University of Toronto: Basic Privacy, January 24, 2012


PRIVACY

1. What is it?

2. Why does it matter?

3. How does it work?

4. How is it regulated?

5. What should you do?

PRIVACY: WHAT IS IT? PERSONAL INFORMATION IS…

INFORMATION ABOUT AN IDENTIFIABLE INDIVIDUAL,

Including, but not limited to: ethnic origin, race, religion, age, sex, sexual orientation, education, financial, employment, medical, psychiatric, psychological or criminal information, identifying numbers (S.I.N.), home address, home phone number, photos, videos, identifiable recordings of an individual, a name appearing with / revealing other personal information, etc.

NOT if acting in a business or professional capacity, e.g. name, position, routine work information.

IDENTIFIABILITY: SPECIAL CASES

Aggregated/statistical data are usually not individually linkable, BUT the ABSENCE OF NAMES OR OBVIOUS IDENTIFIERS MAY MISLEAD:

- Small-cell principle: “One of these seven people is HIV positive…”

- The more factors you have, the likelier identification becomes: Asian women over age 50, with income over $200k/yr, who drive a Volvo, with postal code in M3H…

- Notorious/known events/facts: “The B.C. pig farmer who…” or “The driver of the vehicle which killed…”

- Future identifiability, e.g. tissue samples (are the information), DNA…

Khaled El Emam on re-identifiability: http://www.ehealthinformation.ca/
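The small-cell principle and the “more factors, likelier identification” point can be checked mechanically before statistics are released. The following is an added example, not part of the original slides, using constructed records (hypothetical people; the ethnicity attribute from the slide's example is omitted). It counts how many records share each combination of quasi-identifiers and flags cells that fall below a release threshold k.

```python
"""Small-cell / re-identification check over constructed records.

Added example, not from the original slides. Aggregated data with no names
can still point at one person once enough attributes (the slide's sex, age,
income, car, postal code) are combined.
"""
from collections import Counter

# Constructed sample records (hypothetical people, not real data).
# Columns: sex, age band, income band, car make, postal code prefix (FSA).
QUASI_IDS = ("sex", "age_band", "income", "car", "fsa")
_RAW = """
F 50+ >200k Volvo M3H
F 50+ >200k Volvo M5S
F 50+ <=200k Honda M3H
F 50+ <=200k Honda M3H
F <50 >200k Honda M5S
F <50 >200k Honda M3H
F <50 <=200k Volvo M5S
F <50 <=200k Volvo M5S
M 50+ >200k Volvo M3H
M 50+ >200k Honda M3H
M 50+ <=200k Honda M5S
M 50+ <=200k Honda M5S
M <50 >200k Volvo M3H
M <50 >200k Volvo M3H
M <50 <=200k Honda M3H
M <50 <=200k Honda M5S
"""
RECORDS = [dict(zip(QUASI_IDS, line.split())) for line in _RAW.strip().splitlines()]


def cell_sizes(records, attrs):
    """Number of records sharing each combination of the given attributes."""
    return Counter(tuple(r[a] for a in attrs) for r in records)


def min_cell_by_depth(records, attrs):
    """Smallest cell as attributes are added one at a time: the more factors
    are combined, the smaller the smallest group, until it is one person."""
    return [min(cell_sizes(records, attrs[:n]).values())
            for n in range(1, len(attrs) + 1)]


def small_cells(records, attrs, k):
    """Cells with fewer than k members. Publishing a statistic about such a
    cell ('one of these seven people is HIV positive') is a disclosure risk."""
    return {cell: n for cell, n in cell_sizes(records, attrs).items() if n < k}


def match_count(records, **criteria):
    """How many records satisfy every criterion; 1 means a unique individual."""
    return sum(all(r[a] == v for a, v in criteria.items()) for r in records)


if __name__ == "__main__":
    print("min cell size by number of attributes:",
          min_cell_by_depth(RECORDS, QUASI_IDS))
    print("cells below k=5 using sex+age:",
          small_cells(RECORDS, QUASI_IDS[:2], k=5))
    print("people matching the slide's full profile:",
          match_count(RECORDS, sex="F", age_band="50+", income=">200k",
                      car="Volvo", fsa="M3H"))
```

With these records the smallest cell shrinks from 8 to 1 as the five attributes are combined, and the slide's full profile matches exactly one record.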

PRIVACY: WHAT IS IT? DEFINITIONS

1. Privacy of the person: ‘bodily privacy’, blood samples, etc.

2. Privacy of personal behaviour: religion, politics, etc., including ‘media privacy’

3. Privacy of personal communications: ‘interception privacy’, various media

4. Privacy of personal data: ‘data/information privacy’, control of data

PRIVACY: WHAT IS IT? To be left alone

“THE RIGHT TO PRIVACY” (Warren & Brandeis, 1890)

“…right of the individual to be let alone.” In the face of changing technology (photos in newspapers):

‘Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that “what is whispered in the closet shall be proclaimed from the house-tops.”’

http://groups.csail.mit.edu/mac/classes/6.805/articles/privacy/Privacy_brand_warr2.html

PRIVACY: WHAT IS IT? INFORMATION PRIVACY

[The key principle of modern privacy laws]

Control over collection, use, disclosure, retention and destruction of your personal information

Privacy principles embodied in “Fair Information Practices.”

Informational self-determination

PRIVACY: WHAT IS IT? FAIR INFORMATION PRACTICES

• OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980); http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm

• European Union Directive on Data Protection (1995/1998); http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML

• CSA Model Code for Protection of Personal Information (1996); http://www.csa.ca/cm/ca/en/privacy-code/publications/view-privacy-code/article/principles-in-summary

• United States Safe Harbor Agreement (2000) and EU reaction; http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML

• Global Privacy Standard (2006); www.ipc.on.ca/images/Resources/up-gps.pdf

• IPC’s Privacy By Design Principles; http://privacybydesign.ca/about/principles

CSA PRIVACY CODE PRINCIPLES

1. Accountability An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.

2. Identifying Purposes The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

3. Consent The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.

4. Limiting Collection The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

5. Limiting Use, Disclosure and Retention Personal information shall not be used or disclosed for purposes other than those for which it is collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of the stated purposes.

6. Accuracy Personal information shall be as accurate, complete and up-to-date as is necessary for the purpose for which it is used.

7. Safeguards Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

8. Openness An organization shall make specific information about its policies and practices relating to the management of personal information readily available to individuals.

9. Individual Access Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information, and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

10. Challenging Compliance An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.

http://www.csa.ca/standards/privacy/code/Default.asp?articleID=5286&language=english

PRIVACY: WHAT IS IT? PRIVACY BY DESIGN PRINCIPLES

1. Proactive, not reactive, preventive, not remedial

2. Privacy as the default

3. Privacy embedded into design

4. Full functionality, positive-sum, not zero sum

5. End-to-end security, lifecycle protection

6. Visibility and transparency

7. Respect for User Privacy

www.privacybydesign.ca

PRIVACY

1. Why does it matter?

People want/need it

It’s “good for business”

It is a legal requirement

PRIVACY LAWS ARE…

A blunt instrument for individual control over PI

An approximated solution for everybody because we have weak technology

To do things right, you’d need a smart agent or matrix of rights… that would:

- know where all of your personal information is at all times

- carry out your wishes and needs in real time

- get it right for all your various institutions/companies/friends/family, etc.

- report back to you in real time on collections, uses, disclosures, etc. of your PI, and

- operate at the level of individual data items, not gross categories

Privacy laws and institutions can't support this level of control, so they err on the side of preventing broadly defined unauthorized disclosure/destruction.

Maybe in the future; meanwhile, IPC federated identity ideas interesting…

http://www.ipc.on.ca/images/Resources/F-PIA_2.pdf

LAWS BASED ON CSA PRINCIPLES

Federal Personal Information Protection and Electronic Documents Act (PIPEDA): strongly consent-based; incorporates CSA Code Principles; regulates commercial activity with personal information, inter-provincial data flows and federally-regulated endeavours like banking, insurance and telecommunications (ousted by substantially similar provincial laws: Que, Alta, BC and PHIPA). http://laws.justice.gc.ca/en/showtdm/cs/P-8.6

…and Ontario Personal Health Information Protection Act (PHIPA): consent-based (health data is important/sensitive); regulates health information; explicit consent/ability to “shape” treatment, deemed consent for treatment, BUT research without consent, and mandatory disclosure to eliminate/reduce significant risk of bodily harm. http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_04p03_e.htm#BK54

NOTICE-BASED PRIVACY LAWS

Some public sector privacy statutes… like the Ontario Freedom of Information and Protection of Privacy Act (FIPPA).

Notice-based, because government must conduct certain activities: once you are notified of collection of your personal information (for a lawfully authorized activity) you may have no control. Although some consent-based opting out is possible for activities, there is no choice because Government is the only supplier, or the activity is not (totally or necessarily) optional; e.g.:

- standard setting

- regulation, licensing, tracking/updating entitlements

- law enforcement

- emergency disclosure, public health and safety

http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_90f31_e.htm

Also true of some other provincial privacy laws and Canadian public sector privacy law

http://laws.justice.gc.ca/en/showtdm/cs/P-21

PRIVACY

1. How does it work?

Give people notice > “reasonable expectations”

Then stick to notices – and legal requirements

Use adequate security/practices

There are limits to privacy (user control)

U of T NOTICE of COLLECTION

• The University of Toronto respects your privacy. Personal information that you provide to the University is collected pursuant to section 2(14) of the University of Toronto Act, 1971. It is collected for the purpose of administering admissions, registration, academic programs, university-related student activities, activities of student societies, financial assistance and awards, graduation and university advancement, and for the purpose of statistical reporting to government agencies. At all times it will be protected in accordance with the Freedom of Information and Protection of Privacy Act. If you have questions, please refer to www.utoronto.ca/privacy or contact the University Freedom of Information and Protection of Privacy Coordinator at 416-946-7303, McMurrich Building, room 201, 12 Queen's Park Crescent West, Toronto, ON, M5S 1A8.

PRIVACY LAWS REGULATE

Collection

Use

Disclosure

Retention

Destruction

Of personal information

COLLECTION

Three requirements:

1. Must have legal authority to collect

• Statutory authorization, law enforcement, or

• necessary for program delivery, teaching purposes etc. (for the proper administration of a lawfully authorized activity)

2. Must collect directly from the individual

• Limited exceptions, including consent

3. Must provide notice of collection indicating:

• Legal authority

• Principal intended uses of the personal information

• Individual to contact with questions

USE AND DISCLOSURE

• For original or consistent purpose (see notice of collection)

• With the individual’s consent

• Internally on a need-to-know basis

• To comply with legislation, other legal requirements

• For specific compassionate circumstances

• Where necessary for fundraising, with periodic notices & opt-outs

• Limited other circumstances

SECURITY vs. PRIVACY

• Privacy involves the institution’s legal obligations, especially for collection, use, disclosure, retention and destruction of personal information, in support of individual privacy

• Privacy is a legal right/obligation of the individual/institution

• FIPPA Part III sets out privacy protections

• Security comprises lock-and-key measures: data integrity, protection, confidentiality and identity authentication

• Security supports and is a key enabler for privacy

• FIPPA General Reg. s. 4 lists security requirements

• There can be no privacy without security

SECURITY

• End-to-end (full lifecycle, all contexts)

• Physical

• Technical / IT systems

• Administrative / behavioural (incl. policy)

• Data should be protected like other assets

• No universal due diligence standards but…

PAPER VS. ELECTRONIC RECORDS

Historic disclosure of records in paper form can be a poor basis for putting them online. E.g.:

- property assessment records

- records of town/city council meetings

- records of administrative tribunals

- certain types of licensing records

- voters lists

Balance possible privacy impacts against benefits/objectives of the proposed activity.

Electronic posting is unlike historical availability of paper records (practical obscurity):

- (world) wide distribution (beyond local interests)

- easy copying/aggregation into other databases/uses

- loss of control by originating body

- persistence beyond control of originating body

U.S. papers on practical obscurity:

http://www.nyls.edu/user_files/1/3/4/17/49/Vol49no3p967-992.pdf

http://repositories.cdlib.org/cgi/viewcontent.cgi?article=1022&context=ischool

PRIVACY

1. What should I do?

Give users clear information

Support User rights and expectations

Keep it simple

Know your organization

SETTING REAL WORLD (legal) LIMITS

Principles

Practices

Law

What do people need, want, fear?

Philosophy

Policy

What is possible? technology / business etc.

Government response to public expectations

Beliefs

PRIVACY LIMITS

Privacy (in data protection laws) is never absolute; some exceptions for:

- Law enforcement

- Public health

- Legal processes (generally supersede statutory privacy protections): subpoenas, summonses, court orders, etc.

- Other legislation: emergency management, health protection, anti-terrorism, etc.

…data protection laws are made by law-makers, who may discover new priorities, exceptions or other reasons to change or abrogate privacy.

The balance is found in the same way as other political/social balances. Public involvement, consultation and advocacy help to guide politicians…

WORK REASONABLY

WITHIN LEGAL LIMITS – AND IN UNREGULATED ACTIVITIES

If you can, do the activity without personal information. Be creative: anonymize, use a non-identifying token; e.g. IPC HWY 407 solution: http://www.ipc.on.ca/english/Resources/Discussion-Papers/Discussion-Papers-Summary/?id=335

- Is the personal information NECESSARY?

If personal information is NECESSARY for an activity, balance the privacy interests being compromised against the value of the activity; e.g. public health surveillance threshold: where between the common cold & SARS??

Beware erroneous (often well-established) misconceptions:

- business may want more information than needed for a transaction

- law enforcement personnel may look for a lot of data on everybody

- a building manager may want access to video surveillance records…

How do you decide what is right…what is enough?

HELP SET USEFUL PRIVACY LIMITS

ALWAYS ask:

What EXACTLY is the activity or function?

What EXACTLY are the objectives of the activity? Get a COMPLETE list.

Determine what actions are NECESSARY to achieve the objectives, then (and only then):

- Define and list EXHAUSTIVELY what PI is NECESSARY to accomplish the actions

- Check existing legal parameters; can you collect, use, disclose the PI?

- Even if you can legally collect, use, disclose etc., or are UNREGULATED:

  - can you do the task without PI?

  - if not, can you get away with less/partial information?

- Consider how well the activity can be delivered with more or less PI

- Consider financial impacts/benefits of having/using more or less PI

- How can you minimize/eliminate privacy risks?

Remember risks of having PI – breaches, data loss, ID theft, etc.

Consider impact on your client/employer of a breach or misuse of data;

For example, IPC/MTO arrangement re access to driver and vehicle license databases

http://www.ipc.on.ca/images/Resources/up-1num_25.pdf

PRIVACY IMPACT ASSESSMENTS

A living document that develops with a project to identify privacy risks for leadership attention, by setting, examining and evaluating:

Project data flows at transactional level, evaluating against;

law, standards, policy/practice, community expectation

eg. PHIPA, FIPPA, PbD, CSA,

Institution policies, practices, community consultations

A team effort; IT, Security, Privacy, Legal, etc…

Results in a listing of residual privacy risks for leadership to accept, or remedy; Roger Clarke historical PIA paper:

http://www.rogerclarke.com/DV/PIAHist-08.html

ABOUT SECURITY

Most security measures can’t guarantee confidentiality

They make unauthorized access difficult so information is less likely to be accessed.

Well-chosen and well-applied security reduces the probability of unauthorized access as much as circumstances and resources permit.

ELECTRONIC RECORD SECURITY

Keep electronic records of confidential information in a secure server environment.

Access confidential records securely – through encrypted channels, such as virtual private networks.

Only remove confidential records from a secure server with authorization, operational need, and if there is no other reasonable means to accomplish the task.

Outside a secure server environment, keep confidential electronic records encrypted (e.g. in transit and in storage).

Server drives likely to be encrypted soon.

CLOUD COMPUTING: TWO PAPERS

Privacy in the Clouds – IPC

User-centric identity management infrastructure… will be the answer. http://www.ipc.on.ca/images/Resources/privacyintheclouds.pdf

Roger Clarke Cloud Computing paper:

“Cloud computing emerged during 2006-09 as a fashion item….”

http://www.rogerclarke.com/EC/CCEF.html

WHEN YOU OWN THE SYSTEM

Your IT / security staff should know your systems, existing and planned

Data flows should be understood and finely mapped

This activity is key to privacy or threat/risk assessments

Even if you are outsourcing, do this detailed work for any “in house” components or parts of the system/service

WHEN YOU DO NOT OWN THE SYSTEM

Do all you can to understand the vendor’s systems as well and completely as possible:

Ask for detailed data flows, systems maps, etc.

Have your IT / security staff meet the vendor’s

Enter into NDAs as necessary to learn as much as possible

But the vendor might not let you see enough for you to assess privacy/security to your satisfaction

You will have to establish trust… based on assurances that you can verify

CHECKING OUT THE VENDOR

Cloud or not, check:

• Institutional procurement process/experts;

• RFI, RFP, etc

• Reference checks,

• Information from other clients,

• Letters of recommendation

• Reputation, past record

• Compliance with/breach of legislative requirements

• Certifications

• Interview the contractor

SOME POSSIBLE VENDOR ASSURANCES

Compliance with your privacy/security requirements

Confidentiality; no information sale, tracking, data mining…

Governing law … preferably Ontario

No disclosures except as required by law

Staff training, need-to-know access, confidentiality agreements

No third party contractors, or standards as for staff

Data minimization

Breach notification, investigation, remediation/mitigation

Security; IT, physical, administrative/behavioural

Periodic update and maintained currency of assurances

Location of servers, data, etc, etc, etc…

SECURING ASSURANCES

A negotiation with your vendor, involving:

Procurement

IT/CIO staff

Legal

Privacy

Other experts as required….

ASSURANCES MUST BE VERIFIED

Operational Audits

Security Audits

Active Security Testing

Etc…

All to be incorporated into your agreement(s)

ORGANIZATIONAL SUGGESTIONS

Keep it simple!!

Use simple binary rules:

- Confidential or not

- Secured or not

Provide clear guidance/rules --- avoid fuzzy lines, difficult distinctions

If it’s not officially designated as public, it’s confidential

If it’s electronic, keep it in a secure institutional server or keep it encrypted

If it’s hard copy, keep in a locked cabinet inside a locked, non-public space

Provost’s security guideline

http://www.provost.utoronto.ca/policy/FIPPA_-_Guideline_Regarding_Security_for_Personal_and_Other_Confidential_Information.htm

ORGANIZATIONAL SUGGESTIONS

Know the Organization:

Mission, purposes, rules

How is it governed?

How is it administered?

Think like an executive….big picture

Avoid becoming a “narrow” expert

FREEDOM OF INFORMATION AND PROTECTION OF PRIVACY OFFICE

Rafael Eskenazi – FIPP Director

Tel: (416) 946-5835

E-Mail: [email protected]

University of Toronto FIPP Office

McMurrich Building, Room 201

12 Queen’s Park Crescent West

Toronto, ON M5S 1A8

Fax: (416) 978-6657