Protecting Your Private Parts
Tracy Ann Kosa
TASK Meeting, 27 February 2008

Objectives
- Terminology
- Privacy & Security
- Privacy Design Requirements

Types of Privacy
- Three dimensions of privacy:
  - Territorial
  - Physical
  - Informational

Informational Privacy
- "Privacy is the claim of individuals, groups and institutions to determine for themselves, when, how and to what extent information about them is communicated to others" (Westin 1967)

Personal Information
- Any information concerning the personal or material circumstances of an identified or identifiable person

The Case for Privacy
- Technology amplifies the possibility of surveillance and misuse of PI
- "Privacy legislation plays an important role in designing, implementing, and using privacy-enhancing systems" (Fischer-Hübner 2001)

Security & Privacy
"I think of privacy as the use of the data by somebody you gave it to, and security as the theft of the data or the interception of the data by the unknown third party. If I buy a ticket from Travelocity, what Travelocity does with my data is a privacy issue. If somebody hacks into Travelocity and steals that data, that's a security issue." (Cate 2008)

Security Impacts Privacy
- Security techniques can help protect personal information
- Security techniques can also affect the privacy of a data subject: authentication, logging and monitoring controls generate their own records about who did what and when

Security Models
- Bell-LaPadula
- Lattice model of information flow
- Biba model
- Clark-Wilson model
- Chinese Wall model
- RBAC model
- Task-based authorization model
- Object-oriented security model
(Fischer-Hübner 2001)


Security Criteria
- Trusted Computer System Evaluation Criteria (TCSEC), European Information Technology Security Evaluation Criteria (ITSEC), Canadian Trusted Computer Product Evaluation Criteria (CTCPEC)
- Focus on protecting the system and the organization, not the users and the data subjects

Privacy Criteria for Security
- Protecting the confidentiality, integrity and availability of PI
  - Protect PI from unauthorized collection, use and disclosure, including theft
  - Protect PI from accidental or unlawful destruction
  - Protect PI from alteration
  - Ensure availability of PI
- Protect data subjects (as system users)
  - Enable anonymous/pseudonymous use
  - Support informational self-determination

Example
- Access control mechanisms to protect confidentiality and integrity of PI
  - Enforcing purpose binding
  - Separation of duties based on roles
  - Well-formed transactions
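The three mechanisms on this slide fit together in a small access-control layer. The following is an added example, not code from the presentation or from any product the talk refers to; the roles (intake_clerk, approver, analyst), the purposes and the records are constructed for it. Purpose binding means a request must name a purpose that the PI was collected for and that the caller's role may act for; separation of duties means the party that entered a record may not approve it; well-formed transactions means the record is only ever created, approved or read through methods that also write an audit entry saying who did what, for which purpose, with what outcome, so the accountability question "who had access and why" can be answered later.

```python
"""Purpose-bound access control over personal information (PI).

Added example; not code from the presentation. Roles, purposes and the
record below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


class AccessDenied(Exception):
    pass


@dataclass
class PIRecord:
    subject_id: str          # internal identifier, never a SIN or licence number
    purposes: frozenset      # purposes identified when the PI was collected
    attributes: dict
    approved: bool = False


@dataclass
class AuditEntry:
    at: str
    user: str
    role: str
    subject_id: str
    purpose: str
    action: str
    outcome: str


# Constructed policy: which roles may act for which purposes.
ROLE_PURPOSES = {
    "intake_clerk": {"service_delivery"},
    "approver": {"service_delivery"},
    "analyst": {"planning"},
}


class PIStore:
    """Every operation on a record is audited and purpose-checked."""

    def __init__(self) -> None:
        self.records: dict[str, PIRecord] = {}
        self.audit: list[AuditEntry] = []
        self.entered_by: dict[str, tuple[str, str]] = {}  # subject_id -> (user, role)

    def _log(self, user, role, subject_id, purpose, action, outcome) -> None:
        self.audit.append(AuditEntry(datetime.now(timezone.utc).isoformat(),
                                     user, role, subject_id, purpose, action, outcome))

    def _bind_purpose(self, user, role, record, purpose, action) -> None:
        """Purpose binding. Denied attempts are audited as well as allowed ones."""
        if purpose not in record.purposes:
            self._log(user, role, record.subject_id, purpose, action, "denied: not a collection purpose")
            raise AccessDenied(f"{purpose!r} is not a purpose {record.subject_id} was collected for")
        if purpose not in ROLE_PURPOSES.get(role, set()):
            self._log(user, role, record.subject_id, purpose, action, "denied: role not permitted")
            raise AccessDenied(f"role {role!r} may not act for purpose {purpose!r}")
        self._log(user, role, record.subject_id, purpose, action, "allowed")

    # Well-formed transactions: the only ways a record is created, approved or read.
    def enter(self, user: str, role: str, record: PIRecord) -> None:
        self._bind_purpose(user, role, record, "service_delivery", "enter")
        self.records[record.subject_id] = record
        self.entered_by[record.subject_id] = (user, role)

    def approve(self, user: str, role: str, subject_id: str) -> bool:
        record = self.records[subject_id]
        entered_user, entered_role = self.entered_by[subject_id]
        # Separation of duties: neither the same user nor the same role may enter and approve.
        if user == entered_user or role == entered_role:
            self._log(user, role, subject_id, "service_delivery", "approve", "denied: separation of duties")
            raise AccessDenied("the party that entered a record may not approve it")
        self._bind_purpose(user, role, record, "service_delivery", "approve")
        record.approved = True
        return record.approved

    def read(self, user: str, role: str, subject_id: str, purpose: str) -> dict:
        record = self.records[subject_id]
        self._bind_purpose(user, role, record, purpose, "read")
        return dict(record.attributes)

    def accesses_to(self, subject_id: str) -> list:
        """Accountability: who acted on this subject's PI, doing what, for which purpose, with what outcome."""
        return [(e.user, e.role, e.action, e.purpose, e.outcome)
                for e in self.audit if e.subject_id == subject_id]


def demo() -> PIStore:
    """Constructed scenario: a clerk enters a record and an approver approves it;
    an analyst is refused service-delivery data, and nobody can read it for
    'marketing' because that purpose was never identified at collection."""
    store = PIStore()
    record = PIRecord("subj-0001", frozenset({"service_delivery"}),
                      {"name": "A. Example", "postal": "K1A 0B1"})
    store.enter("alice", "intake_clerk", record)
    store.approve("bob", "approver", "subj-0001")
    for user, role, purpose in [("alice", "intake_clerk", "service_delivery"),
                                ("carol", "analyst", "service_delivery"),
                                ("bob", "approver", "marketing")]:
        try:
            store.read(user, role, "subj-0001", purpose)
        except AccessDenied:
            pass
    return store


if __name__ == "__main__":
    for entry in demo().accesses_to("subj-0001"):
        print(entry)
```

Two design choices worth noting: denials are audited, not only successes, because an attempt to read PI for an unidentified purpose is itself something the accountable individual needs to see; and the purpose check runs against the record's own collection purposes first, so adding a role to the policy can never widen use beyond what the data subject was told at collection.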

Expectations

Reality

Protecting Your Private Parts TASK Meeting, 27 February 2008 Privacy Design Requirements  Timing –Day 1, or when a project feasibility activities are completed and approved –Some random point during a project –After implementation –5 years after implementation

Protecting Your Private Parts TASK Meeting, 27 February 2008 Privacy Design Requirements  Process –Identify a benchmark –Read it (really) –Create the requirement –Classify it (people, process, technology)

Protecting Your Private Parts TASK Meeting, 27 February 2008 Privacy Design Requirements  The Case Study –No specific project, creating static requirements for the enterprise –Using the privacy principles (found in the private sector privacy legislation, PIPEDA) as a benchmark

CSA1: Accountability
- An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.

Protecting Your Private Parts TASK Meeting, 27 February 2008 Privacy Design Requirements  IT systems should: –Be capable of providing access to PI on request and have the capacity to record who has/had access to the PI and for what purpose –Be transparent and documented so that data subjects can be informed about how their PI is collected, used and disclosed –Include consideration of privacy in change management practices –Retain a history of corrective transactions relative to each data subject

CSA2: Identifying Purpose
- The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

Protecting Your Private Parts TASK Meeting, 27 February 2008 Privacy Design Requirements  IT systems should: –Record the date, time and retention period of PI when it is collected, compiled or obtained –Limit the use of free text areas to collect PI –Limit the ability of using already collected PI for a new purpose –Include monitoring and enforcement mechanisms to limit the collection of PI –Possess audit trail functionality and transaction validation –Separate PI in databases so that queries do not retrieve data recorded for a different purpose

CSA3: Consent
- The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

Protecting Your Private Parts TASK Meeting, 27 February 2008 Privacy Design Requirements  IT systems should: –manage a data subject’s consent preferences –serve a consent statement to the data subject prior to collection –record the terms of consent and timestamp when a data subject agrees –support serving new consent notices to data subjects’ when the notice of collection is changed –allow data subjects to revoke consent for collection and / or use –timestamp revocations of consent from data subjects –serve explanatory notices of the ramifications of consent revocation before purging PI

CSA4: Limiting Collection
- The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

Protecting Your Private Parts TASK Meeting, 27 February 2008 Technology Requirements  IT systems should: –Identify and document all PI data elements required to provide a service (including physical location) –Restrict use of PI beyond the initial purpose for collection –Record logging information for each collection, use and disclosure of PI –Document the source for all PI collected –Anonymize PI when used for planning, forecasting or evaluation purposes –Limit access to PI to authorized and accountable personnel

CSA5: Limiting Use, Disclosure & Retention
- Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.

Protecting Your Private Parts TASK Meeting, 27 February 2008 Technology Requirements  IT systems should: –Enforce maximum retention periods for PI –Apply retention periods to backups and archives –Anonymize PI no longer necessary for service delivery –Utilize secure electronic disposal methods –Apply safeguards to ensure that PI cannot be used or disclosed for unauthorized purposes –Support linkage functionality when a data subject’s PI and documented circumstances where use or disclosure has occurred outside the notice of collection –Not allow PI to be cached locally –Delete all PI prior to being decommissioned –Prevent linkages of PI across multiple databases outside of initial service delivery requirements –Where necessary, utilize only internal identifiers (not SIN or DL)

CSA6: Accuracy
- Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

Protecting Your Private Parts TASK Meeting, 27 February 2008 Technology Requirements  IT systems should: –Be audited regularly to ensure controls are in place and working –Ensure that PI can be easily access and corrected upon request –Have the ability to identify when PI has been changed or modified, by whom, and for what reason –Designed so that historical PI and any inaccurate PI is not routinely disclosed to persons other than the data subject –Designed so that anyone who has accessed inaccurate or historical PI that has changed is informed of these changes in a timely manner –Include validity checks at the point of data entry –Specify the date the data subject’s PI was collected and / or updated –Specify when and how data subject’s PI is to be updated and the source for the update –Specify how to verify the accuracy and completeness of information disclosed to or received from a third party –Include record keeping for each data subject’s request for a review for accuracy, corrections and / or decisions not to correct

CSA7: Safeguards
- Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

Protecting Your Private Parts TASK Meeting, 27 February 2008 Technology Requirements  IT systems should: –Support the immediate revocation of access privileges to PI –Have controls in place over the process to grant authorization to add, change or delete information from records –Be designed so that access and changes to PI can be audited by date and by user identification –Labelled, transmit and store PI in accordance with classification

CSA8: Openness
- An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

Protecting Your Private Parts TASK Meeting, 27 February 2008 Technology Requirements  IT systems should: –Clearly identify transaction types to data subjects and system users –Clearly identify data flows to the data subject and system users –Clearly identify system linkages to data subjects and system users

CSA9: Individual Access
- Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Protecting Your Private Parts TASK Meeting, 27 February 2008 Technology Requirements  IT systems should: –Be able to provide a data subject with access to and copies of their PI on a routine basis (as permitted by law) –Be designed to provide PI at the least cost possible to the data subject –Be able to amend and / or annotate any PI subject to disagreement regarding accuracy –Have the capacity to notify third parties to whom incorrect PI has been disclosed within the year preceding the correction of the changes to information or the letter of disagreement –Provide PI in multiple formats (electronic, audio) –Support multiple format queries for PI (e.g. one query should return all PI held about a given data subject across different application where necessary for service delivery) –Support severing of PI of other data subject’s contained in records provided in response to another data subject’s request for access

CSA10: Challenging Compliance
- An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.

Protecting Your Private Parts TASK Meeting, 27 February 2008 Technology Requirements  IT systems should: –Record complaint related information, including the date on which complaints are received –Record all complaint outcomes, the date when made and the parties involved and make the decisions available (where relevant to ensure consistency) –Trace all transactions made on a data subject's record, including who made changes to a record, date of change, and purposes for change –Log transaction history for audit purposes, to respond to privacy complaints and / or to support requests for information from a data subject

Privacy & Security