Designing a Privacy Management System
International Security Trust & Privacy Alliance
(20 pages; uploaded by nathan-bennett, posted 18-Jan-2016)

Page 1: Title slide: Designing a Privacy Management System, International Security Trust & Privacy Alliance

Page 2:

Mr. Private I, system designer and charter member of the ISTPA Framework Committee, has been given a real challenge by one of his customers: Design a total privacy management system for ALL the corporate databases, which receive, hold, and transfer both customer and employee data, and in multiple jurisdictions! WHERE TO BEGIN???

[Diagram: PRIVACY MANAGEMENT]

Page 3:

[Diagram: Personal Information]

Mr. Private I decided to start at the center of the design challenge: The corporate databases containing the Personal Information. But, from his ISTPA tutorials, he knew that SECURITY was an essential element of privacy management….

Page 4:

[Diagram: Personal Information, enclosed by SECURITY]

The system components would need to draw on well-defined SECURITY functions, such as confidentiality, integrity, authentication, and access control. Now, what privacy management services are needed?

Page 5:

Since privacy deals with life cycle management of PI, I needed to fence off that PI data from the rest of the database….

[Diagram: Personal Information, fenced off, enclosed by SECURITY]

Page 6:

Looking ahead, I realized that the “fence” created a boundary and that any dialog about PI would have to cross that boundary. I gave it a name: AGENT. Dialog about PI is handled by the AGENT service…

[Diagram: Personal Information; AGENT at the fence boundary; enclosed by SECURITY]

Page 7:

The AGENT will need to interface to the world outside the database and interact with other system elements, so I created an INTERACTION service.

[Diagram: Personal Information; services AGENT, INTERACTION; enclosed by SECURITY]

Page 8:

Procedures, best practices, legislation, and jurisdictional mandates will govern the collection, access, and use of PI. A CONTROL service is needed to execute the particular privacy “policy” against the PI database….

[Diagram: Personal Information; services AGENT, INTERACTION, CONTROL; enclosed by SECURITY]

Page 9:

Privacy is the proper use of PI throughout its lifecycle, consistent with the permission of the subject and applicable laws/policies. As PI is collected and maintained, an AGREEMENT service is needed to arbitrate with the PI subject for permissible use of the PI….

[Diagram: Personal Information; services AGENT, INTERACTION, CONTROL, AGREEMENT; enclosed by SECURITY]

Page 10:

Reflect on the concept of “proper use of PI throughout its lifecycle”, which is a core management requirement of the definition of privacy. Subsequent use of PI by other system entities could involve transfer, linking, inference and even re-negotiation of permissions. I added a USAGE service for that purpose….

[Diagram: Personal Information; services AGENT, INTERACTION, CONTROL, AGREEMENT, USAGE; enclosed by SECURITY]

Page 11:

PI is “personal” information about the subject. Since the use of the PI is to be “proper” and “consistent with the permission of the subject and applicable laws/policies”, the subject should be able to access, review, and possibly correct PI about the subject held by another entity. Thus, the ACCESS Service…

[Diagram: Personal Information; services AGENT, INTERACTION, CONTROL, AGREEMENT, USAGE, ACCESS; enclosed by SECURITY]

Page 12:

Given the assumed value of PI collected in the database, the privacy management system should make every effort itself to check the accuracy of PI at any point in its life cycle. The VALIDATION service does the checking, through the AGENT service.

[Diagram: Personal Information; services AGENT, INTERACTION, CONTROL, AGREEMENT, USAGE, ACCESS, VALIDATION; enclosed by SECURITY]

Page 13:

“Users” should have the proper credentials to use the system. The CERTIFICATION service will manage and check those credentials for any entity involved in processing PI.

[Diagram: Personal Information; services AGENT, INTERACTION, CONTROL, AGREEMENT, USAGE, ACCESS, VALIDATION, CERTIFICATION; enclosed by SECURITY]

Page 14:

The privacy management system needs its own “watchdog” to record, maintain, and report any and all relevant events in order to subsequently confirm compliance. For that reason, I added the AUDIT service.

[Diagram: Personal Information; services AGENT, INTERACTION, CONTROL, AGREEMENT, USAGE, ACCESS, VALIDATION, CERTIFICATION, AUDIT; enclosed by SECURITY]

Page 15:

What should happen IF the system fails in some aspect of privacy management or violates an accepted tenet of the system? The ENFORCEMENT service handles redress in such cases.

[Diagram: Personal Information; services AGENT, INTERACTION, CONTROL, AGREEMENT, USAGE, ACCESS, VALIDATION, CERTIFICATION, AUDIT, ENFORCEMENT; enclosed by SECURITY]

Page 16:

PI SUBJECTS will interact with the system, as well as PI REQUESTORS.

[Diagram: Personal Information; services AGENT, INTERACTION, CONTROL, AGREEMENT, USAGE, ACCESS, VALIDATION, CERTIFICATION, AUDIT, ENFORCEMENT; enclosed by SECURITY; SUBJECT and REQUESTOR outside the system]

Page 17:

WHEW! Mr. Private I needed a rest after all that design. I had identified 10 privacy SERVICES, but how did they work together to create an operational privacy management system? I needed to experiment with a few Use Cases…

[Diagram: Personal Information; services AGENT, INTERACTION, CONTROL, AGREEMENT, USAGE, ACCESS, VALIDATION, CERTIFICATION, AUDIT, ENFORCEMENT; enclosed by SECURITY; SUBJECT and REQUESTOR outside the system]

Page 18:

I started simple: Consider an employer application like Payroll that requests certain PI from an employee…

[Diagram: Personal Information; services AGENT, INTERACTION, CONTROL, AGREEMENT, USAGE, ACCESS, VALIDATION, CERTIFICATION, AUDIT, ENFORCEMENT; enclosed by SECURITY; SUBJECT and REQUESTOR outside the system]

Page 19:

Through the employer AGENT and INTERACTION, a NOTICE of the purpose and use of the requested PI is presented to the SUBJECT. The PI, together with the permissible purpose/use, is submitted for VALIDATION, then stored in the PI database by CONTROL. Through CONTROL, PI is shared with the REQUESTOR.

[Diagram: Personal Information; services AGENT, INTERACTION, CONTROL, AGREEMENT, USAGE, ACCESS, VALIDATION, CERTIFICATION, AUDIT, ENFORCEMENT; enclosed by SECURITY; SUBJECT and REQUESTOR outside the system; labelled flows: NOTICE to the SUBJECT, PI from the SUBJECT into the database, PI to the REQUESTOR]
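The Payroll use case above, as an added example that is not from the ISTPA deck: a minimal Python model of the PI "fence" in which every entry or release of PI passes through the AGENT boundary, is checked by CERTIFICATION, AGREEMENT, VALIDATION and CONTROL, and is recorded by AUDIT. The class and method names, the two requestors and the PI values are constructed assumptions for illustration; USAGE, ACCESS and ENFORCEMENT are not modelled.

```python
from dataclasses import dataclass

@dataclass
class PIRecord:                      # PI inside the fence, bound to agreed purposes
    subject: str
    data: dict
    permitted_purposes: frozenset

class PrivacyManager:                # AGENT boundary: the only path PI crosses
    def __init__(self, certified_requestors):
        self._store = {}                              # the fenced-off PI database
        self._certified = dict(certified_requestors)  # CERTIFICATION: requestor -> purposes
        self.audit = []                               # AUDIT: every relevant event

    def _log(self, event, **details):
        self.audit.append({"event": event, **details})

    def collect(self, subject, data, notice_purposes, subject_consents):
        """NOTICE, then AGREEMENT, then VALIDATION; CONTROL stores the PI."""
        self._log("notice", subject=subject, purposes=sorted(notice_purposes))
        if not subject_consents:
            self._log("agreement_declined", subject=subject)
            return False
        # VALIDATION: reject empty or non-string values before anything is stored
        if not all(isinstance(v, str) and v.strip() for v in data.values()):
            self._log("validation_failed", subject=subject)
            return False
        self._store[subject] = PIRecord(subject, dict(data), frozenset(notice_purposes))
        self._log("stored", subject=subject, purposes=sorted(notice_purposes))
        return True

    def request(self, requestor, subject, purpose):
        """CONTROL releases PI only if CERTIFICATION and AGREEMENT both cover the purpose."""
        if purpose not in self._certified.get(requestor, ()):
            self._log("denied_certification", requestor=requestor, purpose=purpose)
            return None
        rec = self._store.get(subject)
        if rec is None or purpose not in rec.permitted_purposes:
            self._log("denied_agreement", requestor=requestor, subject=subject, purpose=purpose)
            return None
        self._log("released", requestor=requestor, subject=subject, purpose=purpose)
        return dict(rec.data)   # a copy: PI never leaves the fence by reference

def payroll_use_case():
    # Constructed data: Payroll is certified for its purpose; Marketing is certified but never agreed to.
    pm = PrivacyManager({"payroll": {"salary_payment"}, "marketing": {"campaign"}})
    ok = pm.collect("alice", {"bank_account": "CONSTRUCTED-IBAN"}, {"salary_payment"}, True)
    released = pm.request("payroll", "alice", "salary_payment")
    denied = pm.request("marketing", "alice", "campaign")
    return ok, released, denied, [e["event"] for e in pm.audit]
```

The audit trail is what lets compliance be confirmed afterwards: the Marketing request is refused because the purpose was never part of the subject's agreement, even though Marketing's credentials were valid.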

Page 20:

(ADDITIONAL USE CASES…)

[Diagram: Personal Information; services AGENT, INTERACTION, CONTROL, AGREEMENT, USAGE, ACCESS, VALIDATION, CERTIFICATION, AUDIT, ENFORCEMENT; enclosed by SECURITY; SUBJECT and REQUESTOR outside the system]