Title: Dealing with Privacy Obligations in Enterprises
Marco Casassa Mont, marco.casassa-mont_at_hp.com
Trusted Systems Lab, Hewlett-Packard Labs, Bristol, UK
ISSE 2004, Berlin, Germany, 28-30 September 2004
Presentation Outline
- Setting the Context: Privacy and Privacy Obligations
- Analysis of Privacy Obligations, Issues and Requirements
- Privacy Obligations: Related Work
- Privacy Obligations: Our Work
- Discussion and Next Steps
- Conclusions
Our Approach
- Focus on Privacy Obligations for Personal Data in Enterprises
- Explore the problem from a technical angle: how to Model, Manage, Enforce and Monitor Privacy Obligations
- Recognise that it is not only a matter of technology but also involves laws, legislation, processes and human intervention. Nevertheless, automation can help.
Setting the Context: Privacy and Privacy Obligations
Privacy: an Important Aspect of Regulatory Compliance
Privacy is a very Complex Topic
Privacy and Personal Data: Core Concepts
Privacy management has strong implications on how Personal Identifiable Information (PII data: personal documents, personal digital information, etc.) is managed by the other parties accessing that data.
(Figure: People provide Personal Data to Enterprises/Organisations, where it is accessed by Applications and Services and by Employees, Partners, Third Parties, etc.)
Focus on Management of Privacy for Personal Data within Enterprises
Privacy and Personal Data: Importance of Privacy Laws, Legislation and Guidelines
- OECD Privacy Guidelines and Policies
- EU Legislation
- Various US Laws and Legislation: HIPAA, COPPA, GLB, etc.
- Safe Harbour Policies
- Various Local and National Data Protection Initiatives: http://www.privacyinternational.org/survey/phr2003/
- Organisations' and Enterprises' Privacy Guidelines/Policies
Privacy for Personal Data: Principles and Privacy Policies
Privacy Policies: Rights, Permissions and Obligations
(Figure: Privacy Policies comprise Privacy Rights, Privacy Permissions and Privacy Obligations)
Focus on Privacy Obligations: Why?
- A lot of technical work has already been done in the space of Privacy Rights and Permissions. More details are given in the Related Work section.
- The overall management of Privacy Obligations from a technical perspective, as first-class citizens, is still a green field and open to research.
- Privacy Obligations are a key aspect of regulatory compliance.
Analysis of Privacy Obligations
Privacy Obligations: Aspects
(Figure: around Privacy Obligations sit four aspects: classification of the types of obligations; technologies to deal with the management of privacy obligations; management of obligations, i.e. refinement, control, enforcement and monitoring; common patterns and requirements)
Privacy Obligation Refinement: Abstract vs. Refined
Obligations can be very abstract:
  "Every financial institution has an affirmative and continuing obligation to respect customer privacy and protect the security and confidentiality of customer information" (Gramm-Leach-Bliley Act)
More refined Privacy Obligations dictate responsibilities with respect to Personal Information:
- Notice requirements
- Enforcement of opt-in/opt-out options
- Limits on reuse of information and information sharing
- Data retention limitations
Privacy Obligations: 1st Classification
1. Transactional Obligations: privacy obligations that are immediately enforced when interactions/transactions involve PII data, e.g. notify the owner of PII data when someone accesses it (i.e. linked to an access control decision).
2. Data Retention and Handling Obligations: privacy obligations dealing with deletion and management of PII data, usually driven by time-based events, e.g. delete PII data in X hours/days/months/years starting from its disclosure.
3. Other Event-driven Obligations: privacy obligations triggered by events that relate to contextual and application-relevant data, based on usage of the data, trust information, etc., e.g. delete PII data after it has been accessed X times.
Privacy Obligations: 2nd Classification
1. Short-term Obligations: obligations to be fulfilled immediately or in a short period of time. Their implications in terms of the resources needed to fulfil them are limited in time, e.g. delete all customer PII data stored in their account after 30 days if the customer does not confirm their registration.
2. Long-term Obligations: obligations that might have long-term implications in terms of the resources needed to fulfil them, e.g. delete all PII data of customers after 7 years.
3. Ongoing Obligations: obligations that might be short- or long-term. They imply an ongoing fulfilment of activities, e.g. every month notify me that you still store my PII data; notify me every time this data is disclosed to a third party.
Privacy Obligations and Access Control
Obligations contextual to access control: these include most of the transactional obligations and the obligations that can be fulfilled after an authorization decision, e.g.
- notify me when you access my PII data
- delete my data after accessing it
- check the trustworthiness of your platform when you access PII data
- log your access and intent in this third-party audit server
Obligations unrelated to access control: these are unrelated to access control decisions. Part of the data retention obligations, long-term obligations and ongoing obligations belong to this category, e.g.
- delete customers' PII data after it has been stored for 7 years, independently of whether it is accessed
- notify me every month if you still have PII data of mine
Who is Setting Privacy Obligations?
Obligations can be set by PII data subjects, or by third parties on their behalf. People usually set privacy obligations related to the visible and operational aspects of their PII data: they dictate constraints on the usage of PII data, required interactions and actions (notifications, deletions, etc.), and opt-in/opt-out choices.
Obligations can be set by enterprises or imposed by legislation. Organisations need to support privacy obligations dictated by legislation, laws and internal guidelines. These privacy obligations can be seen as default obligations that users are entitled to.
Privacy Obligations: Common Aspects and Requirements
Privacy Obligations: Common Aspects
- Timeframe (period of validity) of obligations
- Events/contexts that trigger the need to fulfil obligations
- Target of an obligation (PII data)
- Actions/tasks to be enforced
- Entities responsible for enforcing obligations
- Exceptions and special cases
Dealing with Privacy Obligations: Important Issues and Requirements 1/2
- Modelling/representation of privacy obligations
- Association of obligations to data
- Mapping obligations into enforceable actions
- Compliance of refined policies with high-level policies
- Tracking the evolution of obligation policies
Privacy Obligations: Important Issues and Requirements 2/2
- Dealing with long-term obligation aspects
- Accountability management
- User involvement
- Complexity and cost of instrumenting applications and services
Privacy Obligations: Related Work
Technical Work in this Space 1/2
- Technical advancements have been made to deal with Privacy Rights, Permissions and Obligations:
  - Extended access control and authorization mechanisms, built to check and enforce privacy permissions against users' rights, data purpose and intents
  - Approaches to deal with privacy obligations are available for data retention solutions and document management systems. They are very focused and limited in terms of obligation expressiveness and system functionality.
Technical Work in this Space 2/2
- Recent important work done in this space:
  - IBM Enterprise Privacy Architecture, including a policy management system, a privacy enforcement system and audit
  - Initial work on privacy obligations in the context of the Enterprise Privacy Authorization Language (EPAL), led by IBM
EPAL and Privacy Obligation Management
(Figure: a Privacy Management Framework in which Users, Applications and Services go through EPAL-driven Authorization and Enforcement, with Obligation Management and Enforcement alongside it, to reach Personal and Private Information)
Source: http://www.w3.org/Submission/2003/SUBM-EPAL-20031110/
EPAL's main limitations when dealing with privacy obligations:
- EPAL (and the related privacy architecture) focuses on an authorization and access control perspective of privacy
- EPAL does not model or describe obligations: it provides place-holders for them
- Privacy obligations are treated as second-class citizens, as they are only considered in an authorization context
Privacy Obligations: Our Technical Work
Privacy Obligations: Our Approach to Address the Problems
- Deal with Privacy Obligations as first-class citizens in the context of Enterprises and Organisations; recognise their importance for Regulatory Compliance
- Recognise the importance of separation of concerns: explore how to explicitly represent, manage and enforce privacy obligations without imposing any dominant view (for example, the authorization perspective)
- Research and work on longer-term issues, such as accountability, stronger associations of obligations to data, obligation versioning and tracking
Dealing with Privacy Obligations: Our High Level Model
Privacy Obligations: Our Technical Work
Technical work and research on Privacy Obligations:
1. Modelling and Representation of Obligations
2. An Obligation Management System (OMS) for Management, Enforcement and Monitoring of Obligations
3. Accountability and Strong Association of Obligations to Personal Data
4. Prototype
1. Privacy Obligations: Modelling and Representation
(Figure: a Privacy Obligation is made of an Obligation Identifier, Actions and Additional Metadata for future extensions; the full structure, including target and triggering events, is shown in the format example on the next slide)
1. Privacy Obligations: Format Example

<obligation id="gfrbg7645gt45">
  <target>
    <database>
      <dbname>Customers</dbname>
      <tname>Customers</tname>
      <locator>
        <key name="UserID">oid_a83b8afdfc44df3b-7f9c</key>
      </locator>
      <data attr="part">
        <item>creditcard</item>
        <item>firstname</item>
      </data>
    </database>
  </target>
  <obligationitem sid="1">
    <metadata>
      <type>LONGTERM</type>
      <description>Delete firstname,surname at Sat Aug 15 17:26:21 BST 2004.</description>
    </metadata>
    <events>
      <event>
        <type>TIMEOUT</type>
        <date now="no">
          <year>2004</year>
          <month>08</month>
          <day>14</day>
          <hour>17</hour>
          <minute>26</minute>
        </date>
      </event>
    </events>
    <actions>
      <action>
        <type>DELETE</type>
        <data attr="part">
          <item>creditcard</item>
          <item>firstname</item>
        </data>
      </action>
    </actions>
  </obligationitem>
</obligation>
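The format above, parsed and checked. This is an added example, not code from the HP Labs prototype. It takes the element names exactly as they appear in the example, and makes two assumptions the slide leaves open: that a date element with now="yes" means "fire immediately" (the slide only shows now="no"), and that the accepted action types are the ones listed later in the deck (delete/update, hide/unhide, notify, log). The embedded sample is the slide's own example with the '<', '>', '=' and '"' characters the transcript lost put back.

```python
"""Parser and due-check for the obligation XML format above (added example, not
HP Labs code). Element names follow the slide exactly; the sample is the slide's
own example re-typed with the '<', '>', '=' and '"' characters the transcript
lost. Assumed: <date now="yes"> means 'fire immediately' (the slide only shows
now="no"), and the accepted action types are the ones the deck lists later."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple, Union
import xml.etree.ElementTree as ET

KNOWN_ACTIONS = {"DELETE", "UPDATE", "HIDE", "UNHIDE", "NOTIFY", "LOG"}  # assumed set

SAMPLE_OBLIGATION = """<obligation id="gfrbg7645gt45">
 <target><database>
  <dbname>Customers</dbname><tname>Customers</tname>
  <locator><key name="UserID">oid_a83b8afdfc44df3b-7f9c</key></locator>
  <data attr="part"><item>creditcard</item><item>firstname</item></data>
 </database></target>
 <obligationitem sid="1">
  <metadata><type>LONGTERM</type>
   <description>Delete firstname,surname at Sat Aug 15 17:26:21 BST 2004.</description></metadata>
  <events><event><type>TIMEOUT</type>
   <date now="no"><year>2004</year><month>08</month><day>14</day><hour>17</hour><minute>26</minute></date>
  </event></events>
  <actions><action><type>DELETE</type>
   <data attr="part"><item>creditcard</item><item>firstname</item></data>
  </action></actions>
 </obligationitem>
</obligation>"""


@dataclass
class Target:
    dbname: str
    table: str
    key_name: str
    key_value: str
    items: List[str]  # columns the obligation is attached to


@dataclass
class ObligationItem:
    sid: str
    otype: str        # LONGTERM, ONGOING, ... as written in <metadata><type>
    description: str
    events: List[Tuple[str, Optional[datetime]]]  # (event type, deadline; None = now="yes")
    actions: List[Tuple[str, List[str]]]          # (action type, affected items)


@dataclass
class Obligation:
    oid: str
    target: Target
    items: List[ObligationItem]


def _parse_date(date_el: Optional[ET.Element]) -> Optional[datetime]:
    if date_el is None or date_el.get("now") == "yes":
        return None
    return datetime(**{t: int(date_el.findtext(t)) for t in ("year", "month", "day", "hour", "minute")})


def parse_obligation(xml_text: str) -> Obligation:
    root = ET.fromstring(xml_text)
    db = root.find("target/database")
    key = db.find("locator/key")
    target = Target(db.findtext("dbname"), db.findtext("tname"), key.get("name"),
                    key.text.strip(), [i.text for i in db.findall("data/item")])
    items = []
    for oi in root.findall("obligationitem"):
        items.append(ObligationItem(
            sid=oi.get("sid"),
            otype=oi.findtext("metadata/type"),
            description=oi.findtext("metadata/description"),
            events=[(e.findtext("type"), _parse_date(e.find("date"))) for e in oi.findall("events/event")],
            actions=[(a.findtext("type"), [i.text for i in a.findall("data/item")])
                     for a in oi.findall("actions/action")]))
    return Obligation(root.get("id"), target, items)


def validate(ob: Obligation) -> List[str]:
    """Checks to make before storing: action types are known and every item an action
    touches is one the obligation actually targets (no deleting columns it was not set on)."""
    problems = []
    for item in ob.items:
        for atype, acted_on in item.actions:
            if atype not in KNOWN_ACTIONS:
                problems.append(f"{ob.oid}/{item.sid}: unknown action type {atype}")
            for col in set(acted_on) - set(ob.target.items):
                problems.append(f"{ob.oid}/{item.sid}: action on {col} outside target")
    return problems


def due_actions(ob: Obligation, now: Union[datetime, str]) -> List[Tuple[str, List[str]]]:
    """Actions whose TIMEOUT event has fired at `now` (datetime or ISO-8601 string).
    Other event types (counters, contextual events) are left to an events handler."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    due = []
    for item in ob.items:
        if any(et == "TIMEOUT" and (dl is None or dl <= now) for et, dl in item.events):
            due.extend(item.actions)
    return due
```

validate() is the check an obligation store should run on submission: the slide's example carries a description that talks about surname while the action only names creditcard and firstname, which is harmless, but an action naming a column outside the obligation's target would let a scheduler delete data the subject never placed under that obligation.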
2. Our Privacy Obligations Management System (OMS)
- Explicit Management of Privacy Obligations within Enterprises
- Core functionalities:
  - Processing
  - Scheduling
  - Enforcing
  - Monitoring of Privacy Obligations
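The four core functions in the form of a small in-memory OMS. This is an added example and not the HP Labs prototype: register() processes and validates an obligation, tick() is the scheduler for time-driven obligations, record_access() is the events handler that drives counter-based ones, and monitor() checks afterwards that a fulfilled deletion really removed the data and flags deadlines the scheduler missed. Every enforcement is written to an audit log. The table layout, the trigger names and the two action adaptors (DELETE, NOTIFY) are assumptions.

```python
"""A minimal obligation management system (OMS) with the four functions listed
above: processing (registration), scheduling, enforcing and monitoring, plus an
audit log. Added example, not the HP Labs prototype; it works on an in-memory
table instead of a database and knows two triggers (a TIMEOUT deadline and an
access counter) and two action adaptors (DELETE, NOTIFY). Names are assumed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Union

Moment = Union[datetime, str]  # ISO-8601 strings accepted for convenience


def _as_dt(t: Moment) -> datetime:
    return datetime.fromisoformat(t) if isinstance(t, str) else t


@dataclass
class Obligation:
    oid: str
    key: str                            # UserID of the data subject's row
    items: List[str]                    # columns the obligation covers
    action: str                         # "DELETE" or "NOTIFY"
    due_at: Optional[datetime] = None   # TIMEOUT trigger
    max_accesses: Optional[int] = None  # counter trigger: fire on the Nth access
    accesses: int = 0
    state: str = "ACTIVE"               # ACTIVE -> FULFILLED, or VIOLATED if missed

    def __post_init__(self):
        self.due_at = _as_dt(self.due_at) if self.due_at is not None else None


class OMS:
    def __init__(self, table: Dict[str, Dict[str, str]]):
        self.table = table                  # key -> {column: value}
        self.obligations: Dict[str, Obligation] = {}
        self.audit: List[tuple] = []        # (time, oid, event, detail)
        self.notifications: List[str] = []
        self.adaptors = {"DELETE": self._delete, "NOTIFY": self._notify}

    # processing: accept only obligations the enforcer can actually honour
    def register(self, ob: Obligation, now: Moment) -> None:
        if ob.action not in self.adaptors:
            raise ValueError(f"no action adaptor for {ob.action}")
        if ob.due_at is None and ob.max_accesses is None:
            raise ValueError("obligation has no trigger")
        self.obligations[ob.oid] = ob
        self._log(now, ob.oid, "REGISTERED", f"{ob.action} {ob.items} for {ob.key}")

    # scheduling: fire every time-driven obligation whose deadline has passed
    def tick(self, now: Moment) -> List[str]:
        now = _as_dt(now)
        fired = [ob for ob in self._active() if ob.due_at is not None and ob.due_at <= now]
        for ob in fired:
            self._enforce(ob, now, "TIMEOUT")
        return [ob.oid for ob in fired]

    # events handler: an application reports an access; counter obligations may fire
    def record_access(self, key: str, items: List[str], now: Moment) -> List[str]:
        now = _as_dt(now)
        fired = []
        for ob in self._active():
            if ob.key == key and set(items) & set(ob.items) and ob.max_accesses is not None:
                ob.accesses += 1
                if ob.accesses >= ob.max_accesses:
                    self._enforce(ob, now, f"ACCESS_COUNT={ob.accesses}")
                    fired.append(ob.oid)
        return fired

    # monitoring: verify fulfilled deletions stayed deleted, flag missed deadlines
    def monitor(self, now: Moment) -> List[str]:
        now = _as_dt(now)
        findings = []
        for ob in self.obligations.values():
            row = self.table.get(ob.key, {})
            if ob.state == "FULFILLED" and ob.action == "DELETE" and set(ob.items) & set(row):
                findings.append(f"{ob.oid}: data reappeared after deletion")
            elif ob.state == "ACTIVE" and ob.due_at is not None and ob.due_at < now:
                ob.state = "VIOLATED"
                self._log(now, ob.oid, "VIOLATED", "deadline passed without enforcement")
                findings.append(f"{ob.oid}: deadline missed")
        return findings

    def _active(self) -> List[Obligation]:
        return [ob for ob in self.obligations.values() if ob.state == "ACTIVE"]

    def _enforce(self, ob: Obligation, now: datetime, trigger: str) -> None:
        self.adaptors[ob.action](ob)
        ob.state = "FULFILLED"
        self._log(now, ob.oid, "ENFORCED", f"{ob.action} on {trigger}")

    def _delete(self, ob: Obligation) -> None:   # adaptor: partial deletion of the row
        row = self.table.get(ob.key, {})
        for col in ob.items:
            row.pop(col, None)

    def _notify(self, ob: Obligation) -> None:   # adaptor: message to the data subject
        self.notifications.append(f"{ob.key}: {ob.items} accessed/retained")

    def _log(self, now: Moment, oid: str, event: str, detail: str) -> None:
        self.audit.append((_as_dt(now).isoformat(), oid, event, detail))
```

The monitor is deliberately separate from the enforcer: it re-reads the data rather than trusting the FULFILLED state, so a restore from backup that brings a deleted credit card number back is caught, and an obligation whose deadline passed while the scheduler was down is marked VIOLATED and logged instead of silently staying ACTIVE.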
2. OMS as part of an Identity Management System
(Figure: model of Identity Management Systems)
2. OMS High Level System Architecture
(Figure, shown in four views. Outside the enterprise: Applications and Services, Data Subjects and Admins. Inside the enterprise: a Privacy-enabled Portal; an Obligation Server with an Obligation Scheduler; an Events Handler; an Obligation Enforcer with Workflows and Action Adaptors; an Obligation Monitoring Service with a Monitoring Task Handler; an Information Tracker; an Audit Server; an Obligation Store with versioning, holding Data References and Obligations; and the Confidential Data itself.
- View "Setting Privacy Obligations on Personal Data": Data Subjects set obligations through the Privacy-enabled Portal; the Obligation Server and Obligation Scheduler record them in the Obligation Store, next to the Confidential Data they refer to.
- View "Enforcing Privacy Obligations": the Obligation Scheduler and Events Handler trigger the Obligation Enforcer, which runs Workflows through the Action Adaptors on the Confidential Data; the Information Tracker and Audit Server record what was done.
- View "Monitoring Privacy Obligations": the Obligation Monitoring Service and its Monitoring Task Handler check, via the Events Handler, Information Tracker and Audit Server, that the enforced obligations have actually been fulfilled.)
3. OMS: Towards Strong Association of Obligations to Data and Accountability
(Figure: the same architecture with a Key Management Service added; personal data is held as encrypted data with a sticky obligation attached. Encryption: sticky policies based on IBE crypto or traditional RSA crypto.)
4. OMS Prototype: Core System Components
Discussion 1/2
- Our system is an initial step towards the explicit management, enforcement and monitoring of privacy obligations: there is plenty of space for refinements and improvements
- We assume that the enterprise is willing to be compliant with privacy obligations. Additional assurance and accountability can be added by hardening the audit server and involving trusted third parties
Discussion 2/2
- We introduced and discussed a centralised OMS: a potential bottleneck. We are exploring how to distribute it
- Security is required to control the access to obligations and PII data by Administrators and Users
- We did not discuss the implications of long-term obligation management in terms of requirements for reliability, survivability and longevity of the platforms running our system. Related work can be leveraged in this space
Next Steps
- Refinement of our concepts and OMS architecture, and further research
- Addressing open issues such as obligation life-cycle management, overall efficiency, and stickiness of privacy obligations to PII data
- Further research to be done in the context of the EU PRIME project
Conclusions
- Privacy obligations are a key aspect of privacy. They are first-class citizens and need to be explicitly managed
- The management of privacy obligations is important for enterprises and organisations as part of overall Regulatory Compliance
- We introduced our research and technical work in the privacy obligation management space and described an Obligation Management System (OMS) to schedule, enforce and monitor privacy obligations
- Open issues: OMS efficiency, scalability, strong association of privacy obligations to data
- Our research and work are in progress. Part of this work will be done in the context of the EU PRIME project
Some Privacy Definitions
- "The quality of being secluded from the presence or view of others"
- "The right of an individual to be secure from unauthorized disclosure of information about oneself that is contained in documents and digital data"
- "Ensuring that individuals maintain the right to control what information is collected about them and how it is used as well"
- "For citizens and consumers, freedom from unauthorized intrusion. For organizations, privacy involves the policies that determine what information is gathered, how it is used, and how customers are informed and involved in this process. Privacy is a legal issue, but it is also an information security issue"
Terminology: Consent, Intent, Data Purpose, Privacy Policy
Terminology: Aspects of Privacy Policy related to Personal Data
(Figure: the Data Subject provides Personal Data and Consent to the Enterprise. Data Requestors issue a request for data together with their Intent. Privacy Policy Enforcement checks the requirements (intent against data purposes and consent, etc.): on failure there is no access; on success the Privacy Policies dictate access constraints (partial data access/filtering, data transformation/encryption, data subject's constraints) and actions, and the requestor receives the actually accessible data.)
Privacy Enforcement on Data Access Control: Intent, Purpose, Consent
Enterprises: Regulatory Compliance and Enforcement of Privacy Policies
- It is a very complex problem
- The full enforcement of privacy rights, permissions and obligations cannot usually be achieved only via technical solutions
- Processes, best practices and good behaviours are important
- However, being able to automate aspects of privacy policy enforcement and reduce the costs involved is of primary importance, especially for enterprises and organisations
Privacy Obligation Refinement: Abstract vs. Refined
- Even more refined Privacy Obligations specify technical constraints on Personal Information:
  - Notify data owners every time their personal data is involved in a transaction or accessed by personnel
  - Access to and changes of personal data must be audited
  - Delete personal information after 7 years
  - Delete personal information of customers who do not come back to this web site within 30 days
Privacy Policies: Rights, Permissions and Obligations - Example
- Privacy Policies in e-commerce web sites:
  - describe rights of users about their personal information
  - describe permissions given to the involved parties
  - describe obligations the involved parties are subject to
- Privacy Practices can be checked by consumers to:
  - decide if these practices are acceptable
  - decide what to opt in to and opt out of
  - decide who to do business with
Privacy Obligations: Who is in Control?
Direct control: this is the case of a user who can directly control and enforce privacy obligations related to their own PII data.
Reliance on one or more third parties: this is the case where a user relies on an enterprise to enforce his/her obligations. It is also the case of an enterprise that relies on another party (partner, TTP, etc.) to enforce some of the privacy obligations it has dictated.
Privacy Obligations Explored: Types, Events and Actions 1/2
Long-term Privacy Obligations
  Events triggering obligations:
    Time-driven:
    - at a specific date and time (e.g. 1:00am 01-Jan-2005)
    - after a certain period of time (e.g. 1 hour, 3 days, 5 minutes)
    Driven by usage and counters:
    - after the data has been used a certain number of times (e.g. after being used twice) in a specific timeframe
  Actions dictated by obligations:
    Delete/Update:
    - delete all confidential data of a given data subject
    - partially delete data (e.g. delete only the credit card number)
    - replace data with an updated set of data (e.g. update the subject's address)
    Hide/Unhide:
    - hide (encrypt) all data of a subject from any access
    - hide a part of this data from any access
    - unhide all data
    - unhide a part of the data
Privacy Obligations Explored: Types, Events and Actions 2/2
Ongoing Privacy Obligations
  Events triggering obligations:
    Time-driven:
    - periodically (e.g. every month)
    Driven by contextual events:
    - when the data is being used, transferred or deleted
    - when a particular party or parties try to access the data
    - when the data is being used for a certain purpose (e.g. send advertisement)
    - when a set of data is going to be retrieved together
    - any action predefined by the data subject
    Others:
    - when the privacy policies change
  Actions dictated by obligations:
    Report (time-driven):
    - send a report to the subject containing the status of their data and their opt-in/opt-out options (e.g. number of times it has been used, who has tried to access it)
    - tell the subject what data he/she has provided
    - get updated data from the subject
    - audit the logs, report any improper use of the data
    Notify: notify the subject
    Log: take logs
    Access: default allow/disallow all access; allow; disallow
    Consult: get authorization from the data subject; get authorization from a third party; check according to certain conditions set by the user
    Stop (on policy change): stop access to the data; update the obligation
Short-term and Transactional Privacy Obligations
  Obligations might need to be dictated by a transaction or an interaction. The actions specified by these obligations might need to be immediately fulfilled. These actions can be the same as the ones specified by long-term and ongoing obligations.
Privacy Obligations: 1st Classification, Examples
1. Transactional Obligations
- Notify the owner of PII data when someone accesses it (i.e. linked to an access control decision)
- Notify the owner of PII data when their data is disclosed to a third party
- Delete/encrypt PII data of a user at the end of a transaction (or after the data has been accessed)
- Ask the owner of PII data for authorization when someone accesses it
- Ask the owner of PII data for authorization when their data is disclosed to a third party
- Create an audit log when PII data is accessed
2. Data Retention and Handling Obligations
- Delete PII data in X hours/days/months/years starting from now (e.g. delete ABC data on 01/01/2010)
- Send PII data (in clear or encrypted) to entity Y at time Z (optionally delete the local data after this action is performed)
- Notify the owner of PII data every X days/months/years that their data is stored in an enterprise database
- Encrypt data under some key at a certain time (alternative to deletion)
3. Other Event-driven Obligations
- Delete PII data after it has been accessed X times (e.g. delete my PII data once it has been used one time)
- Notify the owner of PII data after it has been accessed X times
Example of EPAL Rule
Privacy Policy (informal): Allow a sales agent or a sales supervisor to collect a customer's data for order entry if the customer is older than 13 years of age and the customer has been notified of the privacy policy. Delete the data 3 years from now.
EPAL Privacy Rule:
  ruling:        allow
  user category: sales department
  action:        store
  data category: customer-record
  purpose:       order-processing
  condition:     the customer is older than 13 years of age
  obligation:    delete the data 3 years from now
Source: http://www.w3.org/Submission/2003/SUBM-EPAL-20031110/
EPAL and Privacy Obligation Management
- EPAL supports Privacy Obligations: it defines an Abstract Authorization Interface that outputs a Decision and Obligations
- There is a clear fit for Transactional Obligations, but is it correct to also describe Non-Transactional (Data Retention, Other Event-driven) Privacy Obligations within an EPAL rule? We believe it is not:
  - These obligations can actually specify first-class policies, so why embed them in the context of authorization rules?
  - These obligations might need to be enabled and enforced independently of any transaction or interaction (e.g. unconditionally delete personal data XYZ after 7 years)
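The argument above in code, as an added example that is not IBM's EPAL implementation: a single rule in the shape of the "Example of EPAL Rule" slide is evaluated by an authorize() call that returns a ruling together with its obligations. The enforcement point then fulfils the transactional obligation inline and returns the retention obligation as a scheduling record for an obligation management system, because "delete in 3 years" cannot be fulfilled at decision time and would otherwise be lost once the transaction ends. The request fields, the "log" obligation added beside the slide's "delete" one, and the period notation ("3y") are assumptions.

```python
"""An EPAL-style abstract authorization interface: authorize() returns a ruling plus
the obligations attached to the matching rule, enforce() fulfils the transactional
ones inline and hands the rest back as records for an obligation management system.
Added example, not IBM's EPAL implementation; request fields, the 'log' obligation
added to the slide's rule and the period notation ('3y') are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, List, Union


@dataclass(frozen=True)
class Obligation:
    action: str         # "log" | "delete"
    when: str           # "now" = transactional; otherwise a period such as "3y" or "30d"
    data_category: str


@dataclass
class Rule:
    ruling: str                     # "allow" | "deny"
    user_categories: set
    action: str
    data_category: str
    purpose: str
    condition: Callable[[dict], bool]
    obligations: List[Obligation] = field(default_factory=list)


@dataclass
class Decision:
    ruling: str
    obligations: List[Obligation]


# The slide's rule: sales agents and supervisors may store customer records for
# order processing if the customer is older than 13 and has been notified of the
# policy; the data is to be deleted 3 years from now.
SALES_RULE = Rule(
    ruling="allow",
    user_categories={"sales-agent", "sales-supervisor"},
    action="store",
    data_category="customer-record",
    purpose="order-processing",
    condition=lambda req: req["customer_age"] > 13 and req["policy_notified"],
    obligations=[Obligation("log", "now", "customer-record"),     # transactional (assumed)
                 Obligation("delete", "3y", "customer-record")],  # retention, non-transactional
)


def authorize(rules: List[Rule], request: dict) -> Decision:
    """Default deny: the first rule that matches the request and whose condition holds wins."""
    for r in rules:
        if (request["user_category"] in r.user_categories and request["action"] == r.action
                and request["data_category"] == r.data_category
                and request["purpose"] == r.purpose and r.condition(request)):
            return Decision(r.ruling, list(r.obligations))
    return Decision("deny", [])


def _period(when: str) -> timedelta:
    return timedelta(days=int(when[:-1]) * {"d": 1, "y": 365}[when[-1]])  # assumed notation


def enforce(decision: Decision, request: dict, now: Union[datetime, str], audit: List[str]) -> List[dict]:
    """Fulfil 'now' obligations at the enforcement point; return the others as scheduling
    records with an absolute deadline, which is all the access-control layer can do for them."""
    now = datetime.fromisoformat(now) if isinstance(now, str) else now
    deferred = []
    if decision.ruling != "allow":
        return deferred
    for ob in decision.obligations:
        if ob.when == "now" and ob.action == "log":
            audit.append(f"{now.isoformat()} {request['user_category']} {request['action']} "
                         f"{ob.data_category} for {request['purpose']}")
        elif ob.when != "now":
            deferred.append({"action": ob.action, "data_category": ob.data_category,
                             "subject": request["customer_id"],
                             "due_at": (now + _period(ob.when)).isoformat()})
    return deferred
```

The deferred record is the hand-off point: once it exists, the deletion no longer depends on the access that created it, which is the separation the slide argues for. A denied request produces no obligations at all, which is also worth noting: if the only place a retention rule lives is an allow rule, data stored through any other path carries no deletion deadline.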
OMS: More Technical Details
(Figure: the OMS architecture in more detail. Users and Admins reach the Privacy Portal through a GUI for authoring and display. The Obligation Server contains an Obligation Handler (store/retrieve, tracking), an Association Manager, an Obligation Scheduler Manager and the set of Active Obligations. An Events Handler feeds the Obligation Enforcer, which runs Workflows through Action Adaptors. The Obligation Monitoring Service has a Monitoring Task Handler. An Information Tracker and an Audit Server with Audit Logs record activity. The Obligation Store, with versioning, holds Data References and Obligations; the Confidential Data is held alongside it within the enterprise.)
4. OMS Prototype: UIs
- Obligation Server UI
- Obligation Enforcer UI
- Obligation Monitoring UI