Chapter 7: Privacy Impact Analysis (2009.4, 신수정)
1. Overview_ Meaning and Objectives
• Meaning of PIA: a process that helps newly developed information systems and similar initiatives satisfy basic privacy requirements.
• Objectives of PIA
  • Support management in making system-design decisions based on an understanding of privacy risks and the countermeasures that address them.
  • Ensure that accountability for privacy is explicitly included in the roles of project managers and project sponsors.
  • Provide assurance that a consistent, structured process exists for demonstrating that a new system complies, technically and legally, with government privacy regulations.
  • Provide assurance that privacy protection is included as a core requirement of business and IT projects.
  • Document the flows of personal information so that later verification, periodic review, and the incorporation of new privacy-protection requirements are easier.
1. Overview_ When a PIA Is Required
• When a PIA is required
  • At the approval that allows the detailed design phase to begin
  • At the approval of a funding request for system purchase or system development work
• Initiatives that trigger a PIA
  • Creation or modification of a database containing personal information
  • Definition of an identification and authentication scheme for various purposes
  • Any attempt to restrict or remove existing opportunities for anonymity or pseudonymity
  • Use of smart cards
2. Understanding Privacy
• What is privacy?
  • Privacy of the person: the integrity of an individual's body
  • Privacy of personal behavior: the right of privacy relating to such matters as sexual orientation, habits, political activity, and religious practice
  • Privacy of personal communication: the right to communicate with others without routine monitoring
  • Privacy of personal data (information privacy): the right to decide when, how, and to what extent you share personal information about yourself
• The core of information privacy
  • Freedom from surveillance
  • Surveillance: the systematic monitoring of an individual's activities or communications in order to collect information about them, their activities, or their associates
2. Understanding Privacy
• Personal information
  • (a) information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual;
  • (b) information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved;
  • (c) any identifying number, symbol or other particular assigned to the individual;
  • (d) the address, telephone number, fingerprints or blood type of the individual;
  • (e) the personal opinions or views of the individual except if they relate to another individual;
  • (f) correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence;
  • (g) the views or opinions of another individual about the individual; and
  • (h) the individual's name if it appears with other personal information relating to the individual or where disclosure of the name would reveal other personal information about the individual.
2. Understanding Privacy
• Risks
  • Failure to comply with regulations
  • Complaints
  • Loss of trust
  • Redesign of the system
• Privacy must therefore be considered from the earliest stage of design.
2. Understanding Privacy
• Risk management
  1) 1980 OECD Guidelines
    • ensuring public awareness and transparency (openness) of information policies and practices
    • establishing the necessity and relevance of the information collected
    • building in finality (establishing the uses of the information in advance and eventually destroying it)
    • identifying the person who has responsibility for protecting personal information within an organization
    • getting informed consent from the individual
    • maintaining accuracy and completeness of records
  • PIA
  • PET (privacy enhancing technology)
2. Understanding Privacy
• Common risks in program design
  • Data profiling/data linkage: combining unrelated personal information obtained from a variety of sources to create new information about individuals. Data linkage may be facilitated through the storing of personal information in centralized databases or by linking unrelated databases.
  • Transaction monitoring: tracking an individual's transactions with one or more programs. This usually results in the creation of new personal information describing an individual's overall experience with one or more programs.
  • Identification of individuals: ESD generally requires identification of individuals and authentication of that identity as a way of managing security risks. Surveillance risks exist where the use of common identifiers or identification systems facilitates data sharing, profiling, or transaction monitoring.
  • Physical observation of individuals: tracking the movement or location of individuals through the use of vehicle transponders, satellite locators, cameras, or mechanisms for recording individual use of kiosks.
  • Publishing or re-distributing public databases containing personal information: this might include publishing assessment rolls on the Internet or on compact disks, or publishing court records on the Internet. Electronic publishing frequently eliminates practical limits on the misuse of information, as it can be easily manipulated and used for purposes entirely unrelated to its intended use in manual form.
3. PIA Execution_Overview
• PIA procedure
  • Step 1 Project initiation: define the PIA scope; allocate team resources; select PIA tools
  • Step 2 Data analysis: business process diagram; define the personal information in the business processes; develop the detailed data flow of personal information
  • Step 3 Privacy analysis: complete the privacy checklist items; review the checklist answers; describe the privacy issues
  • Step 4 Report writing: identify privacy risks and assess them; define countermeasures for risk mitigation
• Early response to risk
  • Providing decision-makers with privacy risk factors and alternatives from the initial development stage makes continuous risk management possible
  • Reflecting privacy requirements from the design stage removes the difficulty of changing a completed system to meet those requirements
• Improved trust of customers, related agencies, and others
  • Demonstrates to privacy-sensitive customers, government agencies, etc. that privacy requirements have been addressed thoroughly
  • Externally, gives confidence about privacy
  • Internally, raises privacy awareness among project team members
3. PIA Execution_Overview
• System Development Lifecycle (project work streams and phases): Conceptual Design, Design, Build, Test, Implement, Evaluate
• PIA work, by phase: Conceptual PIA, Data Design PIA, End-to-End PIA
• Conceptual PIA
  • Extract potential privacy risks
  • Bring privacy risks to the surface
  • Define the privacy business requirements
  • Identify the relevant privacy programs and policies
• Design PIA
  1) Description of personal information: describe the personal information from the perspectives of collection, use, disclosure, storage, and retention
  2) Privacy analysis: evaluate whether the current description of personal information conforms to privacy laws and standards -> assessment of conformity with legal/standard requirements
  3) Privacy risk identification and recommendations -> privacy report
3. PIA Execution_Ontario
• Conceptual Analysis
  - Prepare a plain language description of the scope and business rationale of the proposed initiative
  - Identify in a preliminary way potential privacy issues and risks, and key stakeholders
  - Provide a detailed description of essential aspects of the proposal, including a policy analysis of major issues
  - Document the major flows of personal information
  - Compile an environment issues scan to review how other jurisdictions handled a similar initiative
  - Identify stakeholder issues and concerns
  - Assessment of public reaction
• Data Flow Analysis
  - Analyze data flows through business process diagrams, and identify specific personal data elements or clusters of data
  - Assess the proposal's compliance with privacy legislation, relevant program statutes, and broader conformity with general privacy principles
  - Analyze risk based on the privacy analysis of the initiative, and identify possible solutions
  - Review design options, and identify outstanding privacy issues/concerns that have not been addressed
  - Prepare a response for unresolved privacy issues
• Follow-up Analysis
  - Review and analyze the physical hardware and system design of the proposed initiative to ensure compliance with privacy design requirements
  - Provide a final review of the proposed initiative
  - Conduct a privacy and risk analysis of any new changes to the proposed initiative relating to hardware and software design to ensure compliance with privacy legislation, relevant program statutes, and broader conformity with general privacy principles
  - Prepare a communications plan
3. PIA Execution
• Conceptual analysis
  • What are the key issues, risks, and concerns?
  • Provides an overall understanding of what the proposed initiative intends to do and what privacy issues it raises
  • 1) Definition and description of the proposed initiative: scope, rationale, etc.
  • 2) Detailed description of the initiative's core areas: policy analysis of its key issues, including examination of the rationale/business case for using personal information; whether the business case truly requires personal information, whether anonymous data alone would suffice, whether new technology must be applied, etc.
  • 3) High-level flow of personal information: collection of information, processing, production of results, recording of data, etc.
  • 4) Environmental analysis of how others have handled similar issues
  • 5) Definition of stakeholder issues and concerns: what interests and concerns do stakeholders have about the protection of personal information in connection with this initiative?
  • 6) Understanding how the public reacts to initiatives that handle their personal information
3. PIA Execution
• Data Flow Analysis
  • 1) Analysis of data flows through business process diagrams
  • 2) Assessment of compliance through a structured privacy analysis
  • 3) Risk analysis based on the privacy analysis, and definition of countermeasures to address the risks
• Follow-up Analysis
  • Review whether the system design was built according to the actual privacy design requirements
  • Respond to changes
4. PIA Tool Kit-STEP 1
• Documenting the Data Flow
  • 1) Business flow diagrams
    • Flow charts: most useful for relatively simple applications. Flow charts provide a good general sense of program steps and data flows, along with an outline of the relationships among these elements and the progression between them.
    • Structured analysis: identifying the major steps in a program, and then breaking these steps down, according to function, until the project can be represented as a progression through a series of small steps. This is a good way of breaking very complex projects down into more manageable components.
    • Object-oriented analysis: combines the mapping of processes with a mapping of the data flows attached to those processes. It should set out the processes, the organization of these processes (i.e. the architecture), specify which data are being used, and where in each process they are being used.
4. PIA Tool Kit-STEP 1
• Documenting the Data Flow
  • 2) Detailed analysis of the data flow: shows how personal information is collected, used, and disclosed
4. PIA Tool Kit-STEP 1
• Documenting the Data Flow (tables A.3 to A.5)

A.3 List Regular Business Transactions That Disclose or Give Access to Personally Identifiable Data Records to:
Columns for each recipient: Yes | No | Limited Access | Full Access | Is a New PI Record Created as a result? Describe | Identify Custodian(s) of New PI Record Created | Is a Log of Access Transactions Created by One or Both Parties? If yes, identify Custodian(s). | What is the Authority for Disclosure under FIPPA?
Recipients:
• OPS program or systems staff
• OPS program auditors
• Other OPS systems staff
• Other OPS staff, e.g. staff of another program or ministry
• Dedicated contractor, e.g. a contractor who works solely for the program
• Generic service provider, e.g. a contractor who works for multiple ministries or programs simultaneously
• Client agent, e.g. solicitor, trustee, physician, or other service provider
• Financial institutions
• Financial transaction agents
• External contract auditors
• By legislative mandate to public or private agencies (name)
• Data marts/warehouses, other than when fully anonymized
• By Information Sharing Agreement (ISA) to intra/inter-governmental programs (name)
• To the public, or for sale to the public or commercial interests
• By ISA to non-governmental programs (name)
• To the client by self service in any media
• To the client via a 3rd party
• To the client via written program request
• Other

A.4 Note Irregular Business Transactions That Disclose or Give Access to Personally Identifiable Records to:
Same columns as A.3 (Yes | No | Limited Access | Full Access | Is a New PI Record Created? Describe | Identify Custodian(s) of New PI Record Created | Is a Log of Access Transactions Created by One or Both Parties? If yes, identify Custodian(s). | What is the Authority for Disclosure under FIPPA?)
Recipients:
• Recognized law enforcement (excluding police) agents per FIPPA, without a warrant or subpoena
• Other public sector program investigators, by data sharing agreement, on request
• Other disclosures

A.5 Identify any other PI record database or log produced by business or system transactions that is not listed elsewhere and is not under direct program custody or control. Include temporary and permanent record collections.
Columns: Record and contents | Under control of | In the custody of | Applicable privacy legislation and/or contractual privacy provisions
Examples: financial settlement provider(s) transaction logs, temporary update data stored in the system pending validation, call centre/help desk call logs, etc.
4. PIA Tool Kit-STEP 2
• Privacy analysis, organized by principle:
  • Accountability
  • Identifying Purposes
  • Limiting Collection
  • Consent
  • Limiting Use, Disclosure, and Retention
  • Accuracy
  • Safeguards
  • Openness
  • Individual Access
  • Challenging Compliance
4. PIA Tool Kit-STEP 2
• 1. Accountability: An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.
Checklist (each item is answered Yes or No):
• Has responsibility for the PIA been assigned to a Project Privacy Manager or other individual(s)?
• Where the custody or control of personal information will be transferred to other public or private sector partners as part of the project:
  • Has the chain of accountability been documented, up to and including the Minister's ultimate accountability as the head under FIPPA?
  • Are the performance requirements of the accountable parties comprehensively specified in a measurable way, and subject to specific performance or compliance reviews?
  • Where public and private sector partners are not subject to FIPPA, have independent third-party audit mechanisms been incorporated into performance and partnership agreements such that public accountability is assured?
  • Where public and private sector partners are not subject to FIPPA, has the option to schedule them under FIPPA been fully evaluated and documented?
  • Will the ministry be provided with the results of regularly scheduled audits and compliance checks on the privacy practices of external partners, and will those reports be made available to the program clients?
  • Have legal opinions been sought regarding:
    • Legislative authority to transfer ministry program delivery responsibilities to partners, including a consideration of the authority for partners to collect, use, disclose or retain personal information as necessary on behalf of ministries? and/or
    • Legislative authority to alter or limit in any material way the collection, use or disclosure of personal information as authorized by ministry program statutes and FIPPA for the purpose of delivering services through the partners? and/or
    • Legislative authority to set service standards and procedures for client authentication, and the legal authority to collect and use personal information for authentication purposes? and/or
    • Legislative authority to amend or modify the delegation or designation of statutory program functions to the partners?
  • Has the organization retained the legal or contractual right to develop mechanisms to determine whether personal information collected on its behalf is disclosed to third parties for any purposes?
  • Does the organization have specific audit and enforcement mechanisms that oversee the collection, use and disclosure of personal information by public or private sector partners?
4. PIA Tool Kit-STEP 2
• 2. Identifying purposes: The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
Checklist (each item is answered Yes or No):
• Has a clear relationship been established between the personal information to be collected and the program's functional and operational requirements?
• Have all options to minimize the routine collection of personal information been considered?
• Does the notice of collection contain the specific purposes, the legal authorities for collection, and the contact information for the official designated to respond to queries regarding the purposes of collection, or
• Is there documentation regarding a waiver of notice, or is notice not required as per a specific FIPPA exception?
• If there are secondary purposes that are not required to be included in the notice of collection (e.g. audit trail information, transaction validation, financial settlements), have these been documented elsewhere, such as in the Directory of Records, or attached to the record as per s. 46 of FIPPA?
• Is client consent sought for secondary uses of personal information, such as service monitoring?
• Is the notice of collection made available through all mediums of delivery (i.e. paper forms, counter, phone, automated telephone or kiosk service mediums), and does it identify:
  • the personal information to be collected,
  • the authority for its collection,
  • the principal purpose(s) for which it is collected,
  • the name, position, address and telephone number of a contact person?
• Does the notice of collection clearly distinguish between personal information collected for program purposes and personal information collected by partners for other purposes? Alternatively, are separate notices provided?
4. PIA Tool Kit-STEP 2
• 3. Consent: The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where otherwise permitted under FIPPA.
4. PIA Tool Kit-STEP 2
• 4. Limiting collection: The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
4. PIA Tool Kit-STEP 2
• 5. Limiting use, disclosure, and retention: Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
4. PIA Tool Kit-STEP 2
• 6. Accuracy: Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
4. PIA Tool Kit-STEP 2
• 7. Safeguards: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
4. PIA Tool Kit-STEP 2
• 8. Openness: An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
4. PIA Tool Kit-STEP 2
• 9. Individual access: Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
4. PIA Tool Kit-STEP 2
• 10. Challenging compliance: An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.
4. PIA Tool Kit-STEP 3
• Summarizing the results. The report contains:
  • a description of the proposal, including programs and/or partners involved, objectives, timing and key milestones, resource requirements, public benefits, and pointers to more detailed information about the proposal;
  • a list of relevant legislation that may have a bearing on privacy requirements, including program statutes, and relevant policies, including any applicable Management Board Directives;
  • the specific privacy risks relevant to the proposal;
  • the options that exist for addressing or mitigating those risks, along with the implications of each option;
  • an analysis of whether other jurisdictions, either in Canada or internationally, have addressed similar risks and whether their approaches were successful;
  • any residual risks that cannot be addressed through the proposed options and, where possible, an analysis of the likely implications of these residual risks in terms of public reaction and program success;
  • a proposed privacy communications strategy, if appropriate.
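As an added example (not part of the original slides or of the Ontario tool kit), the Step 1 inventory tables A.3/A.5 modelled as Python records, with the Step 2 principle checklist run over them to produce the risk findings that Step 3 summarizes. The record names, recipient categories, and the ISA reference in the sample data are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class PIRecord:            # one row of the A.5 inventory
    name: str
    purposes: List[str]                   # purposes stated in the notice of collection
    retention_days: Optional[int] = None  # None = no retention period defined

@dataclass
class Disclosure:          # one row of the A.3/A.4 tables
    record: str                           # PIRecord.name being disclosed
    recipient: str                        # recipient category, e.g. "Generic Service Provider"
    access: str                           # "limited" or "full"
    fippa_authority: Optional[str]        # authority for disclosure under FIPPA, None if undocumented
    access_logged: bool                   # is a log of access transactions created?
    creates_new_record: bool = False
    new_record_custodian: Optional[str] = None

Finding = Tuple[str, str, str]            # (Step 2 principle, subject, issue)

def privacy_analysis(records: List[PIRecord], disclosures: List[Disclosure]) -> List[Finding]:
    """Step 2: run the principle checklist over the Step 1 data-flow inventory."""
    out: List[Finding] = []
    known = {r.name for r in records}
    for r in records:
        if not r.purposes:
            out.append(("Identifying Purposes", r.name, "no purpose stated at collection"))
        if r.retention_days is None:
            out.append(("Limiting Use, Disclosure, and Retention", r.name, "no retention period"))
    for d in disclosures:
        subj = f"{d.record} -> {d.recipient}"
        if d.record not in known:
            out.append(("Accountability", subj, "disclosed record missing from A.5 inventory"))
        if d.fippa_authority is None:
            out.append(("Limiting Use, Disclosure, and Retention", subj, "no FIPPA authority documented"))
        if d.access == "full" and not d.access_logged:
            out.append(("Safeguards", subj, "full access without an access log"))
        if d.creates_new_record and not d.new_record_custodian:
            out.append(("Accountability", subj, "new PI record has no custodian"))
    return out

def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Step 3: count residual risks per principle for the PIA report."""
    counts: Dict[str, int] = {}
    for principle, _, _ in findings:
        counts[principle] = counts.get(principle, 0) + 1
    return counts

def sample_analysis():
    """Constructed sample inventory (placeholder names, not from any real program)."""
    records = [
        PIRecord("client licence file", ["issue licence"], 365),
        PIRecord("help desk call log", [], None),
    ]
    disclosures = [
        Disclosure("client licence file", "Generic Service Provider", "full",
                   "ISA-00 (constructed placeholder)", access_logged=True),
        Disclosure("client licence file", "Financial Institutions", "limited", None,
                   access_logged=False, creates_new_record=True),
    ]
    findings = privacy_analysis(records, disclosures)
    return findings, summarize(findings)
```

Each finding names the principle it falls under, so the summary maps directly onto the Step 2 headings used in the report.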
4. PIA Tool Kit-STEP 4 • Linkage to government management processes