A Framework of Purpose and Consent for Data Security & Consumer Privacy
Aurélie Pols – Mind Your Privacy
Presented by: Aurélie Pols @AureliePols
The SUN went down on Privacy
“You have zero privacy anyway, get over it”, Scott McNealy, CEO of Sun Microsystems, January 1999
At eMetrics in Boston in 2006, this turned into
“Privacy is Dead Aurélie, get over it!”
Call me a bore, I’ve been listening to the helicopters coming, while humming Wagner’s Ride of the Valkyries
Customer Data • Employee Data • Competitive Data
Data Exhaust
Evolving tides?
• The World Economic Forum – Personal Data: The Emergence of a New Asset Class (2011)
• The EU GDPR – General Data Protection Regulation (2012–2015?)
• The OECD – Guidelines on the Protection of Privacy & Transborder Flows of Personal Data (1980, reviewed in 2013)
• The UN – The Right to Privacy in the Digital Age (2014)
Total Privacy fines worldwide
6 weeks into 2014, the world total in Privacy damages had reached 50% of last year’s record: $74 million
Source: http://www.computerworld.com/s/article/9246393/Jay_Cline_U.S._takes_the_gold_in_doling_out_privacy_fines?taxonomyId=84&pageNumber=3
And of course data breaches
Target, JPMorgan, Home Depot, …
But what happens after the breach?
How many lawsuits is Target facing?
140, totaling over $750 million
Global solutions?
Compliance?
Privacy?
Security?
Moving targets
A Global Privacy Perspective: US & UK vs. EU vs. ASIA
• Legal tradition: US & UK: Common Law; EU: Continental Law; ASIA: partially continental-law influenced
• Enforcement: US & UK: class actions; EU: fines (by DPAs: Data Protection Agencies)
• Legislation: Amended vs. New
• Concept: US & UK: Privacy; EU: Personal Data Protection (PDP)
• Focus: US & UK: business focused; EU: citizen focused (data belongs to the visitor/prospect/consumer/citizen)
• Structure: US & UK: patchwork of sector-based legislation (HIPAA, COPPA, VPPA, …); EU: over-arching EU Directives & Regulations
• Definition: US & UK: PII, varies per US state; EU: “Personal Data” => risk levels: low, medium, high, extremely high
If you collect PII… then: US & UK vs. EU
• Legal tradition: US & UK: Common Law; EU: Continental Law
• Enforcement: US & UK: class actions; EU: fines (by DPAs: Data Protection Agencies)
• Concept: US & UK: Privacy; EU: Personal Data Protection (PDP)
• Focus: US & UK: business focused; EU: citizen focused
• Structure: US & UK: patchwork of sector-based legislation (HIPAA, COPPA, VPPA, …); EU: over-arching EU Directives & Regulations
• Definition: US & UK: PII, varies per state; EU: risk levels: low, medium, high, extremely high
So what is considered PII?
Personal Information (based on the definition commonly used by most US states):
i. Name, such as full name, maiden name, mother’s maiden name, or alias
ii. Personal identification number, such as social security number (SSN), passport number, driver’s license number, account and credit card number
iii. Address information, such as street address or email address
iv. Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address
v. Telephone numbers, including mobile, business, and personal numbers
vi. Information identifying personally owned property, such as vehicle registration number or title number and related information
Source: information based on current ongoing analysis (partial results)
PII vs. Risk levels: US vs. EU
US: PII. EU: risk level determines data type & information security measures:
• Low: low-risk data type (clickstream data)
• Medium: profiling (typically retargeting through cookies)
• High: sensitive data (health, financial, political views, sexual orientation, …)
• Extremely high: profiling of sensitive data (probability of being pregnant => Target?)
PERSONAL DATA
EU Directive 95/46/EC, Article 2(a):
“Personal data” shall mean any information relating to an identified or identifiable natural person ('data subject');
an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
Controller vs. Processor
Web property: big corporation, SME
Customer: visitor, voter, citizen, …
Intermediaries: tools, agencies, consultancies, …
Data Flow
Responsibility
Privacy Rights
12 Responsibilities of a Data Controller
1. Inform participants
2. Obtain informed consent
3. Ensure the data held is accurate
4. Delete personal data when it is no longer needed => delete or anonymize
5. Protect against unauthorized destruction, loss, alteration and disclosure => security
6. Contract with Data Processors responsibly
7. Take care transferring data out of Europe
8. If you collect “special” categories of data, get specialist advice
9. Deal with any data subject access requests
10. If the assessment is high stakes, ensure there is review of any automated decision making
11. Appoint a Data Protection Officer (DPO) and train staff
12. Work with supervisory authorities and respond to complaints
Source: http://blog.questionmark.com/responsibilities-of-a-data-controller-when-assessing-knowledge-skills-and-abilities
Role playing example
Surveymonkey: https://www.surveymonkey.com/mp/policy/privacy-policy
Purpose, Consent & Data Uses
From: Purpose => Consent => FIPPs => Data for approved use
To: Purpose => Consent => FIPPs => Data analysis or merging => New business opportunity
Big Data is Killing the Privacy Framework
FIPPs? Fair Information Privacy Practices
Source: https://security.berkeley.edu/sites/default/files/uploads/FIPPSimage.jpg
What about security?
Data Collection
Processes
Resources
DPO
Implement Information Security Measures
Source: http://www.softbank.jp/en/corp/csr/management/info_security/efforts/
Who has access?
Source: Privacy Green seal, specific audit for analytics tools & data agencies
HQ and LOCAL SUBSIDIARIES 1–4
Customer Terms & Conditions vs. Applicable Security Measures???
Where does it sit? Cloud/SaaS
DATA IS A RISK BECAUSE IT EXISTS
Data has become a valuable asset
Data lifecycles
Analytics => Follow the Money
Privacy => Follow the Data
Legal: Procedures/Processes, Compliance & Risks Assessments
Limiting Risk of holding data
Data Minimization Principle
Limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose
Data Retention Policies
Set of guidelines that describe which data will be archived and how long it will be kept. Permanent deletion of the retained data is part of any effective data retention policy.
Data Retention Policies
• Delete the data, everywhere!
• Anonymize or De-identify the data
By Ann Cavoukian and Khaled El Emam, June 2011, http://www.ipc.on.ca/images/Resources/anonymization.pdf
Privacy by Design (PbD): 7 Fundamental Principles
Ann Cavoukian – Information & Privacy Commissioner, Ontario, Canada
1. Proactive not Reactive; Preventive not Remedial: PbD anticipates and prevents Privacy-invasive events before they happen
2. Privacy as the Default Setting: PbD seeks to deliver the maximum degree of Privacy by ensuring that personal data are automatically protected in any given IT system or business practice
3. Privacy embedded into Design: It is not bolted on as an add-on, after the fact. It’s an essential component of the core functionality being delivered
4. Full-functionality – Positive Sum not Zero Sum: no trade-offs, no false dichotomies
5. End to End Security – Full Lifetime Protection: cradle to grave lifecycle management of information, end-to-end
6. Visibility and Transparency – Keep it Open: operating according to the stated promises and objectives, subject to independent verification
7. Respect for User Privacy – Keep it User-Centric: strong Privacy defaults, appropriate notice, and empowering user-friendly options
Anonymize or de-identify data
X collects the data => X de-identifies the data => X passes the de-identified data on to Y for use => Y possibly re-identifies the individual
Default: • Purpose • Consent • FIPPs
Q1: Additional Privacy notice if de-identification of data?
Q2: Does PbD stop here or also apply to use by company Y?
Q3: And now what? Inform the individual?
ICO (UK) “Anonymisation Code of Practice”: no, once it’s anonymized, it’s not regulated data
A continuum of re-identification risks
Risk level, from low to high: unbreakable de-identification => Big Data merging => expressly identifying personal information
Problem 1: varying global definitions of PII
Question 2: How to assess the risk mitigation value + only relevant on top of de-identification?
Question 3 (links back to Q3): Legal obligations for those using the de-identified data, company Y?
Question 4 (same as Q3): How to inform citizens?
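The retention and de-identification steps discussed above (data minimization, retention policies ending in deletion or anonymization, and the continuum of re-identification risks) as an added worked example in Python; this is not code from the talk or from Mind Your Privacy. The purposes, retention periods, quasi-identifiers, pseudonym key and sample records are constructed assumptions, and k-anonymity over (zip code, birth year) is used as one measure of where a data set sits on the continuum:

```python
"""Purpose-bound retention and de-identification over a constructed record set.
Added example; field names, retention periods, key and records are assumptions."""
from collections import Counter
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
import hashlib
import hmac

# Assumed retention rule per declared purpose (constructed for the example).
RETENTION = {
    "order_fulfilment": timedelta(days=365),
    "analytics": timedelta(days=90),
}
# Purposes whose expired raw records may be kept in de-identified form.
DEIDENTIFY_ON_EXPIRY = {"analytics"}
# Constructed secret; a real one lives in a key store, never in source.
PSEUDONYM_KEY = b"example-key-do-not-reuse"


@dataclass(frozen=True)
class Record:
    user_id: str
    email: str          # direct identifier
    zip_code: str       # quasi-identifier
    birth_year: int     # quasi-identifier
    purpose: str
    consent: bool
    collected_at: datetime


def deidentify(rec: Record) -> Record:
    """Drop direct identifiers and generalise quasi-identifiers.
    The keyed hash is a pseudonym: whoever holds PSEUDONYM_KEY can still link
    it back, so the output is pseudonymised, not anonymised."""
    token = hmac.new(PSEUDONYM_KEY, rec.user_id.encode(), hashlib.sha256).hexdigest()[:16]
    return replace(rec, user_id=token, email="",
                   zip_code=rec.zip_code[:3] + "**",          # 5-digit zip -> 3-digit area
                   birth_year=(rec.birth_year // 10) * 10)    # year -> decade


def apply_retention(records, now):
    """Classify each record as kept, de-identified or deleted.
    Returns (kept, deidentified, deleted_user_ids)."""
    kept, deid, deleted = [], [], []
    for rec in records:
        limit = RETENTION.get(rec.purpose)
        if limit is None or not rec.consent:
            deleted.append(rec.user_id)   # no declared purpose or no consent: nothing to retain
            continue
        if now - rec.collected_at <= limit:
            kept.append(rec)
        elif rec.purpose in DEIDENTIFY_ON_EXPIRY:
            deid.append(deidentify(rec))
        else:
            deleted.append(rec.user_id)
    return kept, deid, deleted


def k_anonymity(records):
    """Smallest number of records sharing one (zip_code, birth_year) combination.
    k == 1 means at least one individual is unique on the quasi-identifiers."""
    if not records:
        return 0
    groups = Counter((r.zip_code, r.birth_year) for r in records)
    return min(groups.values())


def reidentification_risk(records):
    """Worst-case probability of singling out one record by quasi-identifiers."""
    k = k_anonymity(records)
    return 1.0 / k if k else 0.0


NOW = datetime(2014, 11, 1)
SAMPLE = [  # constructed records
    Record("u1", "a@example.com", "02116", 1984, "analytics", True, NOW - timedelta(days=120)),
    Record("u2", "b@example.com", "02118", 1981, "analytics", True, NOW - timedelta(days=200)),
    Record("u3", "c@example.com", "02116", 1987, "analytics", True, NOW - timedelta(days=100)),
    Record("u4", "d@example.com", "10001", 1975, "order_fulfilment", True, NOW - timedelta(days=30)),
    Record("u5", "e@example.com", "10002", 1990, "order_fulfilment", True, NOW - timedelta(days=400)),
    Record("u6", "f@example.com", "10003", 1992, "marketing", True, NOW - timedelta(days=10)),
    Record("u7", "g@example.com", "10004", 1993, "analytics", False, NOW - timedelta(days=10)),
]


def run(records=SAMPLE, now=NOW):
    kept, deid, deleted = apply_retention(records, now)
    return {
        "kept": len(kept),
        "deidentified": len(deid),
        "deleted": sorted(deleted),
        "raw_k": k_anonymity(records),
        "deid_k": k_anonymity(deid),
        "deid_risk": reidentification_risk(deid),
    }


if __name__ == "__main__":
    print(run())
```

On the constructed sample, the raw set has k = 1 (every record is unique on zip and birth year), while the three expired analytics records, once generalised, share one group and reach k = 3. Records with no declared purpose or no consent are deleted outright, which is the minimization principle applied at retention time. The HMAC token illustrates the ICO point above: data that the key holder can still link back is pseudonymised and stays regulated, so the measure of where a set sits on the continuum has to consider who holds the key, not only the quasi-identifiers.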
FROM DATA LIFECYCLES TO DATA FLOWS
Strategic and tactical uses of data Privacy
Example of data flow issues
Quantified self movement
Personal “health” data
Direction of flow is essential
Consequences on Privacy Policy
Enterprise goals vs. user goals
Privacy Policy
Requirements
Privacy Mechanisms
Procedures & Processes
Privacy Awareness Training
Quality Assurance
And escalation procedures to attribute responsibility
Should we do this analysis?
The “Magnum” Plan
• Document your data set-up
– Define data lifecycles & flows (+ access)
• Set up a compliance check-list:
– Applicable legislations (sector, territory)
• Evaluate your risks
• Follow up with information security measures
• Attribute responsibility