
1 Dealing with Privacy Obligations: Important Aspects and Technical Approaches
Marco Casassa Mont, Trusted Systems Lab, Hewlett-Packard Labs, Bristol, UK
1st International Conference TrustBus 2004, Zaragoza, Spain, 30 August 2004 – 01 September 2004

2 Presentation Outline
- Setting the Context: Privacy and Privacy Obligations
- Analysis of Privacy Obligations, Issues and Requirements
- Privacy Obligations: Related Work
- Privacy Obligations: Our Technical Work
- Discussion and Next Steps
- Conclusions
4/3/2019

3 Our Objective and Approach
- Focus on Privacy Obligations for Personal Data in Enterprises and Organisations
- Explore the problem from a technical angle: how to Model, Manage, Enforce and Monitor Privacy Obligations
- Recognise that it is not only a matter of technology but also involves laws, legislation, processes and human intervention. Nevertheless, automation can help.

4 Setting the Context: Privacy and Privacy Obligations

5 Privacy is a very Complex Topic …
Privacy involves people and their personal data, legislation and laws, technologies, business and social aspects, and regulatory compliance. The activities involved include: modelling of privacy policies, deployment of policies, enforcement, auditing, privacy analysis, privacy policy formulation, process engineering and policy lifecycle management.

6 Focus on Management of Privacy for Personal Data within Enterprises
Drivers: Privacy Legislation (EU Laws, HIPAA, COPPA, SOX, GLB, Safe Harbour, …), Customers’ Expectations, Internal Guidelines.
Actors and assets: People, Enterprise, Personal Data, Applications & Services.
Outcomes: Regulatory Compliance, Customers’ Satisfaction, Impact on Reputation, Brand, Customer Retention.
It is a very complex problem. Any tool that helps to automate aspects of privacy policy enforcement and reduce the costs involved is of primary importance, especially for enterprises and organisations.

7 Privacy and Personal Data: Importance of Privacy Laws, Legislation and Guidelines
- OECD Privacy Guidelines and Policies
- EU Legislation
- Various US Laws and Legislation: HIPAA, COPPA, GLB, etc.
- Safe Harbour Policies
- Various Local and National Data Protection Initiatives
- Organisations’ and Enterprises’ Privacy Guidelines/Policies

8 Privacy for Personal Data: Principles
Privacy Policies are built on: Purpose Specification, Consent, Limited Collection, Limited Use, Limited Disclosure, Limited Retention.

9 Privacy Policies: Rights, Permissions and Obligations
The same principles (Purpose Specification, Consent, Limited Collection, Limited Use, Limited Disclosure, Limited Retention) are expressed in Privacy Policies as Privacy Rights, Privacy Permissions and Privacy Obligations.

10 Focus on Privacy Obligations
Focus on Privacy Obligations: Why?
- A lot of technical work has already been done in the space of Privacy Rights and Permissions. More details will be presented in the Related Work section …
- The overall Management of Privacy Obligations from a technical perspective, as first-class citizens, is still a green field and open to research.
- Privacy Obligations are a key aspect of regulatory compliance.

11 Analysis of Privacy Obligations

12 Privacy Obligations: Aspects
1. Classifications of Types of Obligations
2. Common Patterns and Requirements
3. Management of Obligations: Refinement, Control, Enforcement, Monitoring
4. Technologies to deal with Management of Privacy Obligations

13 Privacy Obligation Refinement: Abstract vs. Refined
Obligations can be very abstract: “Every financial institution has an affirmative and continuing obligation to respect customer privacy and protect the security and confidentiality of customer information” (Gramm-Leach-Bliley Act)
More refined Privacy Obligations dictate responsibilities with respect to Personal Information:
- Notice Requirements
- Enforcement of opt-in/opt-out options
- Limits on reuse of Information and Information Sharing
- Data Retention limitations
- …

14 Privacy Obligations: 1st Classification
1. Transactional Obligations: privacy obligations that are enforced immediately, when interactions/transactions involve PII data, e.g. notify the owner of PII data when someone accesses it (i.e. linked to an access control decision);
2. Data Retention and Handling Obligations: privacy obligations dealing with deletion and management of PII data, usually driven by time-based events, e.g. delete PII data in X hours/days/months/years starting from its disclosure;
3. Other event-driven Obligations: privacy obligations triggered by events that relate to contextual and application-relevant data, such as counters based on usage, trust information, etc., e.g. delete PII data after it has been accessed X times.

15 Privacy Obligations: 2nd Classification
1. Short-Term Obligations: obligations to be fulfilled immediately or in a short period of time. Their implications in terms of the resources needed to fulfil them are limited in time, e.g. delete all customer PII data stored in their account after 30 days if the customer does not confirm their registration.
2. Long-term Obligations: obligations that might have long-term implications in terms of the resources needed to fulfil them, e.g. delete all PII data of customers after 7 years.
3. Ongoing Obligations: obligations that might be short- or long-term. They imply an ongoing fulfilment of activities, e.g.
- every month notify me that you still store my PII data;
- notify me every time this data is disclosed to a third party.

16 Privacy Obligations and Access Control
Obligations Contextual to Access Control: these obligations include most of the transactional obligations and obligations that can be fulfilled after an authorization decision, e.g.
- notify me when you access my PII data;
- delete my data after accessing it;
- check for the trustworthiness of your platform when you access PII data;
- log your access and intent in this third-party audit server.
Obligations Unrelated to Access Control: these obligations are unrelated to access control decisions. Part of the data retention obligations, long-term obligations and ongoing obligations belong to this category, e.g.
- delete customers’ PII data after it has been stored for 7 years, independently of whether it is accessed;
- notify me every month if you still have PII data of mine.

17 Who is Setting Privacy Obligations?
Obligations can be set by PII Data Subjects, or by Third Parties on their behalf: people usually set privacy obligations that are related to the “visible” and operational aspects of their PII data. They usually dictate constraints on the usage of PII data, required interactions and actions (notifications, deletions, etc.), and opt-in/opt-out choices.
Obligations can be set by Enterprises and Organisations: organisations need to support privacy obligations dictated by legislation, laws and internal guidelines. These privacy obligations can be seen as “default” obligations that users are entitled to.

18 Privacy Obligations: Common Aspects and Requirements

19 Privacy Obligations: Common Aspects
- Timeframe (period of validity) of obligations
- Events/Contexts that trigger the need to fulfil obligations
- Target of an obligation (PII data)
- Actions/Tasks to be Enforced
- Entities responsible for enforcing obligations
- Exceptions and special cases

20 Dealing with Privacy Obligations: Important Issues and Requirements [1/2]
- Modelling/Representation of Privacy Obligations
- Association of Obligations to Data
- Mapping Obligations into Enforceable Actions
- Compliance of Refined Policies to high-level Policies
- Tracking the evolution of Obligation Policies

21 Privacy Obligations: Important Issues and Requirements [2/2]
- Dealing with long-term Obligation Aspects
- Accountability Management
- User Involvement
- Complexity and Cost of Instrumenting Applications and Services

22 Privacy Obligations: Related Work

23 Technical Work in this Space [1/2]
Technical advancements have been made to deal with Privacy Rights, Permissions and Obligations:
- Extended access control and authorization mechanisms built to check and enforce privacy permissions against users’ rights, data purpose, intents …
- Approaches to deal with privacy obligations are available in data retention solutions and document management systems. They are very focused and limited in terms of obligation expressiveness and system functionality.

24 Technical Work in this Space [2/2]
Recent important work done in this space:
- IBM Enterprise Privacy Architecture, including a policy management system, a privacy enforcement system and audit
- Initial work on privacy obligations in the context of the Enterprise Privacy Authorization Language (EPAL), led by IBM

25 EPAL and Privacy Obligation Management
Privacy Management Framework (components): User, Application, Service, …; EPAL-driven Authorization and Enforcement; Obligation Management and Enforcement; Personal and Private Information.

26 EPAL and Privacy Obligation Management
Source:

27 EPAL and Privacy Obligation Management
EPAL main limitations when dealing with privacy obligations:
- EPAL (and the related privacy architecture) focuses on an authorization and access control perspective of privacy
- EPAL does not model or describe obligations: it provides place-holders for them
- Privacy obligations are considered as “second-class” citizens, as they are only considered in an authorization context …

28 Privacy Obligations: Our Technical Work

29 Privacy Obligations: Our Approach to Address the Problems
- Deal with Privacy Obligations as “first-class citizens” in the context of Enterprises and Organisations – recognise their importance for Regulatory Compliance
- Recognise the importance of separation of concerns: explore how to explicitly represent, manage and enforce privacy obligations without imposing any dominant view (for example, the authorization perspective)
- Research and work on longer-term issues, such as accountability, stronger associations of obligations to data, obligation versioning and tracking

30 Dealing with Privacy Obligations: Our High Level Model
Data Subjects and ENTERPRISE Administrators set Privacy Obligations on Personal Data (PII). The Obligation Management Framework handles Obligations Scheduling, Enforcement and Monitoring.

31 Privacy Obligations: Our Technical Work
Technical Work and Research on Privacy Obligations:
[1] Modelling and Representation of Obligations
[2] Obligation Management System (OMS) for Management, Enforcement and Monitoring of Obligations
[3] Accountability and Strong Association of Obligations to Personal Data
[4] Prototype

32 [1] Privacy Obligations: Modelling and Representation
A Privacy Obligation consists of:
- Obligation Identifier
- Targeted Personal Data: references to stored PII data, e.g. database query, LDAP reference, etc.
- Triggering Events: one or more events that trigger different actions, potentially involving changes to PII data, e.g. Event: time-based events; Actions: Delete PII, Notify
- Actions
- Additional Metadata (future extensions)

33 [1] Privacy Obligations: Format Example
<obligation id="gfrbg7645gt45">
  <target>
    <database>
      <dbname>Customers</dbname>
      <tname>Customers</tname>
      <locator>
        <key name="UserID">oid_a83b8a:fdfc44df3b:-7f9c</key>
      </locator>
      <data attr="part">
        <item>creditcard</item>
        <item>firstname</item>
      </data>
    </database>
  </target>
  <obligationitem sid="1">
    <metadata>
      <type>LONGTERM</type>
      <description>Delete [firstname,surname] at Sat Aug 15 17:26:21 BST 2004.</description>
    </metadata>
    <events>
      <event>
        <type>TIMEOUT</type>
        <date now="no">
          <year>2004</year><month>08</month><day>14</day>
          <hour>17</hour><minute>26</minute>
        </date>
      </event>
    </events>
    <actions>
      <action>
        <type>DELETE</type>
      </action>
    </actions>
  </obligationitem>
</obligation>
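A parser and scheduler check for this format, added here as an example (not HP's OMS code): it loads the obligation above into Python structures and reports which actions are due at a given time. The sample XML is a constructed copy of the slide's example with the missing </date> closing tag supplied; reading now="yes" as "due immediately" is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime
import xml.etree.ElementTree as ET

# Constructed copy of the slide's example; the missing </date> closing tag is supplied.
SAMPLE = """<obligation id="gfrbg7645gt45">
  <target><database>
    <dbname>Customers</dbname><tname>Customers</tname>
    <locator><key name="UserID">oid_a83b8a:fdfc44df3b:-7f9c</key></locator>
    <data attr="part"><item>creditcard</item><item>firstname</item></data>
  </database></target>
  <obligationitem sid="1">
    <metadata><type>LONGTERM</type>
      <description>Delete [firstname,surname] at Sat Aug 15 17:26:21 BST 2004.</description>
    </metadata>
    <events><event><type>TIMEOUT</type>
      <date now="no"><year>2004</year><month>08</month><day>14</day>
        <hour>17</hour><minute>26</minute></date>
    </event></events>
    <actions><action><type>DELETE</type></action></actions>
  </obligationitem>
</obligation>"""

@dataclass
class Target:
    dbname: str
    tname: str
    key: tuple      # (column name, value) locating the data subject's row
    attr: str       # "part": only the listed items are targeted
    items: list

@dataclass
class ObligationItem:
    sid: str
    kind: str       # metadata/type, e.g. LONGTERM
    events: list    # (event type, deadline) pairs; deadline is None for non-TIMEOUT events
    actions: list   # action types, e.g. DELETE

def _timeout_deadline(event):
    """Deadline of a TIMEOUT event; now="yes" is read as 'due immediately' (assumption)."""
    date = event.find("date")
    if date is None:
        raise ValueError("TIMEOUT event without <date>")
    if date.get("now", "no") == "yes":
        return datetime.min
    f = {t: int(date.findtext(t, "0")) for t in ("year", "month", "day", "hour", "minute")}
    return datetime(f["year"], f["month"], f["day"], f["hour"], f["minute"])

def load_obligation(xml_text):
    """Parse the format into (obligation id, Target, [ObligationItem])."""
    root = ET.fromstring(xml_text)
    db = root.find("target/database")
    key, data = db.find("locator/key"), db.find("data")
    target = Target(db.findtext("dbname"), db.findtext("tname"), (key.get("name"), key.text),
                    data.get("attr"), [i.text for i in data.findall("item")])
    items = []
    for oi in root.findall("obligationitem"):
        events = [(e.findtext("type"),
                   _timeout_deadline(e) if e.findtext("type") == "TIMEOUT" else None)
                  for e in oi.findall("events/event")]
        actions = [a.findtext("type") for a in oi.findall("actions/action")]
        items.append(ObligationItem(oi.get("sid"), oi.findtext("metadata/type"), events, actions))
    return root.get("id"), target, items

def due_actions(items, now):
    """Scheduler check: (sid, action) pairs whose TIMEOUT event has fired by now (datetime or ISO string)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    due = []
    for item in items:
        if any(kind == "TIMEOUT" and deadline <= now for kind, deadline in item.events):
            due.extend((item.sid, action) for action in item.actions)
    return due
```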

34 [2] Our Privacy Obligations Management System (OMS)
Explicit Management of Privacy Obligations within Enterprises. Core Functionalities: Processing, Scheduling, Enforcing and Monitoring of Privacy Obligations.

35 [2] OMS as part of an Identity Management System
The Obligation Management System placed within a model of Identity Management Systems.

36 [2] OMS: High Level System Architecture
Outside the enterprise: Data Subjects (via a Privacy-enabled Portal), Applications and Services, Admins.
Inside the ENTERPRISE: Obligation Server (Obligation Scheduler, Obligation Enforcer, Events Handler, Workflows, Information Tracker, Action Adaptors), Obligation Monitoring Service (Monitoring Task Handler), Obligation Store & Versioning (Obligation + Data Ref.), Audit Server, Confidential Data.

37 [2] OMS: High Level System Architecture
Setting Privacy Obligations on Personal Data. Components involved: Data Subjects (via the Privacy-enabled Portal), Applications and Services, Admins, Obligation Server (Obligation Scheduler), Obligation Store & Versioning (Obligation + Data Ref.), Audit Server, Confidential Data (ENTERPRISE).

38 [2] OMS: High Level System Architecture
Enforcing Privacy Obligations. Components involved: Data Subjects, Applications and Services, Admins, Obligation Server (Events Handler, Workflows, Obligation Scheduler, Obligation Enforcer, Information Tracker, Action Adaptors), Obligation Store & Versioning (Obligation + Data Ref.), Audit Server, Confidential Data (ENTERPRISE).

39 [2] OMS: High Level System Architecture
Monitoring Privacy Obligations. Components involved: Data Subjects, Applications and Services, Admins, Obligation Monitoring Service (Monitoring Task Handler), Events Handler, Workflows, Obligation Enforcer, Information Tracker, Action Adaptors, Obligation Store & Versioning (Obligation + Data Ref.), Audit Server, Confidential Data (ENTERPRISE).
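The following Python example is added here (it is not the OMS prototype's code) to show the scheduling, enforcement and monitoring loop of slides 36-39 over the obligation types of slides 14-16: a time-based delete, a counter-based delete and a transactional notify, plus a monitoring check that a fulfilled delete actually held. Class, event and action names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Obligation:
    oid: str
    subject: str              # data reference: key of the targeted PII record
    event: str                # TIMEOUT (time-based), ACCESS_COUNT (counter), ON_ACCESS (transactional)
    actions: list             # any of DELETE, NOTIFY
    deadline: str = None      # ISO 8601 timestamp, TIMEOUT only
    max_accesses: int = 0     # ACCESS_COUNT only
    fulfilled: bool = False

class OMS:
    """Obligation server, action adaptors, information tracker, audit and monitoring in one object."""

    def __init__(self, now_iso):
        self.now = datetime.fromisoformat(now_iso)
        self.pii = {}             # confidential data: subject -> record
        self.store = {}           # obligation store: oid -> Obligation
        self.accesses = {}        # information tracker: subject -> access counter
        self.audit = []           # audit server entries
        self.notifications = []   # output of the NOTIFY action adaptor

    # action adaptors: map an abstract action onto the data store or a notification channel
    def _delete(self, ob):
        self.pii.pop(ob.subject, None)

    def _notify(self, ob):
        self.notifications.append((ob.subject, ob.oid, self.now.isoformat()))

    ADAPTORS = {"DELETE": _delete, "NOTIFY": _notify}

    def _enforce(self, obligations):
        for ob in obligations:
            for action in ob.actions:
                self.ADAPTORS[action](self, ob)
            ob.fulfilled = ob.event != "ON_ACCESS"   # ON_ACCESS obligations are ongoing
            self.audit.append(("ENFORCED", ob.oid, tuple(ob.actions), self.now.isoformat()))

    def _due(self, ob):
        if ob.event == "TIMEOUT":
            return self.now >= datetime.fromisoformat(ob.deadline)
        if ob.event == "ACCESS_COUNT":
            return self.accesses.get(ob.subject, 0) >= ob.max_accesses
        return False              # ON_ACCESS obligations fire inside access(), not here

    def register(self, ob):
        self.store[ob.oid] = ob

    def run_scheduler(self):
        """Enforce every pending obligation whose event has fired; return the ids enforced."""
        due = [ob for ob in self.store.values() if not ob.fulfilled and self._due(ob)]
        self._enforce(due)
        return [ob.oid for ob in due]

    def access(self, subject, requestor):
        """Transactional path: serve the record, track the access, enforce ON_ACCESS obligations."""
        record = self.pii.get(subject)
        self.accesses[subject] = self.accesses.get(subject, 0) + 1
        self.audit.append(("ACCESS", subject, requestor, self.now.isoformat()))
        self._enforce([ob for ob in self.store.values()
                       if ob.subject == subject and ob.event == "ON_ACCESS"])
        self.run_scheduler()      # a counter-based obligation may have just become due
        return record

    def advance_days(self, days):
        self.now += timedelta(days=days)

    def monitor(self):
        """Monitoring service: a fulfilled DELETE whose data is still present is a violation."""
        return [ob.oid for ob in self.store.values()
                if ob.fulfilled and "DELETE" in ob.actions and ob.subject in self.pii]
```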

40 [3] OMS: Towards Strong Association of Obligations to Data and Accountability
Same architecture as above, with a Key Mgmt Service added to the Obligation Server and the Confidential Data held as encrypted data + sticky obligation.
Encryption + Sticky Policies: based on IBE crypto or traditional RSA crypto.

41 [4] OMS Prototype: Core System Components

42 Discussion [1/2]
- Our system is an initial step towards the explicit management, enforcement and monitoring of privacy obligations: plenty of space for refinements and improvements
- We assume that the enterprise is willing to comply with privacy obligations. Additional assurance and accountability can be added by hardening the audit server and involving trusted third parties

43 Discussion [2/2]
- We introduced and discussed a centralised OMS system: potential for bottlenecks. Exploring how to distribute it …
- Security is required to control the access to obligations and PII data by Administrators and Users
- We did not discuss the implications of long-term obligation management in terms of requirements for reliability, survivability and longevity of the platforms running our system. Related work can be leveraged in this space

44 Next Steps
- Refinement of our concepts, OMS architecture and further research
- Addressing open issues such as obligation life-cycle management, overall efficiency, stickiness of privacy obligations to PII data
- Further research to be done in the context of the EU PRIME project

45 Conclusions
- Privacy obligations are a key aspect of privacy. They are “first-class” citizens: they need to be explicitly managed
- The management of privacy obligations is important for enterprises and organisations as part of the overall Regulatory Compliance
- We introduced our research and technical work in the privacy obligation management space. Described an Obligation Management System (OMS) to schedule, enforce and monitor privacy obligations
- Open issues: OMS efficiency, scalability, strong association of privacy obligations to data
- Our research and work are in progress. Part of this work will be done in the context of the EU PRIME project

46 BACK-UP SLIDES

47 Privacy: an Important Aspect of Regulatory Compliance
Regulations (incomplete list …); Regulatory Compliance (Example of Process)

48 Some Privacy Definitions …
- “The quality of being secluded from the presence or view of others”
- “The right of an individual to be secure from unauthorized disclosure of information about oneself that is contained in documents and digital data”
- “Ensuring that individuals maintain the right to control what information is collected about them and how it is used as well”
- “For citizens and consumers, freedom from unauthorized intrusion. For organizations, privacy involves the policies that determine what information is gathered, how it is used, and how customers are informed and involved in this process. Privacy is a legal issue, but it is also an information security issue”

49 Terminology: Consent, Intent, Data Purpose, Privacy Policy
- Data Subjects: CONSENT is given by data subjects for the usage of their Personal Data (PII) for predefined PURPOSES (Personal DATA + CONSENT).
- Privacy Office & Privacy Admins: define the PURPOSES data are collected for, and the PRIVACY POLICIES, which dictate how data must be managed. At the very base they dictate what can be accessed by requestors, given their INTENT, the PURPOSE of collecting the data and the CONSENT given by data subjects.
- Data Requestors (Applications & Services within the ENTERPRISE): to access personal data they need to express their INTENT, i.e. how they intend to use these data (Request for DATA + INTENT). P.S.: INTENT could be hard-coded in applications or part of role definitions.

50 Terminology: Aspects of Privacy Policy related to Personal Data
Privacy Policy Enforcement within the ENTERPRISE:
- Data Requestors send a Request for DATA + INTENT; Data Subjects provide Personal DATA + CONSENT together with the Data Subject’s Constraints.
- Privacy Policies dictate the access constraints; enforcement checks the requirements (Intent against data Purposes and Consent, etc.).
- Failure (no access): actions such as audit and notification of the Data Subject.
- Success: Partial Data Access (filter Data), Data Transformation/Encryption, application of the Data Subject’s Constraints; the Data Requestors receive the actually accessed data, with actions such as audit and notification …

51 Privacy Enforcement on Data: Access Control + Intent, Purpose, Consent, …
Traditional Access Control: Requestor, Actions, Rights, Personal Data.
Privacy-Aware Access Control adds a Privacy Extension: Personal Data Purpose, Requestor’s Intent, Owner’s Consent, Constraints, Other…
It is not just a matter of traditional access control: data purpose, intent and the user’s consent need to be included. Moving towards a “Privacy-Aware” Access Control …
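Added example (an assumed data model, not code from the slides) of the privacy-aware access control described on slides 50-51: the requestor's INTENT is checked against the PURPOSES each PII item was collected for and the subject's CONSENT per purpose, with partial data access, a masking transformation as the subject's constraint, and audit/notify actions on both the failure and the success path.

```python
# Constructed sample: one subject's PII items with the PURPOSES each was collected for,
# the subject's CONSENT per purpose (opt-in/opt-out choices) and the subject's own constraints.
RECORD = {
    "subject": "alice",
    "items": {
        "email": {"value": "alice@example.invalid",
                  "purposes": ["order-processing", "marketing", "analytics"]},
        "creditcard": {"value": "4111-1111-1111-1111", "purposes": ["order-processing"]},
        "address": {"value": "1 Main St", "purposes": ["order-processing", "marketing"]},
    },
    "consent": {"order-processing": True, "marketing": False, "analytics": True},
    "constraints": {"notify_on_access": True, "mask": ["creditcard"]},
}

def mask(value):
    """Data transformation: keep only the last four characters of a sensitive value."""
    return "*" * (len(value) - 4) + value[-4:]

def enforce(record, requestor, intent):
    """Privacy-aware access check. Returns (decision, data released, actions to perform);
    decision is 'deny' (intent not consented), 'partial' (some items filtered) or 'allow'."""
    subject, actions = record["subject"], []
    if not record["consent"].get(intent, False):
        # failure path: no access, audit the attempt, notify the subject if they asked for it
        actions.append(("audit", f"{requestor} denied: intent {intent!r} not consented by {subject}"))
        if record["constraints"].get("notify_on_access"):
            actions.append(("notify", subject))
        return "deny", {}, actions
    # success path: partial data access keeps only items collected for a purpose matching the intent
    released = {}
    for name, item in record["items"].items():
        if intent in item["purposes"]:
            value = item["value"]
            if name in record["constraints"].get("mask", []):   # subject's constraint: transform
                value = mask(value)
            released[name] = value
    decision = "allow" if len(released) == len(record["items"]) else "partial"
    actions.append(("audit", f"{requestor} {decision}: {sorted(released)} of {subject} for {intent!r}"))
    if record["constraints"].get("notify_on_access"):
        actions.append(("notify", subject))
    return decision, released, actions
```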

52 Enterprises: Regulatory Compliance and Enforcement of Privacy Policies
- It is a very complex problem
- The full enforcement of privacy rights, permissions and obligations cannot usually be achieved only via technical solutions
- Processes, best practices and good behaviours are important
- However, being able to automate aspects of privacy policy enforcement and reduce the costs involved is of primary importance, especially for enterprises and organisations

53 Privacy Obligation Refinement: Abstract vs. Refined
Even more refined Privacy Obligations specify “technical” constraints on Personal Information:
- “Notify Data Owners every time their Personal Data is involved in a Transaction or Accessed by Personnel”
- “Access/Changes to Personal Data must be Audited”
- “Delete Personal Information after 7 Years”
- “Delete Personal Information of Customers who do not come back to this web site within 30 days”

54 Privacy Policies: Rights, Permissions and Obligations - Example
Privacy Policies in e-commerce web sites:
- describe rights of users about their personal information
- describe permissions given to the involved parties
- describe obligations the involved parties are subject to
Privacy Practices can be checked by consumers to:
- decide if these practices are acceptable
- decide what to opt-in and opt-out
- decide who to do business with

55 Privacy Obligations: Explored Types, Events and Actions [1/2]
Long-term Privacy Obligations
Events Triggering Obligations:
- Time-driven:
  - at a specific date and time (e.g. 1:00am 01-Jan-2005)
  - after a certain period of time (e.g. 1 hour, 3 days, 5 minutes)
- Driven by Usage and Counters:
  - after the data has been used a certain number of times (e.g. after being used twice) in a specific timeframe
Actions Dictated by Obligations:
- Delete/Update:
  - delete all confidential data of a given data subject
  - partially delete data (e.g. delete only the credit card number)
  - replace data with an updated set of data (e.g. update the subject’s address)
- Hide/Unhide:
  - hide (encrypt) all data of a subject from any access
  - hide a part of this data from any access
  - unhide all data
  - unhide a part of the data

56 Privacy Obligations: Explored Types, Events and Actions [2/2]
Ongoing Privacy Obligations
Events Triggering Obligations:
- Time-driven: periodically (e.g. every month)
- Driven by Contextual Events:
  - when the data is being used
  - when the data is being transferred
  - when the data is being deleted
  - a particular party/parties try to access the data
  - data is being used for a certain purpose (e.g. send advertisement)
  - a set of data is going to be retrieved together
  - any action predefined by the data subject
- Others: when the privacy policies change
Actions Dictated by Obligations:
- Time-driven:
  - send a report to a subject containing the status of their data and their opt-in/opt-out options (e.g. number of times it has been used, who has tried to access it)
  - tell the subject what data he/she has provided
  - get updated data from the subject
  - audit the logs, report any improper use of the data
- Notify: notify the subject
- Log: take logs
- Access: default allow/disallow all access; allow; disallow
- Consult:
  - get authorization from the data subject
  - get authorization from a third party
  - check according to a certain condition set by the user
- Others: stop access to the data; update the obligation
Short-term and Transactional Privacy Obligations: obligations might need to be dictated by a transaction or an interaction. The actions specified by these obligations might need to be fulfilled immediately. These actions can be the same as the ones specified by long-term and ongoing obligations.

57 Privacy Obligations: 1st Classification – Examples
1. Transactional Obligations
- Notify the owner of PII data when someone accesses it (i.e. linked to an access control decision);
- Notify the owner of PII data when their data is disclosed to a third party;
- Delete/Encrypt PII data of a user at the end of a transaction (or after data has been accessed);
- Ask for authorization from the owner of PII data when someone accesses it;
- Ask for authorization from the owner of PII data when their data is disclosed to a third party;
- Create an audit log when PII data is accessed;

58 Privacy Obligations: 1st Classification – Examples
2. Data Retention and Handling Obligations
- Delete PII data in X hours/days/months/years starting from now (e.g. delete ABC data on 01/01/2010);
- Send PII data (in clear or encrypted) to entity Y at time Z (optional: delete the local data after this action is performed);
- Notify the owner of PII data every X days/months/years that their data is stored in an enterprise database;
- Encrypt data under some key at a certain time (alternative to delete)

59 Privacy Obligations: 1st Classification – Examples
3. Other event-driven Obligations
- Delete PII data after it has been accessed X times (e.g. delete my PII data once it has been used one time);
- Notify the owner of PII data after it has been accessed X times;

60 Example of EPAL Rule
Privacy Policy (informal): Allow a sales agent or a sales supervisor to collect a customer's data for order entry if the customer is older than 13 years of age and the customer has been notified of the privacy policy. Delete the data 3 years from now.
EPAL Privacy Rule:
- ruling: allow
- user category: sales department
- action: store
- data category: customer-record
- purpose: order-processing
- condition: the customer is older than 13 years of age
- obligation: delete the data 3 years from now
Source:

61 EPAL and Privacy Obligation Management
EPAL supports Privacy Obligations: “EPAL defines an Abstract Authorization Interface that outputs a Decision and Obligations …”
=> There is a clear fit for “Transactional” Obligations but … Is it correct to also describe “Non-Transactional” (Data Retention, Other Event-driven) Privacy Obligations within an EPAL rule? We believe it is not …
- These Obligations can actually specify “First Class” Policies => Why “Embed” them in the context of Authorization Rules?
- These Obligations might need to be enabled and enforced independently of any Transaction or Interaction (e.g. Unconditionally Delete Personal Data XYZ after 7 years …)
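Added example (not from the slides, and not EPAL's reference implementation) that models the slide-60 rule as an abstract authorization interface and shows the point made above: the 3-year deletion obligation only leaves the engine attached to an allow decision on one transaction, so customer records stored through another rule never receive it. The second, migration rule is a constructed addition.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    ruling: str            # allow | deny
    user_category: str
    action: str
    data_category: str
    purpose: str
    condition: object      # predicate over the request context (a dict)
    obligations: list      # obligations handed out with the decision when this rule matches

@dataclass
class Request:
    user_category: str
    action: str
    data_category: str
    purpose: str
    context: dict

def evaluate(rules, request):
    """Abstract authorization interface: the first matching rule yields (decision, obligations).
    The default is deny with no obligations, so an obligation only ever leaves the engine
    attached to a decision on some transaction."""
    for rule in rules:
        same_scope = (rule.user_category, rule.action, rule.data_category, rule.purpose) == (
            request.user_category, request.action, request.data_category, request.purpose)
        if same_scope and rule.condition(request.context):
            return rule.ruling, list(rule.obligations)
    return "deny", []

# The slide-60 rule. The formal rule on the slide lists only the age condition; the informal
# policy also requires that the customer was notified of the privacy policy, so both are checked.
ORDER_ENTRY = Rule("allow", "sales department", "store", "customer-record", "order-processing",
                   lambda ctx: ctx.get("customer_age", 0) > 13 and ctx.get("policy_notified", False),
                   ["delete the data 3 years from now"])
# Constructed second rule: customer records also enter the system through a data migration,
# and nobody attached the retention obligation to that transaction.
MIGRATION = Rule("allow", "it department", "store", "customer-record", "migration",
                 lambda ctx: True, [])
POLICY = [ORDER_ENTRY, MIGRATION]

def scheduled_obligations(policy, requests):
    """Obligations an OMS would receive from a batch of decisions, keyed by data reference.
    A record stored through a rule that carries no obligation gets an empty entry, even though
    the 3-year deletion was meant to apply to every customer record."""
    scheduled = {}
    for data_ref, request in requests:
        decision, obligations = evaluate(policy, request)
        if decision == "allow":
            scheduled[data_ref] = obligations
    return scheduled
```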

62 OMS: More Technical Details
Outside the enterprise: Portal Users and Admins via the Privacy Portal GUI (Authoring & Display); Applications and Services.
Inside the ENTERPRISE: Obligation Server (Obligation Handler: Retrieve, Store/Tracking, Active Obligations; Obligation Scheduler & Manager; Events Handler; Workflows; Obligation Enforcer; Association Manager; Action Adaptors; Information Tracker), Obligation Monitoring Service (Monitoring Task Handler, Admins), Obligation Store & Versioning (Obligation + Data Ref.), Audit Server (Audit Logs), Confidential Data.
