A Framework of Purpose and Consent for Data Security & Consumer Privacy
Aurélie Pols – Mind Your Privacy

Posted on 14-Jul-2015

Presented by: Aurélie Pols@AureliePols

The SUN went down on Privacy

“You have zero privacy anyway, get over it”, Scott McNealy, CEO of Sun Microsystems, January 1999

At eMetrics in Boston in 2006, this turned into

“Privacy is Dead Aurélie, get over it!”

Call me a bore, I’ve been listening to the helicopters coming, while humming Wagner’s Ride of the Valkyries

Customer Data

Employee Data

Competitive Data

Data Exhaust

Evolving tides?

• The World Economic Forum – Personal Data: The Emergence of a New Asset Class (2011)

• The EU GDPR – General Data Protection Regulation (2012-2015?)

• The OECD – Guidelines on the Protection of Privacy & Transborder Flows of Personal Data (1980, reviewed in 2013)

• The UN – The Right to Privacy in the Digital Age (2014)

Total Privacy fines worldwide

6 weeks into 2014, the world total in Privacy damages had reached 50% of last year’s record: $74 million

Source: http://www.computerworld.com/s/article/9246393/Jay_Cline_U.S._takes_the_gold_in_doling_out_privacy_fines?taxonomyId=84&pageNumber=3

And of course data breaches

Target, JPMorgan, Home Depot, …

But what happens after the breach?

How many lawsuits is Target facing?

140, totaling over $750 million

THE QUESTION IS NOT IF, IT’S WHEN


Global solutions?

Compliance?

Privacy?

Security?

Moving targets


A Global Privacy Perspective (columns: US & UK | EU | ASIA)

Common Law | Continental Law | Partially continental law influenced

Class actions | Fines (by DPAs: Data Protection Agencies)

Amended | New

Privacy | Personal Data Protection (PDP)

Business focused | Citizen focused: data belongs to the visitor/prospect/consumer/citizen

Patchwork of sector based legislations: HIPAA, COPPA, VPPA, … | Over-arching EU Directives & Regulations

PII: varies per US state | “Personal Data” => Risk levels: low, medium, high, extremely high

If you collect PII… then (columns: US & UK | EU)

Common Law | Continental Law

Class actions | Fines (by DPAs: Data Protection Agencies)

Privacy | Personal Data Protection (PDP)

Business focused | Citizen focused

Patchwork of sector based legislations: HIPAA, COPPA, VPPA, … | Over-arching EU Directives & Regulations

PII: varies per state | Risk levels: low, medium, high, extremely high

So what is considered PII?

Personal Information (based on the definition commonly used by most US states)

i Name, such as full name, maiden name, mother‘s maiden name, or alias

ii Personal identification number, such as social security number (SSN), passport number, driver‘s license number, account and credit card number

iii Address information, such as street address or email address

iv Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address

v Telephone numbers, including mobile, business, and personal numbers

vi Information identifying personally owned property, such as vehicle registration number or title number and related information

Source: information based on current ongoing analysis (partial results)

PII vs. Risk levels: US vs. EU

Risk level (data type & information security measures), from lowest to highest:

Low (low risk data type: clickstream data)

Medium (profiling: typically retargeting through cookies)

High (sensitive data: health, financial, political views, sexual orientation, …)

Extremely high (profiling of sensitive data: probability of being pregnant => Target?)

(Figure: PII marked against this risk-level scale)

PERSONAL DATA

EU Directive 95/46/EC, Article 2(a):

Shall mean any information relating to an identified or identifiable natural person ('data subject');

an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

EVERY TIME YOU USE THE ACRONYM PII

A cat dies!


Privacy Role Playing in the EU


Controller vs. Processor

Web property: Big corporation, SME

Customer: visitor, voter, citizen, …

Intermediaries: tools, agencies, consultancies, …

(Figure: Data Flow, Responsibility and Privacy Rights between these parties)

12 Responsibilities of a Data Controller

1. Inform participants

2. Obtain informed consent

3. Ensure the data held is accurate

4. Delete personal data when it is no longer needed => delete or anonymize

5. Protect against unauthorized destruction, loss, alteration and disclosure => security

6. Contract with Data Processors responsibly

7. Take care transferring data out of Europe

8. If you collect “special” categories of data, get specialist advice

9. Deal with any data subject access requests

10. If the assessment is high stakes, ensure there is review of any automated decision making

11. Appoint a Data Protection Officer (DPO) and train staff

12. Work with supervisory authorities and respond to complaints

Source: http://blog.questionmark.com/responsibilities-of-a-data-controller-when-assessing-knowledge-skills-and-abilities

Role playing example

Surveymonkey: https://www.surveymonkey.com/mp/policy/privacy-policy

Purpose, Consent & Data Uses

From: Purpose -> Consent -> FIPPs -> Data for approved use

To: Purpose -> Consent -> FIPPs -> Data analysis or merging -> New business opportunity

Big Data is Killing the Privacy Framework

FIPPs? Fair Information Privacy Practices

Source: https://security.berkeley.edu/sites/default/files/uploads/FIPPSimage.jpg


What about security?

(Figure: Data Collection, Processes, Resources, DPO)

Implement Information Security Measures

Source: http://www.softbank.jp/en/corp/csr/management/info_security/efforts/


Who has access?

Source: Privacy Green seal, specific audit for analytics tools & data agencies


(Figure: HQ with LOCAL SUBSIDIARY 1, LOCAL SUBSIDIARY 2, LOCAL SUBSIDIARY 3 and LOCAL SUBSIDIARY 4)

Customer Terms & Conditions: Applicable Security Measures???

Where does it sit? Cloud/SaaS

DATA IS A RISK BECAUSE IT EXISTS

Data has become a valuable asset

Data lifecycles

Analytics => Follow the Money

Privacy => Follow the Data

Legal: Procedures/Processes, Compliance & Risks Assessments


Limiting Risk of holding data

Data Minimization Principle

Limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose

Data Retention Policies

Set of guidelines that describes which data will be archived and for how long it will be kept. Permanent deletion of the retained data is part of any effective data retention policy.

Data Retention Policies

• Delete the data, everywhere!

• Anonymize or De-identify the data

Source: Ann Cavoukian and Khaled El Emam, June 2011, http://www.ipc.on.ca/images/Resources/anonymization.pdf

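The two retention slides above state the policy in words: a retention window per kind of data, after which the data is deleted everywhere or anonymized. The following example was added for this page (it is not code from the deck or from Mind Your Privacy) to show what enforcing such a policy looks like on a handful of constructed records. The categories, windows, end-of-window actions, Record fields and sample data are all assumptions chosen for illustration; a real policy comes out of the compliance check-list described later in the deck.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed, hypothetical retention policy: per data category, how long a record may
# be kept after its last use and what happens when that window runs out.
POLICY = {
    "clickstream": (timedelta(days=90),  "delete"),     # low-risk data: short window, then gone
    "account":     (timedelta(days=730), "anonymize"),  # keep aggregate value, drop identifiers
    "health":      (timedelta(days=30),  "delete"),     # sensitive data: shortest window, no exceptions
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    email: Optional[str]   # direct identifier
    ip: Optional[str]      # asset identifier (on the PII list earlier in the deck)
    payload: str           # the event or content itself
    last_used: datetime


def is_expired(rec: Record, now: datetime) -> bool:
    window, _ = POLICY[rec.category]
    return now - rec.last_used > window


def anonymize(rec: Record) -> Record:
    """Strip the direct identifier and coarsen the rest so the row no longer points at one person."""
    ip = None
    if rec.ip:
        first, second = rec.ip.split(".")[:2]
        ip = f"{first}.{second}.0.0"          # keep only the /16 for coarse traffic analysis
    month = rec.last_used.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
    return replace(rec, email=None, ip=ip, last_used=month)


def apply_retention(records: List[Record], now: datetime) -> Tuple[List[Record], List[str]]:
    """Return (records that survive, ids that must be deleted everywhere: backups and processors included)."""
    kept, deleted = [], []
    for rec in records:
        if not is_expired(rec, now):
            kept.append(rec)
            continue
        _, action = POLICY[rec.category]
        if action == "delete":
            deleted.append(rec.record_id)
        else:
            kept.append(anonymize(rec))
    return kept, deleted


# Constructed sample: four records, two of them past their window, one due for anonymization.
NOW = datetime(2015, 7, 14, tzinfo=timezone.utc)
SAMPLE = [
    Record("r1", "clickstream", "alice@example.com", "203.0.113.7",  "viewed /pricing", NOW - timedelta(days=10)),
    Record("r2", "clickstream", "alice@example.com", "203.0.113.7",  "viewed /signup",  NOW - timedelta(days=120)),
    Record("r3", "account",     "bob@example.com",   "198.51.100.4", "plan=pro",        NOW - timedelta(days=800)),
    Record("r4", "health",      "carol@example.com", None,           "steps=10432",     NOW - timedelta(days=45)),
]

if __name__ == "__main__":
    kept, deleted = apply_retention(SAMPLE, NOW)
    for rec in kept:
        print(rec)
    print("delete everywhere:", deleted)
```

The deletion list is returned rather than acted on so that the same ids can be pushed to every copy of the data (the "everywhere" on the slide): warehouse, backups and any processor holding it. Anonymized rows keep their payload and month, which is what aggregate reporting needs, and lose the email and the host part of the IP.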

Privacy by Design (PbD) 7 Fundamental Principles

Ann Cavoukian – Information & Privacy Commissioner Ontario, Canada

1. Proactive not Reactive; Preventive not Remedial: PbD anticipates and prevents Privacy-invasive events before they happen

2. Privacy as the Default Setting: PbD seeks to deliver the maximum degree of Privacy by ensuring that personal data are automatically protected in any given IT system or business practice

3. Privacy embedded into Design: It is not bolted on as an add-on, after the fact. It’s an essential component of the core functionality being delivered

4. Full-functionality – Positive Sum not Zero Sum: no trade-offs, no false dichotomies

5. End to End Security – Full Lifetime Protection: cradle to grave lifecycle management of information, end-to-end

6. Visibility and Transparency – Keep it Open: operating according to the stated promises and objectives, subject to independent verification

7. Respect for User Privacy – Keep it User-Centric: strong Privacy defaults, appropriate notice, and empowering user-friendly options

Anonymize or de-identify data

X collects the data -> X de-identifies the data -> X passes the de-identified data on to Y for use -> Y possibly re-identifies the individual

Default: • Purpose • Consent • FIPPs

Q1: Additional Privacy notice if de-identification of data?

Q2: does PbD stop here or also apply to use by company Y?

Q3: and now what? Inform the individual?

ICO (UK) “Anonymisation Code of Practice”: no, once it’s anonymized, it’s not regulated data

A continuum of re-identification risks

(Figure: risk-level axis between Unbreakable de-identification and Expressly identifying personal information, with Big Data merging marked on it)

Problem 1: varying global definitions of PII

Question 2: How to assess the risk mitigation value + only relevant on top of de-identification?

Question 3 (links back to Q3): Legal obligations for those using the de-identified data, company Y?

Question 4 (same as Q3): How to inform citizens?

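Question 2 above asks how to assess the risk mitigation value of de-identification before the data goes from X to Y. One standard, measurable check is k-anonymity: the size of the smallest group of records that share the same combination of quasi-identifiers (fields such as ZIP code, birth year and sex that identify nobody on their own but can be matched against another dataset that also carries them). The following example was added for this page; it is not code from the deck or from the Cavoukian and El Emam paper cited earlier. On a constructed dataset it shows that stripping names and emails alone leaves every row unique (k = 1, the "expressly identifying" end of the continuum for anyone holding a second dataset with the same quasi-identifiers), that generalizing those fields raises k, and that a release gate can refuse to hand the data on below a chosen threshold. Field names, the generalization rules, the threshold and the records are all assumptions.

```python
from collections import Counter
from typing import Dict, List, Sequence

# Constructed records as held by "X": fictional people with example.com addresses.
RAW: List[Dict[str, object]] = [
    {"name": "A. Example", "email": "a@example.com", "zip": "02134", "birth_year": 1981, "sex": "F", "condition": "asthma"},
    {"name": "B. Example", "email": "b@example.com", "zip": "02138", "birth_year": 1984, "sex": "F", "condition": "none"},
    {"name": "C. Example", "email": "c@example.com", "zip": "02139", "birth_year": 1979, "sex": "M", "condition": "diabetes"},
    {"name": "D. Example", "email": "d@example.com", "zip": "02141", "birth_year": 1976, "sex": "M", "condition": "none"},
    {"name": "E. Example", "email": "e@example.com", "zip": "10001", "birth_year": 1990, "sex": "F", "condition": "none"},
    {"name": "F. Example", "email": "f@example.com", "zip": "10002", "birth_year": 1993, "sex": "F", "condition": "asthma"},
]

DIRECT_IDENTIFIERS = ("name", "email")            # expressly identifying fields
QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")  # not identifying alone, but linkable in combination


def strip_direct_identifiers(rows: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Step one of de-identification: drop the fields that name a person outright."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in rows]


def generalize(rows: List[Dict[str, object]], zip_digits: int = 3, year_band: int = 5) -> List[Dict[str, object]]:
    """Coarsen the quasi-identifiers so that several people share each combination."""
    out = []
    for r in rows:
        g = dict(r)
        z = str(r["zip"])
        g["zip"] = z[:zip_digits] + "*" * (len(z) - zip_digits)     # "02134" -> "021**"
        lo = (int(r["birth_year"]) // year_band) * year_band         # 1981 -> "1980-1984"
        g["birth_year"] = f"{lo}-{lo + year_band - 1}"
        out.append(g)
    return out


def k_anonymity(rows: List[Dict[str, object]], quasi: Sequence[str] = QUASI_IDENTIFIERS) -> int:
    """Size of the smallest equivalence class; k == 1 means some row is unique on its quasi-identifiers."""
    classes = Counter(tuple(r[q] for q in quasi) for r in rows)
    return min(classes.values())


def release(rows: List[Dict[str, object]], k_min: int = 2) -> List[Dict[str, object]]:
    """Gate for handing data to Y: de-identify, measure, and refuse to release below k_min."""
    candidate = generalize(strip_direct_identifiers(rows))
    k = k_anonymity(candidate)
    if k < k_min:
        raise ValueError(f"re-identification risk too high: k={k} < {k_min}")
    return candidate


if __name__ == "__main__":
    print("names/emails stripped only: k =", k_anonymity(strip_direct_identifiers(RAW)))
    print("ZIP and birth year generalized: k =", k_anonymity(generalize(strip_direct_identifiers(RAW))))
    for row in release(RAW, k_min=2):
        print(row)
```

k-anonymity only measures linkability on the chosen quasi-identifiers; the sensitive column ("condition") still needs its own check (each group should carry more than one value), and the threshold k_min is a policy decision, not a technical constant. The point for the data flow on the slide is that the measurement happens at X, before Y ever sees the data, and that the answer to "has it been de-identified?" is a number rather than a yes.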

FROM DATA LIFECYCLES TO DATA FLOWS

Strategic and tactical uses of data Privacy


Example of data flow issues

Quantified self movement

Personal “health” data

Direction of flow is essential

Consequences on Privacy Policy

Enterprise goal / User goals

Privacy Policy

Requirements

Privacy Mechanisms

Procedures & Processes

Privacy Awareness Training

Quality Assurance

And escalation procedures to attribute responsibility

Should we do this analysis?

WRAPPING UP


The “Magnum” Plan

• Document your data set-up

– Define data lifecycles & flows (+ access)

• Set-up a compliance check-list:

– Applicable legislations (sector, territory)

• Evaluate your risks

• Follow-up with information security measures

• Attribute responsibility

Q & A

Gracias!