‘Saying what you do and doing what you say’: Arguments and Prospects for an International Privacy Standard

Colin J. Bennett

Department of Political Science

University of Victoria, BC.

cjb@uvic.ca

Robin Bayley

Linden Consulting Inc. Victoria, BC. rmbayley@shaw.ca

29e Conférence internationale des commissaires à la protection de la vie privée

Why organizations registered to ISO 9001 should have better personal information management
  • Awareness of their operating systems and personal data holdings
  • Staff training
  • Must think through and address regulatory requirements
  • Ability to capitalize on outside expertise, through conformity assessment process

Requirements of a Privacy Management Standard
  • Translation of Fair Information Principles into language and format of standards
  • Provision of guidance for implementing the principles in organizations
  • Appropriate conformity assessment tools for business size and data sensitivity
  • Audit guide
  • Accreditation system for privacy auditors

Overlap between quality management and data protection
  • Transparency of policy and purpose
  • Procedures for interaction with data subjects
    • Complaints resolution
    • Access and correction requests
    • Consent provision and withdrawal
  • Personal data management procedures
    • Data security
    • Data quality
    • Data retention

Motivations for adoption of privacy standards
  • Through Educational and Regulatory Powers of Data Protection Authorities
  • Through Desire for Competitive Advantage
  • Through Referencing the Standard in Contracts

Initiatives for Privacy Management Standardization
  • National Standards Bodies
    • Canadian Standards Association (CSA)
    • American National Standards Institute (ANSI)
  • International Standardization Organization (ISO)
    • Work of JTC-1 of ISO and International Electro-Technical Commission (IEC)
  • European Committee for Standardization/Information Society Standardization System (CEN/ISSS)
  • International Security, Trust, and Privacy Alliance (ISTPA).

John Hopkinson ISSPCS-Prac CISSP ISP CDRP

Security Strategist, EWA /IIT

President ISSEA

Chair CAC-JTC1/TCIT

Standards Briefing

ISO/IEC JTC 1
  • JTC 1 is unique
    • It is a hybrid of both ISO and IEC
    • 30% of customers are other standards developers
    • It produces “Base Standards”
    • It must always assume the “worst case”
  • Has been developing standards related to Privacy for the last 7 to 10 years

ISO/IEC JTC 1/SC 17
  • Concerned with privacy related to card technology applications
  • Includes data on smart & optical cards
  • Not currently reviewing standards for privacy
  • The chair authored two Privacy Impact assessments for advanced card technologies

ISO/IEC JTC 1/SC 27
  • Created a new WG for Privacy, with projects on
    • A Privacy Framework
    • A Privacy Reference Architecture
    • Privacy infrastructures
    • Anonymity and credentials
    • Specific Privacy Enhancing Technologies (PETs)
    • Privacy Engineering

ISO/IEC JTC 1/SC 31
  • Develops standards for RFID
  • Is starting to consider Privacy
  • Added the “Kill bit” function to the ISO/IEC 18000-6 standard
  • Memory blocks include password protection

ISO/IEC JTC 1/SC 32
  • Standards for data management and interchange, including e-commerce
  • Deals with e-Business, Metadata, Database Languages, & SQL Multimedia & Application Packages
  • Recognizes “individual” as a sub-type of Person, with rights which e-Business standards must support

ISO/IEC JTC 1/SC 36
  • Standards of Learning, Education & Training
  • Support for legal requirements
  • Surveying members for specifics of National requirements
  • Most important standard
    • ISO/IEC 24751 Individualized Adaptability and Accessibility in e-Learning, Education and Training

ISO/IEC JTC 1/SC 37
  • Develops standards for Biometrics
  • Has started to consider Privacy
  • Working on
    • Cross-Jurisdictional and Societal Aspects of Implementation of Biometric Technologies
    • Guide to the Accessibility, Privacy and Health and Safety Issues in the deployment of Biometric Systems for Commercial Application

Other Standards Development
  • Several Consortia are active, including
    • ISSEA
    • ISTPA
    • OASIS
    • OMG
    • W3C
  • Likely several others

Canadian Privacy Standardization Strategy
  • 21 & 22 Feb 2007; OPC, CSA, SCC, CGSB
  • Privacy Standardization Roadmap
    • What is available & What is needed
  • Workshop Report
    • +, Special Needs, Conformance, sharing Best Practices, Timing critical, Engagement

ISSUES
  • ISO/IEC JTC 1 and others
  • A lack of coordination of Privacy activities
  • No real focal point for Privacy work
  • Lack of harmonized privacy principles
  • Need Privacy community & technical standards cooperation

Making Privacy Operational

Updating the ISTPA Privacy Framework

John T. Sabo

President, International Security Trust and Privacy Alliance (ISTPA)

Director Global Government Relations

CA, Inc.

What is the ISTPA?
  • The International Security, Trust, and Privacy Alliance (ISTPA), founded in 1999, is a global alliance of companies, institutions and technology providers working together to clarify and resolve existing and evolving issues related to security, trust, and privacy.
  • ISTPA’s focus is on the protection of personal information (PI)
  • See www.istpa.org

Privacy Reality: Complex, Challenging

[Diagram: Forces. Labels: National Security; Technology; Evolving nature and concepts of Privacy; Global Laws; Regulations; Standards; Information Society; Industry; Rapid Change; Digital Economy]

Global Privacy Laws and Policies – Wide Variance

  • OECD Privacy Principles
  • Fair Information Practices
  • HIPAA
  • APEC Privacy Framework
  • EU Data Directive
  • U.S. Privacy Act
  • CSA Model Code

ISTPA’s Perspective on Privacy
  • Operational - Solution Focus
    • Migrate to privacy engineering discipline
    • Privacy framework supporting full privacy lifecycle
    • Not a policy framework – rather this is a technical framework for business processes and supporting IT systems
  • Platform for multidisciplinary collaboration
  • Must address variations in law and policies
  • Industry Specific Use Cases

ISTPA Framework v 1.1 Concepts
  • An open, policy configurable set of collaborating services and capabilities used to guide the analysis, design and implementation and assessment of privacy solutions and infrastructure
  • An architectural approach that provides a template usable by IT architects and program managers to develop interoperable applications

ISTPA Privacy v 1.1 Framework Services
  • Control – policy – data management
  • Certification – credentials, trusted processes
  • Interaction – manages data/preferences/notice
  • Negotiation – of agreements, rules, privileges
  • Agent – software that carries out processes
  • Usage – data use, aggregation, anonymization
  • Audit – independent, verifiable accountability
  • Validation – checks accuracy of PI
  • Enforcement – including redress for violations
  • Access – subject correct/update PI

ISTPA Framework Submitted as ISO Publicly Available Specification
  • Submitted by ISSEA (International Systems Security Engineering Association) in October 2003 - 2004
  • Balloting was to close December 11, 2004
  • Caused significant discussion, including Privacy Technology Study Group under ISO JTC-1
  • Withdrawal requested November 22, 2004 for additional work

Recent Work: “Analysis of Privacy Principles: Making Privacy Operational”
  • Select representative global privacy laws & directives
  • Analyze disparate language, definitions and expressed requirements
  • Parse expressed requirements into working set of privacy “principles”
  • Cross-map and derive common and unique requirements

Selected Laws, Directives, Codes
  • The Privacy Act of 1974 (U.S.)
  • OECD Privacy Guidelines
  • UN Guidelines
  • EU Data Protection Directive
  • Canadian Standards Association Model Code
  • Health Insurance Portability and Accountability Act (HIPAA)
  • US FTC Fair Information Practice Principles
  • US-EU Safe Harbor Privacy Principles
  • Australian Privacy Act
  • Japan Personal Information Protection Act
  • APEC Privacy Framework
  • California Security Breach Bill

Derived Core Privacy Principles
  • Accountability
  • Notice
  • Consent
  • Collection Limitation
  • Use Limitation
  • Disclosure
  • Access & Correction
  • Security/Safeguards
  • Data Quality
  • Enforcement
  • Openness
  • Additionally:
    • Anonymity
    • Data Flow
    • Sensitivity

Example: “Notice Principle” Includes:
  • Definition of the personal information collected
  • Its use (purpose specification)
  • Its disclosure to parties within or external to the entity
  • Practices associated with the maintenance and protection of the information
  • Options available to the data subject regarding the collector’s privacy practices
  • Changes made to policies or practices
  • Information provided to data subject at designated times and under designated circumstances

Next Steps: Path to ISTPA Privacy Framework v 2.0
  • Use Analysis study to evaluate existing Framework – full document available online
  • Analysis being used by external organizations
  • Complete expansion of Framework functions, including function labeling
  • Continue collaboration with ISSEA on security mapping
  • Continue development of Master Toolset project to make Framework more accessible and usable
  • Expected draft v 2.0: 2008

Questions?

john.t.sabo@ca.com www.istpa.org