1 / 35

Privacy: Understanding the Needs, Policy, and Approach

Privacy: Understanding the Needs, Policy, and Approach. Owen Greenspan Director Law and Policy Program. A Couple of Observations. Justice Ginsburg, U.S. Supreme Court, noted in Arizona v. Evans that….

vdewitt
Download Presentation

Privacy: Understanding the Needs, Policy, and Approach

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Privacy: Understanding the Needs, Policy, and Approach Owen Greenspan Director Law and Policy Program

  2. A Couple of Observations

  3. Justice Ginsburg, U.S. Supreme Court, noted in Arizona v. Evans that…. • “Widespread reliance on computers to store and convey information generates, along with manifold benefits, new possibilities of error, due to both computer malfunctions and operator mistakes… Computerization greatly amplifies an error’s effect, and correspondingly intensifies the need for prompt correction; for inaccurate data can infect notonlyoneagency, but the manyagenciesthatshareaccessto the database.”

  4. The bulk of the criminal justice information maintained in the U.S. is maintained at the State and local level; • Therefore most, but not all, of the legislation on governing this information is found at the State level.

  5. Fair Information Practices

  6. The Eight Fair Information Practices (OECD Guidelines on the Protection of Privacy) • 1. Collection Limitation Principle. • There should be limits to the • collection of personal data and any • such data should be obtained by • lawful and fair means and, where • appropriate, with the knowledge or • consent of the data subject.

  7. The Eight Fair Information Practices (OECD Guidelines on the Protection of Privacy) • 2. Data Quality Principle. • Personal data should be relevant to • the purposes for which they are to • be used, and, to the extent • necessary for those purposes, • should be accurate, complete and • kept up-to-date.

  8. The Eight Fair Information Practices (OECD Guidelines on the Protection of Privacy) • 3. Purpose Specification Principle. • The purposes for which personal data are • collected should be specified not later • than at the time of data collection and the • subsequent use limited to the fulfillment • of those purposes or such others as are • not incompatible with those purposes and • as are specified on each occasion of • change of purpose.

  9. The Eight Fair Information Practices (OECD Guidelines on the Protection of Privacy) • 4. Use Limitation Principle. • Personal data should not be • disclosed, made available or • otherwise used for purposes other • than those specified in accordance • with Paragraph 9 except: • a) with the consent of the data subject; or • b) by the authority of law.

  10. The Eight Fair Information Practices (OECD Guidelines on the Protection of Privacy) • 5. Security Safeguards Principle. • Personal data should be protected • by reasonable security safeguards • against such risks as loss or • unauthorized access, destruction, • use, modification or disclosure of • data.

  11. The Eight Fair Information Practices (OECD Guidelines on the Protection of Privacy) • 6. Openness Principle. • There should be a general policy of • openness about developments, practices • and policies with respect to personal data. • Means should be readily available of • establishing the existence and nature of • personal data, and the main purposes of • their use, as well as the identity and usual • residence of the data controller.

  12. The Eight Fair Information Practices (OECD Guidelines on the Protection of Privacy) • 7.Individual Participation Principle. • An individual should have the right: • a)to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; • b)to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him;

  13. The Eight Fair Information Practices (OECD Guidelines on the Protection of Privacy) • 7. Individual Participation Principle. • An individual should have the right: • c)to be given reasons if a request made under subparagraphs(a) and (b) is denied, and to be able to challenge such denial; and • d)to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended.

  14. The Eight Fair Information Practices (OECD Guidelines on the Protection of Privacy) • 8. Accountability Principle. • A data controller should be • accountable for complying • with measures which give effect to • the principles stated above.

  15. Owen’s 9th Privacy Principle • Failing to address privacy in the planning and design of a information sharing system risks project failure: • Threatens public support for your agency • Political support for what you are trying to accomplish • Financial support • Operational ability

  16. PRIVACY POLICY DEVELOPMENT

  17. Global Privacy and Information Quality Working Group (GPIQWG)

  18. Global Privacy and Information Quality Working Group (GPIQWG)

  19. Step One: GOVERNANCE • Step Two: PLANNING • Step Three: PROCESS • Step Four: PRODUCT • Step Five: IMPLEMENTATION

  20. Governance – Planning Stage • TEAM FORMATION • Advocate • & • Defend • PROJECT • CHAMPION • OR SPONSOR • RESOURCES Process • IDENTIFY TEAM LEADER • BUILD TEAM & STAKEHOLDERS • Empower with • Authority • FINAL TEAM • LEADER & • MEMBERS

  21. (From Privacy, Civil Rights, and Civil Liberties, Policy Templates for Justice Information Systems) • Privacy Policy • Development Templates The privacy policy development templates suggest language for drafting a policy or inter-agency agreement. In order to select the correct template or combination of templates, the agency must first identify the type of information sharing system covered by the privacy policy.

  22. What type of information sharing system will be covered by the privacy policy? □ Incident or event-based records management system (RMS) □ Case management system (CMS) □ Integrated criminal justice information system (IJIS or CJIS) □ Criminal history record information system (CHRI) □ Criminal intelligence gathering system (CIS) □ Justice information sharing network • Privacy Policy • Development Templates

  23. Which of the following best describes the privacy effort involved? □ LOCAL SYSTEMS □ STATEWIDE SYSTEMS □ STATEWIDE NETWORK INTEGRATING LOCAL SYSTEMS □ REGIONAL INFORMATION SHARING SYSTEMS □ AD HOC SYSTEMS • Privacy Policy • Development Templates

  24. Process Stage • Collection • Dissemination & Access • Use • Maintenance & Retention • UNDERSTANDING • INFORMATION • EXCHANGES

  25. Process Stage • Focus • Sources of Legal Authority • Principles –FIP • Perform Information Analysis • ANALYZING THE • LEGAL • REQUIREMENTS

  26. Process Stage • Laws & Policies • Team Privacy Concerns • Build from Existing Laws & Policies • IDENTIFY • CRITICAL • ISSUES & • POLICY GAPS

  27. Product Stage • VISION • & • SCOPE • Organizational • Structure & • Policy Outline • Team Members • Stakeholders • Constituents • REVISED • DRAFT • POLICY • DRAFT • SHARE

  28. Implementation Stage • Formal • Adoption of • Privacy Policy • PROJECT • TEAM • GOVERNING • BOARD • TRAINING • OUTREACH • PUBLICATION • Ongoing • Evaluation & • Monitoring • Legislative • Efforts • Revisions

  29. Alan Carlson’s Privacy Policy • Development Templates Depending upon the need, the privacy policy will consist of one or more of the following policy three templates: TEMPLATE A – Privacy and civil rights protections for inclusion in enabling legislation or authorization for the justice information system This enabling authority would be included in the statute, ordinance, resolution, executive order or other document that authorizes or creates the entity overseeing the information system.

  30. Alan Carlson’s Privacy Policy • Development Templates TEMPLATE B – A basic privacy and civil rights protection policy template covering day-to-day operation of the justice information system This basic system operation would be included in a general policy applicable to the system, or it would provide the central provisions of a stand-alone policy covering protection of privacy, civil rights and civil liberties.

  31. Alan Carlson’s Privacy Policy • Development Templates • TEMPLATE C – • Privacy and civil rights protections for an inter-agency agreement between agencies participating in an information sharing network or system.

  32. ADDITIONAL RESOURCES

  33. ADDITIONAL RESOURCES www.it.ojp.gov/topic.jsp?topic_id=55

  34. Homeland Security • Publications: • Privacy Threshold • Analysis • Privacy Impact • Assessments- • Official Guidance (2006) • Privacy Impact • Assessments for various • industries

  35. Owen@search.org

More Related