Privacy by Design: Integrating Technology into Global Privacy Practices

Similar documents
Presentation Outline

Protection of Privacy Policy

Privacy Law in Canada: Obligations and Risks in the Cyber Age Dina L. Maxwell Associate Lawyer

ITAC RESPONSE: Modernizing Consent and Privacy in PIPEDA

Guidelines for the Stage of Implementation - Self-Assessment Activity

Submission of the Information & Privacy Commissioner, Ontario, Canada

Privacy by Design Assessment and Certification. For discussion purposes only

Global Alliance for Genomics & Health Data Sharing Lexicon

LESSONS LEARNED. Mr. Gianfranco Scipione, M.Sc., J.D./M.B.A. Manager, Research Integrity UHN Research

Responsible Data Use Policy Framework

Digital Identity Innovation Canada s Opportunity to Lead the World. Digital ID and Authentication Council of Canada Pre-Budget Submission

RFID and privacy - Some industry perspectives (ICC, EICTA)

Pan-Canadian Trust Framework Overview

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Privacy framework

Whatever Happened to the. Fair Information Practices?

ARTICLE 29 Data Protection Working Party

Data Protection and Ethics in Healthcare

COMMUNICATIONS POLICY

Privacy engineering, privacy by design, and privacy governance

IAB Europe Guidance THE DEFINITION OF PERSONAL DATA. IAB Europe GDPR Implementation Working Group WHITE PAPER

EXIN Privacy and Data Protection Foundation. Preparation Guide. Edition

Diana Gordick, Ph.D. 150 E Ponce de Leon, Suite 350 Decatur, GA Health Insurance Portability and Accountability Act (HIPAA)

What We Heard Report Inspection Modernization: The Case for Change Consultation from June 1 to July 31, 2012

Privacy Procedure SOP-031. Version: 04.01

GUIDELINES ON PRIVACY BY DESIGN AND PRIVACY IMPACT ASSESSMENT

Privacy by design: the definitive workshop. A foreword by Ann Cavoukian, Ph.D

Developing a Code of Practice for the Connected Car IT.CAN 21st Annual Conference October 23, Abstract

A Citizen s Guide. to Big Data and Your Privacy Rights in Nova Scotia. Office of the Information and Privacy Commissioner for Nova Scotia

Youth Online: Beware of the 5 Ps When Using Social Networks

DNVGL-CG-0214 Edition September 2016

Privacy Policy SOP-031

clarification to bring legal certainty to these issues have been voiced in various position papers and statements.

Privacy. New technologies, same responsibilities. Carole Fleeman Office of the Victorian Privacy Commissioner

KEY ISSUES IN PRIVACY AND INFORMATION MANAGEMENT 2015

Advancing Health and Prosperity. A Brief to the Advisory Panel on Healthcare Innovation

NCRIS Capability 5.7: Population Health and Clinical Data Linkage

CONSENT IN THE TIME OF BIG DATA. Richard Austin February 1, 2017

Biometric Data, Deidentification. E. Kindt Cost1206 Training school 2017

Staffordshire Police

Session 1, Part 2: Emerging issues in e-commerce Australian experiences of privacy and consumer protection regulation

THOMPSON RIVERS UNIVERSITY 4 TH ANNUAL PRIVACY AND SECURITY CONFERENCE

Violent Intent Modeling System

Analysis of Privacy and Data Protection Laws and Directives Around the World

CANADIAN CENTRE FOR ETHICS AND CORPORATE POLICY. Annual General Meeting. May 17, :30 7:00 pm

NHS SOUTH NORFOLK CLINICAL COMMISSIONING GROUP COMMUNICATIONS AND ENGAGEMENT STRATEGY

Privacy Policy Framework

GDPR Implications for ediscovery from a legal and technical point of view

Human Biological Material Collection, Storage and Use

Should privacy impact assessments be mandatory? David Wright Trilateral Research & Consulting 17 Sept 2009

BUREAU OF LAND MANAGEMENT INFORMATION QUALITY GUIDELINES

NHS South Kent Coast. Clinical Commissioning Group. Complaints, Comments and Compliments Policy

BARRIE PUBLIC LIBRARY COLLECTION DEVELOPMENT POLICY MOTION #16-34 Revised June 23, 2016

Lecture 7 Ethics, Privacy, and Politics in the Age of Data

MINISTRY OF HEALTH STAGE PROBITY REPORT. 26 July 2016

Global Standards Symposium. Security, privacy and trust in standardisation. ICDPPC Chair John Edwards. 24 October 2016

PRIVACY ANALYTICS WHITE PAPER

The City of Kawartha Lakes Public Library

Standards and privacy engineering ISO, OASIS, PRIPARE and Other Important Developments

This Privacy Policy describes the types of personal information SF Express Co., Ltd. and

ART COLLECTION POLICY

Legislative and Regulatory Update. Diane Bowers, CASRO President CASRO Data Collection Conference November 19, 2009

1 SERVICE DESCRIPTION

Applying PIPEDA to the Smart Grid

Privacy by Design: essential for organizational accountability and strong business practices

Hong Kong Personal Data Protection Regulatory Framework From Compliance to Accountability

Pickens Savings and Loan Association, F.A. Online Banking Agreement

Code of Business Conduct

Personal Data Protection Competency Framework for School Students. Intended to help Educators

Marine Renewable-energy Application

Nymity Demonstrating Compliance Manual: A Structured Approach to Privacy Management Accountability

Enabling Trust in e-business: Research in Enterprise Privacy Technologies

Australian Census 2016 and Privacy Impact Assessment (PIA)

Corporate Services. Yes. Chief Executive Officer. Head of Legal and Compliance. Policy and Compliance Officer

Notice of Privacy Practices

Privacy Impact Assessment Desk Reference Guide

Privacy Impact Assessments

WRHA Supply Chain New Technology Workshop Supply Chain Forum November 17, 2010

Brief to the. Senate Standing Committee on Social Affairs, Science and Technology. Dr. Eliot A. Phillipson President and CEO

New Age Vital Statistics Services: What They Do and Don t Do

The Game Changer: Privacy by Design

8 Executive summary. Intelligent Software Agent Technologies: Turning a Privacy Threat into a Privacy Protector

Our position. ICDPPC declaration on ethics and data protection in artificial intelligence

The Medical Examiner s Process

Paola Bailey, PsyD Licensed Clinical Psychologist PSY# 25263

Anti cheating guidelines for Arbiters

What does the revision of the OECD Privacy Guidelines mean for businesses?

The New Legislative Framework Revision of the NAWI-D and the MI-D

Consultation Paper on Public Safety Radio Interoperability Guidelines

Information Governance Policy

March 27, The Information Technology Industry Council (ITI) appreciates this opportunity

CCTV Policy. Policy reviewed by Academy Transformation Trust on June This policy links to: Safeguarding Policy Data Protection Policy

About the Office of the Australian Information Commissioner

Fiscal 2007 Environmental Technology Verification Pilot Program Implementation Guidelines

Pr i v a c y. Change the Paradigm. A White Paper. Ann Cavoukian, Ph.D. Information and Privacy Commissioner of Ontario, Canada

Reporters' Memorandum: Restatement Third of Information Privacy Principles

ITU/ITSO Workshop on Satellite Communications, AFRALTI, Nairobi Kenya, 17-21, July, Policy and Regulatory Guidelines for Satellite Services

Lambeth Clinical Commissioning Group

WIPO Development Agenda

Toronto Real Estate Board Submission to Office of the Privacy Commissioner of Canada. July 2016

POLICY ON INVENTIONS AND SOFTWARE

Transcription:

Privacy by Design: Integrating Technology into Global Privacy Practices Ann Cavoukian, Ph.D. Information and Privacy Commissioner Ontario, Canada Harvard Privacy Symposium August 23, 2007

Role of the IPC Role of the Information & Privacy Commissioner of Ontario (IPC) is set out in three statutes: Freedom of Information and Protection of Privacy Act (FIPPA); Municipal Freedom of Information and Protection of Privacy Act (MFIPPA); Personal Health Information Protection Act (PHIPA).

Mandate of the IPC Under its statutory mandate, the IPC is responsible for: investigating privacy complaints; resolving appeals from refusals to provide access to information; ensuring that organizations comply with the access and privacy provisions of the Acts; educating the public about Ontario's access and privacy laws; and conducting research on access and privacy issues, and providing advice and comment on proposed government legislation and programs.

Privacy by Design Technology knows no borders technology transcends jurisdiction. This has been the driving force behind my office s approach to privacy, in shaping public policy and organizational practices, on a wide range of technology-related issues, including: RFIDs, biometrics, smartcards, PKI, DRM, P3P, identity management systems, video surveillance, national ID cards, electronic road toll systems, and Social Networks (Facebook).

Build It In Build in privacy up front, into the design specifications into the architecture; if possible embed privacy right into the technology used bake it into the specs; Assess the risks to privacy: conduct a privacy impact assessment; follow up with annual privacy audits; Data minimization is key: minimize the routine collection and use of personally identifiable information use encrypted or coded information whenever possible; Use privacy enhancing technologies (PETs): give your customers maximum control over their data.

Privacy-Enhancing Technologies (PETs) The IPC developed the concept and methodology recognized around the world today as privacyenhancing technologies (PETs); In 1995, the IPC and the Dutch Data Protection Authority published the landmark study, Privacy- Enhancing Technologies: The Path to Anonymity (Vols. I & II). www.ipc.on.ca/images/resources/anoni-v2.pdf

Privacy Enhancing Technologies (PETs) Privacy Enhancing Technologies include those that empower individuals to manage their own identities in a privacy enhancing manner. These include tools or systems to: anonymize and pseudonymize identities; securely manage login IDs and passwords and other authentication requirements; restrict traceability and limit surveillance; allow users to selectively disclose their PII to others and exert maximum control over their PII once disclosed.

Recent IPC Publications on Privacy, Security and Technology Biometric Encryption: A Positive-Sum Technology that Achieves Strong Authentication, Security AND Privacy Developed with chief scientist, Alex Stoinov, Ph.D., this paper discusses the merits of the biometric encryption approach to verifying identity, ensuring strong security, and protecting privacy; www.ipc.on.ca/images/resources/up-1bio_encryp.pdf RFID Privacy Guidelines Developed with EPCglobal Canada, this publication is the strongest, most complete set of RFID guidelines developed to date, and promotes compliance with Canadian federal and provincial privacy laws; www.ipc.on.ca/docs/rfidgdlines.pdf Identity Theft Revisited: Security is Not Enough This publication outlines how any organization can protect itself and, most importantly, protect its customers. www.ipc.on.ca/userfiles/page_attachments/idtheft-revisit.pdf

Personal Health Information Protection Act (PHIPA) Applies to organizations and individuals involved in the delivery of health care services (both public and private sector); The only health sector privacy legislation in Canada based on consent: implied consent within healthcare providers circle of care, otherwise, express consent; The only health sector privacy legislation that was declared to be substantially similar to Canada s federal private sector law, the Personal Information Protection and Electronic Documents Act (PIPEDA).

Mandate of the Legislation Requires consent for the collection, use and disclosure of PHI, with necessary but limited exceptions; Requires that health information custodians treat all PHI as confidential and keep it secure; Codifies an individual s right to access and request correction of his/her own PHI; Gives a patient the right to instruct health information custodians not to share any part of his/her PHI with other health care providers; Establishes clear rules for the use and disclosure of personal health information for secondary purposes including fundraising, marketing and research; Ensures accountability by granting an individual the right to complain to the IPC about the practices of a health information custodian; and Establishes remedies for breaches of the legislation.

PHIPA Order No. 5 Wireless Technology Results in Order PHIPA Order No. 5 resulted from a methadone clinic that installed a wireless video surveillance system in its washroom to monitor patients providing urine samples; Video images were intercepted by a wireless rear view backup camera in a car outside of the clinic; The Clinic was ordered to strongly encrypt all wireless signals if wireless video technology was to be utilized, and to review encryption practices on an annual basis; The standard of practice created by this Order was that if healthcare providers choose to use wireless technology, then they must encrypt strongly.

PHIPA Order No. 4 Stolen Laptop Results in Order Despite the known high risks of loss or theft, personal health information was transported out of a hospital on a portable device (a laptop) by a physician, without safeguards; The Hospital was ordered to either de-identify or encrypt all personal health information before allowing it to be removed from the workplace; PHIPA Order No. 4 created the standard of practice expected regarding the removal of identifiable health information from a healthcare facility if it s not encrypted, it s not in compliance with PHIPA.

Global Privacy Standard In 2005, at the 27th International Data Protection Commissioners Conference in Montreux, Switzerland, I chaired a Working Group of Commissioners convened for the sole purpose of creating a single Global Privacy Standard (GPS); Globalization and converging business practices created the need to harmonize various sets of fair information practices so that businesses and technology companies could turn to a single instrument for assessing whether their practices were privacy-enhancing; The GPS builds upon the strengths of existing codes, containing timehonored privacy principles, but reflects an enhancement by explicitly recognizing the concept of data minimization under the collection limitation principle; The final version of the GPS was formally tabled and accepted by Commissioners in the United Kingdom, on November 3, 2006, at the 28th International Data Protection Commissioners Conference. www.ipc.on.ca/images/resources/up-gps.pdf

Conclusion Recognizing that the laws of various jurisdictions must be respected, a single privacy standard, as reflected in the Global Privacy Standard, can serve as a useful benchmark for businesses and technology/software companies; Turning to technology to enhance privacy not only makes good privacy sense, regardless of jurisdiction, it also makes good business sense, offering a competitive advantage; Integrating technology into sound privacy practices will be an essential way forward to compliment the global framework of laws and policies in place.

How to Contact Us Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario 2 Bloor Street East, Suite 1400 Toronto, Ontario, Canada M4W 1A8 Phone: (416) 326-3333 / 1-800-387-0073 Web: www.ipc.on.ca E-mail: info@ipc.on.ca

2024 © hobbydocbox.com Privacy Policy | Terms of Service | Feedback