
Implementing Privacy Policy in Justice Information Sharing: A Technical Framework

This document provides an overview of a technical framework for implementing privacy policies in justice information sharing systems. It includes components such as identity credentials, policy enforcement points, and electronic policy statements. The framework is applied to a simple use case and considerations for implementation costs are discussed. The document also highlights the importance of training, legal research, and establishment of information stewards in ensuring privacy and appropriate use practices. Updates on the progress of the Global Technical Privacy Task Team are provided, along with next steps and recommendations for adoption.


Presentation Transcript


  1. Implementing Privacy Policy in Justice Information Sharing: A Technical Framework • John Ruegg, Chair, Global Technical Privacy Task Team, and Dr. Alan Harbitter, IJIS Institute • 10/31/2007

  2. Topics • Approach Overview • Privacy Policy Technical Framework and Components • Applying the Framework to a Simple Use Case • Implementing the Framework • Task Progress Summary

  3. Underlying Principles and Assumptions • Do not invent new technology • Focus on the domain-specific components required for interoperability (e.g., standards, specific metadata) • For now, focus on access rather than collection • Assume that there is a written policy in place • Briefly, we are going to: (1) identify technologies to translate written privacy policy into machine-readable form; (2) define the pieces necessary to link justice information systems to that policy

  4. Technical Framework • [Diagram; labels: Request message, Identity credentials, Response message, Content metadata, PEP, PDP, Audit trail, Obligations, Electronic policy statements (dynamic, federated), Written policy, Environmental conditions] • Actions: release, modify, access, delete, … • PEP: Policy Enforcement Point • PDP: Policy Decision Point

  5. Example Electronic Privacy Policy Rule • Specific to justice applications • Rule: Allow (oc) law enforcement ORIs (uc) to perform Updates (a) on criminal history records (dc) under the condition where the ORI is the record owner (c) for criminal history reporting (p) requiring logging of actions (o) • Legend: oc: Outcome; uc: User categories; a: Actions; dc: Data categories; c: Conditions; p: Purposes; o: Obligations

  6. Simple Use Case: A Cross-Jurisdictional Traffic Stop

  7. Implementation Cost Considerations • Balance cost, risk, and complexity • Human MOU with no technical implementation standards • Low-hanging fruit such as encryption of portable media (memory sticks, laptops, etc.) • Larger investment and support required for fine-grained than for coarse-grained authorization

  8. It’s Not All Technology • Training and outreach • Legal research of laws governing privacy and disclosure requirements • Establishment of information stewards and policy decision makers • Confidentiality of personal information • Appropriate Use Practices • Appropriate dissemination policy • Physical security measures • Procedural measures • Policy on portable devices/media • Separation of security administration roles

  9. Global Tech Privacy Team Status Update • First draft report delivery—June 2007 • Global Working Groups, GESC, and IJIS reviews—July/August 2007 • Final draft—executive review and ready for release in fall 2007 • Follow-up and next steps—currently under consideration by GAC • GESC: Global Executive Steering Committee • IJIS: Integrated Justice Information System Institute

  10. Next Steps • Action items and assignments • Privacy Policy Pilot Projects • Global Security Working Group (GSWG) • Global Privacy Information Quality Working Group (GPIQWG) • Continued integration with Justice Reference Architecture (JRA) • Global Infrastructure Standards Working Group (GISWG) • Mature metadata and integrate with NIEM/GJXDM/GFIPM • XML Structure Task Force (XSTF)

  11. Recommendations • Adopt the Privacy Policy Technical Framework • Adopt the common set of standards and metadata that are specific to the justice domain and aligned with current initiatives • Develop a transition strategy for moving to enterprise electronic policy services

  12. Questions?

  13. GAC Recommendations • Adopt Implementing Privacy Policy in Justice Information Sharing: A Technical Framework • Recommend as resource Implementing Privacy Policy in Justice Information Sharing: A Technical Framework Executive Summary Flyer • Recommend as resource Global Federated Identity and Privilege Management Executive Summary Flyer
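
The slide 5 rule can be written as data and evaluated by a policy decision point, with the policy enforcement point from slide 4 fulfilling the logging obligation before anything is released. This is an added example, not code from the presentation or the task team; the category names, request fields, ORI values, and the choices to deny by default and to log denials are assumptions.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Rule:                      # one field per rule element on slide 5
    outcome: str                 # oc
    user_categories: frozenset   # uc
    actions: frozenset           # a
    data_categories: frozenset   # dc
    purposes: frozenset          # p
    condition: Callable          # c: request -> bool
    obligations: tuple = ()      # o

def owner_is_requester(req):
    # Condition (c): the requesting ORI owns the record. A missing ORI never matches.
    ori = req.get("requester_ori")
    return ori is not None and ori == req.get("record_owner_ori")

# The slide 5 rule, encoded with constructed category names.
RULES = [Rule("allow", frozenset({"law_enforcement_ori"}), frozenset({"update"}),
              frozenset({"criminal_history_record"}),
              frozenset({"criminal_history_reporting"}),
              owner_is_requester, ("log_action",))]

def pdp_decide(req, rules=RULES):
    """Policy Decision Point: first matching rule wins; no match means deny."""
    for r in rules:
        if (req.get("user_category") in r.user_categories
                and req.get("action") in r.actions
                and req.get("data_category") in r.data_categories
                and req.get("purpose") in r.purposes
                and r.condition(req)):
            return r.outcome, r.obligations
    return "deny", ("log_action",)   # assumption: denials are audited too

def pep_enforce(req, audit_trail, handlers=None):
    """Policy Enforcement Point: act on the decision only if every
    obligation attached to it can be fulfilled; otherwise fail closed."""
    if handlers is None:
        handlers = {"log_action": lambda r, out: audit_trail.append(
            (r.get("requester_ori"), r.get("action"), r.get("data_category"), out))}
    outcome, obligations = pdp_decide(req)
    if any(ob not in handlers for ob in obligations):
        return "deny"
    for ob in obligations:
        handlers[ob](req, outcome)
    return outcome
```
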
