1 Copyright © 1999-2008 International Security, Trust & Privacy Alliance -All Rights Reserved Making Privacy Operational International Security, Trust.

Slides:



Advertisements
Similar presentations
EU Privacy Directive. What is a directive? A piece of European legislation, passed by bureaucrats, addressed to member states Member states must ensure.
Advertisements

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY.
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS.
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS.
ITEC 6324 Health Insurance Portability and Accountability (HIPAA) Act of 1996 Instructor: Dr. E. Crowley Name: Victor Wong Date: 2 Sept
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
Privacy: Accountability and Enforceability Jamie Yoo April 11, 2006 CPSC 457: Sensitive Information in a Wired World.
The Geopolitics of Personal Data and the Governance of Privacy Colin J. Bennett Department of Political Science University of Victoria BC, Canada
CSE2500 Systems Security and Privacy Week 11 Privacy Law in Australia (after 2000)
© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Privacy Management for a Global Enterprise.
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.
Per Anders Eriksson
High Technology Cooperation Group: Data Privacy The Indo-U.S. High Technology Cooperation Group November 18, Privacy and Cyber Security:
Transborder dataflows Flow of information across national borders Much of this data involves personal information.
Data Protection: International. Data Protection: a Human Right Part of Right to Personal Privacy Personal Privacy : necessary in a Democratic Society.
Class 13 Internet Privacy Law European Privacy.
Privacy By Design Sample Use Case Privacy Controls Insurance Application- Vehicle Data.
Protecting information rights –­ advancing information policy Privacy law reform for APP entities (organisations)
Crown copyright: State Services Commission, March Information for New Members of Crown Entity Boards Information for New Members of Crown Entity.
Tackling the Policy Challenges of Health Information Exchange Carol Diamond, MD, MPH Managing Director, Markle Foundation.
Privacy and Trust In Europe Mike Small Principal Consultant Security Management CA EMEA.
OASIS PRIVACY MANAGEMENT REFERENCE MODEL EEMA European e-identity Management Conference Paris, June 2012 John Sabo, CA Technologies Co-Chair, OASIS.
© 2007 The MITRE Corporation. MITRE Privacy Practice W3C Government Linked Data Working Group Michael Aisenberg, Esq. 29 June 2011 Predicate for Privacy.
Privacy Law for Network Administrators Steven Penney Faculty of Law University of New Brunswick.
HIPAA PRIVACY AND SECURITY AWARENESS.
Confidential1 ISTPA Framework Project Combining Security and Privacy Throughout the Life Cycle of Personal Information MICHAEL WILLETT Wave Systems Chair:
WHEN TITLE IS NOT A QUESTION N O ‘WE CAN’ WHEN TITLE IS NOT A QUESTION N O ‘WE CAN’ WHEN TITLE IS NOT A QUESTION N O ‘WE CAN’ Identity and Privacy: the.
STORAGE MANAGEMENT/ EXECUTIVE: Managing a Compliant Infrastructure Processes and Procedures Mike Casey Principal Analyst Contoural Inc.
Case Study: Pharmaceuticals Patrick F. Sullivan, Ph.D. 939 North Graham Avenue, Indianapolis, IN
Policy Review (Top-Down Methodology) Lesson 7. Policies From the Peltier Text, p. 81 “The cornerstones of effective information security programs are.
PMRM TC Emergency Responder Use Case Draft: 2 Aug 2011.
Gershon Janssen 11 th October 2011 London Privacy Management Reference Model International Cloud Symposium 2011.
Session ID: Session Classification: Dr. Michael Willett OASIS and WillettWorks DSP-R35A General Interest OASIS Privacy Management Reference Model (PMRM)
A Perspective: Data Flow Governance in Asia Pacific & APEC Framework Martin Abrams October 21, 2008.
Overview Privacy Management Reference Model and Methodology (PMRM) John Sabo Co-Chair, PMRM TC.
IBT - Electronic Commerce Privacy Concerns Victor H. Bouganim WCL, American University.
Europe's work in progress: quality of mHealth Pēteris Zilgalvis, J.D., Head of Unit, Health and Well-Being, DG CONNECT Voka Health Community 29 September.
Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill Chapter 6 The Privacy and Security of Electronic Health Information.
© 2013 The McGraw-Hill Companies, Inc. All rights reserved. Ch 8 Privacy Law and HIPAA.
The right item, right place, right time. DLA Privacy Act Code of Fair Information Principles.
Robert Guerra Director, CryptoRights Foundation Implementing Privacy Implementing Privacy: Rules of the Game for Developers Mac-Crypto Conference on Macintosh.
Policies for Information Sharing April 10, 2006 Mark Frisse, MD, MBA, MSc Marcy Wilder, JD Janlori Goldman, JD Joseph Heyman, MD.
1 The ISTPA Privacy Framework John Sabo Manager, Security, Privacy and Trust Initiatives Computer Associates Workshop on the Relationship between Security.
Confidential1 ISTPA Framework Project Combining Security and Privacy Throughout the Life Cycle of Personal Information MICHAEL WILLETT Wave Systems Chair:
1 PARCC Data Privacy & Security Policy December 2013.
Approved for Public Release. Distribution Unlimited. 1 Government Privacy Rick Newbold, JD, MBA, CIPP/G Futures Branch 28.
1 Designing a Privacy Management System International Security Trust & Privacy Alliance.
HIT Policy Committee NHIN Workgroup HIE Trust Framework: HIE Trust Framework: Essential Components for Trust April 21, 2010 David Lansky, Chair Farzad.
HIT Policy Committee Meeting Nationwide Health Information Network Governance June 25, 2010 Mary Jo Deering, PhD ONC, Office of Policy and Planning NHIN.
PMRM Revision Discussion Slides Illustrations/Figures 1-3 o Model, Methodology, “Scope” options Functions, Mechanisms and “Solutions” Accountability and.
PRIVACY AND SPAM. PRIVACY Claim of individuals, groups or institutions to determine when, how and to what extent personal information is communicated.
APEC Privacy Framework “The lack of consumer trust and confidence in the privacy and security of online transactions and information networks is one element.
Introduction to the Australian Privacy Principles & the OAIC’s regulatory approach Privacy Awareness Week 2016.
Protection of Personal Information Act An Analysis on the impact.
Incorporating Privacy Into Systems Development Methodology Phil Moleski Director Corporate Information Technology Branch Saskatchewan Health
GDPR (General Data Protection Regulation)
Data Protection: EU & International
APP entities (organisations)
Data workshop WhOSE DATA IS IT ANYWAY? Alexia Christie
MIT HIT Symposium How HIPAA Applies to HIT
Protection of Personal Information Bill: An International Perspective
Employee Privacy and Privacy of Employee Information
American Health Information Management Association
Canadian Auditing Standards (CAS)
Policies for Information Sharing
Analysis of Privacy and Data Protection Laws and Directives
Paul T. Smith, Esq. Partner, Davis Wright Tremaine LLP
Presentation transcript:

1 Copyright © International Security, Trust & Privacy Alliance -All Rights Reserved Making Privacy Operational International Security, Trust and Privacy Alliance (ISTPA) Michael Willett, Seagate John Sabo, CA, Inc. The Privacy Symposium Harvard University 20 August 2008

2 Copyright © International Security, Trust & Privacy Alliance -All Rights Reserved What is the ISTPA? The International Security, Trust and Privacy Alliance (ISTPA), founded in 1999, is a global alliance of companies, institutions and technology providers working together to clarify and resolve existing and evolving issues related to security, trust, and privacy ISTPA’s focus is on the protection of personal information (PI) ISTPA

3 Copyright © International Security, Trust & Privacy Alliance -All Rights Reserved ISTPA’s Perspective on Privacy Operational – Technical, Operational Focus  …“making Privacy Operational”  based on legal, policy and business process drivers  privacy management is multi-dimensional with extended lifecycle requirements Privacy Framework v1.1 published in 2002  supports the full “Lifecycle” of Personal Information “Analysis of Privacy Principles: An Operational Study” published in 2007 See for downloads ISTPA

4 Copyright © International Security, Trust & Privacy Alliance -All Rights Reserved Three Dimensions of Privacy Management Principles/Legislation/Policies  Requirements and constraints on the collection and use of personal information by government and private sector organizations Business Processes  Data collection, processing and storage systems and business applications which make use of PI Operational Privacy Management and Compliance  Architectures and applications which incorporate standardized privacy management services and controls

5 Copyright © International Security, Trust & Privacy Alliance -All Rights Reserved “Analysis of Privacy Principles: An Operational Study” Principles/Legislation/Policies

6 Copyright © International Security, Trust & Privacy Alliance -All Rights Reserved Laws, Directives, Codes Analyzed The Privacy Act of 1974 (U.S.) OECD Privacy Guidelines UN Guidelines EU Data Protection Directive Canadian Standards Association Model Code Health Insurance Portability and Accountability Act (HIPAA) US FTC Fair Information Practice Principles US-EU Safe Harbor Privacy Principles Australian Privacy Act Japan Personal Information Protection Act APEC Privacy Framework California Security Breach Bill

7 Copyright © International Security, Trust & Privacy Alliance -All Rights Reserved Analysis Methodology Select representative international privacy laws and directives Analyze disparate language, definitions and expressed requirements Parse expressed requirements into working set of privacy categories and terms Cross-map common and unique requirements Establish basis for a revised operational privacy framework to ensure ISTPA Framework Services supports full suite of requirements

8 Copyright © International Security, Trust & Privacy Alliance -All Rights Reserved Comparative Analysis-Sample OECD Guidelines – 1980  Collection Limitation  Data Quality  Purpose Specification  Use Limitation  Security Safeguards  Openness  Individual Participation  Accountability Australian Privacy Principles – 2001  Collection  Use and Disclosure  Data Quality  Data Security  Openness  Access and Correction  Identifiers  Anonymity  Transborder Data Flows  Sensitive Information

9 Copyright © International Security, Trust & Privacy Alliance -All Rights Reserved Derived Privacy Requirements Accountability Notice Consent Collection Limitation Use Limitation Disclosure Access & Correction Security/Safeguards Data Quality Enforcement Openness Less common: Anonymity Data Flow Sensitivity

10 Copyright © International Security, Trust & Privacy Alliance -All Rights Reserved What we Discovered Example: Notice Principle Notice: Information regarding an entity’s privacy policies and practices includes 1. definition of the personal information collected 2. its use (purpose specification) 3. its disclosure to parties within or external to the entity 4. practices associated with the maintenance and protection of the information 5. options available to the data subject regarding the collector’s privacy practices 6. changes made to policies or practices 7. information provided to data subject at designated times and under designated circumstances

11 Copyright © International Security, Trust & Privacy Alliance -All Rights Reserved PI Lifecycle Implications of “Notice” Notice: Information regarding an entity’s privacy policies and practices definition of the personal information collected its use (purpose specification) its disclosure to parties within or external to the entity practices associated with the maintenance and protection of the information options available to the data subject regarding the collector’s privacy practices changes made to policies or practices information provided to data subject at designated times and under designated circumstances

12 Copyright © International Security, Trust & Privacy Alliance -All Rights Reserved Revising the Framework Operational Privacy Management

13 Copyright © International Security, Trust & Privacy Alliance -All Rights Reserved PI Life Cycle Perspective PI Subject Requestor Collector Processor Operational Privacy Management at each touch point

14 Copyright © International Security, Trust & Privacy Alliance -All Rights Reserved Designing a Privacy Management System Step by Step ….

15 Copyright © International Security, Trust & Privacy Alliance -All Rights Reserved Personal Information AGENT INTERACTION CONTROL NEGOTIATION USAGE ACCESS VALIDATION CERTIFICATION Audit ENFORCEMENT SECURITY PI Touch Point Architecture

16 Copyright © International Security, Trust & Privacy Alliance -All Rights Reserved Personal Information AGENT INTERACTION CONTROL NEGOTIATION USAGE ACCESS VALIDATION CERTIFICATION Audit ENFORCEMENT SECURITY PI Touch Point Architecture SELF- ENCRYPTING PRIVACY AGENT

17 Copyright © International Security, Trust & Privacy Alliance -All Rights Reserved ISTPA Privacy Framework Services Control – policy – data management Certification – credentials, trusted processes Interaction - manages data/preferences/notice Negotiation – of agreements, rules, permissions Agent – software that carries out processes Usage – data use, aggregation, anonymization Audit – independent, verifiable accountability Validation - checks accuracy of PI Enforcement – including redress for violations Access - subject review/suggest updates to PI

18 Copyright © International Security, Trust & Privacy Alliance -All Rights Reserved Legal, Regulatory, and Policy Context Security Foundation Agent Control Interaction Negotiation PI Touch Point PI, Preferences & PIC Repository PI Container (PIC) EnforcementAuditCertificationValidation Making Privacy Operational Assurance Services Usage Access - Each Touch Point node configured with operational stack - Privacy Policy is an input “parameter” to Control - Agent is the Touch Point programming persona -PIC contains PI and usage agreements

19 Copyright © International Security, Trust & Privacy Alliance -All Rights Reserved Legal, Regulatory, and Policy Context Security Foundation Agent Control Interaction Negotiation Any two touch points in the PI life cycle Usage PI, Preferences & PIC Repository Agent Control Interaction Negotiation PIC Repository PI Container (PIC) EnforcementAuditCertificationValidation Privacy SERVICES Assurance Services Usage Access

20 Copyright © International Security, Trust & Privacy Alliance -All Rights Reserved Converting Privacy Requirements to Privacy Management Operations “Matrix” Conversion (ISTPA ToolKit Process): 10 Framework Services Privacy Requirements (eg, Principles, Legislation) Service FUNCTIONS

21 Copyright © International Security, Trust & Privacy Alliance -All Rights Reserved Next Steps for the ISTPA Privacy Framework Undergoing revision now Using the Analysis findings, major revisions to Service definitions and lifecycle issues for integrating services ISTPA has joined the OASIS standards organization as an institutional member to explore standards development We welcome your input and support!

22 Copyright © International Security, Trust & Privacy Alliance -All Rights Reserved Questions? MAKING PRIVACY OPERATIONAL Michael Willett, Seagate John Sabo, CA, Inc.