university of toronto basic privacy january 24, 2012
TRANSCRIPT
University of TorontoUniversity of Toronto
Basic Privacy Basic Privacy
January 24, 2012January 24, 2012
PRIVACYPRIVACY
1. What is it?
2. Why does it matter?
3. How does it work?
4. How is it regulated?
5. What should you do?
PRIVACY: WHAT IS IT? PRIVACY: WHAT IS IT? PERSONALPERSONAL INFORMATIONINFORMATION IS… IS…
INFORMATION ABOUT AN IDENTIFIABLE INDIVIDUAL,
including, but not limited to; ethnic origin, race, religion, age, sex, sexual orientation, education, financial, employment, medical, psychiatric, psychological or criminal information, identifying numbers; S.I.N., home address, home phone number, photos, videos, identifiable recordings of individual, name appearing with / revealing other personal information etc.
NOT if acting in business or professional capacity eg. name, position, routine work information
IDENTIFIABILITY; SPECIAL CASESIDENTIFIABILITY; SPECIAL CASES
Aggregated/statistical data usually not individually linkable BUT
ABSENCE OF NAMES OR OBVIOUS IDENTIFIERS MAY MISLEAD:
-small-cell principle … One of these seven people is HIV positive…
The more factors you have, the likelier identification becomes;-Asian women over age 50, with income over $200k/yr, who drive a Volvo, with postal code in M3H ….
Notorious/known events/facts; The B.C. pig farmer who… or The driver of the vehicle which killed…
Future identifiability; eg, tissue samples (are the information) DNA…
Khaled el emam on reidentifiability: http://www.ehealthinformation.ca/
PRIVACY: WHAT IS IT? DEFINITIONSPRIVACY: WHAT IS IT? DEFINITIONS
1. Privacy of the person- ‘bodily privacy’, blood samples, etc.
2. Privacy of personal behaviour- religion, politics, etc., including ‘media privacy’
3. Privacy of personal communications- ‘interception privacy’, various media
4. Privacy of personal data- ‘data/information privacy’, control of data
PRIVACY: WHAT IS IT? To be left alonePRIVACY: WHAT IS IT? To be left alone
“THE RIGHT TO PRIVACY” (Warren & Brandeis, 1890)
“…right of the individual to be let alone.” … -in the face of changing technology - photos in newspapers
‘Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that "what is whispered in the closet shall be proclaimed from the house-tops.“’
http://groups.csail.mit.edu/mac/classes/6.805/articles/privacy/Privacy_brand_warr2.html
PRIVACY: WHAT IS IT? PRIVACY: WHAT IS IT? INFORMATION PRIVACYINFORMATION PRIVACY
[The key principle of modern privacy laws]
Control over collection, use, disclosure, retention and destruction of your personal information
Privacy principles embodied in “Fair Information Practices.”
Informational self-determination
PRIVACY: WHAT IS IT? FAIR PRIVACY: WHAT IS IT? FAIR INFORMATION PRACTICESINFORMATION PRACTICES
• OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980);
http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm
• European Union Directive on Data Protection (1995/1998); http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML
• CSA Model Code for Protection of Personal Information (1996); http://www.csa.ca/cm/ca/en/privacy-code/publications/view-privacy-code/article/principles-in-summary
• United States Safe Harbor Agreement (2000) and EU reaction;http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML
• Global Privacy Standard (2006). www.ipc.on.ca/images/Resources/up-gps.pdf
• IPC’s Privacy By Design Principleshttp://privacybydesign.ca/about/principles
CSA PRIVACY CODE PRINCIPLESCSA PRIVACY CODE PRINCIPLES1. Accountability An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.
2. Identifying Purposes The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
3. Consent The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.
4. Limiting Collection The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
5. Limiting Use, Disclosure and Retention Personal information shall not be used or disclosed for purposes other than those for which it is collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of the stated purposes.
6. Accuracy Personal information shall be as accurate, complete and up-to-date as is necessary for the purpose for which it is used.
7. Safeguards Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
8. Openness An organization shall make specific information about its policies and practices relating to the management of personal information readily available to individuals.
9. Individual Access Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information, and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
10. Challenging Compliance An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.
http://www.csa.ca/standards/privacy/code/Default.asp?articleID=5286&language=english
PRIVACY: WHAT IS IT?PRIVACY: WHAT IS IT? PRIVACY BY DESIGN PRINCIPLESPRIVACY BY DESIGN PRINCIPLES
1. Proactive, not reactive, preventive, not remedial
2. Privacy as the default
3. Privacy embedded into design
4. Full functionality, positive-sum, not zero sum
5. End-to-end security, lifecycle protection
6. Visibility and transparency
7. Respect for User Privacy
www.privacybydesign.ca
PRIVACYPRIVACY
1. Why does it matter?
People want/need it
It’s “good for business”
It is a legal requirement
PRIVACY LAWS ARE…PRIVACY LAWS ARE…A blunt instrument for individual control over PI
An approximated solution for everybody because we have weak technology
To do things right, you’d need a smart agent or matrix of rights … that would
-know where all of your personal information is at all times
-carry out your wishes and needs in real time
-get it right for all your various institutions/companies/friends/family, etc
-report back to you in real time of collections, uses, disclosures, etc of your pi and
-operate at the level of individual data items, not gross categories
Privacy laws and institutions can`t support this level of control so they err on
the side of preventing broadly defined unauthorized disclosure/destruction
Maybe in the future; meanwhile, IPC federated identity ideas interesting…
http://www.ipc.on.ca/images/Resources/F-PIA_2.pdf
LAWS BASED ON CSA PRINCIPLESLAWS BASED ON CSA PRINCIPLES
Federal Personal Information Protection and Electronic Documents Act PIPEDA Strongly consent-based; Incorporates CSA Code Principles; regulates commercial activity with personal information, inter-provincial data flows and federally-regulated endeavours like banking, insurance and telecommunications(ousted by substantially similar provincial laws), Que, Alta, BC and PHIPA http://laws.justice.gc.ca/en/showtdm/cs/P-8.6
…and Ontario Personal Health Information Protection Act; PHIPAConsent based—health data is important/sensitive—regulates health information, explicit consent/ability to “shape” treatment, deemed consent for treatment, BUT research without consent , mandatory disclosure to eliminate/reduce significant risk of bodily harmhttp://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_04p03_e.htm#BK54
NOTICE-BASED PRIVACY LAWSNOTICE-BASED PRIVACY LAWSSome public sector privacy statutes…like
Ontario Freedom of Information and Protection of Privacy Act FIPPANotice-based – because government must conduct certain activities– once you are notified of collection of your personal information (for a lawfully authorized activity) you may be have no control – although some consent-based opting out is possible for activities, no choice because Government is only supplier or
The activity is not (totally or necessarily) optional; eg:
-standard setting
-regulation, licensing, tracking/updating entitlements
-law enforcement
-emergency disclosure, public health and safety
http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_90f31_e.htm
Also true of some other provincial privacy laws and Canadian public sector privacy law
http://laws.justice.gc.ca/en/showtdm/cs/P-21
PRIVACYPRIVACY
1. How does it work?
Give people notice > “reasonable expectations”
Then stick to notices – and legal requirements
Use adequate security/practices
There are limits to privacy (user control)
U of T NOTICE of COLLECTIONU of T NOTICE of COLLECTION• The University of Toronto respects your privacy. Personal
information that you provide to the University is collected pursuant to section 2(14) of the University of Toronto Act, 1971. It is collected for the purpose of administering admissions, registration, academic programs, university-related student activities, activities of student societies, financial assistance and awards, graduation and university advancement, and for the purpose of statistical reporting to government agencies. At all times it will be protected in accordance with the Freedom of Information and Protection of Privacy Act. If you have questions, please refer to www.utoronto.ca/privacy or contact the University Freedom of Information and Protection of Privacy Coordinator at 416-946-7303, McMurrich Building, room 201, 12 Queen's Park Crescent West, Toronto, ON, M5S 1A8.
PRIVACY LAWS REGULATEPRIVACY LAWS REGULATE
Collection
Use
Disclosure
Retention
Destruction
Of personal information
COLLECTIONCOLLECTION Three requirements:
1. Must have legal authority to collect• Statutory authorization, law enforcement or • necessary for program delivery, teaching purposes etc.
• (for the proper administration of a lawfully authorized activity)
2. Must collect directly from individual• Limited exceptions including consent
3. Must provide notice of collection indicating;• Legal authority• Principal intended uses of the personal information• Individual to contact with questions
USE AND DISCLOSUREUSE AND DISCLOSURE
• For original or consistent purpose (see notice of collection)
• With the individual’s consent
• Internally on a need-to-know basis
• To comply with legislation, other legal requirements
• For specific compassionate circumstances
• Where necessary for fundraising• With periodic notices & opt-outs
• limited other circumstances
SECURITYSECURITY vs. PRIVACY vs. PRIVACY
• Privacy involves institution’s legal obligations, especially for collection, use, disclosure, retention and destruction of personal information, in support of individual privacy• Privacy is a legal right/obligation of individual/institution• FIPPA part III sets out privacy protections
• Security comprises lock-and-key measures; data integrity, protection, confidentiality and identity authentication• Security supports and is a key enabler for privacy• FIPPA General Reg. s. 4 lists security requirements
• There can be no privacy without security
SECURITYSECURITY
• End-to-end (full lifecycle, all contexts)• Physical• Technical / IT systems• Administrative / behavioural (incl. policy)
• Data should be protected like other assets• No universal due diligence standards but …
PAPER VS. ELECTRONIC RECORDSPAPER VS. ELECTRONIC RECORDSHistoric disclosure of records in paper form can be a poor basis for putting them onlineEg.-property assessment records-records of town/city council meetings-records of administrative tribunals-certain types of licensing records-voters listsBalance possible privacy impacts against benefits/objectives of proposed activity
Electronic posting unlike historical availability of paper records (practical obscurity)-(world) wide distribution (beyond local interests)-easy copying/aggregation into other databases/uses-loss of control by originating body-persistence beyond control of originating body
U.S. papers on practical obscurity:http://www.nyls.edu/user_files/1/3/4/17/49/Vol49no3p967-992.pdfhttp://repositories.cdlib.org/cgi/viewcontent.cgi?article=1022&context=ischool
PRIVACYPRIVACY
1. What should I do?
Give users clear information
Support User rights and expectations
Keep it simple
Know your organization
SETTING REAL WORLD (legal) LIMITSSETTING REAL WORLD (legal) LIMITS
Principles
Practices
Law
What do people need, want, fear?
Philosophy
Policy
What is possible? technology / business etc.
Government response to public expectations
Beliefs
PRIVACY LIMITSPRIVACY LIMITS
Privacy (in data protection laws) is never absolute; some exceptions for:
-Law enforcement
-Public health
-Legal processes (generally supersede statutory privacy protections)
subpoenas, summonses, court orders, etc.
-Other legislation
emergency management, health protection, anti-terrorism etc.
…data protection laws are made by law-makers, who may discover new priorities, exceptions or other reasons to change or abrogate privacy.
The balance is found in the same way as other political/social balances. Public involvement, consultation and advocacy help to guide politicians…
WORK REASONABLYWORK REASONABLY
WITHIN LEGAL LIMITS – AND IN UNREGULATED ACTIVITIESIf you can, do the activity without personal information. Be creative- anonymize, use non-identifying token; eg. IPC HWY 407 solution: http://www.ipc.on.ca/english/Resources/Discussion-Papers/Discussion-Papers-Summary/?id=335
-Is the personal information NECESSARY
If personal information is NECESSARY for an activity; balance privacy interests being compromised against the value of the activity; eg.-public health surveillance threshold:
Where between the common cold & SARS??Beware erroneous (often well-established) misconceptions: -business may want more information than needed for a transaction -law enforcement personnel may look for a lot of data on everybody -a building manager may want access to video surveillance records..
How do you decide what is right…what is enough?
HELP SET USEFUL PRIVACY LIMITSHELP SET USEFUL PRIVACY LIMITSALWAYS ask:
What EXACTLY is the activity or function?
What EXACTLY are the objectives of the activity? -- get a COMPLETE list
Determine what actions are NECESSARY to achieve the objectives, then (and only then)
-Define and list EXHAUSTIVELY what PI is NECESSARY to accomplish the actions
-Check existing legal parameters; can you collect, use, disclose the PI?
-Even if you can legally collect, use, disclose etc., or are UNREGULATED:
-can you do the task without PI?
-if not, can you get away with less/partial information?
-Consider how well the activity can be delivered with more or less PI
-Consider financial impacts/benefits of having/using more or less PI
-How can you minimize/eliminate privacy risks?
Remember risks of having PI – breaches, data loss, ID theft, etc.
Consider impact on your client/employer of a breach or misuse of data;
For example, IPC/MTO arrangement re access to driver and vehicle license databases
http://www.ipc.on.ca/images/Resources/up-1num_25.pdf
PRIVACY IMPACT ASSESSMENTSPRIVACY IMPACT ASSESSMENTS
A living document that develops with a project to
Identify privacy risks for leadership attention by
By setting examining and evaluating:
Project data flows at transactional level, evaluating against;
law, standards, policy/practice, community expectation
eg. PHIPA, FIPPA, PbD, CSA,
Institution policies, practices, community consultations
A team effort; IT, Security, Privacy, Legal, etc…
Results in a listing of residual privacy risks for leadership to accept, or remedy; Roger Clarke historical PIA paper:
http://www.rogerclarke.com/DV/PIAHist-08.html
ABOUT SECURITYABOUT SECURITY
Most security measures can’t guarantee confidentiality
They make unauthorized access difficult so information is less likely to be accessed.
Well chosen and applied security reduces the probability unauthorized access as much as circumstances and resources permit.
ELECTRONIC RECORD SECURITYELECTRONIC RECORD SECURITY
Keep electronic records of confidential information in a secure server environment.
Access confidential records securely – through encrypted channels, such as virtual private networks.
Only remove confidential records from a secure server with authorization, operational need, and it there is no other reasonable means to accomplish the task.
Out of secure server environment, keep confidential electronic records encrypted (eg. in transit and storage).
Server drives likely to be encrypted soon.
CLOUD COMPUTING; TWO PAPERSCLOUD COMPUTING; TWO PAPERS
Privacy in the Clouds – IPC
User-centric identity management infrastructure … will be the answerhttp://www.ipc.on.ca/images/Resources/privacyintheclouds.pdf
Roger Clarke Cloud Computing paper:
“Cloud computing emerged during 2006-09 as a fashion item….”
http://www.rogerclarke.com/EC/CCEF.html
WHEN YOU OWN THE SYSTEMWHEN YOU OWN THE SYSTEM
Your IT / security staff should know your systems,
existing and planned
Data flows should be understood and finely mapped
This activity is key to privacy or threat/risk assessments
Even if you are outsourcing, do this detailed work for any “in house” components or parts of the system/service
WHEN YOU DO NOT OWN THE SYSTEMWHEN YOU DO NOT OWN THE SYSTEM
Do all you can to understand the vendor’s systems as well and completely as possible:
Ask for detailed data flows, systems maps, etc.
Have your IT / security staff meet the vendor’s
Enter into NDAs as necessary to learn as much as possible
But the vendor might not let you see enough for you to assess privacy/security to your satisfaction
You will have to establish trust,
…..based on assurances that you can verify
CHECKING OUT THE VENDORCHECKING OUT THE VENDOR
Cloud or not, check:
• Institutional procurement process/experts;
• RFI, RFP, etc
• Reference checks,
• Information from other clients,
• Letters of recommendation
• Reputation, past record
• Compliance with/breach of legislative requirements
• Certifications
• Interview the contractor
SOME POSSIBLE SOME POSSIBLE VENDOR ASSURANCESVENDOR ASSURANCES
Compliance with youryour privacy/security requirements
Confidentiality; no information sale, tracking, data mining…
Governing law … preferably Ontario
No disclosures except as required by law
Staff training, need-to-know access, confid. Agreements
No third party contractors, or standards as for staff
Data minimization
Breach notification, investigation, remediation/mitigation
Security; IT, physical, administrative/behavioural
Periodic update and maintained currency of assurances
Location of servers, data, etc, etc, etc…
SECURING ASSURANCESSECURING ASSURANCES
A negotiation with your vendor, involving:
Procurement
IT/CIO staff
Legal
Privacy
Other experts as required….
ASSURANCES MUST BE VERIFIEDASSURANCES MUST BE VERIFIED
Operational Audits
Security Audits
Active Security Testing
Etc…
All to be incorporated into your agreement(s)
ORGANIZATIONAL SUGGESTIONSORGANIZATIONAL SUGGESTIONS
Keep it simple!!
Use simple binary rules; -Confidential or not -Secured or not
Provide clear guidance/rules --- avoid fuzzy lines, difficult distinctions
If it’s not officially designated as public, it’s confidential
If it’s electronic, keep it in a secure institutional server or keep it encrypted
If it’s hard copy, keep in a locked cabinet inside a locked, non-public space
Provost’s security guideline
http://www.provost.utoronto.ca/policy/FIPPA_-_Guideline_Regarding_Security_for_Personal_and_Other_Confidential_Information.htm
ORGANIZATIONAL SUGGESTIONSORGANIZATIONAL SUGGESTIONS
Know the Organization:
Mission, purposes, rules
How is it governed?
How is it administered?
Think like an executive….big picture
Avoid becoming a “narrow” expert
FREEDOM OF INFORMATION AND FREEDOM OF INFORMATION AND PROTECTION OF PRIVACY OFFICEPROTECTION OF PRIVACY OFFICE
Rafael Eskenazi – FIPP DirectorTel: (416) 946-5835E-Mail: [email protected]
University of Toronto FIPP OfficeMcMurrich Building, Room 20112 Queen’s Park Crescent WestToronto, ON M5S 1A8Fax: (416) 978-6657