Common Principles and Approaches to Privacy


Choice and consent

Organizations should:
- describe the choices available to individuals
- get implicit or explicit consent with respect to the collection, use, retention and disclosure of personal information

**Consent is often considered especially important for disclosures of personal information to other data controllers**

Data subject access

Organizations should:
- provide individuals with access to their personal information for review and update

Notice

Organizations should:
- provide notice about their privacy policies and procedures
- identify the purpose for which personal information is collected, used, retained and disclosed

Information life cycle principles

Data needs to be protected throughout its life cycle, from collection to destruction. Appropriate methods of destruction vary based on the type and sensitivity of personal information involved. These principles place obligations or limitations on the collection, use, disclosure, storage and destruction of personal information.

Personal data (EU)

"Personal data" is any and all data that relates to an identified or identifiable individual. Includes information about an "identified" or "identifiable" individual (e.g., street address, telephone number and e-mail address).

Sensitive personal information (special categories of data): personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or data concerning health or sex life.

Personally identifiable information (US)

"Personally identifiable information (PII)" is information that is covered by privacy laws. Includes information about an "identified" or "identifiable" individual (e.g., street address, telephone number and e-mail address).

Sensitive personal information: SSN and financial information, health information.

1890 definition of privacy

"the right to be left alone" - Samuel Warren and Louis Brandeis, Harvard Law Review

Forms of privacy notices

* Contracts
* Application forms
* Specific web pages
* Terms of use
* Icons
* Signs
* Brochures

Typical elements of personal information

* Name
* Gender
* Contact information (address, phone number, email, etc.)
* Age and date of birth
* Marital status
* Other demographic info (income or education)
* Languages spoken

Typical elements of customer information

* Purchase history
* Other history of interactions (e.g., visits to a website or physical facility)
* Information about leads or prospects
* Former customers
* Market research participants
* Voice recordings of telephone calls
* Citizens or others who receive social security, health or other benefits from the government
* Tax records or other records about individuals held by the government

Typical elements of HR information

* Salary
* Job title
* Productivity and performance statistics
* Medical and pension benefits
* Employee evaluations
* Disabled, veteran or other relevant status
* Location information (e.g., collected by GPS)
* Nationality

Not limited to current employees.

Main drivers and challenges for organizations to protect information

* compliance with laws, regulations and contracts
* prevention of data breaches
* avoidance of enforcement actions or lawsuits
* countering identity theft and fraud
* managing other business risks to its brand and reputation
* meeting customer expectations
* staying up to date with evolving technologies
* meeting the demands of outsourcing, off-shoring and extended global enterprises

Information privacy

**our focus** governs the collection and handling of personal information

Principles of OECD Guidelines

- Collection limitation
- Data quality
- Purpose specification
- Use limitation
- Security safeguards
- Openness
- Individual participation
- Accountability

Common themes among principles frameworks

- Collection limitation: OECD/COE/APEC
- Data quality: OECD/COE/Madrid
- Purpose specification: OECD/COE/Madrid
- Use limitation/proportionality: OECD/COE/APEC/Madrid
- Security safeguards: OECD/COE/APEC
- Openness/notice/choice: OECD/COE/APEC/Madrid
- Individual participation/access and correction: OECD/COE/APEC
- Accountability: OECD/COE/APEC/Madrid
- Preventing harm/lawfulness and fairness: APEC/Madrid
- Integrity of personal information: APEC

Ways for organizations to manage information risk

- Privacy impact assessments (PIAs)
- Privacy assessments/audits
- Privacy by Design

Common processes of information risk management

1. Administrative: policies for proper management of personal information
2. Technical: systems and tools (e.g., encryption) to prevent unauthorized access to (or use of, even if accessed) personal information
3. Physical: locks, etc.

These safeguards reinforce each other.

Classes of privacy

1. Information privacy
2. Bodily privacy
3. Territorial privacy
4. Communications privacy

Principles of APEC Framework

1. Preventing harm
2. Notice
3. Collection limitations
4. Uses of personal information
5. Choice
6. Integrity of personal information
7. Security safeguards
8. Access and correction
9. Accountability

Modern privacy in the context of human rights

1948 - General Assembly of the United Nations: Universal Declaration of Human Rights

1950 - Council of Europe: European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR): "everyone has the right to respect for his private and family life, his home and his correspondence"

1960s - Council of Europe: Recommendation 509 on Human Rights and Modern Scientific and Technological Developments, a framework of specific principles and standards to prevent unfair collection and processing of personal information

Historical timeline of principles frameworks

1973 - US report: original Code of Fair Information Practices

1980 - OECD Guidelines

1981 - Council of Europe (COE) Convention (broadly similar to the OECD Guidelines)

1995 - EU Data Protection Directive (to address problems in connection with trans-border data flows). Directed each member state of the EU to adopt privacy laws that were "equivalent" to each other in providing protection of personal information.

2004 - APEC Privacy Framework

2009 - Madrid Resolution (independent data protection and privacy commissions, not the governments). Purposes: 1) effective and internationally uniform protection of privacy with regard to processing of personal data, and 2) facilitation of the international flows of personal data needed in a globalized world.

Recent definitions of privacy

1997 - UK's Calcutt Committee: "the right of the individual to be protected against intrusion into his personal life or affairs, or those of his family, by direct physical means or by publication of information."

Australian Privacy Charter: "a free and democratic society requires respect for the autonomy of individuals, and limits on the power of both state and private organizations to intrude on that autonomy."

Information risk management

An important role for the privacy professional is to manage risk for the organization.

Data protection authority (DPA)

An official or agency responsible for overseeing enforcement of data protection laws. In many countries, also educates the public on data protection matters and acts as international liaison for data protection issues.

Privacy assessments/audits

Reviews of an organization's compliance with its privacy policies and procedures, applicable laws, regulations, service-level agreements, standards adopted by the entity and other contracts.

Modern privacy principles

Build on important international agreements, including the OECD Guidelines

Privacy impact assessments (PIAs)

Checklists or tools to ensure that a personal information system is evaluated for privacy risks and designed with life cycle principles in mind.

Should:
- be completed before implementation of the privacy project, product or service
- be ongoing through its development

Should identify these attributes of the data collected:
* what information is collected
* why it is collected
* the intended use of the information
* with whom the information is shared
* the consent and choice rights of the data subjects

Used:
- to assess new systems, significant changes to existing systems, operational policies and procedures and intended use of the information
- before, during and after M&A

Maintains consistency between policy and practice.

Privacy by Design

Concept that organizations should build privacy directly into technology, systems and practices at the design phase to ensure privacy from the outset.

Principles:
1. Proactive not reactive; preventative not remedial
2. Privacy as the default setting
3. Privacy embedded into design
4. Full functionality: positive-sum, not zero-sum
5. End-to-end security: full life cycle protection
6. Visibility and transparency: keep it open
7. Respect for user privacy: keep it user-centric

Modern ideas about privacy

Decisively shaped by the rapid development of information technology (IT).

1984 - George Orwell's book 1984: to prevent the creation of "Big Brother", there were increasing demands for formal rules to govern the collection and handling of personal information

1970 - German state of Hesse enacted the first known modern data protection law (motivated in part by IT and by an attempt to prevent a recurrence of the personal information abuses under Hitler's Third Reich during WWII)

1970 - US passed its first national privacy law, the Fair Credit Reporting Act (focused on the single sector of information about consumer credit)

Line between personal and non-personal information

Depends on what is "identifiable". Not always clear, and regulators/courts disagree. Example: the EU considers an IP address "personal data" because it is "identifiable", but Ireland and the US do not (except that in the US, IP addresses in the context of healthcare information breaches are). Changes in technology can shift the line (e.g., IP addresses used to be dynamic and now are static).

Disclosure

Disclosure to third parties only:
- for the purposes identified in the notice
- for which the individual has provided implicit or explicit consent

Rights of the data subject should be maintained even on transfer of the information to other parties. Other requirements should be conveyed to third-party controllers and processors. New purposes and uses may be subject to consent.

Personal information definition

EU - "personal data" is any and all data that relates to an identified or identifiable individual

US - "personally identifiable information (PII)" is information that is covered by privacy laws

Canada - "personal information" is information about an identifiable individual, but does not include certain business contact information

Japan - "personal information" is information that relates to living individuals and that can identify specific individuals by name, date of birth or other description

All definitions are similar: information about an identified individual, such as name and SSN. Also includes information about an "identified" or "identifiable" individual (e.g., street address, telephone number and e-mail address).

Organizations in the chain

Each organization in the chain - from data controller, to data processor, to any subsequent data processor acting on behalf of the first data processor - must act in a trusted way, doing operations that are consistent with the direction of the data controller

History of legal protection of privacy rights

Far-reaching history:
- 1361 Justice of the Peace Act in England for arrest of "peeping toms" and eavesdroppers
- 1765 British Lord Camden protected the privacy of the home
- 1776 Swedish Parliament Access to Public Records Act
- 1858 France prohibited publication of private facts

Aggregate or statistical information

Generally does not raise privacy compliance issues

The Organization of Economic Cooperation and Development (OECD) "Guidelines Governing the Protection of Privacy and Trans-border Data Flows of Personal Data" (1980)

International organization published a set of privacy principles - the most widely recognized framework for fair information practices

Potential outcomes of information risk management

Improper handling of personal information can lead to a range of problems and costs

data protection law

In the EU and other countries, laws in the area of protection of information about individuals

privacy law

In the U.S. and other countries, laws in the area of protection of information about individuals

Sources of personal information

Information about an individual can be treated differently based on the source of the information. Three sources:
1. Public records: collected and maintained by a government entity and available to the general public
2. Publicly available information: generally available to a wide range of persons
3. Nonpublic information: not generally available or easily accessed due to law or custom

U.S. fair information practices

Means for organizing the multiple individual rights and organizational responsibilities that exist with respect to personal information. Date back to a 1973 report by the US Dept of Health, Education and Welfare Advisory Committee on Automated System.

The Asia Pacific Economic Cooperation (APEC) privacy principles (2004)

Multinational organization with 21 Pacific coast members in Asia and the Americas. The APEC Privacy Framework generally mirrors the OECD Guidelines, but in some areas is more explicit about exceptions.

General and organizational information

Not considered personal information, but a key part of the information assets of an organization (so needs to be protected and secured to ensure its confidentiality). Examples:
- financial
- human resources
- operational
- IP
- information about the organization's products and services

Rights of individuals

Notice, access, choice and consent

Scope and limitations on use

Organization:
- collects personal information only for the purposes identified in the notice
- limits its use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent
- retains personal information only as long as necessary to fulfill the stated purpose
- discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual

Management and administration

Organizations should define, document, communicate and assign accountability for their privacy policies and procedures

Use and retention

Organizations should limit the use of personal information to:
- the purposes identified in the notice
- those for which the individual has provided implicit or explicit consent

Retain personal information only for as long as necessary to fulfill the stated purposes. Data not retained should be securely disposed of, returned or destroyed.

Monitoring and enforcement

Organizations should monitor compliance with their privacy policies and procedures and have procedures to address privacy-related complaints and disputes

Purposes of privacy notices

consumer education and organizational accountability

Corporate information

Privacy and data protection laws are generally focused on individuals, not a corporation or other organization.

Sole proprietorship/small business: information may be so closely linked to an individual that it may be considered personal information.

Privacy's impact on organizational risk

Privacy is a personal issue, a social issue, a legal issue and a business issue. Organizations face the challenge of effectively managing compliance, expectations and risk across increasingly complex and geographically diverse enterprises.

Privacy policy and notice

Privacy policy - an internal statement that governs an organization's or entity's handling practices of personal information. Directed at the users of the personal information.

Privacy notice - a statement made to a data subject that describes how the organization collects, uses, retains and discloses personal information. Sometimes referred to as a privacy statement, a fair processing statement or a privacy policy.

Common to use the organization's privacy policy as a privacy notice.

Processing of personal information

Processing is very broad - the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, disclosure by transmission, dissemination or making available in any other form, linking, alignment or combination, blocking, erasure or destruction

Opt in and opt out

Two central concepts of choice.

Opt in - an individual actively affirms that information can be shared with third parties (e.g., checks a box stating she wants info to go to another organization)

Opt out - in the absence of action by the individual, information can be shared with third parties (e.g., unless a box is checked, information can go to another organization)

Data subject

The individual about whom information is processed. Examples: patient at a medical facility, employee of a company, customer of a retail store.

Collection

There should be limits to the collection of personal data. It should be collected:
- by lawful and fair means
- with the knowledge or consent of the subject
- limited to an identified purpose and compatible uses
- proportionate and executed through lawful means

Collection from third parties should also be considered.

Data controller

an organization that has the authority to decide how and why personal information is to be processed **the focus of most obligations under privacy and data protection laws**

Special categories of data (EU)

What the EU Data Protection Directive calls sensitive personal information: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or data concerning health or sex life. Other data can be considered sensitive in other EU countries.

Bodily privacy

a person's physical being and invasion thereof

Non-personal information

Also called "de-identified" or "anonymized" information. Frequently used for research, statistical or aggregate purposes. Privacy and data protection laws generally do not apply to non-personal information.

Data processor

an individual or organization, often a third-party outsourcing service, that processes data on behalf of the data controller

Territorial privacy

placing limits on the ability to intrude into another individual's environment

Communications privacy

protection of the means of correspondence

History of information privacy as a social concept

rooted in some of the oldest texts and cultures - laws of classical Greece, the Bible, Jewish law, Qur'an, sayings of Mohammed

Sensitive personal information

Subset of personal information that requires additional privacy and security limitations to safeguard. May vary depending on the jurisdiction and regulations.

US - SSN and financial information

Almost all countries - health information

Pseudonymized data

where information about individuals is retained under pseudonyms
