual Access
  • Upon request, an individual shall be informed of
    the existence, use, and disclosure of his or her
    personal information and shall be given access to
    that information. An individual shall be able to
    challenge the accuracy and completeness of the
    information and have it amended as appropriate.

36
Technology Requirements
  • IT systems should
  • Be able to provide a data subject with access to
    and copies of their PI on a routine basis (as
    permitted by law)
  • Be designed to provide PI at the least cost
    possible to the data subject
  • Be able to amend and / or annotate any PI subject
    to disagreement regarding accuracy
  • Have the capacity to notify third parties to whom
    incorrect PI was disclosed in the year preceding
    the correction, either of the change to the
    information or of the letter of disagreement
  • Provide PI in multiple formats (electronic,
    audio)
  • Support multiple-format queries for PI (e.g. one
    query should return all PI held about a given
    data subject across different applications where
    necessary for service delivery)
  • Support severing of PI of other data subjects
    contained in records provided in response to
    another data subject's request for access
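An added example (not from the presentation) of the last three bullets: one query gathering everything held about a subject across several applications, severing values that belong to other data subjects before release, and rendering the package in two formats. Application names, subject identifiers and records are constructed.

```python
"""Subject-access response across applications, with other people's PI severed.

Added example, not the presentation's own code. Each application holds records
as (owner, field, value) triples, so a record about one subject can still hold
another person's data (a joint account holder, for instance). One query gathers
everything held about the requester across every application; values owned by
anyone else are severed before release; the package is rendered as JSON and as
plain text. Application names and records are constructed.
"""
import json

SEVERED = "[severed: third-party PI]"


def subject_access_package(requester: str, applications: dict) -> dict:
    """applications: name -> list of records; a record is a list of
    (owner_subject_id, field_name, value) triples. Only records that mention
    the requester are included, and only the requester's own values survive."""
    package = {"subject": requester, "applications": {}}
    for app, records in applications.items():
        released = []
        for rec in records:
            if all(owner != requester for owner, _, _ in rec):
                continue          # not about the requester at all
            released.append([
                {"field": fld, "value": val if owner == requester else SEVERED}
                for owner, fld, val in rec
            ])
        if released:
            package["applications"][app] = released
    return package


def render_json(package: dict) -> str:
    return json.dumps(package, indent=2, sort_keys=True)


def render_text(package: dict) -> str:
    lines = [f"Personal information held about {package['subject']}"]
    for app, records in package["applications"].items():
        lines.append(f"== {app} ==")
        for i, rec in enumerate(records, 1):
            lines.append(f"record {i}:")
            lines.extend(f"  {cell['field']}: {cell['value']}" for cell in rec)
    return "\n".join(lines)


def sample_applications() -> dict:
    """Constructed holdings of three applications about three subjects."""
    return {
        "billing": [
            [("s-001", "postal_address", "1 Main St"), ("s-001", "plan", "basic")],
            [("s-002", "postal_address", "9 Elm Rd")],
        ],
        "support": [
            [("s-001", "ticket", "printer jam"),
             ("s-002", "joint_holder_phone", "555-0100"),
             ("s-001", "resolution", "replaced roller")],
        ],
        "marketing": [
            [("s-003", "email", "other@example.com")],
        ],
    }


if __name__ == "__main__":
    print(render_text(subject_access_package("s-001", sample_applications())))
```

Severing leaves a visible marker rather than silently dropping the cell, so the requester can see that something was withheld and challenge it (CSA10) without the other person's value ever leaving the system.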

37
CSA10 Challenging Compliance
  • An individual shall be able to address a
    challenge concerning compliance with the above
    principles to the designated individual or
    individuals accountable for the organization's
    compliance.

38
Technology Requirements
  • IT systems should
  • Record complaint related information, including
    the date on which complaints are received
  • Record all complaint outcomes, the date when made
    and the parties involved and make the decisions
    available (where relevant to ensure consistency)
  • Trace all transactions made on a data subject's
    record, including who made changes to a record,
    date of change, and purposes for change
  • Log transaction history for audit purposes, to
    respond to privacy complaints and / or to support
    requests for information from a data subject

39
Privacy & Security