Slides: 33
Provided by: privacycon
Transcript and Presenter's Notes

1
(No Transcript)
2
Saying what you do and doing what you say
Arguments and Prospects for an International
Privacy Standard
  • Colin J. Bennett
  • Department of Political Science
  • University of Victoria, BC.
  • cjb_at_uvic.ca
  • Robin Bayley
  • Linden Consulting Inc. Victoria, BC.
    rmbayley_at_shaw.ca

3
Why organizations registered to ISO 9001 should
have better personal information management
  • Awareness of their operating systems and personal
    data holdings
  • Staff training
  • Must think through and address regulatory
    requirements
  • Ability to capitalize on outside expertise,
    through conformity assessment process

4
Requirements of a Privacy Management Standard
  • Translation of Fair Information Principles into
    language and format of standards
  • Provision of guidance for implementing the
    principles in organizations
  • Appropriate conformity assessment tools for
    business size and data sensitivity
  • Audit guide
  • Accreditation system for privacy auditors

5
Overlap between quality management and data
protection
  • Transparency of policy and purpose
  • Procedures for interaction with data subjects
  • Complaints resolution
  • Access and correction requests
  • Consent provision and withdrawal
  • Personal data management procedures
  • Data security
  • Data quality
  • Data retention

6
Motivations for adoption of privacy standards
  • Through Educational and Regulatory Powers of Data
    Protection Authorities
  • Through Desire for Competitive Advantage
  • Through Referencing the Standard in Contracts

7
Initiatives for Privacy Management Standardization
  • National Standards Bodies
  • Canadian Standards Association (CSA)
  • American National Standards Institute (ANSI)
  • International Standardization Organization (ISO)
  • Work of JTC-1 of ISO and International
    Electro-Technical Commission (IEC)
  • European Committee for Standardization/Information
    Society Standardization System (CEN/ISSS)
  • International Security, Trust, and Privacy
    Alliance (ISTPA).

8
Standards Briefing
  • John Hopkinson ISSPCS-Prac CISSP ISP CDRP
  • Security Strategist, EWA /IIT
  • President ISSEA
  • Chair CAC-JTC1/TCIT

9
ISO/IEC JTC 1
  • JTC 1 is unique
  • It is a hybrid of both ISO and IEC
  • 30% of customers are other standards developers
  • It produces Base Standards
  • It must always assume the worst case
  • Has been developing standards related to Privacy
    for the last 7 to 10 years

10
ISO/IEC JTC 1/SC 17
  • Concerned with privacy related to card
    technology applications
  • Includes data on smart optical cards
  • Not currently reviewing standards for privacy
  • The chair authored two Privacy Impact assessments
    for advanced card technologies

11
ISO/IEC JTC 1/SC 27
  • Created a new WG for Privacy, projects on
  • A Privacy Framework
  • A Privacy Reference Architecture
  • Privacy infrastructures
  • Anonymity and credentials
  • Specific Privacy Enhancing Technologies (PETs)
  • Privacy Engineering

12
ISO/IEC JTC 1/SC 31
  • Develops standards for RFID
  • Is starting to consider Privacy
  • Added the Kill bit function to the ISO/IEC
    18000-6 standard
  • Memory blocks include password protection

13
ISO/IEC JTC 1/SC 32
  • Standards for data management and interchange,
    including e-commerce
  • Deal with e-Business, Metadata, Database
    Languages, SQL Multimedia Application
    Packages
  • Recognizes the individual as a sub-type of Person,
    with rights which e-Business standards must
    support

14
ISO/IEC JTC 1/SC 36
  • Standards of Learning, Education and Training
  • Support for legal requirements
  • Surveying members for specifics of National
    requirements
  • Most important standard
  • ISO/IEC 24751 Individualized Adaptability and
    Accessibility in e-Learning, Education and
    Training

15
ISO/IEC JTC 1/SC 37
  • Develop standards for Biometrics
  • Has started to consider Privacy
  • Working on
  • Cross-Jurisdictional and Societal Aspects of
    Implementation of Biometric Technologies
  • Guide to the Accessibility, Privacy and Health
    and Safety Issues in the deployment of Biometric
    Systems for Commercial Application

16
Other Standards Development
  • Several Consortia are active, including
  • ISSEA
  • ISTPA
  • OASIS
  • OMG
  • W3C
  • Likely several others

17
Canadian Privacy Standardization Strategy
  • 21 and 22 Feb 2007: OPC, CSA, SCC, CGSB
  • Privacy Standardization Roadmap
  • What is available, what is needed
  • Workshop Report
  • , Special Needs, Conformance, sharing Best
    Practices, Timing critical, Engagement

18
ISSUES
  • ISO/IEC JTC 1 and others
  • A lack of coordination of Privacy activities
  • No real focal point for Privacy work
  • Lack of harmonized privacy principles
  • Need Privacy community technical standards
    cooperation

19
Making Privacy Operational
  • Updating the ISTPA Privacy Framework
  • John T. Sabo
  • President, International Security Trust and
    Privacy Alliance (ISTPA)
  • Director Global Government Relations
  • CA, Inc.

20
What is the ISTPA?
  • The International Security, Trust, and Privacy
    Alliance (ISTPA), founded in 1999, is a global
    alliance of companies, institutions and
    technology providers working together to clarify
    and resolve existing and evolving issues related
    to security, trust, and privacy.
  • ISTPA's focus is on the protection of personal
    information (PI)
  • See www.istpa.org

ISTPA
21
Privacy Reality: Complex, Challenging
  • National Security
  • Technology
  • Evolving nature and concepts of Privacy
  • Global Laws
  • Regulations
  • Standards
  • Information Society
  • Industry
  • Rapid Change
  • Digital Economy
  • Forces

22
Global Privacy Laws and Policies: Wide Variance
  • OECD Privacy Principles
  • Fair Information Practices
  • HIPAA
  • APEC Privacy Framework
  • EU Data Directive
  • U.S. Privacy Act
  • CSA Model Code

23
ISTPA's Perspective on Privacy
  • Operational - Solution Focus
  • Migrate to privacy engineering discipline
  • Privacy framework supporting full privacy
    lifecycle
  • Not a policy framework; rather, this is a
    technical framework for business processes and
    supporting IT systems
  • Platform for multidisciplinary collaboration
  • Must address variations in law and policies
  • Industry Specific Use Cases

24
ISTPA Framework v 1.1 Concepts
  • An open, policy configurable set of collaborating
    services and capabilities used to guide the
    analysis, design and implementation and
    assessment of privacy solutions and
    infrastructure
  • An architectural approach that provides a
    template usable by IT architects and program
    managers to develop interoperable applications

25
ISTPA Privacy v 1.1 Framework Services
  • Control - policy data management
  • Certification - credentials, trusted processes
  • Interaction - manages data/preferences/notice
  • Negotiation - of agreements, rules, privileges
  • Agent - software that carries out processes
  • Usage - data use, aggregation, anonymization
  • Audit - independent, verifiable accountability
  • Validation - checks accuracy of PI
  • Enforcement - including redress for violations
  • Access - subject correct/update PI

26
ISTPA Framework Submitted as ISO Publicly
Available Specification
  • Submitted by ISSEA (International Systems
    Security Engineering Association) in October 2003
    - 2004
  • Balloting was to close December 11, 2004
  • Caused significant discussion, including Privacy
    Technology Study Group under ISO JTC-1
  • Withdrawal requested November 22, 2004 for
    additional work

27
Recent Work: Analysis of Privacy Principles
Making Privacy Operational
  • Select representative global privacy laws and
    directives
  • Analyze disparate language, definitions and
    expressed requirements
  • Parse expressed requirements into working set of
    privacy principles
  • Cross-map and derive common and unique
    requirements

28
Selected Laws, Directives, Codes
  • US FTC Fair Information Practice Principles
  • US-EU Safe Harbor Privacy Principles
  • Australian Privacy Act
  • Japan Personal Information Protection Act
  • APEC Privacy Framework
  • California Security Breach Bill
  • The Privacy Act of 1974 (U.S.)
  • OECD Privacy Guidelines
  • UN Guidelines
  • EU Data Protection Directive
  • Canadian Standards Association Model Code
  • Health Insurance Portability and Accountability
    Act (HIPAA)

29
Derived Core Privacy Principles
  • Accountability
  • Notice
  • Consent
  • Collection Limitation
  • Use Limitation
  • Disclosure
  • Access and Correction
  • Security/Safeguards
  • Data Quality
  • Enforcement
  • Openness
  • Additionally
  • Anonymity
  • Data Flow
  • Sensitivity

30
Example: Notice Principle Includes
  • definition of the personal information collected
  • its use (purpose specification)
  • its disclosure to parties within or external to
    the entity
  • practices associated with the maintenance and
    protection of the information
  • options available to the data subject regarding
    the collector's privacy practices
  • changes made to policies or practices
  • information provided to data subject at
    designated times and under designated
    circumstances

31
Next Steps: Path to ISTPA Privacy Framework v 2.0
  • Use Analysis study to evaluate existing Framework
    (full document available online)
  • Analysis being used by external organizations
  • Complete expansion of Framework functions,
    including function labeling
  • Continue collaboration with ISSEA on security
    mapping
  • Continue development of Master Toolset project to
    make Framework more accessible and usable
  • Expected draft v 2.0: 2008

32
Questions?
john.t.sabo_at_ca.com
www.istpa.org