LAB3-R04 A Hard Privacy Impact Assessment. Post conference summary


LAB3-R04 A Hard Privacy Impact Assessment
Post-conference summary
John Elliott (@withoutfire)
Joanne Furtsch (@PrivacyGeek)

Table of Contents
Thank You
What is Privacy?
  The European Perspective
  The US Perspective
What is Privacy Risk?
  Privacy Harms
Privacy Impact Assessments
  When to do a PIA
  PIA Process
  Privacy Solutions
Case Study: Automatic Risk Analysis of Online Chat
Resources

Privacy Impact Assessments

This post-session summary is a recap of the Learning Lab. The main aim of the Lab was to help information security professionals understand the what, when, why and how of a privacy impact assessment. Hopefully now, when you have to work with a privacy professional, you will at least know what they're talking about!

Thank you

Before going into a recap of the session, which I hope you'll find really useful as a reminder of the material we covered (because I'll be the first to acknowledge that doing this in two hours was a bit of a sprint), I wanted to say thanks for attending and participating; both Joanne and I really enjoyed running the session.

What is Privacy?

Hopefully you'll remember the fun discussion you had about how much you all earned! The generally accepted definition of privacy is:

The ability of a person to control, edit, manage and delete information about themselves and to decide how, and to what extent, such information is communicated to others.

There was a brilliant talk all about privacy at RSA Conference 2017 from IAPP President and CEO Trevor Hughes. If you want a better understanding of the nuances of privacy, you can watch the recording at: https://www.rsaconference.com/videos/the-future-of-privacy-2017

There are, however, contrasting viewpoints in Europe and the US about whether privacy is a (fundamental) right or a legal tort.

The European Perspective

The European view is that privacy is a right. It's enshrined in Article 8 of the European Convention on Human Rights:

Everyone has the right to respect for his private and family life, his home and his correspondence.

The latest pan-European legislation, the General Data Protection Regulation (GDPR), starts off (Recital 1) by stating:

The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the 'Charter') and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her.

And the first Article states:

1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.

2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

So any interpretation of a privacy matter in Europe will be rights-based. This matters even if you're a US-based company, if you process the data of people who are in the EU, because the GDPR is extra-territorial in application: Article 3(2) applies it to controllers and processors outside the Union that offer goods or services to, or monitor the behaviour of, people in the Union.

The US Perspective

In the US, privacy has developed as a tort since Louis Brandeis (later a Supreme Court Justice) and Samuel Warren published "The Right to Privacy" in 1890, arguing for "the right to be let alone" in response to the arrival of the portable camera (for more about this, see Trevor Hughes' presentation, linked above). Privacy is not an explicit general right in the US; it is contained in separate, sector-specific pieces of legislation. Some examples are GLBA (financial services), HIPAA (health), COPPA (children online) and FERPA (education records).

The previous administration produced a review entitled "Privacy in our Digital Lives: Protecting Individuals and Promoting Innovation" (January 2017) that described a move towards a more rights-based view of privacy in the US; however, where privacy sits within the new administration's priorities is yet to be seen.

What is Privacy Risk?

Privacy risk is the risk of harm arising through an intrusion into privacy.

Privacy Harms

Privacy harms can affect both individuals and organizations. The types of events that give rise to privacy harms are:

- Unauthorized disclosure
  - Data breach
  - Over-sharing
- Keeping someone's data for too long
- Doing something the person wouldn't expect
- Drawing conclusions from multiple data points
- Using inaccurate data

The harms that can affect an individual are typically broken down into two areas: direct harms (which are easily measured) and indirect harms (which are harder to measure).

Direct harms include loss of employment, financial loss, disruption of relationships and harm to both physical and mental health. For an example, think of what happened after the breach at the affairs website Ashley Madison, where people who were included in the leaked database lost their jobs and marriages and, in some cases, took their own lives.

Indirect harms include self-censorship (because people are afraid that their privacy will not be maintained; in the EU this is also closely related to the right to freedom of expression), a loss of personal dignity and a loss of personal autonomy.

The harm to an organization can be reputational, which can affect both individual and institutional trust (think Yahoo!); regulatory, which can result in fines or an expensive audit regime (e.g. from the FTC); and legal, as the organization can be subject to direct legal action (e.g. for damages) from data subjects.

Privacy Impact Assessments

A Privacy Impact Assessment (PIA) is also called a Privacy Risk Assessment, and in the EU the GDPR calls it a Data Protection Impact Assessment (DPIA). Although privacy pros tend to talk about privacy impact, they really mean privacy risk, and as InfoSec professionals we know how to do risk assessments. So when you hear PIA, think Privacy Risk Assessment, or simply: what is the impact and probability of the privacy harms identified above happening to individuals and to the corporation? Once you've done a PIA then, just as with a traditional information security risk assessment, you can apply solutions to bring the privacy risk back within the organization's risk appetite.

When to do a PIA

The simple answer is as early as possible in any project. The earlier you do a PIA, the sooner you can influence the design to reduce privacy risks. Just as with information security, it's easier to address risks by design early on than to try to apply controls afterwards.

There are also some statutory requirements where a PIA (or DPIA) is required:

In the US, the E-Government Act of 2002, Section 208, requires federal government agencies to do PIAs for electronic information systems and collections. A PIA is also recommended as best practice for all organizations processing personal data, and would be useful in defending legal privacy-related claims.

In the EU, the GDPR (Article 35(1)) requires a DPIA whenever processing is likely to result in a high risk to individuals, and Article 35(3) says one is required in particular when an organization plans:

1. A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
2. Processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
3. A systematic monitoring of a publicly accessible area on a large scale.

PIA Process

There are six steps in a typical PIA process:

1. Document the information flows (and also volumes), which is what you'll be familiar with doing when carrying out information security risk assessments. However, for a PIA it is important to also consider the nature of the data being processed; different levels of privacy harm attach to different sorts of personal data.
2. Identify all the entities that could be affected by a privacy harm. This could be individuals, organizations and other third parties.
3. Identify the states and countries where the individuals reside. This is important so that you can capture all the relevant compliance requirements.
4. Identify the privacy risks (harms/impacts and probability) and the compliance obligations.
5. Develop privacy solutions to minimize the privacy risks (or bring them within the organization's risk appetite) and meet compliance requirements.
6. Talk to stakeholders about the risks and how they will be addressed. It's often very useful to talk with the data subjects (users, employees) about what you've discovered.

Privacy Solutions

There are four main ways to address privacy risks:

1. Data minimization. By far the most powerful way of reducing risk is not to collect data at all; if you must collect data, collect only the minimum you need and delete it as soon as you can.
2. Anonymization and pseudonymization, so that data is no longer related to an identifiable individual. One caveat: under the GDPR, pseudonymized data that can still be attributed to a person using additional information (such as the key or lookup table) remains personal data; only truly anonymized data falls outside the Regulation.
3. Encryption, which we know is hard to do well, but good encryption of data can prevent it being used or accessed improperly.
4. Technical controls, which are the same ones you know from your information security experience.

Case Study: Automatic Risk Analysis of Online Chat

In the case study we considered the privacy harms that could come to Alice, Bob, ANDY and the chat provider. The most interesting aspect, I hope you found, was that the greatest privacy risk to all four of the entities was the same: unauthorized disclosure of the contents of Alice's (and Bob's) chat messages. All the working groups came to the same conclusion, which was to hold that data only in memory and, as soon as the chat session was finished, to forget it and not store it. This is a great example of data minimization being the most powerful privacy solution we have.

Resources

If you enjoyed this journey into privacy, which I'll acknowledge was pretty high speed, you'll find lots of great resources on the International Association of Privacy Professionals (IAPP) website at https://iapp.org/. They have a great qualification for IT professionals who want to demonstrate their privacy credentials, the CIPT: https://iapp.org/certify/cipt/. Joanne would of course like to direct you to the TRUSTe website, where again you'll find lots of useful privacy information: https://www.truste.com/. And sometimes I write about privacy things, as well as payments (PCI) and cyber security, at http://withoutfire.com/.

John Elliott, March 2017
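The working groups' "keep it in memory, then forget it" conclusion and the pseudonymization and data minimization solutions above, as an added example that is not part of the original summary or of any working group's material: a small Python model of a chat risk analyser. Message text lives only in memory for the life of a session; what survives is a per-session risk record keyed by an HMAC pseudonym of each user rather than the user ID, and the block also shows why an unkeyed hash of an identifier is not a pseudonym at all (anyone with a list of candidate IDs can recompute and match it). The risk phrases, user IDs and messages are constructed for illustration, and the `ChatSession`, `pseudonymize` and `run_demo` names and the provider-held HMAC key are assumptions of this example, not anything from the Lab.

```python
"""Added example (not from the Learning Lab): a chat risk analyser that keeps
message text only in memory for the life of a session, retains a per-session
risk record keyed by an HMAC pseudonym of each user, and shows why an unkeyed
hash is not a pseudonym. Phrases, user IDs and messages below are constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed indicator list for illustration only; a real grooming detector
# would be far more sophisticated than substring matching.
RISK_PHRASES = ("keep this secret", "send a photo", "don't tell your parents")


def pseudonymize(user_id: str, key: bytes) -> str:
    """Keyed pseudonym: stable for the same user and key, not reversible
    without the key. The hex prefix keeps the retained record compact."""
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()[:16]


def unkeyed_pseudonym(user_id: str) -> str:
    """The weak alternative: a plain hash of the identifier."""
    return hashlib.sha256(user_id.encode()).hexdigest()[:16]


def reidentify(pseudonym: str, candidates: List[str]) -> Optional[str]:
    """Dictionary attack: recompute the unkeyed hash of each candidate ID and
    compare. Succeeds against unkeyed_pseudonym, fails against pseudonymize."""
    for cand in candidates:
        if unkeyed_pseudonym(cand) == pseudonym:
            return cand
    return None


def score_message(text: str) -> int:
    """Count risk indicators in one message. Only the count leaves this function."""
    lower = text.lower()
    return sum(1 for phrase in RISK_PHRASES if phrase in lower)


class ChatSession:
    """Holds (user_id, text) pairs in memory only while the session is open."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._messages: List[Tuple[str, str]] = []

    def receive(self, user_id: str, text: str) -> None:
        self._messages.append((user_id, text))

    def close(self) -> Dict[str, object]:
        """Build the retained record, then discard the message contents."""
        risk_by_user: Dict[str, int] = {}
        for user_id, text in self._messages:
            p = pseudonymize(user_id, self._key)
            risk_by_user[p] = risk_by_user.get(p, 0) + score_message(text)
        record = {
            "message_count": len(self._messages),
            "risk_by_user": risk_by_user,
            "flagged": any(score > 0 for score in risk_by_user.values()),
        }
        self._messages.clear()  # data minimization: the text is never stored
        return record

    def retained_message_count(self) -> int:
        return len(self._messages)


def run_demo() -> Dict[str, object]:
    """End-to-end run on a constructed three-message session."""
    key = secrets.token_bytes(32)  # assumption: a provider-held secret, rotated per policy
    session = ChatSession(key)
    session.receive("andy@example.com", "hey, keep this secret ok? send a photo")
    session.receive("alice@example.com", "i dunno")
    session.receive("andy@example.com", "don't tell your parents")
    record = session.close()
    candidates = ["bob@example.com", "alice@example.com", "andy@example.com"]
    return {
        "record": record,
        "content_retained": session.retained_message_count(),
        "weak_reidentified": reidentify(unkeyed_pseudonym("andy@example.com"), candidates),
        "keyed_reidentified": reidentify(pseudonymize("andy@example.com", key), candidates),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` closes the session with a record that names no user and contains no message text, while the plain SHA-256 pseudonym of the same user is recovered from a three-entry candidate list on the first try. Two design points worth carrying into a real PIA: the HMAC key is the "additional information" that the GDPR caveat above is about, so whoever holds it can still re-identify the record and the record is still personal data for them; and the detector score is the only thing that outlives the session, which is the minimization decision the working groups made.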

SESSION ID: LAB3-R04
A Hard Privacy Impact Assessment: Monitoring and Protecting Children Online
John Elliott LLM CIPP/E, Head of Payment Security, easyJet (@withoutfire)
Joanne B. Furtsch CIPP/US/C, Director, Policy and Data Governance, TRUSTe (@PrivacyGeek)

Agenda
Theory
  What is Privacy?
  What is a Privacy Impact Assessment? Why do one?
  US View
  EU / GDPR View
Practice - Detecting grooming online
  What are the privacy risks?
  Who do they affect?
  How could they be reduced / managed?

What we hope you'll take away
  Basic privacy principles
  Why do a PIA (or a DPIA)
  How to conduct a PIA
  Where next?

What is privacy?

Introduce yourselves to each other
  Name
  Where you come from
  What you want to get out of this session
  How much you earn

What is privacy?

the ability of a person to control, edit, manage and delete information about themselves and to decide how and to what extent such information is communicated to others.

EU Perspective
European Convention on Human Rights (ECHR), Article 8:
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

EU Perspective
General Data Protection Regulation (GDPR), Recital 1:
The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the 'Charter') and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her.

In the EU privacy is a fundamental human right
  European Convention on Human Rights (ECHR)
  General Data Protection Regulation (GDPR)
GDPR Article 1
1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

Why is GDPR important? Extra-territorial application
GDPR Article 3(2):
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
Will you process the data of anyone who is in the EU? (Note that the test is presence in the Union, not EU citizenship.)

US Perspective
"Privacy is more than just, as Justice Brandeis famously proclaimed, 'the right to be let alone.' It is the right to have our most personal information be kept safe by others we trust. It is the right to communicate freely and to do so without fear. It is the right to associate freely with others, regardless of the medium. In an age where so many of our thoughts, words, and movements are digitally recorded, privacy cannot simply be an abstract concept in our lives; privacy must be an embedded value."
Privacy in our Digital Lives: Protecting Individuals and Promoting Innovation. White House, January 17, 2017

US Perspective
U.S. paradigm shift: viewing privacy as a right
  Financial crisis
  Evolving technology and growth
Sectoral approach to privacy laws
  Industries or individual types where data misuse can cause a high level of harm
  GLBA, HIPAA, COPPA, and FERPA
  Self-regulation or voluntary frameworks fill the gaps
Questions around where the U.S. approach is headed
  Recent Executive Order removing Privacy Act protections for non-U.S. citizens
  Policies around government surveillance and their impact on US businesses
  EU-U.S. Privacy Shield agreement remains intact
    Does not rely on protections under the Privacy Act

What is privacy risk?

Privacy Risk is the risk of harm arising through an intrusion into privacy.

What could be privacy harm?

What can cause harm to individuals?
  Unauthorized disclosure
    Data breach
    Over-sharing
  Keeping data for too long
  Doing something the person wouldn't expect
  Drawing conclusions from multiple data points
  Using inaccurate data

Direct harm
  Loss of employment
  Financial loss
  Disruption of relationships
  Harm to mental and physical health

Indirect harm
  Self-censorship
  Loss of personal dignity
  Loss of personal autonomy
  Fear of something happening

It's just like any infosec risk: likelihood (probability) × impact

Privacy risk to corporations
  Adverse publicity
  Regulatory censure
  Trust / distrust
  Existential risk
  Direct action from data subjects (consumers)
  + Explicit compliance requirements

Privacy risk assessment Privacy Impact Assessment (PIA) Data Protection Impact Assessment (DPIA)

Process
  Document information flows (and volumes)
  Identify entities (including 3rd parties)
  Identify geographies (states/countries)
  Identify privacy risks and compliance obligations
  Develop privacy solutions
  Consult with stakeholders

Privacy solutions
  Data minimization
  Anonymization, pseudonymization
  Encryption
  Other technical protection

When - generally
  Type of data
  Quantity of data
  Doing something new
  New technology
And at what stage in the process?

USA: when to do a PIA
  E-Government Act of 2002, Section 208
    U.S. government agencies required to do PIAs for electronic information systems and collections
    Documented assurance that privacy issues have been identified and addressed early in the development lifecycle
  Conducting PIAs is an industry best practice
  Government PIAs and process serve as examples

What GDPR says: do a DPIA when
1. A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
2. Processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
3. A systematic monitoring of a publicly accessible area on a large scale.

Tips
  Minimize data
    Types
    Length of storage
    Storage locations
  Pseudonymize, anonymize

(D)PIAs in InfoSec work
  Network monitoring
  Email monitoring
  Endpoint monitoring

International Association of Privacy Professionals
  Resources for privacy pros: iapp.org
  Certification for technologists working in privacy: Certified Information Privacy Technologist (CIPT)