Presentation is loading. Please wait.

Presentation is loading. Please wait.

Analysis of Privacy and Data Protection Laws and Directives

Published byDana Martínková Modified over 5 years ago

Similar presentations

Presentation on theme: "Analysis of Privacy and Data Protection Laws and Directives"— Presentation transcript:

1 Analysis of Privacy and Data Protection Laws and Directives
Around the World Michael Willett (Seagate) ISTPA Board and Framework Chair Track IIB: Global Privacy Policy The Privacy Symposium: Boston, 23 Aug 2007 Confidential

2 What is the ISTPA? The International Security, Trust, and Privacy Alliance (ISTPA) is a global alliance of companies, institutions and technology providers working together to resolve issues related to security, trust, and privacy. “Making Privacy Operational” Published the Privacy Framework See Confidential

3 ISTPA Privacy Framework Services
Control – policy – data management Certification – credentials, trusted processes Interaction - manages data/preferences/notice Negotiation – of agreements, rules, privileges Agent – software that carries out processes Usage – data use, aggregation, anonymization Audit – independent, verifiable accountability Validation - checks accuracy of PI Enforcement – including redress for violations Access - subject correct/update PI Confidential

4 Legal, Regulatory, and Policy Context
Michael Willett: Shown is a typical configuration of the privacy Services, with an Agent Service representing both the Subject and the Data Requestor. Interaction, Negotiation, and the all-important Control function provide a front-end to the secure data repository. The Assurance Services of Validation, Certification, Audit, and Enforcement support both nodes, whereas Usage supports the Data Requestor. The security services (eg, OpenGroup taxonomy) are available to all the privacy services. The Legal, Regulatory, and Policy Context provides the necessary configuration and parameterization layer. Making Privacy Operational PI Touch Point Legal, Regulatory, and Policy Context Security Foundation Agent Interaction Each Touch Point node configured with operational stack Privacy Policy is an input “parameter” to Control Agent is the Touch Point programming persona PIC contains PI and usage agreements Negotiation Access Control Usage PI Container (PIC) PI, Preferences & PIC Repository Assurance Services Validation Certification Audit Enforcement Confidential

5 Legal, Regulatory, and Policy Context
Michael Willett: Shown is a typical configuration of the privacy Services, with an Agent Service representing both the Subject and the Data Requestor. Interaction, Negotiation, and the all-important Control function provide a front-end to the secure data repository. The Assurance Services of Validation, Certification, Audit, and Enforcement support both nodes, whereas Usage supports the Data Requestor. The security services (eg, OpenGroup taxonomy) are available to all the privacy services. The Legal, Regulatory, and Policy Context provides the necessary configuration and parameterization layer. Privacy SERVICES Data Subject Data Requestor Legal, Regulatory, and Policy Context Security Foundation Agent Agent Interaction Interaction Negotiation Access Negotiation Control Usage Control Usage PI Container (PIC) PI, Preferences & PIC Repository PIC Repository Assurance Services Validation Certification Audit Enforcement Confidential

6 Recent publication: “Analysis of Privacy Principles: Making Privacy Operational”
Selected representative global privacy laws/directives Analyzed disparate language, definitions and expressed requirements Parsed expressed requirements into working set of composite privacy “principles” Cross-map and derive common/unique requirements Comprehensive observations and conclusions Confidential

7 Selected Laws, Directives, Codes
US FTC Fair Information Practice Principles US-EU Safe Harbor Privacy Principles Australian Privacy Act Japan Personal Information Protection Act APEC Privacy Framework California Security Breach Bill The Privacy Act of 1974 (U.S.) OECD Privacy Guidelines UN Guidelines EU Data Protection Directive Canadian Standards Association Model Code Health Insurance Portability and Accountability Act (HIPAA) Confidential

8 Core Privacy Principles
Accountability Notice Consent Collection Limitation Use Limitation Disclosure Access & Correction Security/Safeguards Data Quality Enforcement Openness Additionally: Anonymity Data Flow Sensitivity Confidential

9 Example - “Notice Principle” includes:
definition of the personal information collected its use (purpose specification) its disclosure to parties within or external to the entity practices associated with the maintenance and protection of the information options available to the data subject regarding the collector’s privacy practices changes made to policies or practices information provided to data subject at designated times and under designated circumstances Confidential

10 Core Principles (partial list)
Accountability: Reporting made by the business process and technical systems which implement privacy policies to the individual or entity accountable for ensuring compliance with those policies, with optional linkages to sanctions. Consent: The capability, including support for Sensitive Information, Informed Consent, Change of Use Consent, and Consequences of Consent Denial, provided to data subjects to allow the collection and/or specific uses of some or all of their personal data either through an affirmative process (opt-in) or implied (not choosing to opt-out when this option is provided). Confidential

11 … Core Principles - continued
Access and Correction: Capability allowing individuals having adequate proof of identity to find out from an entity, or find out and/or to correct, their personal information, at reasonable cost, within reasonable time constraints, and with notice of denial of access and options for challenging denial. Openness: Availability to individuals of the data collector's or data user's policies and practices relating to their management of personal information and for establishing the existence of, nature and purpose of use of personal information held about them. Confidential

12 Conclusions (sampling)
"composite operational definitions“ have unifying value standard definitions and a taxonomy for privacy requirements facilitate better clarity interpretation of privacy instruments confusing, increasingly complex and diffuse more recent legislation reflects expanded privacy expectations, more requirements legislation: disconnected requirements with no overall “system design” for PI life cycle comparison of imprecise concepts depends on language interpretation “consequences” (e.g., sanctions) are not always explicit or uniform, but left to the judgment and enforcement of a privacy ‘authority’ exceptions (e.g., to Disclosure, to Access) are vaguely treated more focus on “up front” (e.g., Notice/Consent), less focus on the “back end” (e.g., subsequent use, data retention) Privacy Policy is both pervasive and implicit Net: operational Privacy Management framework is badly needed Confidential

13 Next Steps: Path to ISTPA Privacy Framework v 2.0
Use Analysis study to evaluate existing Framework (full document available online) Analysis also being used by other organizations Complete expansion of Framework functions, including function labeling (modeling, automation) Continue collaboration with ISSEA on security mapping to the Framework Continue development of Master Toolset project to make Framework more accessible and usable Expected draft v 2.0: 2008 Confidential

14 Questions? MAKING PRIVACY OPERATIONAL Michael Willett
Confidential

Download ppt "Analysis of Privacy and Data Protection Laws and Directives"

Similar presentations

EU Privacy Directive. What is a directive? A piece of European legislation, passed by bureaucrats, addressed to member states Member states must ensure.

EU Privacy Directive. What is a directive? A piece of European legislation, passed by bureaucrats, addressed to member states Member states must ensure.
1 NAESB Data Privacy Task Force February 16, 2011.

1 NAESB Data Privacy Task Force February 16, 2011.
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY.

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY.
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS.

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS.
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS.

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS.
Directory and Trust Services (D&TS) Define an Abstract Model Purpose: Document a common terminology that the group can use between the various tracks Identify.

Directory and Trust Services (D&TS) Define an Abstract Model Purpose: Document a common terminology that the group can use between the various tracks Identify.
1 Privacy Prof. Ravi Sandhu Executive Director and Endowed Chair March 8, 2013 © Ravi Sandhu World-Leading Research.

1 Privacy Prof. Ravi Sandhu Executive Director and Endowed Chair March 8, © Ravi Sandhu World-Leading Research.
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
Privacy: Accountability and Enforceability Jamie Yoo April 11, 2006 CPSC 457: Sensitive Information in a Wired World.

Privacy: Accountability and Enforceability Jamie Yoo April 11, 2006 CPSC 457: Sensitive Information in a Wired World.
The Geopolitics of Personal Data and the Governance of Privacy Colin J. Bennett Department of Political Science University of Victoria BC, Canada www.colinbennett.ca.

The Geopolitics of Personal Data and the Governance of Privacy Colin J. Bennett Department of Political Science University of Victoria BC, Canada
Identity Management In A Federated Environment Identity Protection and Management Conference Presented by Samuel P. Jenkins, Director Defense Privacy and.

Identity Management In A Federated Environment Identity Protection and Management Conference Presented by Samuel P. Jenkins, Director Defense Privacy and.
Security Controls – What Works

Security Controls – What Works
Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.

Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.
On Privacy-aware Information Lifecycle Management (ILM) in Enterprises: Setting the Context Marco Casassa Mont Hewlett-Packard.

On Privacy-aware Information Lifecycle Management (ILM) in Enterprises: Setting the Context Marco Casassa Mont Hewlett-Packard.
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.

Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.
Per Anders Eriksson

Per Anders Eriksson
Transborder dataflows Flow of information across national borders Much of this data involves personal information.

Transborder dataflows Flow of information across national borders Much of this data involves personal information.
Privacy By Design Sample Use Case Privacy Controls Insurance Application- Vehicle Data.

Privacy By Design Sample Use Case Privacy Controls Insurance Application- Vehicle Data.
Protecting information rights –­ advancing information policy Privacy law reform for APP entities (organisations)

Protecting information rights –­ advancing information policy Privacy law reform for APP entities (organisations)

Similar presentations

Ads by Google