Common Principles and Approaches to Privacy

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

Choice and consent

Organizations should: - describe the choices available to individuals - get implicit or explicit consent with respect to the collection, use, retention and disclosure of personal information **Consent is often considered especially important for disclosures of personal information to other data controllers**

Consent and choice

Organizations should: - describe the choices available to individuals - get implicit or explicit consent with respect to the collection, use, retention and disclosure of personal information **Consent is often considered especially important for disclosures of personal information to other data controllers**

Data subject access

Organizations should: - provide individuals with access to their personal information for review and update

Notice

Organizations should: - provide notice about their privacy policies and procedures - identify the purpose for which personal information is collected, used, retained and disclosed

Information life cycle principles

Data needs to be protected throughout its life cycle, from collection to destruction. Appropriate methods of destruction vary based on the type and sensitivity of personal information involved. These principles place obligations or limitations on the collection, use, disclosure, storage and destruction of personal information.

Personal data (EU)

"personal data" is any and all data that relates to an identified or identifiable individual. includes information about an "identified" or "identifiable" individual (e.g., street address, telephone number and e-mail address). Sensitive personal information (special categories of data): Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or data concerning health or sex life

Personally identifiable information (US)

"personally identifiable information (PII)" is information that is covered by privacy laws includes information about an "identified" or "identifiable" individual (e.g., street address, telephone number and e-mail address). Sensitive personal information - SSN and financial information, health information

1890 definition of privacy

"the right to be left alone" - Samuel Warren and Louis Brandeis, Harvard Law Review

Forms of privacy notices

* Contracts * Application forms * Specific web pages * Terms of use * Icons * Signs * Brochures

Typical elements of personal information

* Name * Gender * Contact information (address, phone number, email, etc) * Age and date of birth * Martial status * Other demographic info (income or education) * Languages spoken

Typical elements of customer information

* Purchase history * Other history of interactions (e.g., visits to a website or physical facility) * Information about leads or prospects * Former customers * Market research participants * Voice recording of telephone calls * Citizens or others who receive social security, health or other benefits from the government * Tax records or other records about individuals held by the government

Typical elements of HR information

* Salary * Job title * Productivity and performance statistics * Medical and pension benefits * Employee evaluations * Disabled, veteran or other relevant status * Location information (e.g., controlled by GPS) * Nationality Not limited to current employees

Main drivers and challenges for organizations to protect information

* compliance with laws, regulations and contracts * prevention of data breaches * avoidance of enforcement actions or lawsuits * counter identity theft and fraud * manage other business risks to its brand and reputation * meet customer expectations * staying up to date with evolving technologies * meet the demands of outsourcing, off-shoring and extended global enterprises

Information privacy

**our focus** governs the collection and handling of personal information

Principles of OECD Guidelines

- Collection limitation - Data quality - Purpose specification - Use limitation - Security safeguards - Openness - Individual participation - Accountability

Common themes among principles frameworks

- Collection limitation - OECD/COE/APEC - Data quality - OECD/COE/Madrid - Purpose specification - OECD/COE/Madrid - Use limitation/proportionality - OECD/COE/APEC/Madrid - Security safeguards - OECD/COE/APEC - Openness/notice/choice - OECD/COE/APEC/Madrid - Individual participation/access and correction - OECD/COE/APEC - Accountability - OECD/COE/APEC/Madrid - Preventing harm/lawfullness and fairness - APEC/Madrid - Integrity of personal information - APEC

Ways for organizations to manage information risk

- Privacy impact assessments (PIAs) - Privacy assessments/audits - Privacy by Design

Common processes of information risk management

1. Administrative - policies for proper management of personal information 2. Technical - systems and tools (e.g., encryption) to prevent unauthorized access (or use even if accessed) of personal information 3. Physical - locks, etc. These safeguards reinforce each other

Classes of privacy

1. Information privacy 2. Bodily privacy 3. Territorial privacy 4. Communications privacy

Principles of APEC Framework

1. Preventing harm 2. Notice 3. Collection limitations 4. Uses of personal information 5. Choice 6. Integrity of personal information 7. Security safeguards 8. Access and correction 9. Accountability

Modern privacy in the context of human rights

1948 General Assembly of United Nations - Universal Declaration of Human Rights 1950 Council of Europe - European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) - "everyone has the right to respect for his private and family life, his home and his correspondence" 1960's Council of Europe - Recommendation 509 on Human Rights and Modern and Scientific Technological Developments, a framework of specific principles and standards to prevent unfair collection and processing of personal information

Historical timeline of principles frameworks

1973 - US report - original Code of Fair Information Practices 1980 - OECD Guidelines 1981 - Council of Europe (COE) Convention (broadly similar to OECD Guidelines) 1995 - EU Data Protection Directive (to address problems in connection with trans-border data flows). Directed each member state of the EU to adopt privacy laws that were "equivalent" to each other in providing protection of personal information. 2004 - APEC Privacy Framework 2009 - Madrid Resolution (independent data protection and privacy commissions - not the governments) (purposes: 1) effective and internationally uniform protection of privacy with regard to processing of personal data, and 2) facilitation of the international flows of personal data needed in a globalized world)

Recent definitions of privacy

1997 - UK's Calcutt Committe: "the right of the individual to be protected against intrusion into his personal life or affairs, or those of his family, by direct physical means or by publication of information." Australian Privacy Charter - "a free and democratic society requires respect for the autonomy of individuals, and limits on the power of both state and private organizations to intrude on that autonomy."

Information risk management

An important role for the privacy professional is the manage risk for the organization

Data protection authority (DPA)

An official or agency responsible for overseeing enforcement of data protection laws. In many countries, also educates the public on data protection matters and acts as international liaison for data protection issues.

Privacy assessments/audits

Reviews of an organization's compliance with its privacy policies and procedures, applicable laws, regulations, service-level agreements, standards adopted by the entity and other contracts.

Modern privacy principles

Build on important international agreements, including the OECD Guidelines

Privacy impact assessments (PIAs)

Checklists or tools to ensure that a personal information system is evaluated for privacy risks and designed with life cycle principles in mind. Should: - be completed before implementation of the privacy project, product or service - be ongoing through its development Should identify these attributes of the data collected: * what information is collected * why it is collected * the intended use of the information * with whom the information is shared * the consent and choice rights of the data subjects Used: - to assess new systems, significant changes to existing systems, operational policies and procedures and intended use of the information - before, during and after M&A Maintains consistency between policy and practice

Privacy by Design

Concept that organizations should build privacy directly into technology, systems and practices at the design phase to ensure privacy from the outset. Principles: 1. Proactice not reactive; preventative not remedial 2. Privacy as the default setting 3. Privacy embedded into design 4. Full Functionality - positive-sum, not zero-sum 5. End-to-end security - full life cycle protection 6. Visibility and transparency - keep it open 7. Respect for user privacy - keep it user-centric

Modern ideas about privacy

Decisively shaped by the rapid development of information technology (IT) 1984 - George Orwell's book 1984 - to prevent the creation of "Big Brother", there were increasing demands for formal rules to govern the collection and handling of personal information 1970 - German state of Hesse enacted the first known modern data protection law (motivated in part by IT + attempt to prevent a reoccurrence of the personal information abuses under Hitler's Third Reich, WWII 1970 - US passed its first national privacy law, the Fair Credit Reporting Act (focused on the single sector of information about consumer credit)

Line between personal and non-personal information

Depends on what is "identifiable" Not always clear and regs/courts disagree- ex: EU considers IP address "personal data" because "identifiable", but Ireland and US do not (except that in the US IP addresses in context of healthcare information breaches are). Changes in technology can shift the line (e.g., IP addresses used to be dynamic and now are static)

Disclosure

Disclosure to third parties only: - for the purposes identified in the notice - for which the individual has provided implicit or explicit consent Rights of the data subject should be maintained even on transfer of the information to other parties. Other requirement should be conveyed to third party controllers and processors. New purposes and uses may be subject to consent.

Personal information definition

EU - "personal data" is any and all data that relates to an identified or identifiable individual US - "personally identifiable information (PII)" is information that is covered by privacy laws Canada - "personal information" is information about an identifiable individual, but does not include certain business contact information Japan - "personal information" is information that relates to living individuals and that can identify specific individuals by name, date of birth or other description All definitions are similar - information about an identified individual, such as name and SSN. Also includes information about an "identified" or "identifiable" individual (e.g., street address, telephone number and e-mail address).

Organizations in the chain

Each organization in the chain - from data controller, to data processor, to any subsequent data processor acting on behalf of the first data processor - must act in a trusted way, doing operations that are consistent with the direction of the data controller

History of legal protection of privacy rights

Far-reaching history - 1361 Justice of the Peace Act in England for arrest of "peeping toms" and eavesdroppers - 1765 British Lord Camden protected the privacy of the home - 1776 Swedish Parliament Access to Public Records Act - 1858 France prohibited publication of private facts

Aggregate or stastistical information

Generally does not raise privacy compliance issues

The Organization of Economic Cooperation and Development (OECD) "Guidelines Governing the Protection of Privacy and Trans-border Data Flows of Personal Data" (1980)

International organization published a set of privacy principles - the most widely recognized framework for fair information practices

Potential outcomes of information risk management

Improper handling of personal information can lead to a range of problems and costs

data protection law

In the EU and other countries, laws in the area of protection of information about individuals

privacy law

In the U.S. and other countries, laws in the area of protection of information about individuals

Sources of personal information

Information about an individual can be treated differently based on the source of the information. 3 sources: 1. Public records - collected and maintained by a government entity and available to the general public 2. Publicly available information - generally available to a wide range of persons 3. Nonpublic information - not generally available or easily accessed due to law or custom

U.S. fair information practices

Means for organizing the multiple individual rights and organizational responsibilities that exist with respect to personal information. Date back to a 1973 report by the US Dept of Health, Education and Welfare Advisory Committee on Automated System.

The Asia Pacific Economic Cooperation (APEC) privacy pinciples (2004)

Multinational organization with 21 Pacific coast members and the Americas. APEC Privacy Framework generally mirrors the OECD Guidelines, but in some areas are more explicit about exceptions.

General and organizational information

Not considered personal information, but key part of the information assets of an organization (so needs to be protected and secured to ensure its confidentiality). Examples: - financial - human resources - operational - IP - information about the organization's products and services

Rights of individuals

Notice, access, choice and consent

Scope and limitations on use

Organization: - collects personal information only for the purposes identified in the notice - limit their use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent - retain personal information only as long as necessary to fulfill the stated purpose - disclose personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual

Management and administration

Organizations should define, document, communicate and assign accountability for their privacy policies and procedures

Use and retention

Organizations should limit the use of personal information to: - the purposes identified in the notice - for which the individual has provided implicit of explicit consent Retain personal information only for as long as necessary to fulfill the stated purposes. Data not retained should be securely disposed, returned or destroyed.

Monitoring and enforcement

Organizations should monitor compliance with their privacy policies and procedures and have procedures to address privacy-related complaints and disputes

Purposes of privacy notices

consumer education and organizational accountability

Corporate information

Privacy and data protection laws generally focused on individuals, not a corporation/other organization Sole propietorship/small business - information may be so closely linked to an individual that it may be considered personal information

Privacy's impact on organizational risk

Privacy is a personal issue, a social issue, a legal issue and a business issue. Organizations face the challenge of effectively managing compliance, expectations and risk across increasingly complex and geographically diverse enterprises.

Privacy policy and notice

Privacy policy - an internal statement that governs an organization's or entity's handling practices of personal information. Directed at the users of the personal information. Privacy notice - a statement made to a data subject that describes how the organization collects, uses, retains and discloses personal information. Sometimes referred to as a privacy statement, a fair processing statement or a privacy policy. Common to use the organization's privacy policy as a privacy notice.

Processing of personal information

Processing is very broad - the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, disclosure by transmission, dissemination or making available in any other form, linking, alignment or combination, blocking, erasure or destruction

Opt in and opt out

Two central concepts of choice. Opt in - an individual actively affirms that information can be shared with third parties (e.g., checks a box stating she wants info to go to another organization) Opt out - in the absence of action by the individual, information can be shared with third parties (e.g., unless a box is checked, information can go to another organization)

Data subject

The individual about whom information is processed Ex: patient at a medical facility, employee of a company, customer of a retail store

Collection

There should be limits to the collection of personal data. It should be collected: - by lawful and fair means - with the knowledge or consent of the subject - limited to an identified purpose and compatible uses - proportionate and executed through lawful means Collection from third parties should also be considered.

Data controller

an organization that has the authority to decide how and why personal information is to be processed **the focus of most obligations under privacy and data protection laws**

Special categories of data (EU)

What EU Data Protection Directive calls sensitive personal information Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or data concerning health or sex life Other data can be considered sensitive in other EU countries

Bodily privacy

a person's physical being and invasion thereof

Non-personal information

also called "de-identified" or "anonymized" information frequently used for research, statistical or aggregate purposes privacy and data protection laws generally do not apply to non-personal information

Data processor

an individual or organization, often a third-party outsourcing service, that processes data on behalf of the data controller

Territorial privacy

placing limits on the ability to intrude into another individual's environment

Communications privacy

protection of the means of correspondence

History of information privacy as a social concept

rooted in some of the oldest texts and cultures - laws of classical Greece, the Bible, Jewish law, Qur'an, sayings of Mohammed

Sensitive personal information

subset of personal information - requires additional privacy and security limitations to safeguard may vary depending on the jurisdiction and regulations US - SSN and financial information Almost all countries - health information

Pseudonymized data

where information about individuals is retained under pseudonyms


Ensembles d'études connexes

EMT - Chapter 33: Obstetrics and Neonatal Care

View Set

The Criminal Justice System Reading and Exercises

View Set

Economics Chapter 28 - Economic Growth

View Set

ISSA PERSONAL TRAINER CHAPTER 9 - PRINCIPLES OF PROGRAM DESIGN

View Set

What Macroeconomics is all about

View Set