privacy for practitioners—real case studies illustrating privacy policy development and impact...

United StatesDepartment of Justice

Privacy for Practitioners—Real Case Studies Illustrating Privacy Policy Development and

Impact AssessmentFebruary 5, 2013

Cabell Cropper Christina M. AbernathyNational Criminal Justice Association Institute for Intergovernmental Research

Diana Graski Becki GogginsNational Center for State Courts State of Alabama

2013 Criminal Justice Information Forum on Data Exchange and Information Sharing Standards and Models


2

Topics• Privacy overview• Global privacy resources• Illinois privacy resources• Global success stories• Keys to success• Technical privacy case studies and success stories


3

Privacy OverviewWhat is privacy?

• Privacy refers to individuals’ interests in preventing the inappropriate collection, storage, use, and release of personally identifiable information

• Privacy, as it relates to information sharing, concerns information whose confidentiality is enforceable by law or social norms


4

Privacy OverviewCivil Liberties Are Civil Rights Are

The fundamental individual rights or freedoms, such as the freedom of speech, press, assembly, and religion, the right to due process and a fair trial, as well as the right to privacy and other limitations on the power of the government to restrain or dictate the actions of individuals

The rights and privileges of citizenship and equal protection that the state is constitutionally bound to guarantee all citizens regardless of race, religion, sex, or other characteristics unrelated to the worth of the individual

Involve restrictions on government Civil rights involve positive or affirmative government action

Together, they are the legal protections that safeguard individual freedom and ensure equal treatment under the law!


5

Privacy Overview

What Is a Privacy Policy?

What Is the Purpose of a Privacy Policy?


6

Privacy Overview

What Is the Difference Between a

Privacy Policy and a Security Policy?


7

Privacy OverviewWhy do you need a privacy policy?• “the public’s acceptance of an integrated justice information system is related to its

confidence that the government is taking measures to protect individual’s privacy interests”

• There is “a need to educate the public as to what information about citizens is available in the justice system and what is available to the public”

• “Privacy issues are raised when the government collects information about individuals for investigatory purposes absent any suspicion of criminal wrongdoing . . . mere collection of personally identifiable victim and witness information raises genuine privacy concerns . . . factors should be identified to balance the amount of data collected to address privacy concerns while still meeting legitimate law enforcement needs”

• “A sound privacy policy should clearly identify appropriate uses of the information contained in the information system”

‒ IIJIS’ Privacy Issues Confronting the Sharing of Justice Information in an Integrated Justice Environment


8

Privacy Overview

Reasons for Having a Privacy Policy

It’s the Right Thing to Do!


9

What Can Happen Without a Privacy Policy?• Effects of Improper Practices

– Tarnish an individual’s reputation– Personal or financial injury to individuals– Loss of ability to share information– Lawsuits and paying settlements or judgments– Loss of public support and confidence– Loss of funding and resources– Getting shut down– Decline in morale


10

From Privacy to Information Quality• The collection and sharing of poor quality information raises

serious privacy concerns because the two concepts are inherently linked

• Quality information plays an extremely important role in the protection of the privacy rights of individuals

• Through cross-collaboration among local, state, tribal, and federal justice entities, information is shared to form the records that underlie justice decision-making

• As cross-collaboration increases, it is imperative that justice entities address the quality of the information shared


11

From Privacy to Information Quality

How Can You Develop and Implement

Privacy and Information Quality Policies

and Procedures?


Global Privacy Resources


13

Global Justice Information Sharing Initiative—or “Global”• Federal advisory body to nation’s chief law enforcement officer, the

U.S. Attorney General (AG)• Supported by the Bureau of Justice Assistance (BJA) and the Office of

Justice Programs (OJP), U.S. Department of Justice (DOJ)• Representatives from across the justice landscape, affecting the work of

more than 1.2 million justice professionals • Global’s Advisory Committee (GAC) working groups, councils, and task

teams are formed around timely justice issues:– Intelligence– Infrastructure, standards, security– Business solutions– Privacy and information quality


14

Global Privacy Resources Booklet• A road map to help justice entities

navigate the diverse privacy resources available today

• Structured to help determine which products to use when and for what purpose

• Products are grouped according to their use at each step of a Privacy Program Cycle

• All Global Privacy Resources are available online at www.it.ojp.gov/privacy


15

Global Privacy Resources• Step 1. Educate and Raise Awareness

– Executive Summary for Justice Decision Makers: Privacy, Civil Rights, and Civil Liberties Program Development

– 7 Steps to a Privacy, Civil Rights, and Civil Liberties Policy


16

Global Privacy Resources • Step 2. Assess Agency Privacy Risks

– Guide to Conducting Privacy Impact Assessments for State, Local, and Tribal Justice Entities (or “PIA Guide”)


17

Global Privacy Resources • Step 3. Develop the Privacy Policy

– Privacy, Civil Rights, and Civil Liberties Policy Development Guide for State, Local, and Tribal Justice Entities (Global Privacy Guide)

– Privacy, Civil Rights, and Civil Liberties Policy Development Template for State, Local, and Tribal Justice Entities (SLT Policy Development Template)


18

Global Privacy Resources • Step 4. Perform a Policy Evaluation

– Privacy, Civil Rights, and Civil Liberties Policy Development Template for State, Local, and Tribal Justice Entities: Policy Review Checklist


19

Global Privacy Resources• Step 5. Implement and Train

– Coming Soon! Establishing a Privacy Officer Function Within a Justice or Public Safety Entity: Recommended Responsibilities and Training

– The Importance of Privacy, Civil Rights, and Civil Liberties Protections in American Law Enforcement and Public Safety DVD—or “Line Officer Video”


20

Global Privacy Resources • Step 5. Implement and Train

– Implementing Privacy Policy in Justice Information Sharing: A Technical Framework

– Privacy, Civil Rights, and Civil Liberties Compliance Verification for the Intelligence Enterprise

– Recommendations for First Amendment-Protected Events for State and Local Law Enforcement Agencies (and reference card)

– Criminal Intelligence Systems Operating Policies (28 CFR Part 23) Online Training


21

Global Privacy Resources• Step 6. Conduct an Annual Review

– Privacy, Civil Rights, and Civil Liberties Policy Development Template for State, Local, and Tribal Justice Entities:Policy Review Checklist


22

Global’s Information Quality (IQ) Series

– Information Quality: The Foundation for Justice Decision Making

– 9 Elements of an Information Quality Program

– Information Quality Self-Assessment Tool

– Information Quality Program Guide– Available online at

www.it.ojp.gov/IQ_Resources


23

Illinois Privacy Resources• Where do I look for existing privacy policies?

– Employee handbooks– Concept of operations manuals– Standard operating procedures– Security manuals– Memoranda of understanding– User agreements– State and federal statutes


24

Illinois Privacy Resources• Local examples of privacy

standards and recommendations:

• IIJIS’ Privacy Policy Guidance, www.icjia.state.il.us/iijis/

• Illinois State Police Academy curriculum


25

Illinois Privacy Resources

IIJIS Privacy Policy Subcommittee’s charge:“Developing policies to ensure that the enhanced sharing of justice information made possible through advancing information technologies is carried outin accordance with Illinois law and its citizens’ reasonable expectation of privacy”


26

Illinois Privacy ResourcesExcerpt from IIJIS’ Mission:

“Through integrated justice information sharing we will enhance the safety, security, and quality of life in Illinois; improve the quality of justice, the effectiveness of programs, and the efficiency of operations; and ensure informed decision-making, while protecting privacy and confidentiality of information”

Strategic Issue 3: Serve justice, public safety, and homeland security needs while protecting privacy, preventing unauthorized disclosures of information, and allowing appropriate public access


27

Illinois Privacy Resources• July 27, 2010—Illinois Statewide Terrorism Intelligence

Center, Illinois State Police, successfully finalized its comprehensive privacy policy, fully meeting all ISE Privacy Guidelines and DHS standards


28

Illinois Privacy Resources• March 11, 2011—Chicago Crime Prevention and

Information Center, Chicago Police Department, finalized a comprehensive privacy policy that fully met the Information Sharing Environment (ISE) Privacy Guidelines and federal standards set by the U.S. Department of Homeland Security (DHS)


Global Success Stories


30

Global Success StoriesConnect South Dakota—NGA Privacy TA Effort “Using Global Resources, such as the SLT Policy Development Template, we were able to ‘Connect South Dakota’ (Connect SD) law enforcement in a statewide data exchange project, while ensuring the privacy rights and civil liberties of the citizens we serve. Upon completion of the Connect SD privacy policy, it was important to ensure our officers were trained on privacy protections. To accomplish this goal, we utilized Global’s line officer training video and First Amendment-protected event resources”

—Bryan Gortmaker, DirectorSouth Dakota Division of Criminal Investigation


31

Global Success StoriesCONNECT Consortium—NGA Privacy TA Effort“For several years, the Alabama Criminal Justice Information Center (ACJIC) has been involved in a multi-state initiative—called CONNECT—which has served as a proof-of-concept for sharing rich criminal justice information across state lines. Since its inception, the CONNECT leadership has recognized the importance of adopting a strong privacy and civil liberties policy to govern usage of CONNECT. Thanks to the Global SLT Policy Development Template and the Global Privacy Impact Assessment Guide, CONNECT was able to craft a model policy to meet the needs of the member states (Alabama, Kansas, Nebraska and Wyoming). Despite the fact that each state has its own set of governing laws and policies concerning the sharing of criminal justice information, the Global templates were robust enough to allow for the creation of a single policy to govern CONNECT usage” —Maury Mitchell, Director, Alabama Criminal Justice Information Center


32

Global Success Stories• Hawaii Integrated Justice Information Sharing (HIJIS)

Program—NGA Privacy TA Effort• Indiana Data Exchange (IDEx)• 77 DHS Designated Fusion Centers and 15 Regional Nodes


33

Global Success StoriesAlabama Fusion Center “DOJ’s OJP Web site pertaining to Global Privacy Resources, www.it.ojp.gov/privacy, is an amazing resource and I highly recommend it to anyone that wants to learn more about privacy, civil rights, and civil liberties. The site is designed to help with all aspects of the Privacy Program Cycle, including providing all the materials necessary to develop a comprehensive privacy policy or to evaluate an existing policy. As a relatively new Fusion Center Director, privacy was one of the first areas that I focused on and this site provided all the materials necessary to help create our program. Thanks to the DOJ subject matter experts who developed this site!” —Joe B. Davis, Ph.D., Director, Alabama Fusion Center


34

Keys to Success• Executive sponsorship• Input from stakeholders• Designation of privacy officer• Ongoing training and review


35

Technical Privacy: Resources and Success Stories• Business drivers for technical privacy enforcement:

– From user’s perspective, too many user IDs and rules to manage– From technologist’s perspective, too many users and rule

changes to manage– From enterprise’s perspective, policy experts cannot manage

policy’s implementation in applications and cannot reasonably audit for compliance

• Solution: Global’s Privacy Policy Technical Framework


36


37


38

Benefits of External Authentication• From a user’s perspective, single sign-on• From a technologist’s perspective, application no longer

contains user sign-on logic, and user tables are managed elsewhere

• From the enterprise’s perspective, trusted, shared standards for identity proofing and provisioning and deprovisioning users


39


40

Benefits of External Authentication• From a user’s perspective, not much impact• From a technologist’s perspective, application no longer

contains authorization logic• From the enterprise’s perspective, policy experts now

manage access-control policies, revised policies are implemented immediately across the suite of applications, and compliance tools can be implemented on audit data


41

Learn More: TechnicalPrivacyTraining.org• Executive briefing video• Interactive primer (seven 15-minute modules)• Readiness assessment (with case studies, surveys, and

tailored recommendations for next steps)• Implementation Guide (for your developers, with XACML

lessons and a virtual machine)• Resources• Request for technical assistance


Questions?

privacy for practitioners—real case studies illustrating privacy policy development and impact...

Documents

personal privacy

privacy policy development

comprehensive privacy

security policy

civil liberties policy

disposition information

intelligence information

concerns information