1 / 40

University of Toronto Basic Privacy

University of Toronto Basic Privacy . January 24, 2012. PRIVACY. What is it? Why does it matter? How does it work? How is it regulated? What should you do?. PRIVACY: WHAT IS IT? PERSONAL INFORMATION IS…. INFORMATION ABOUT AN IDENTIFIABLE INDIVIDUAL ,

odette
Download Presentation

University of Toronto Basic Privacy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. University of TorontoBasic Privacy January 24, 2012

  2. PRIVACY What is it? Why does it matter? How does it work? How is it regulated? What should you do?

  3. PRIVACY: WHAT IS IT? PERSONALINFORMATION IS… INFORMATION ABOUT AN IDENTIFIABLE INDIVIDUAL, including, but not limited to; ethnic origin, race, religion, age, sex, sexual orientation, education, financial, employment, medical, psychiatric, psychological or criminal information, identifying numbers; S.I.N., home address, home phone number, photos, videos, identifiable recordings of individual, name appearing with / revealing other personal information etc. NOT if acting in business or professional capacity eg. name, position, routine work information

  4. IDENTIFIABILITY; SPECIAL CASES Aggregated/statistical data usually not individually linkable BUT ABSENCE OF NAMES OR OBVIOUS IDENTIFIERS MAY MISLEAD: -small-cell principle … One of these seven people is HIV positive… The more factors you have, the likelier identification becomes; -Asian women over age 50, with income over $200k/yr, who drive a Volvo, with postal code in M3H …. Notorious/known events/facts; The B.C. pig farmer who… or The driver of the vehicle which killed… Future identifiability; eg, tissue samples (are the information) DNA… Khaled el emam on reidentifiability: http://www.ehealthinformation.ca/

  5. PRIVACY: WHAT IS IT? DEFINITIONS • Privacy of the person - ‘bodily privacy’, blood samples, etc. • Privacy of personal behaviour - religion, politics, etc., including ‘media privacy’ • Privacy of personal communications - ‘interception privacy’, various media • Privacy of personal data - ‘data/information privacy’, control of data

  6. PRIVACY: WHAT IS IT? To be left alone “THE RIGHT TO PRIVACY” (Warren & Brandeis, 1890) “…right of the individual to be let alone.” … -in the face of changing technology - photos in newspapers ‘Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that "what is whispered in the closet shall be proclaimed from the house-tops.“’ http://groups.csail.mit.edu/mac/classes/6.805/articles/privacy/Privacy_brand_warr2.html

  7. PRIVACY: WHAT IS IT? INFORMATION PRIVACY [The key principle of modern privacy laws] Control over collection, use, disclosure, retention and destruction of your personal information Privacy principles embodied in “Fair Information Practices.” Informational self-determination

  8. PRIVACY: WHAT IS IT? FAIR INFORMATION PRACTICES • OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980); http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm • European Union Directive on Data Protection (1995/1998); http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML • CSA Model Code for Protection of Personal Information (1996); http://www.csa.ca/cm/ca/en/privacy-code/publications/view-privacy-code/article/principles-in-summary • United States Safe Harbor Agreement (2000) and EU reaction; http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML • Global Privacy Standard (2006). www.ipc.on.ca/images/Resources/up-gps.pdf • IPC’s Privacy By Design Principles http://privacybydesign.ca/about/principles

  9. CSA PRIVACY CODE PRINCIPLES 1. AccountabilityAn organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles. 2. Identifying PurposesThe purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected. 3. ConsentThe knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate. 4. Limiting CollectionThe collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means. 5. Limiting Use, Disclosure and RetentionPersonal information shall not be used or disclosed for purposes other than those for which it is collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of the stated purposes. 6. AccuracyPersonal information shall be as accurate, complete and up-to-date as is necessary for the purpose for which it is used. 7. SafeguardsPersonal information shall be protected by security safeguards appropriate to the sensitivity of the information. 8. OpennessAn organization shall make specific information about its policies and practices relating to the management of personal information readily available to individuals. 9. Individual AccessUpon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information, and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. 10. Challenging ComplianceAn individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance. http://www.csa.ca/standards/privacy/code/Default.asp?articleID=5286&language=english

  10. PRIVACY: WHAT IS IT? PRIVACY BY DESIGN PRINCIPLES Proactive, not reactive, preventive, not remedial Privacy as the default Privacy embedded into design Full functionality, positive-sum, not zero sum End-to-end security, lifecycle protection Visibility and transparency Respect for User Privacy www.privacybydesign.ca

  11. PRIVACY Why does it matter? People want/need it It’s “good for business” It is a legal requirement

  12. PRIVACY LAWS ARE… A blunt instrument for individual control over PI An approximated solution for everybody because we have weak technology To do things right, you’d need a smart agent or matrix of rights … that would -knowwhere all of your personal information is at all times -carry out your wishes and needs in real time -get it right for all your various institutions/companies/friends/family, etc -report back to you in real time of collections, uses, disclosures, etc of your pi and -operate at the level of individual data items, not gross categories Privacy laws and institutions can`t support this level of control so they err on the side of preventing broadly defined unauthorized disclosure/destruction Maybe in the future; meanwhile, IPC federated identity ideas interesting… http://www.ipc.on.ca/images/Resources/F-PIA_2.pdf

  13. LAWS BASED ON CSA PRINCIPLES Federal Personal Information Protection and Electronic Documents Act PIPEDA Strongly consent-based; Incorporates CSA Code Principles; regulates commercial activity with personal information, inter-provincial data flows and federally-regulated endeavours like banking, insurance and telecommunications (ousted by substantially similar provincial laws), Que, Alta, BC and PHIPA http://laws.justice.gc.ca/en/showtdm/cs/P-8.6 …and Ontario Personal Health Information Protection Act; PHIPA Consent based—health data is important/sensitive—regulates health information, explicit consent/ability to “shape” treatment, deemed consent for treatment, BUT research without consent , mandatory disclosure to eliminate/reduce significant risk of bodily harm http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_04p03_e.htm#BK54

  14. NOTICE-BASED PRIVACY LAWS Some public sector privacy statutes…like Ontario Freedom of Information and Protection of Privacy ActFIPPA Notice-based – because government must conduct certain activities– once you are notified of collection of your personal information (for a lawfully authorized activity) you may be have no control – although some consent-based opting out is possible for activities, no choice because Government is only supplier or The activity is not (totally or necessarily) optional; eg: -standard setting -regulation, licensing, tracking/updating entitlements -law enforcement -emergency disclosure, public health and safety http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_90f31_e.htm Also true of some other provincial privacy laws and Canadian public sector privacy law http://laws.justice.gc.ca/en/showtdm/cs/P-21

  15. PRIVACY How does it work? Give people notice > “reasonable expectations” Then stick to notices – and legal requirements Use adequate security/practices There are limits to privacy (user control)

  16. U of T NOTICE of COLLECTION • The University of Toronto respects your privacy.  Personal information that you provide to the University is collected pursuant to section 2(14) of the University of Toronto Act, 1971. It is collected for the purpose ofadministering admissions, registration, academic programs, university-related student activities, activities of student societies, financial assistance and awards, graduation and university advancement, and for the purpose of statistical reporting to government agencies. At all times it will be protected in accordance with the Freedom of Information and Protection of Privacy Act.  If you have questions, please refer to www.utoronto.ca/privacy or contact the University Freedom of Information and Protection of Privacy Coordinator at 416-946-7303, McMurrich Building, room 201, 12 Queen's Park Crescent West, Toronto, ON, M5S 1A8.

  17. PRIVACY LAWS REGULATE Collection Use Disclosure Retention Destruction Of personal information

  18. COLLECTION • Three requirements: • Must have legal authority to collect • Statutory authorization, law enforcement or • necessary for program delivery, teaching purposes etc. • (for the proper administration of a lawfully authorized activity) • Must collect directly from individual • Limited exceptions including consent • Must provide notice of collection indicating; • Legal authority • Principal intended uses of the personal information • Individual to contact with questions

  19. USE AND DISCLOSURE • For original or consistent purpose (see notice of collection) • With the individual’s consent • Internally on a need-to-know basis • To comply with legislation, other legal requirements • For specific compassionate circumstances • Where necessary for fundraising • With periodic notices & opt-outs • limited other circumstances

  20. SECURITY vs. PRIVACY • Privacy involves institution’s legal obligations, especially for collection, use, disclosure, retention and destruction of personal information, in support of individual privacy • Privacy is a legal right/obligation of individual/institution • FIPPA part III sets out privacy protections • Security comprises lock-and-key measures; data integrity, protection, confidentiality and identity authentication • Security supports and is a key enabler for privacy • FIPPA General Reg. s. 4 lists security requirements • There can be no privacy without security

  21. SECURITY • End-to-end (full lifecycle, all contexts) • Physical • Technical / IT systems • Administrative / behavioural (incl. policy) • Data should be protected like other assets • No universal due diligence standards but …

  22. PAPER VS. ELECTRONIC RECORDS Historic disclosure of records in paper form can be a poor basis for putting them online Eg. -property assessment records -records of town/city council meetings -records of administrative tribunals -certain types of licensing records -voters lists Balance possible privacy impacts against benefits/objectives of proposed activity Electronic posting unlike historical availability of paper records (practical obscurity) -(world) wide distribution (beyond local interests) -easy copying/aggregation into other databases/uses -loss of control by originating body -persistence beyond control of originating body U.S. papers on practical obscurity: http://www.nyls.edu/user_files/1/3/4/17/49/Vol49no3p967-992.pdf http://repositories.cdlib.org/cgi/viewcontent.cgi?article=1022&context=ischool

  23. PRIVACY What should I do? Give users clear information Support User rights and expectations Keep it simple Know your organization

  24. SETTING REAL WORLD (legal) LIMITS What is possible? technology / business etc. What do people need, want, fear? Beliefs Philosophy Principles Government response to public expectations Law Policy Practices

  25. PRIVACY LIMITS Privacy (in data protection laws) is never absolute; some exceptions for: -Law enforcement -Public health -Legal processes (generally supersede statutory privacy protections) subpoenas, summonses, court orders, etc. -Other legislation emergency management, health protection, anti-terrorism etc. …data protection laws are made by law-makers, who may discover new priorities, exceptions or other reasons to change or abrogate privacy. The balance is found in the same way as other political/social balances. Public involvement, consultation and advocacy help to guide politicians…

  26. WORK REASONABLY WITHIN LEGAL LIMITS – AND IN UNREGULATED ACTIVITIES If you can, do the activity without personal information. Be creative- anonymize, use non-identifying token; eg. IPC HWY 407 solution: http://www.ipc.on.ca/english/Resources/Discussion-Papers/Discussion-Papers-Summary/?id=335 -Is the personal information NECESSARY If personal information is NECESSARY for an activity; balance privacy interests being compromised against the value of the activity; eg. -public health surveillance threshold: Where between the common cold & SARS?? Beware erroneous (often well-established) misconceptions: -business may want more information than needed for a transaction -law enforcement personnel may look for a lot of data on everybody -a building manager may want access to video surveillance records.. How do you decide what is right…what is enough?

  27. HELP SET USEFUL PRIVACY LIMITS ALWAYS ask: What EXACTLY is the activity or function? What EXACTLY are the objectives of the activity? -- get a COMPLETE list Determine what actions are NECESSARY to achieve the objectives, then (and only then) -Define and list EXHAUSTIVELY what PI is NECESSARY to accomplish the actions -Check existing legal parameters; can you collect, use, disclose the PI? -Even if you can legally collect, use, disclose etc., or are UNREGULATED: -can you do the task without PI? -if not, can you get away with less/partial information? -Consider how well the activity can be delivered with more or less PI -Consider financial impacts/benefits of having/using more or less PI -How can you minimize/eliminate privacy risks? Remember risks of having PI – breaches, data loss, ID theft, etc. Consider impact on your client/employer of a breach or misuse of data; For example, IPC/MTO arrangement re access to driver and vehicle license databases http://www.ipc.on.ca/images/Resources/up-1num_25.pdf

  28. PRIVACY IMPACT ASSESSMENTS A living document that develops with a project to Identify privacy risks for leadership attention by By setting examining and evaluating: Project data flows at transactional level, evaluating against; law, standards, policy/practice, community expectation eg. PHIPA, FIPPA, PbD, CSA, Institution policies, practices, community consultations A team effort; IT, Security, Privacy, Legal, etc… Results in a listing of residual privacy risks for leadership to accept, or remedy; Roger Clarke historical PIA paper: http://www.rogerclarke.com/DV/PIAHist-08.html

  29. ABOUT SECURITY Most security measures can’t guarantee confidentiality They make unauthorized access difficult so information is less likely to be accessed. Well chosen and applied security reduces the probability unauthorized access as much as circumstances and resources permit.

  30. ELECTRONIC RECORD SECURITY Keep electronic records of confidential information in a secure server environment. Access confidential records securely – through encrypted channels, such as virtual private networks. Only remove confidential records from a secure server with authorization, operational need, and it there is no other reasonable means to accomplish the task. Out of secure server environment, keep confidential electronic records encrypted (eg. in transit and storage). Server drives likely to be encrypted soon.

  31. CLOUD COMPUTING; TWO PAPERS Privacy in the Clouds – IPC User-centric identity management infrastructure … will be the answer http://www.ipc.on.ca/images/Resources/privacyintheclouds.pdf Roger Clarke Cloud Computing paper: “Cloud computing emerged during 2006-09 as a fashion item….” http://www.rogerclarke.com/EC/CCEF.html

  32. WHEN YOU OWN THE SYSTEM Your IT / security staff should know your systems, existing and planned Data flows should be understood and finely mapped This activity is key to privacy or threat/risk assessments Even if you are outsourcing, do this detailed work for any “in house” components or parts of the system/service

  33. WHEN YOU DO NOT OWN THE SYSTEM Do all you can to understand the vendor’s systems as well and completely as possible: Ask for detailed data flows, systems maps, etc. Have your IT / security staff meet the vendor’s Enter into NDAs as necessary to learn as much as possible But the vendor might not let you see enough for you to assess privacy/security to your satisfaction You will have to establish trust, …..based on assurances that you can verify

  34. CHECKING OUT THE VENDOR • Cloud or not, check: • Institutional procurement process/experts; • RFI, RFP, etc • Reference checks, • Information from other clients, • Letters of recommendation • Reputation, past record • Compliance with/breach of legislative requirements • Certifications • Interview the contractor

  35. SOME POSSIBLE VENDOR ASSURANCES Compliance with yourprivacy/security requirements Confidentiality; no information sale, tracking, data mining… Governing law … preferably Ontario No disclosures except as required by law Staff training, need-to-know access, confid. Agreements No third party contractors, or standards as for staff Data minimization Breach notification, investigation, remediation/mitigation Security; IT, physical, administrative/behavioural Periodic update and maintained currency of assurances Location of servers, data, etc, etc, etc…

  36. SECURING ASSURANCES A negotiation with your vendor, involving: Procurement IT/CIO staff Legal Privacy Other experts as required….

  37. ASSURANCES MUST BE VERIFIED Operational Audits Security Audits Active Security Testing Etc… All to be incorporated into your agreement(s)

  38. ORGANIZATIONAL SUGGESTIONS Keep it simple!! Use simple binary rules; -Confidential or not -Secured or not Provide clear guidance/rules --- avoid fuzzy lines, difficult distinctions If it’s not officially designated as public, it’s confidential If it’s electronic, keep it in a secure institutional server or keep it encrypted If it’s hard copy, keep in a locked cabinet inside a locked, non-public space Provost’s security guideline http://www.provost.utoronto.ca/policy/FIPPA_-_Guideline_Regarding_Security_for_Personal_and_Other_Confidential_Information.htm

  39. ORGANIZATIONAL SUGGESTIONS Know the Organization: Mission, purposes, rules How is it governed? How is it administered? Think like an executive….big picture Avoid becoming a “narrow” expert

  40. FREEDOM OF INFORMATION AND PROTECTION OF PRIVACY OFFICE Rafael Eskenazi – FIPP Director Tel: (416) 946-5835 E-Mail:rafael.eskenazi@utoronto.ca University of Toronto FIPP Office McMurrich Building, Room 201 12 Queen’s Park Crescent West Toronto, ON M5S 1A8 Fax: (416) 978-6657

More Related