Privacy by Design Discussions. Dr. Marilyn Prosch, CIPP, Arizona State University, September 22, 2009
Privacy by Design • Changes made retroactively always cost more!
What are the costs associated with changes? • Time • Resources • Morale • Possibility of ultimately inferior output
Consider Facebook • A member of the Canadian federal Privacy Office spent 30 days at Facebook’s office investigating • Facebook has committed to using its best efforts to roll out the permissions model by September 1, 2010. • In the meantime, Facebook will oversee the applications developers’ compliance with contractual obligations. Since the conclusion of the investigation, Facebook has provided us with detailed information on its oversight activities, and I am satisfied that it will be a useful means of monitoring developers’ compliance with Facebook’s Statement of Rights and Responsibilities, in the interim. • Facebook has also agreed to a test of the model by an expert third party, prior to its implementation, to ensure that the new model meets the expectations of our report and the company’s subsequent undertakings. Source: http://www.priv.gc.ca/media/nr-c/2009/let_090827_e.cfm
Maturity Model • Organizations may be in different implementation phases of their privacy program • An objective assessment of the maturity level of the program is a key step in assessing if the organization is ready to undergo a privacy audit (either internal or external) • Organizations at a low maturity level most likely will lack the foundations needed, and will be better served by developing the existing privacy infrastructure
Privacy Maturity Model • The AICPA and CICA Privacy Task Force is developing a Privacy Maturity Model • The model is based on the U.S. Department of Defense Software Engineering Institute’s CMM model • The six levels are: • Non-Existent – Management processes are not applied at all • Ad Hoc – Processes are ad hoc and disorganized • Repeatable – Processes follow a regular pattern • Defined – Processes are documented and communicated • Managed – Processes are monitored and measured • Optimized – Best practices are followed and automated
We are interested in conducting rigorous and useful research • Let’s consider the following model and discuss what areas concern you and/or your organization about privacy and what we can do to move organizations along the privacy maturity model
Nehmer & Prosch 2009 Model of Privacy Corporate Responsibility (based on Dillard & Layzell’s 2008 model)
Corporate Culture • Create a Privacy Culture, Cavoukian, 2008
Motivating forces • Compliance • Fiscal Viability • Privacy Payoff, Cavoukian & Hamilton, 2008 • Customer Churnrate, Ponemon 2007 • FTC Sanctions • State Attorney Generals • EU Safe Harbor • Expectations • Privacy Cultural Lag Theory, Prosch 2008
Operational modalities • Programs • Goals • Resource Allocations • Privacy Audit • Privacy Maturity Lifecycle, Prosch 2008 • Chief Privacy Officer • Privacy Enhancing Technologies • Privacy Policies • Community Involvement • Allowing constituents a “voice” in privacy design • Education Support • Environmental Improvements • Reducing data pollution: reducing identity theft risk, unnecessary workplace monitoring, cyberbullying, etc.
Outcomes • Educating customers/employees • Rights & obligations in process • Economic Benefits • Privacy Payoff, Cavoukian & Hamilton, 2008