
Privacy Evaluation Methodology (PEM) v1.0 Overview

Privacy Evaluation Methodology (PEM) v1.0 Overview. IDESG Privacy Committee, James R. Elste, Dr. Stuart Shapiro, February 2013. Privacy Evaluation Methodology: Principles. Effectively evaluate privacy issues & risks in IDESG work products and proposals


Presentation Transcript


  1. Privacy Evaluation Methodology (PEM) v1.0 Overview, IDESG Privacy Committee, James R. Elste, Dr. Stuart Shapiro, February 2013

  2. Privacy Evaluation Methodology: Principles • Effectively evaluate privacy issues & risks in IDESG work products and proposals • Consistently apply the methodology in an objective, thorough, and fair manner • Support the committees and attempt to identify and resolve privacy issues early in the development process • Provide multiple opportunities to discuss and resolve issues, prior to issuing a Privacy Review Report • Recognizing the significance of raising a formal objection, the Privacy Committee does not intend to lodge objections over immaterial issues or risks.

  3. Privacy Evaluation Methodology: Rules of Association, Section 2.1.3.1
     2.1.3.1.1. The responsibility to develop, maintain, publish and adhere to a consistent evaluation methodology for identifying privacy and identity-related civil liberties risks and issues ("Privacy Evaluation Methodology").
     2.1.3.1.2. The responsibility to proactively communicate with and appoint liaisons to other committees of the plenary to identify and resolve potential privacy concerns during the development of IDESG work products.
     2.1.3.1.3. The responsibility to review all IDESG work products prior to approval by the Plenary in a timely manner and issue a Privacy Review Report, consistent with the time frames and procedures enumerated in the Privacy Evaluation Methodology.
     2.1.3.1.4. The authority to raise formal objections to IDESG proposals as set forth in Section 5.3.3.2 of these Rules ("Rule 5332") if a proposal fails to overcome shortcomings identified in the Privacy Review Report.

  4. Privacy Evaluation Methodology: Implementation

  5. Privacy Engineering

  6. Formal Privacy Evaluation

  7. Report Generation & Review

  8. Potential Outcomes

  9. Privacy Evaluation Methodology: Timeframes
     • No Privacy Issues (30 days): Proposals and work products with no privacy issues or risks will be completed within 30 days from the beginning of the Formal Privacy Evaluation Phase.
     • Unresolved Privacy Issues Identified (90 days): Proposals and work products with unresolved privacy issues or risks, identified either in Phase 1: Privacy Engineering or Phase 2: Formal Privacy Evaluation, will be completed within 90 days from the beginning of the Formal Privacy Evaluation.

  10. Privacy Evaluation Criteria • The most important component of the PEM is the evaluation criteria • The evaluation criteria include Fair Information Practice Principles (FIPPs) and defined potential privacy and identity-related civil liberties risks • FIPPs include the FIPPs articulated in the 2011 NSTIC foundational document and the Consumer Privacy Bill of Rights • Potential risks are an adaptation of Solove’s privacy taxonomy • These criteria are non-exclusive • Not all criteria will be relevant in every instance

  11. Privacy Evaluation Workbook
      Three principal components:
      • Characterization
      • Analysis
      • Mitigation and compensating controls
      Broken down by [personally identifiable] information life cycle stage:
      • Collection
      • Processing
      • Use
      • Disclosure
      • Retention
      • Destruction

  12. Privacy Evaluation Workbook: Characterization The characterization section examines in detail the elements of a work product to capture the different dimensions relevant to privacy analysis • Actors and Relationships • Types of Information • Intended Uses • Data Flows • Legal and Regulatory Requirements

  13. Privacy Evaluation Workbook: Analysis The analysis section provides a structure to collect comments and observations related to the application of the evaluation criteria • FIPPs/CPBR • Privacy/Civil Liberties Risks • Legal & Regulatory Implications • Other privacy issues

  14. Privacy Evaluation Workbook: Mitigation and Compensating Controls • This section provides recommendations for addressing identified privacy problems • Acceptance can be a valid resolution • Unresolved issues are noted in the report

  15. Summary • Process Workflows • Implementation • Privacy Engineering • Formal Privacy Evaluation • Privacy Review Report • Potential Outcomes • Timeframes • Privacy Evaluation Criteria & Workbook • Characterization • Analysis • Mitigation and Compensating Controls

  16. Questions??? Thank you for your time and attention.
