Implementing Privacy: Rules of the Game for Developers Robert Guerra Director, CryptoRights Foundation Mac-Crypto Conference on Macintosh Cryptography & Internet Commerce January 29, 2001
Overview • The Basics: Info-Privacy Principles • General Trends: Global Privacy Law • Getting Specific: Medical Privacy
The Basics: Information Privacy Principles
Information Privacy Principles [1] • Accountability of Data Maintainer • Purpose for Data Collection • Consent for Data Collection • Limits on Data Collection • Limits on Storage, Use & Disclosure
Information Privacy Principles [2] • Accuracy of Information • Safeguards • Openness of Policies & Practices • User Access & Challenges • Compliance & Auditing
General Trends: Global Privacy Law
World: Privacy Law Trends • Countries around the world are: • Adopting comprehensive laws to protect privacy • Basing them on the OECD and Council of Europe models
EU: Standardizing Privacy • The EU Data Protection Directive (95/46/EC) restricts transfer of personal data to any country that does not adequately protect privacy. • Encourages countries to adopt strong privacy legislation and standardizes privacy policy across borders.
Canada: Personal Privacy • 1983 Privacy Act • Protection for information held by Govt. • Covers ~110 Federal Departments • 2000 Personal Information Protection and Electronic Documents Act.
USA: Financial Privacy • 1970: Fair Credit Reporting Act (amended 1996) • 1978: Right to Financial Privacy Act • 1978: Electronic Fund Transfer Act • 1991: Telephone Consumer Protection Act • 1999: Gramm-Leach-Bliley Act (Title V) • 2000: Safe Harbor Principles (E.U. Directive/1998)
Getting Specific: Medical Privacy Regulations “The Only Crypto that Survives is Medical Crypto.”
USA: the HIPAA $tandard • 1996 Health Insurance Portability & Accountability Act • Improves efficiency of healthcare delivery by standardizing electronic data interchange. • Protects health data confidentiality and security by setting and enforcing standards. • All healthcare organizations are affected. • Covers all individually identifiable health info in electronic form; the privacy provisions also extend to paper records and oral communications.
Regulatory Criteria [1] • Access: Controlling access and limiting patient info display. • Backup: Secure backups to prevent medical data loss. • Unique ID: Every patient or practitioner is unique, like all the others. • Logoff: Automated signoff after a period of inactivity. • Audits: Capture a historical record of medical data use.
Regulatory Criteria [2] • eSignatures & Chart Signing: Replacing paper-based signatures; tracking patient-practitioner interactions. • Encryption: Protecting, hiding and transmitting confidential records. • Patient Access: Patients should be able to see their chart and know who has looked at it. • Sensitive Info: Patient data disclosure control & perfect forward secrecy. • Locking Data: Original entries cannot be altered or deleted.
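Several of the criteria on the two slides above (unique IDs, access limited by role, automatic logoff, an audit trail, patient access to the list of readers, and locked original entries) are mechanisms a developer has to build rather than policies to write down. The following is an added example of how they fit together in one small chart store; it is not code from this talk or from the CryptoRights Foundation. The role-to-field policy, the 15-minute inactivity timeout, the field names and the use of a SHA-256 hash chain to make the audit trail tamper-evident are all assumptions made for the example.

```python
"""Minimal chart store showing HIPAA-style technical criteria together.

Added example, not code from the talk. The role policy, timeout and
field names are assumptions chosen for illustration.
"""
import hashlib
import json
import time
import uuid

# Assumed policy: the chart fields each role is allowed to see.
ROLE_FIELDS = {
    "physician": {"name", "diagnosis", "notes"},
    "billing": {"name"},
    "patient": {"name", "diagnosis", "notes"},
}
SESSION_TIMEOUT = 15 * 60  # assumed: seconds of inactivity before automatic logoff


class ChartStore:
    def __init__(self, clock=time.time):
        self.clock = clock        # injectable clock so timeouts can be tested
        self.patients = {}        # patient_id -> {"name": str, "entries": [...]}
        self.sessions = {}        # session_id -> {"user", "role", "last"}
        self.audit = []           # hash-chained audit records, append-only
        self._prev_hash = "0" * 64

    # Unique ID: every patient gets an identifier that is never reused.
    def register_patient(self, name):
        pid = str(uuid.uuid4())
        self.patients[pid] = {"name": name, "entries": []}
        self._log("register", "system", pid, fields=["name"])
        return pid

    # Logoff: a session dies after SESSION_TIMEOUT seconds of inactivity.
    def login(self, user, role):
        sid = str(uuid.uuid4())
        self.sessions[sid] = {"user": user, "role": role, "last": self.clock()}
        return sid

    def _touch(self, sid):
        s = self.sessions.get(sid)
        if s is None:
            raise PermissionError("no such session")
        now = self.clock()
        if now - s["last"] > SESSION_TIMEOUT:
            del self.sessions[sid]            # automatic signoff
            raise PermissionError("session expired")
        s["last"] = now
        return s

    # Locking Data: writes append a new dated, attributed entry; nothing is
    # ever overwritten or deleted, so a "correction" is a visible amendment.
    def add_entry(self, sid, pid, field, value):
        s = self._touch(sid)
        if s["role"] != "physician":
            self._log("add_denied", s["user"], pid, fields=[field])
            raise PermissionError("only physicians write entries")
        entry = {"id": str(uuid.uuid4()), "field": field, "value": value,
                 "author": s["user"], "ts": self.clock()}
        self.patients[pid]["entries"].append(entry)
        self._log("add", s["user"], pid, fields=[field])
        return entry["id"]

    # Access: each role sees only its permitted fields, and every read is logged.
    def read_chart(self, sid, pid):
        s = self._touch(sid)
        allowed = set(ROLE_FIELDS.get(s["role"], set()))
        if s["role"] == "patient" and s["user"] != pid:
            allowed = set()                   # patients see only their own chart
        chart = {"name": self.patients[pid]["name"]} if "name" in allowed else {}
        for e in self.patients[pid]["entries"]:
            if e["field"] in allowed:
                chart.setdefault(e["field"], []).append(e["value"])
        self._log("read", s["user"], pid, fields=sorted(allowed))
        return chart

    # Patient Access: the patient can list who has looked at the chart.
    def who_looked(self, sid, pid):
        s = self._touch(sid)
        if s["role"] != "patient" or s["user"] != pid:
            raise PermissionError("only the patient may list chart readers")
        return [(r["actor"], r["ts"]) for r in self.audit
                if r["patient"] == pid and r["action"] == "read"]

    # Audits: each record commits to the previous one, so editing or dropping
    # a record breaks the chain. The head hash should be anchored elsewhere
    # (e.g. written to a separate store) for this to resist a full rewrite.
    def _log(self, action, actor, pid, fields):
        rec = {"action": action, "actor": actor, "patient": pid,
               "fields": fields, "ts": self.clock(), "prev": self._prev_hash}
        rec["hash"] = hashlib.sha256(
            json.dumps(rec, sort_keys=True).encode()).hexdigest()
        self._prev_hash = rec["hash"]
        self.audit.append(rec)

    def verify_audit(self):
        prev = "0" * 64
        for rec in self.audit:
            body = {k: v for k, v in rec.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if rec["prev"] != prev or digest != rec["hash"]:
                return False
            prev = rec["hash"]
        return True
```

The hash chain only detects tampering; it does not prevent it, so in a real deployment the chain head is copied to a system the application cannot write to, and the audit store is on a separate access path from the chart data. Encryption of records at rest and in transit, also on the slide, is deliberately left out here as it is orthogonal to the access and audit logic shown.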
Regulatory Comparison criteria:
“I’m a privacy-rights person…the marketplace can function without sacrificing the privacy of individuals.” – George “Dubya” Bush (Business Week, 5 June 2000)
Robert Guerra Robert @ CryptoRights .org CryptoRights Foundation http://CryptoRights.org Mac-Crypto Conference on Macintosh Cryptography & Internet Commerce January 29, 2001