ayala mar23

§ ©2015 ProQuest LLC. All rights reserved.

Ask “How should we use that data?”Not just “How could we use that

data?”

Daniel Ayala, Director Global Information Security


§ We are working to create a process that lets us examine and confirm appropriate care of privacy of data that is collected, used and shared.

§ As data can be powerful when used in different combinations, this goes beyond just collection of elements, but the permutations that are used for analysis.

§ Through questions asked, we can get a better understanding of the use, the benefit and the risks, and make a decision on how/if to proceed.

§ This is a work in progress, but is on its way. We hope to implement these concepts, as they are finally derived later in 2016.

Overview

2


§ Privacy by design in application development§ Data use inventory, scrutiny and approval§ Transparent, clear notification to users of data collection

and use§ Provide basic unauthenticated services, where possible§ Opt-in for advanced services and related data collection

as the general rule§ Secure the data appropriately, destroy the data when

done

Guidance

3


§ Some data will always be collected; it’s the nature of online services. – Collection alone does not equal violation of user

privacy, especially if explicit approval to use is given by the user.

§ The underlying primary goal is to assist the missions of the researcher, library or author in achieving their missions.

§ Guiding principles will define the rules of data collection, use and sharing.

§ If you collect it, use it wisely, protect it and get rid of it when you don’t need it any longer.

The Up-Front Thinking

4


§ http://www.niso.org/apps/group_public/download.php/16064/NISO%20Privacy%20Principles.pdf

§ http://www.ala.org/advocacy/library-privacy-guidelines-e-book-lending-and-digital-content-vendors

NISO & ALA as Models

5


§ What do you plan to use the data for?

§ Why do you need this data?

§ Who benefits from using this data in this way?

§ Are we already collecting similar data today?

§ What regulations are in effect on this data?

§ What geography is data being collected from?

– Global, EU, US, etc.

§ Who will see the data?

§ How long will you retain the data?

§ Can the data be aggregated and still be materially useful to the intended purpose?

§ How will the data be effectively de-personalised?

§ How will you notify users of the collection of the data?

§ How will the data be protected?

§ What are the data combinations and what do they offer?

§ Is it “right” to collect and use this data? Does it align with our mission?

§ Are there any ethical concerns about the date being?

Questions To Be Asked

6


Different Data CombosDifferent Risks

7

CheckOuts ZIP Birth

Day Name

CheckOuts ZIP Name

Search Hist IP Email

SearchHist IP


§ Helping user further their own research§ Helping libraries support their patrons§ Helping authors and publishers provide useful

content

Benefits as Basis for Reviews

8


§ Devise appropriate access to data

– Least privilege

– Revisit rights frequently

§ Encrypt it! Both in motion and at rest

§ Log all the access, and review the logs regularly

§ Audit your suppliers to your standards

§ Educate the users that use the data

– Trust, but verify

§ Be ready for a compromise

– It’s not IF it’s WHEN

– Protect the data as though you guarantee it will be taken

– Incident response & communications plan beforehand!

Protect the Data

9


§ In Monday’s Apple product keynote, a section was devoted to privacy of data

§ A Reuter’s article1 released at the same time chronicled the internal ”privacy czar” review and scrutiny process within Apple

§ Apple has employed a similar review process prior to data being collected and/or used

§ Apple has been clear about their commitment to privacy

Validation of Approach

10

"Customers expect Apple and other technology companies to do everything in our power to protect their personal information.” -Tim Cook

[1] http://www.reuters.com/article/us-apple-encryption-privacy-insight-idUSKCN0WN0BO

ayala mar23

Education