‘Saying what you do and doing what you say’: Arguments and Prospects for an International Privacy Standard

29e Confrence internationale des commissaires à la protection de la vie prive

‘Saying what you do and doing what you say’: Arguments and Prospects for an International Privacy Standard Colin J. Bennett Department of Political Science University of Victoria, BC. cjb@uvic.ca Robin Bayley Linden Consulting Inc. Victoria, BC. rmbayley@shaw.ca 29e Confrence internationale des commissaires à la protection de la vie prive

Why organizations registered to ISO 9001 should have better personal information management • Awareness of their operating systems and personal data holdings • Staff training • Must think through and address regulatory requirements • Ability to capitalize on outside expertise, through conformity assessment process 29e Confrence internationale des commissaires à la protection de la vie prive

Requirements of a Privacy Management Standard • Translation of Fair Information Principles into language and format of standards • Provision of guidance for implementing the principles in organizations • Appropriate conformity assessment tools for business size and data sensitivity • Audit guide • Accreditation system for privacy auditors 29e Confrence internationale des commissaires à la protection de la vie prive

Overlap between quality management and data protection • Transparency of policy and purpose • Procedures for interaction with data subjects • Complaints resolution • Access and correction requests • Consent provision and withdrawal • Personal data management procedures • Data security • Data quality • Data retention 29e Confrence internationale des commissaires à la protection de la vie prive

Motivations for adoption of privacy standards • Through Educational and Regulatory Powers of Data Protection Authorities • Through Desire for Competitive Advantage • Through Referencing the Standard in Contracts 29e Confrence internationale des commissaires à la protection de la vie prive

Initiatives for Privacy Management Standardization • National Standards Bodies • Canadian Standards Association (CSA) • American National Standards Institute (ANSI) • International Standardization Organization (ISO) • Work of JTC-1 of ISO and International Electro-Technical Commission (IEC) • European Committee for Standardization/Information Society Standardization System (CEN/ISSS) • International Security, Trust, and Privacy Alliance (ISTPA). 29e Confrence internationale des commissaires à la protection de la vie prive

John Hopkinson ISSPCS-Prac CISSP ISP CDRP Security Strategist, EWA /IIT President ISSEA Chair CAC-JTC1/TCIT Standards Briefing 29e Confrence internationale des commissaires à la protection de la vie prive

ISO/IEC JTC 1 • JTC 1 is unique • It is a hybrid of both ISO and IEC • 30% of customers are other standards developers • It produces “Base Standards” • It must always assume the “worst case” • Has been developing standards related to Privacy for the last 7 to 10 years 29e Confrence internationale des commissaires à la protection de la vie prive

ISO/IEC JTC 1/SC 17 • Concerned with privacy related to card technology applications • Includes data on smart & optical cards • Not currently reviewing standards for privacy • The chair authored two Privacy Impact assessments for advanced card technologies 29e Confrence internationale des commissaires à la protection de la vie prive

ISO/IEC JTC 1/SC 27 • Created a new WG for Privacy, projects on • A Privacy Framework • A Privacy Reference Architecture • Privacy infrastructures • Anonymity and credentials • Specific Privacy Enhancing Technologies (PETs) • Privacy Engineering 29e Confrence internationale des commissaires à la protection de la vie prive

ISO/IEC JTC 1/SC 31 • Develops standards for RFID • Is starting to consider Privacy • Added the “Kill bit” function to the ISO/IEC 18000-6 standard • Memory blocks include password protection 29e Confrence internationale des commissaires à la protection de la vie prive

ISO/IEC JTC 1/SC 32 • Standards for data mgt and interchange including e-commerce • Deal with e-Business, Metadata, Database Languages, & SQL Multimedia & Application Packages • Recognizes “individual” as a sub-type of Person, have rights which e-Business standards must support 29e Confrence internationale des commissaires à la protection de la vie prive

ISO/IEC JTC 1/SC 36 • Standards of Learning, Education & Training • Support for legal requirements • Surveying members for specifics of National requirements • Most important standard • ISO/IEC 24751 Individualized Adaptability and Accessibility in e-Learning, Education and Training 29e Confrence internationale des commissaires à la protection de la vie prive

ISO/IEC JTC 1/SC 37 • Develop standards for Biometrics • Has started to consider Privacy • Working on • Cross-Jurisdictional and Societal Aspects of Implementation of Biometric Technologies • Guide to the Accessibility, Privacy and Health and Safety Issues in the deployment of Biometric Systems for Commercial Application 29e Confrence internationale des commissaires à la protection de la vie prive

Other Standards Development • Several Consortia are active, including • ISSEA • ISTPA • OASIS • OMG • W3C • Likely several others 29e Confrence internationale des commissaires à la protection de la vie prive

Canadian Privacy Standardization Strategy • 21 & 22 Feb 2007; OPC, CSA, SCC, CGSB • Privacy Standardization Roadmap • What is available & What is needed • Workshop Report • +, Special Needs, Conformance, sharing Best Practices,Timing critical, Engagement 29e Confrence internationale des commissaires à la protection de la vie prive

ISSUES • ISO/IEC JTC 1 and others • A lack of coordination of Privacy activities • No real focal point for Privacy work • Lack harmonized privacy principles • Need Privacy community & technical standards cooperation 29e Confrence internationale des commissaires à la protection de la vie prive

Making Privacy Operational Updating the ISTPA Privacy Framework John T. Sabo President, International Security Trust and Privacy Alliance (ISTPA) Director Global Government Relations CA, Inc. 29e Confrence internationale des commissaires à la protection de la vie prive

What is the ISTPA? • The International Security, Trust, and Privacy Alliance (ISTPA), founded in 1999, is a global alliance of companies, institutions and technology providers working together to clarify and resolve existing and evolving issues related to security, trust, and privacy. • ISTPA’s focus is on the protection of personal information (PI) • See www.istpa.org ISTPA

Privacy Reality: Complex, Challenging National Security Technology Evolving nature and concepts of Privacy Global Laws Regulations Standards Information Society Industry Rapid Change Digital Economy 29e Confrence internationale des commissaires à la protection de la vie prive Forces

Global Privacy Laws and Policies – Wide Variance OECD Privacy Principles Fair Information Practices HIPAA APEC Privacy Framework EU Data Directive U.S. Privacy Act CSA Model Code 29e Confrence internationale des commissaires à la protection de la vie prive

ISTPA’s Perspective on Privacy • Operational - Solution Focus • Migrate to privacy engineering discipline • Privacy framework supporting full privacy lifecycle • Not a policy framework – rather this is a technical framework for business processes and supporting IT systems • Platform for multidisciplinary collaboration • Must address variations in law and policies • Industry Specific Use Cases ISTPA

ISTPA Framework v 1.1 Concepts • An open, policy configurable set of collaborating services and capabilities used to guide the analysis, design and implementation and assessment of privacy solutions and infrastructure • An architectural approach that provides a template usable by IT architects and program managers to develop interoperable applications 29e Confrence internationale des commissaires à la protection de la vie prive

ISTPA Privacy v 1.1 Framework Services • Control – policy – data management • Certification – credentials, trusted processes • Interaction - manages data/preferences/notice • Negotiation – of agreements, rules, privileges • Agent – software that carries out processes • Usage – data use, aggregation, anonymization • Audit – independent, verifiable accountability • Validation - checks accuracy of PI • Enforcement – including redress for violations • Access - subject correct/update PI 29e Confrence internationale des commissaires à la protection de la vie prive

ISTPA Framework Submitted as ISO Publicly Available Specification • Submitted by ISSEA (International Systems Security Engineering Association) in October 2003 - 2004 • Balloting was to close December 11, 2004 • Caused significant discussion, including Privacy Technology Study Group under ISO JTC-1 • Withdrawal requested November 22, 2004for additional work 29e Confrence internationale des commissaires à la protection de la vie prive

Recent Work: “Analysis of Privacy Principles: Making Privacy Operational” • Select representative global privacy laws & directives • Analyze disparate language, definitions and expressed requirements • Parse expressed requirements into working set of privacy “principles” • Cross-map and derive common and unique requirements 29e Confrence internationale des commissaires à la protection de la vie prive

The Privacy Act of 1974 (U.S.) OECD Privacy Guidelines UN Guidelines EU Data Protection Directive Canadian Standards Association Model Code Health Insurance Portability and Accountability Act (HIPAA) US FTC Fair Information Practice Principles US-EU Safe Harbor Privacy Principles Australian Privacy Act Japan Personal Information Protection Act APEC Privacy Framework California Security Breach Bill Selected Laws, Directives, Codes 29e Confrence internationale des commissaires à la protection de la vie prive

Accountability Notice Consent Collection Limitation Use Limitation Disclosure Access & Correction Security/Safeguards Data Quality Enforcement Openness Additionally: Anonymity Data Flow Sensitivity Derived Core Privacy Principles 29e Confrence internationale des commissaires à la protection de la vie prive

definition of the personal information collected its use (purpose specification) its disclosure to parties within or external to the entity practices associated with the maintenance and protection of the information options available to the data subject regarding the collector’s privacy practices changes made to policies or practices information provided to data subject at designated times and under designated circumstances Example: “Notice Principle” Includes: 29e Confrence internationale des commissaires à la protection de la vie prive

Next Steps: Path to ISTPA Privacy Framework v 2.0 • Use Analysis study to evaluate existing Framework – full document available online • Analysis being used by external organizations • Complete expansion of Framework functions, including function labeling • Continue collaboration with ISSEA on security mapping • Continue development of Master Toolset project to make Framework more accessible and usable • Expected draft v 2.0: 2008 29e Confrence internationale des commissaires à la protection de la vie prive

Questions? john.t.sabo@ca.comwww.istpa.org 29e Confrence internationale des commissaires à la protection de la vie prive

‘Saying what you do and doing what you say’: Arguments and Prospects for an International Privacy Standard

‘Saying what you do and doing what you say’: Arguments and Prospects for an International Privacy Standard

Presentation Transcript

PowerPoint Lesson 1 PowerPoint Basics

PowerPoint Tutorial 1 Creating a Presentation

NEGAUNEE TOWNSHIP WELLHEAD PROTECTION POWERPOINT PRESENTATION

The following 10 slides represent a Sample Preview from this Training Presentation

NATIONAL CONFRENCE ON AGRICULTURE FOR KHARIF COMPAIGN - 2007

PowerPoint

PowerPoint

eLearning Presentation

Intro to PowerPoint 2007

PowerPoint: Presentation Tips

The Effective Use of PowerPoint Presentation in Teaching Japanese

PowerPoint Chapter 1

PowerPoint Presentation