Dealing with Privacy Obligations in Enterprises - PowerPoint PPT Presentation

Transcript and Presenter's Notes


1
Dealing with Privacy Obligations in Enterprises
Marco Casassa Mont, marco.casassa-mont_at_hp.com
Trusted Systems Lab, Hewlett-Packard Labs,
Bristol, UK
  • 28-30 September 2004
  • ISSE 2004
  • Berlin, Germany

2
Presentation Outline
  • Setting the Context: Privacy and Privacy Obligations
  • Analysis of Privacy Obligations, Issues and Requirements
  • Privacy Obligations: Related Work
  • Privacy Obligations: Our Work
  • Discussion and Next Steps
  • Conclusions

3
Our Approach
  • Focus on Privacy Obligations for Personal Data in Enterprises
  • Explore the problem from a technical angle: how to Model, Manage, Enforce and Monitor Privacy Obligations
  • Recognise that it is not only a matter of technology but also involves laws, legislation, processes and human intervention. Nevertheless, automation can help.

4
Setting the Context: Privacy and Privacy Obligations

5
Privacy: an Important Aspect of Regulatory Compliance
6
Privacy is a very Complex Topic
7
Privacy and Personal Data: Core Concepts
Privacy management has strong implications on how Personally Identifiable Information (PII data: personal documents, personal digital information, etc.) is managed by the other parties accessing that data.
[Diagram: PEOPLE provide Personal Data to Enterprises/Organisations, whose Applications and Services are accessed by Employees, Partners, Third Parties, etc.]
8
Focus on Management of Privacy for Personal Data within Enterprises
9
Privacy and Personal Data: Importance of Privacy Laws, Legislation and Guidelines
  • OECD Privacy Guidelines and Policies
  • EU Legislation
  • Various US Laws and Legislations: HIPAA, COPPA, GLB, etc.
  • Safe Harbour Policies
  • Various Local and National Data Protection Initiatives: http://www.privacyinternational.org/survey/phr2003/
  • Organisations' and Enterprises' Privacy Guidelines/Policies

10
Privacy for Personal Data: Principles
[Diagram: Privacy Policies]
11
Privacy Policies: Rights, Permissions and Obligations
[Diagram: Privacy Policies comprise Privacy Rights, Privacy Permissions and Privacy Obligations]
12
Focus on Privacy Obligations
  • Focus on Privacy Obligations: Why?
  • A lot of technical work has already been done in the space of Privacy Rights and Permissions. More details will be presented in the Related Work section.
  • The overall Management of Privacy Obligations from a technical perspective, as first-class citizens, is still a green field and open to research.
  • Privacy Obligations are a key aspect of regulatory compliance.

13
Analysis of Privacy Obligations

14
Privacy Obligations: Aspects
  • Classifications of Types of Obligations
  • Technologies to deal with Management of Privacy Obligations
  • Management of Obligations: Refinement, Control, Enforcement, Monitoring
  • Common Patterns and Requirements
15
Privacy Obligation Refinement: Abstract vs. Refined
Obligations can be very abstract:
"Every financial institution has an affirmative and continuing obligation to respect customer privacy and protect the security and confidentiality of customer information" (Gramm-Leach-Bliley Act)
  • More refined Privacy Obligations dictate responsibilities with respect to Personal Information:
  • Notice Requirements
  • Enforcement of opt-in/opt-out options
  • Limits on reuse of Information and Information Sharing
  • Data Retention limitations

16
Privacy Obligations: 1st Classification
1. Transactional Obligations: privacy obligations that are immediately enforced when interactions/transactions involve PII data, e.g. notify the owner of PII data when someone accesses it (i.e. linked to an access control decision)
2. Data Retention and Handling Obligations: privacy obligations dealing with deletion and management of PII data, usually driven by time-based events, e.g. delete PII data in X hours/days/months/years starting from its disclosure
3. Other event-driven Obligations: privacy obligations triggered by events that relate to contextual and application-relevant data, based on usage of data, trust information, etc., e.g. delete PII data after it has been accessed X times
17
Privacy Obligations: 2nd Classification
1. Short-Term Obligations: obligations to be fulfilled immediately or in a short period of time. Their implications in terms of resources needed to fulfil them are limited in time, e.g. delete all customer PII data stored in their account after 30 days if the customer does not confirm their registration
2. Long-term Obligations: obligations that might have long-term implications in terms of resources needed to fulfil them, e.g. delete all PII data of customers after 7 years
3. Ongoing Obligations: obligations that might be short- or long-term. They imply an ongoing fulfilment of activities, e.g. every month notify me that you still store my PII data; notify me every time this data is disclosed to a third party
18
Privacy Obligations and Access Control
Obligations Contextual to Access Control: these obligations include most of the transactional obligations and obligations that can be fulfilled after an authorization decision, e.g.:
  • notify me when you access my PII data
  • delete my data after accessing it
  • check for the trustworthiness of your platform when you access PII data
  • log your access and intent in this third-party audit server
Obligations Unrelated to Access Control: these obligations are unrelated to access control decisions. Part of the data retention obligations, long-term obligations and ongoing obligations belong to this category, e.g.:
  • delete customers' PII data after it has been stored for 7 years, independently of whether it is accessed
  • notify me every month if you still have PII data of mine
19
Who is Setting Privacy Obligations?
Obligations can be set by PII Data Subjects or by Third Parties on their behalf: people usually set privacy obligations that are related to the visible and operational aspects of their PII data. They usually dictate constraints on the usage of PII data, required interactions and actions (notifications, deletions, etc.), and opt-in/opt-out choices.
Obligations can be set by Enterprises or imposed by Legislation: organisations need to support privacy obligations dictated by legislation, laws and internal guidelines. These privacy obligations can be seen as default obligations that users are entitled to.
20
Privacy Obligations: Common Aspects and Requirements

21
Privacy Obligations: Common Aspects
  • Timeframe (period of validity) of obligations
  • Events/Contexts that trigger the need to fulfil obligations
  • Target of an obligation (PII data)
  • Actions/Tasks to be Enforced
  • Entities responsible for enforcing obligations
  • Exceptions and special cases

22
Dealing with Privacy Obligations: Important Issues and Requirements 1/2
  • Modelling/Representation of Privacy Obligations
  • Association of Obligations to Data
  • Mapping Obligations into Enforceable Actions
  • Compliance of Refined Policies to high-level Policies
  • Tracking the evolution of Obligation Policies

23
Privacy Obligations: Important Issues and Requirements 2/2
  • Dealing with long-term Obligation Aspects
  • Accountability Management
  • User Involvement
  • Complexity and Cost of Instrumenting Applications and Services

24
Privacy Obligations: Related Work

25
Technical Work in this Space 1/2
  • Technical advancements have been made to deal with Privacy Rights, Permissions and Obligations
  • Extended access control and authorization mechanisms built to check and enforce privacy permissions against users' rights, data purpose and intents
  • Approaches to deal with privacy obligations are available for data retention solutions and document management systems. They are very focused and limited in terms of obligation expressiveness and system functionalities.

26
Technical Work in this Space 2/2
  • Recent important work done in this space:
  • IBM Enterprise Privacy Architecture, including a policy management system, a privacy enforcement system and audit
  • Initial work on privacy obligations in the context of the Enterprise Privacy Authorization Language (EPAL), led by IBM

27
EPAL and Privacy Obligation Management
[Diagram: a Privacy Management Framework in which Users, Applications and Services go through EPAL-driven Authorization and Enforcement, with Obligation Management and Enforcement, to reach Personal and Private Information]
28
EPAL and Privacy Obligation Management
Source: http://www.w3.org/Submission/2003/SUBM-EPAL-20031110/
29
EPAL and Privacy Obligation Management
  • EPAL main limitations when dealing with privacy obligations:
  • EPAL (and the related privacy architecture) focuses on an authorization and access control perspective of privacy
  • EPAL does not model or describe obligations; it provides place-holders for them
  • Privacy obligations are treated as second-class citizens, as they are only considered in an authorization context

30
Privacy Obligations: Our Technical Work

31
Privacy Obligations: Our Approach to Address the Problems
  • Deal with Privacy Obligations as first-class citizens in the context of Enterprises and Organisations: recognise their importance for Regulatory Compliance
  • Recognise the importance of separation of concerns: explore how to explicitly represent, manage and enforce privacy obligations without imposing any dominant view (for example, the authorization perspective)
  • Research and work on longer-term issues, such as accountability, stronger associations of obligations to data, obligation versioning and tracking

32
Dealing with Privacy Obligations: Our High Level Model
33
Privacy Obligations: Our Technical Work
Technical Work and Research on Privacy Obligations:
1. Modelling and Representation of Obligations
2. An Obligation Management System (OMS) for Management, Enforcement and Monitoring of Obligations
3. Accountability and Strong Association of Obligations to Personal Data
4. Prototype
34
1. Privacy Obligations: Modelling and Representation
[Diagram: a Privacy Obligation is made of an Obligation Identifier, Actions and Additional Metadata (Future Extensions)]
35
1. Privacy Obligations: Format Example
(The angle brackets and quotes of the XML were lost in extraction; reconstructed below, with the missing </date> close tag restored.)

    <obligation id="gfrbg7645gt45">
      <target>
        <database>
          <dbname>Customers</dbname>
          <tname>Customers</tname>
          <locator>
            <key name="UserID">oid_a83b8afdfc44df3b-7f9c</key>
          </locator>
          <data attr="part">
            <item>creditcard</item>
            <item>firstname</item>
          </data>
        </database>
      </target>
      <obligationitem sid="1">
        <metadata>
          <type>LONGTERM</type>
          <description>Delete firstname,surname at Sat Aug 15 17:26:21 BST 2004.</description>
        </metadata>
        <events>
          <event>
            <type>TIMEOUT</type>
            <date now="no">
              <year>2004</year>
              <month>08</month>
              <day>14</day>
              <hour>17</hour>
              <minute>26</minute>
            </date>
          </event>
        </events>
        <actions>
          <action>
            <type>DELETE</type>
            <data attr="part">
              <item>creditcard</item>
              <item>firstname</item>
            </data>
          </action>
        </actions>
      </obligationitem>
    </obligation>
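As an added example (not code from the presentation or from the HP Labs prototype): a parser for the obligation format above, with a check that no action reaches outside the declared target, and the scheduler-side test of whether the TIMEOUT event has elapsed. The sample obligation, its id and its UserID value are constructed.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample in the slide's format (id and UserID value are placeholders).
SAMPLE_OBLIGATION = """<obligation id="example-obligation-1">
  <target><database>
    <dbname>Customers</dbname><tname>Customers</tname>
    <locator><key name="UserID">oid_example_user</key></locator>
    <data attr="part"><item>creditcard</item><item>firstname</item></data>
  </database></target>
  <obligationitem sid="1">
    <metadata><type>LONGTERM</type>
      <description>Delete creditcard,firstname on 14 Aug 2004 17:26.</description></metadata>
    <events><event><type>TIMEOUT</type>
      <date now="no"><year>2004</year><month>08</month><day>14</day>
        <hour>17</hour><minute>26</minute></date></event></events>
    <actions><action>
      <type>DELETE</type><data attr="part"><item>creditcard</item><item>firstname</item></data>
    </action></actions>
  </obligationitem>
</obligation>"""

Action = Tuple[str, List[str]]          # (action type, data items it touches)

@dataclass
class ObligationItem:
    sid: str
    kind: str                           # <metadata><type>, e.g. LONGTERM
    due: Optional[datetime]             # resolved TIMEOUT; None without a time event
    actions: List[Action]

@dataclass
class Obligation:
    oid: str
    dbname: str
    table: str
    key_name: str
    key_value: str
    target_items: List[str]             # the only data the obligation may touch
    items: List[ObligationItem] = field(default_factory=list)

def _item_names(data_el) -> List[str]:
    return [] if data_el is None else [i.text.strip() for i in data_el.findall("item")]

def parse_obligation(xml_text: str, received_at: Optional[datetime]) -> Obligation:
    """Parse the slide's format; `received_at` resolves <date now="yes">."""
    root = ET.fromstring(xml_text)
    db = root.find("target/database")
    key = db.find("locator/key")
    ob = Obligation(root.get("id"), db.findtext("dbname"), db.findtext("tname"),
                    key.get("name"), key.text.strip(), _item_names(db.find("data")))
    for it in root.findall("obligationitem"):
        due = None
        for ev in it.findall("events/event"):
            if ev.findtext("type") != "TIMEOUT":
                continue                # other event kinds are out of scope here
            d = ev.find("date")
            due = received_at if d.get("now") == "yes" else datetime(
                *(int(d.findtext(f)) for f in ("year", "month", "day", "hour", "minute")))
        actions = [(a.findtext("type"), _item_names(a.find("data")))
                   for a in it.findall("actions/action")]
        for _, names in actions:        # an action must stay inside the declared target
            outside = set(names) - set(ob.target_items)
            if outside:
                raise ValueError(f"action touches items outside <target>: {sorted(outside)}")
        ob.items.append(ObligationItem(it.get("sid"), it.findtext("metadata/type"), due, actions))
    return ob

def due_actions(ob: Obligation, now: datetime) -> List[Action]:
    """Scheduler view: actions whose TIMEOUT has elapsed at `now`, ready for the enforcer."""
    return [act for item in ob.items
            if item.due is not None and now >= item.due for act in item.actions]
```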
36
2. Our Privacy Obligations Management System (OMS)
  • Explicit Management of Privacy Obligations within Enterprises
  • Core Functionalities: Processing, Scheduling, Enforcing and Monitoring of Privacy Obligations

37
2. OMS as part of an Identity Management System
[Diagram: Model of Identity Management Systems]
38
2. OMS High Level System Architecture
[Diagram of the OMS within the ENTERPRISE: Data Subjects and Admins interact through a Privacy-enabled Portal with the Obligation Server; Applications and Services feed an Events Handler; the Obligation Scheduler, Obligation Enforcer (with Workflows and Action Adaptors), Information Tracker and Obligation Monitoring Service (with Monitoring Task Handler) operate on the Obligation Store (with Versioning), on the Confidential Data (each Data Ref. linked to an Obligation) and on an Audit Server]
39
2. OMS High Level System Architecture: Setting Privacy Obligations on Personal Data
[Diagram: Data Subjects and Admins set obligations through the Privacy-enabled Portal; the Obligation Server records them in the Obligation Store (Versioning), links each Data Ref. in the Confidential Data to its Obligation, hands them to the Obligation Scheduler and logs to the Audit Server]
40
2. OMS High Level System Architecture: Enforcing Privacy Obligations
[Diagram: events from Applications and Services reach the Events Handler; the Obligation Scheduler and Information Tracker decide which obligations are due; the Obligation Enforcer runs them through Workflows and Action Adaptors on the Confidential Data, with Admins involved where needed and every action logged to the Audit Server]
41
2. OMS High Level System Architecture: Monitoring Privacy Obligations
[Diagram: the Obligation Monitoring Service, through its Monitoring Task Handler, checks the Obligation Store, the Confidential Data (Data Ref. / Obligation links) and the Audit Server against what the Obligation Enforcer, Information Tracker and Action Adaptors have done, and reports to Admins]
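Added example, not the OMS prototype's own code: the loop the architecture slides describe, in one small Python class, covering the event types of the classifications above (time-driven, counter-driven and ongoing): a versioned obligation store, a scheduler, an enforcer that dispatches to action adaptors and writes an audit trail, and a monitor that checks that a fulfilled DELETE really left no data behind. The PII records and obligations in demo() are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

@dataclass
class Obligation:
    oid: str
    subject: str                        # key of the PII record (e.g. a UserID)
    items: List[str]                    # attributes the action targets
    action: str                         # action adaptor name: DELETE or NOTIFY
    due_at: Optional[datetime] = None   # time-driven event (TIMEOUT)
    max_accesses: Optional[int] = None  # counter-driven event (usage)
    every: Optional[timedelta] = None   # ongoing obligation, fired periodically
    last_fired: Optional[datetime] = None
    fulfilled: bool = False
    version: int = 1

class OMS:
    def __init__(self, pii: Dict[str, Dict[str, str]]):
        self.pii = pii                              # Confidential Data (constructed)
        self.store: Dict[str, Obligation] = {}      # Obligation Store
        self.history: List[Obligation] = []         # Versioning: superseded copies
        self.access_count: Dict[str, int] = {}      # Information Tracker
        self.audit: List[str] = []                  # Audit Server
        self.adaptors: Dict[str, Callable[[Obligation], None]] = {   # Action Adaptors
            "DELETE": self._delete,
            "NOTIFY": lambda ob: self.audit.append(f"NOTIFY {ob.subject} {ob.items} still stored")}
    def set_obligation(self, ob: Obligation) -> None:
        """Obligation Server: store a new obligation or a new version of an existing one."""
        prev = self.store.get(ob.oid)
        if prev is not None:
            self.history.append(prev)
            ob.version = prev.version + 1
        self.store[ob.oid] = ob
        self.audit.append(f"SET {ob.oid} v{ob.version} {ob.action} {ob.items}")
    def record_access(self, subject: str, who: str) -> None:
        """Events Handler input: an application accessed a subject's PII."""
        self.access_count[subject] = self.access_count.get(subject, 0) + 1
        self.audit.append(f"ACCESS {subject} by {who}")
    def due(self, now: datetime) -> List[Obligation]:
        """Scheduler: obligations whose triggering event has happened by `now`."""
        hits = []
        for ob in self.store.values():
            timed = ob.due_at is not None and now >= ob.due_at
            counted = (ob.max_accesses is not None
                       and self.access_count.get(ob.subject, 0) >= ob.max_accesses)
            periodic = (ob.every is not None
                        and (ob.last_fired is None or now - ob.last_fired >= ob.every))
            if not ob.fulfilled and (timed or counted or periodic):
                hits.append(ob)
        return hits
    def _delete(self, ob: Obligation) -> None:      # partial delete of the listed items
        for item in ob.items:
            self.pii.get(ob.subject, {}).pop(item, None)
    def enforce(self, now_iso: str) -> List[str]:
        """Enforcer: run each due obligation through its adaptor and audit it."""
        now, fired = datetime.fromisoformat(now_iso), []
        for ob in self.due(now):
            self.adaptors[ob.action](ob)
            ob.last_fired, ob.fulfilled = now, ob.every is None   # ongoing ones stay active
            self.audit.append(f"ENFORCED {ob.oid} {ob.action} at {now_iso}")
            fired.append(ob.oid)
        return fired
    def violations(self) -> List[str]:
        """Monitoring Service: a fulfilled DELETE whose items still exist is a violation."""
        bad = []
        for ob in self.store.values():
            left = [i for i in ob.items if i in self.pii.get(ob.subject, {})]
            if ob.fulfilled and ob.action == "DELETE" and left:
                bad.append(f"{ob.oid}: {left} still present for {ob.subject}")
        return bad

def demo() -> OMS:
    """Constructed scenario: a retention deletion, an access-count deletion, a monthly notice."""
    oms = OMS({"u1": {"firstname": "A", "creditcard": "4111"},
               "u2": {"firstname": "B", "email": "b@example"}})
    oms.set_obligation(Obligation("o1", "u1", ["creditcard"], "DELETE",
                                  due_at=datetime(2004, 8, 14, 17, 26)))
    oms.set_obligation(Obligation("o2", "u2", ["email"], "DELETE", max_accesses=2))
    oms.set_obligation(Obligation("o3", "u1", ["firstname"], "NOTIFY", every=timedelta(days=30)))
    return oms
```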
42
3. OMS: Towards Strong Association of Obligations to Data and Accountability
[Diagram: the OMS architecture extended with a Key Mgmt Service; the Confidential Data is stored as encrypted data with a sticky obligation attached]
Encryption Sticky Policies based on IBE crypto or traditional RSA crypto
43
4. OMS Prototype: Core System Components
44
Discussion 1/2
  • Our system is an initial step towards the explicit management, enforcement and monitoring of privacy obligations: plenty of space for refinements and improvements
  • We assume that the enterprise is willing to be compliant with privacy obligations. Additional assurance and accountability can be added by hardening the audit server and involving trusted third parties

45
Discussion 2/2
  • We introduced and discussed a centralised OMS system: potential for bottlenecks. Exploring how to distribute it
  • Security is required to control the access to obligations and PII data by Administrators and Users
  • We did not discuss the implications of long-term obligation management in terms of requirements for reliability, survivability and longevity of the platforms running our system. Related work can be leveraged in this space

46
Next Steps
  • Refinement of our concepts, OMS architecture and further research
  • Addressing open issues such as obligation life-cycle management, overall efficiency, stickiness of privacy obligations to PII data
  • Further research to be done in the context of the EU PRIME project

47
Conclusions
  • Privacy obligations are a key aspect of privacy. They are first-class citizens: they need to be explicitly managed
  • The management of privacy obligations is important for enterprises and organisations as part of the overall Regulatory Compliance
  • We introduced our research and technical work in the privacy obligation management space. We described an Obligation Management System (OMS) to schedule, enforce and monitor privacy obligations
  • Open issues: OMS efficiency, scalability, strong association of privacy obligations to data
  • Our research and work are in progress. Part of this work will be done in the context of the EU PRIME project

48
BACK-UP SLIDES

49
Some Privacy Definitions
  • The quality of being secluded from the presence or view of others
  • The right of an individual to be secure from unauthorized disclosure of information about oneself that is contained in documents and digital data
  • Ensuring that individuals maintain the right to control what information is collected about them and how it is used as well
  • For citizens and consumers, freedom from unauthorized intrusion. For organizations, privacy involves the policies that determine what information is gathered, how it is used, and how customers are informed and involved in this process. Privacy is a legal issue, but it is also an information security issue

50
Terminology: Consent, Intent, Data Purpose, Privacy Policy
51
Terminology: Aspects of Privacy Policy related to Personal Data
[Diagram, within the ENTERPRISE: the Data Subject provides Personal Data and CONSENT; Data Requestors submit a Request for DATA with an INTENT; Privacy Policy Enforcement checks the requirements (Intent against data Purposes and Consent, etc.) against the Privacy Policies. On failure there is no access; on success the policies dictate Access Constraints (Partial Data Access / filter Data, Data Transformation/Encryption, Data Subject's Constraints) and the requestor receives the Actual Accessed Data. Both outcomes trigger Actions: Audit and Notification]
52
Privacy Enforcement on Data Access Control: Intent, Purpose, Consent
53
Enterprises: Regulatory Compliance and Enforcement of Privacy Policies
  • It is a very complex problem
  • The full enforcement of privacy rights, permissions and obligations cannot usually be achieved only via technical solutions
  • Processes, best practices and good behaviours are important
  • However, being able to automate aspects of privacy policy enforcement and reduce the involved costs is of primary importance, especially for enterprises and organisations

54
Privacy Obligation Refinement: Abstract vs. Refined
  • Even more refined Privacy Obligations specify technical constraints on Personal Information:
  • Notify Data Owners every time their Personal Data is involved in a Transaction or Accessed by Personnel
  • Access/Changes to Personal Data must be Audited
  • Delete Personal Information after 7 Years
  • Delete Personal Information of Customers who do not come back to this web site within 30 days

55
Privacy Policies: Rights, Permissions and Obligations - Example
  • Privacy Policies in e-commerce web sites:
  • describe rights of users about their personal information
  • describe permissions given to the involved parties
  • describe obligations the involved parties are subject to
  • Privacy Practices can be checked by consumers to:
  • decide if these practices are acceptable
  • decide what to opt in to and opt out of
  • decide who to do business with

56
Privacy Obligations: Who is in Control?
Direct control: this is the case of a user that can directly control and enforce privacy obligations related to their own PII data.
Reliance on one or more third parties: this is the case where a user relies on an enterprise to enforce his/her obligations. It is also the case of an enterprise that relies on another party (partner, TTP, etc.) to enforce some of the privacy obligations it has dictated.
57
Privacy Obligations Explored: Types, Events and Actions 1/2
Long-term Privacy Obligations
Events Triggering Obligations:
  • Time-driven: at a specific date and time (e.g. 1:00am 01-Jan-2005); after a certain period of time (e.g. 1 hour, 3 days, 5 minutes)
  • Driven by Usage and Counters: after the data has been used a certain number of times (e.g. after being used twice) in a specific timeframe
Actions Dictated by Obligations:
  • Delete/Update: delete all confidential data of a given data subject; partially delete data (e.g. delete only the credit card number); replace data with an updated set of data (e.g. update the subject's address)
  • Hide/Unhide: hide (encrypt) all data of a subject from any access; hide a part of this data from any access; unhide all data; unhide a part of the data
58
Privacy Obligations Explored: Types, Events and Actions 2/2
Ongoing Privacy Obligations
Events Triggering Obligations:
  • Time-driven: periodically (e.g. every month)
  • Driven by Contextual Events: when the data is being used; when the data is being transferred; when the data is being deleted; when a particular party/parties try to access the data; when the data is being used for a certain purpose (e.g. sending advertisements); when a set of data is going to be retrieved together; any action predefined by the data subject
  • Others: when the privacy policies change
Actions Dictated by Obligations:
  • For periodic events: send a report to the subject containing the status of their data and their opt-in/opt-out options (e.g. number of times it has been used, who has tried to access it); tell the subject what data he/she has provided; get updated data from the subject; audit the logs and report any improper use of the data
  • Notify: notify the subject
  • Log: take logs
  • Access: default allow/disallow all access; allow; disallow
  • Consult: get authorization from the data subject; get authorization from a third party; check according to a certain condition set by the user
  • For policy changes: stop access to the data; update the obligation
Short-term and Transactional Privacy Obligations
Obligations might need to be dictated by a transaction or an interaction. The actions specified by these obligations might need to be immediately fulfilled. These actions can be the same as the ones specified by long-term and ongoing obligations.
59
Privacy Obligations 1st Classification: Examples
  • 1. Transactional Obligations
  • Notify the owner of PII data when someone accesses it (i.e. linked to an access control decision)
  • Notify the owner of PII data when their data is disclosed to a third party
  • Delete/Encrypt PII data of a user at the end of a transaction (or after the data has been accessed)
  • Ask for authorization from the owner of PII data when someone accesses it
  • Ask for authorization from the owner of PII data when their data is disclosed to a third party
  • Create an audit log when PII data is accessed

60
Privacy Obligations 1st Classification: Examples
  • 2. Data Retention and Handling Obligations
  • Delete PII data in X hours/days/months/years starting from now (e.g. delete ABC data on 01/01/2010)
  • Send PII data (in clear or encrypted) to entity Y at time Z (optionally delete the local data after this action is performed)
  • Notify the owner of PII data every X days/months/years that their data is stored in an enterprise database
  • Encrypt data under some key at a certain time (alternative to delete)

61
Privacy Obligations 1st Classification: Examples
  • 3. Other event-driven Obligations
  • Delete PII data after it has been accessed X times (e.g. delete my PII data once it has been used one time)
  • Notify the owner of PII data after it has been accessed X times

62
Example of EPAL Rule
Privacy Policy (informal): Allow a sales agent or a sales supervisor to collect a customer's data for order entry if the customer is older than 13 years of age and the customer has been notified of the privacy policy. Delete the data 3 years from now.
EPAL Privacy Rule:
  ruling: allow
  user category: sales department
  action: store
  data category: customer-record
  purpose: order-processing
  condition: the customer is older than 13 years of age
  obligation: delete the data 3 years from now
Source: http://www.w3.org/Submission/2003/SUBM-EPAL-20031110/
63
EPAL and Privacy Obligation Management
  • EPAL supports Privacy Obligations: EPAL defines an Abstract Authorization Interface that outputs a Decision and Obligations
  • → There is a clear fit for Transactional Obligations, but is it correct to also describe Non-Transactional (Data Retention, Other Event-driven) Privacy Obligations within an EPAL rule? We believe it is not
  • These Obligations can actually specify First Class Policies → why embed them in the context of Authorization Rules?
  • These Obligations might need to be enabled and enforced independently of any Transaction or Interaction (e.g. Unconditionally Delete Personal Data XYZ after 7 years)
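Added example, not from the EPAL submission or from the presentation: the rule from the previous slide evaluated through an EPAL-style abstract authorization interface that returns a ruling plus obligations. It illustrates the point above: the retention obligation is only produced when a matching request is allowed, so it is tied to that transaction; data stored any other way never acquires it. The min_age and retention_years fields are an assumed encoding of the rule's condition and obligation text.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    ruling: str                     # "allow" or "deny"
    user_category: str
    action: str
    data_category: str
    purpose: str
    min_age: Optional[int]          # assumed encoding of "older than N years of age"
    obligation: Optional[str]       # obligation text, e.g. "delete the data 3 years from now"
    retention_years: Optional[int]  # assumed encoding of the "3 years from now" part

@dataclass(frozen=True)
class Request:
    user_category: str
    action: str
    data_category: str
    purpose: str
    customer_age: int

# The rule shown on the slide, encoded with the assumed fields above.
SLIDE_RULE = Rule("allow", "sales department", "store", "customer-record", "order-processing",
                  min_age=13, obligation="delete the data 3 years from now", retention_years=3)

Obligation = Tuple[str, str]        # (obligation text, ISO deadline fixed at decision time)

def _plus_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:              # 29 February landing in a non-leap year
        return d.replace(year=d.year + years, day=28)

def _applies(rule: Rule, req: Request) -> bool:
    return (rule.user_category == req.user_category and rule.action == req.action
            and rule.data_category == req.data_category and rule.purpose == req.purpose
            and (rule.min_age is None or req.customer_age > rule.min_age))

def authorize(rules: List[Rule], req: Request, today_iso: str) -> Tuple[str, List[Obligation]]:
    """EPAL-style abstract authorization interface: returns (ruling, obligations).
    Obligations are emitted only alongside an 'allow' ruling on a matching
    request; a denied request, or data that never passes through this
    interface, produces no obligation at all."""
    today = date.fromisoformat(today_iso)
    for rule in rules:              # first applicable rule decides
        if _applies(rule, req):
            obligations: List[Obligation] = []
            if rule.ruling == "allow" and rule.obligation and rule.retention_years is not None:
                obligations.append((rule.obligation,
                                    _plus_years(today, rule.retention_years).isoformat()))
            return rule.ruling, obligations
    return "deny", []               # default ruling when no rule applies
```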

64
OMS: More Technical Details
[Diagram of the OMS within the ENTERPRISE: Users and Admins reach a Privacy Portal (GUI for Authoring and Display) through the Portal; the Obligation Server comprises an Obligation Handler (Store/Retrieve, Tracking), an Events Handler fed by Applications and Services, Active Obligations, an Obligation Enforcer (Workflows, Action Adaptors), an Association Manager, an Obligation Scheduler Manager and an Information Tracker; the Obligation Monitoring Service has a Monitoring Task Handler; the Audit Server keeps the Audit Logs; the Obligation Store (with Versioning) holds Data Ref. / Obligation entries pointing at the Confidential Data]
65
4. OMS Prototype: UIs
  • Obligation Server UI
  • Obligation Enforcer UI
  • Obligation Monitoring UI