2 Saying what you do and doing what you say:
Arguments and Prospects for an International
Privacy Standard
- Colin J. Bennett
- Department of Political Science
- University of Victoria, BC.
- cjb@uvic.ca
- Robin Bayley
- Linden Consulting Inc., Victoria, BC.
- rmbayley@shaw.ca
3 Why organizations registered to ISO 9001 should
have better personal information management
- Awareness of their operating systems and personal
data holdings
- Staff training
- Must think through and address regulatory
requirements
- Ability to capitalize on outside expertise,
through the conformity assessment process
4 Requirements of a Privacy Management Standard
- Translation of Fair Information Principles into
the language and format of standards
- Provision of guidance for implementing the
principles in organizations
- Appropriate conformity assessment tools for
business size and data sensitivity
- Audit guide
- Accreditation system for privacy auditors
5 Overlap between quality management and data
protection
- Transparency of policy and purpose
- Procedures for interaction with data subjects
- Complaints resolution
- Access and correction requests
- Consent provision and withdrawal
- Personal data management procedures
- Data security
- Data quality
- Data retention
6 Motivations for adoption of privacy standards
- Through the educational and regulatory powers of Data
Protection Authorities
- Through desire for competitive advantage
- Through referencing the standard in contracts
7 Initiatives for Privacy Management Standardization
- National Standards Bodies
- Canadian Standards Association (CSA)
- American National Standards Institute (ANSI)
- International Organization for Standardization (ISO)
- Work of JTC 1 of ISO and the International
Electrotechnical Commission (IEC)
- European Committee for Standardization / Information
Society Standardization System (CEN/ISSS)
- International Security, Trust, and Privacy
Alliance (ISTPA)
8 Standards Briefing
- John Hopkinson ISSPCS-Prac CISSP ISP CDRP
- Security Strategist, EWA/IIT
- President ISSEA
- Chair CAC-JTC1/TCIT
9 ISO/IEC JTC 1
- JTC 1 is unique
- It is a hybrid of both ISO and IEC
- 30% of its customers are other standards developers
- It produces base standards
- It must always assume the worst case
- Has been developing standards related to privacy
for the last 7 to 10 years
10 ISO/IEC JTC 1/SC 17
- Concerned with privacy related to card
technology applications
- Includes data on smart and optical cards
- Not currently reviewing standards for privacy
- The chair authored two Privacy Impact Assessments
for advanced card technologies
11 ISO/IEC JTC 1/SC 27
- Created a new WG for Privacy, with projects on:
- A Privacy Framework
- A Privacy Reference Architecture
- Privacy infrastructures
- Anonymity and credentials
- Specific Privacy Enhancing Technologies (PETs)
- Privacy Engineering
12 ISO/IEC JTC 1/SC 31
- Develops standards for RFID
- Is starting to consider privacy
- Added the Kill bit function to the ISO/IEC
18000-6 standard
- Memory blocks include password protection
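As an added illustration of the two tag-side privacy controls this slide names (not code from the standard, from any tag vendor, or from the presenters), the following Python model simulates a tag with a Kill command and a password-write-locked user memory bank. It assumes EPC Gen2 / ISO/IEC 18000-6 Type C conventions: 32-bit kill and access passwords, and a kill password of zero meaning the tag will not execute Kill. The tag, its EPC value, the passwords and the checkout walk-through are all constructed for the example.

```python
# Simulation of the tag-side controls: Kill command plus password-protected
# memory. Added example; a model of the behaviour, not the standard's text.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

PW_BITS = 32                 # assumed password width (Gen2-style 32-bit passwords)
PW_MASK = (1 << PW_BITS) - 1
KILL_DISABLED = 0            # assumed convention: zero kill password => Kill refused


@dataclass
class Tag:
    """Minimal passive UHF tag: EPC, kill/access passwords, a USER bank that
    can be pwd-write locked, and a one-way 'killed' state. Constructed model."""
    epc: bytes
    kill_password: int
    access_password: int
    user_memory: bytearray = field(default_factory=lambda: bytearray(16))
    user_locked: bool = False   # pwd-write lock: writes need a prior correct Access
    secured: bool = False       # set by a correct Access command, per session only
    killed: bool = False

    def __post_init__(self) -> None:
        # Passwords are fixed-width fields; anything wider is truncated.
        self.kill_password &= PW_MASK
        self.access_password &= PW_MASK

    def inventory(self) -> Optional[bytes]:
        """A killed tag never responds to a reader; otherwise return the EPC."""
        return None if self.killed else self.epc

    def end_session(self) -> None:
        """Leaving the reader field drops the secured state; it is not persistent."""
        self.secured = False

    def access(self, password: int) -> bool:
        """Move to the secured state if the 32-bit access password matches."""
        if self.killed:
            return False
        if (password & PW_MASK) == self.access_password:
            self.secured = True
        return self.secured

    def lock_user(self) -> bool:
        """Apply the pwd-write lock to USER memory; the tag must be secured first."""
        if self.killed or not self.secured:
            return False
        self.user_locked = True
        return True

    def read_user(self) -> Optional[bytes]:
        return None if self.killed else bytes(self.user_memory)

    def write_user(self, offset: int, data: bytes) -> bool:
        """Write USER memory; refused if locked and the session is not secured."""
        if self.killed:
            return False
        if self.user_locked and not self.secured:
            return False
        if offset < 0 or offset + len(data) > len(self.user_memory):
            return False
        self.user_memory[offset:offset + len(data)] = data
        return True

    def kill(self, password: int) -> bool:
        """Permanently silence the tag. Refused if the kill password was left at
        zero (never provisioned) or does not match; irreversible once done."""
        if self.killed or self.kill_password == KILL_DISABLED:
            return False
        if (password & PW_MASK) != self.kill_password:
            return False
        self.killed = True
        self.secured = False
        return True


def checkout_scenario() -> dict:
    """Provision a tag, lock its user memory, kill it at the point of sale, and
    record what a reader sees at each step. All values are constructed."""
    tag = Tag(epc=bytes.fromhex("3034257bf7194e4000001a85"),
              kill_password=0xA5A5_1234, access_password=0x0BAD_F00D)
    result = {}
    # Supply chain: the writer knows the access password and locks user memory.
    result["provision_ok"] = (tag.access(0x0BAD_F00D)
                              and tag.write_user(0, b"lot-42")
                              and tag.lock_user())
    tag.end_session()
    # Stranger in the store: can read the EPC, cannot overwrite or kill.
    result["stranger_reads_epc"] = tag.inventory() is not None
    result["stranger_write_ok"] = tag.write_user(0, b"xxxxxx")
    result["stranger_kill_ok"] = tag.kill(0x0000_0001)
    # Point of sale: Kill with the provisioned password.
    result["pos_kill_ok"] = tag.kill(0xA5A5_1234)
    # After the sale: the tag is silent, even to the legitimate access password.
    result["after_sale_epc"] = tag.inventory()
    result["after_sale_access_ok"] = tag.access(0x0BAD_F00D)
    # Mis-provisioned tag: a zero kill password means it can never be killed.
    zero = Tag(epc=b"\x00" * 12, kill_password=0, access_password=0)
    result["unprovisioned_kill_ok"] = zero.kill(0)
    return result
```

Two caveats the model makes visible: Kill only protects the consumer if the retailer actually provisioned a nonzero kill password before sale (the `unprovisioned_kill_ok` case), and a 32-bit password is a small search space, so password protection of memory blocks deters opportunistic readers rather than an attacker with prolonged access to the tag.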
13 ISO/IEC JTC 1/SC 32
- Standards for data management and interchange, including
e-commerce
- Deals with e-Business, Metadata, Database
Languages, SQL Multimedia and Application
Packages
- Recognizes the individual as a sub-type of Person,
having rights which e-Business standards must
support
14 ISO/IEC JTC 1/SC 36
- Standards for Learning, Education and Training
- Support for legal requirements
- Surveying members for specifics of national
requirements
- Most important standard:
- ISO/IEC 24751 Individualized Adaptability and
Accessibility in e-Learning, Education and
Training
15 ISO/IEC JTC 1/SC 37
- Develops standards for biometrics
- Has started to consider privacy
- Working on:
- Cross-Jurisdictional and Societal Aspects of
Implementation of Biometric Technologies
- Guide to the Accessibility, Privacy and Health
and Safety Issues in the Deployment of Biometric
Systems for Commercial Applications
16 Other Standards Development
- Several Consortia are active, including
- ISSEA
- ISTPA
- OASIS
- OMG
- W3C
- Likely several others
17 Canadian Privacy Standardization Strategy
- 21-22 Feb 2007: OPC, CSA, SCC, CGSB
- Privacy Standardization Roadmap
- What is available / What is needed
- Workshop Report
- Special Needs, Conformance, sharing Best
Practices, Timing critical, Engagement
18 Issues
- ISO/IEC JTC 1 and others
- A lack of coordination of privacy activities
- No real focal point for privacy work
- Lack of harmonized privacy principles
- Need cooperation between the privacy community and
the technical standards community
19 Making Privacy Operational:
Updating the ISTPA Privacy Framework
- John T. Sabo
- President, International Security Trust and
Privacy Alliance (ISTPA)
- Director, Global Government Relations,
CA, Inc.
20 What is the ISTPA?
- The International Security, Trust, and Privacy
Alliance (ISTPA), founded in 1999, is a global
alliance of companies, institutions and
technology providers working together to clarify
and resolve existing and evolving issues related
to security, trust, and privacy.
- ISTPA's focus is on the protection of personal
information (PI)
- See www.istpa.org
ISTPA
21 Privacy Reality: Complex, Challenging
- Forces: National Security, Technology, the evolving nature and
concepts of Privacy, Global Laws, Regulations, Standards, the
Information Society, Industry, Rapid Change, the Digital Economy
22 Global Privacy Laws and Policies: Wide Variance
- OECD Privacy Principles
- Fair Information Practices
- HIPAA
- APEC Privacy Framework
- EU Data Directive
- U.S. Privacy Act
- CSA Model Code
23 ISTPA's Perspective on Privacy
- Operational, solution focus
- Migrate to a privacy engineering discipline
- Privacy framework supporting the full privacy
lifecycle
- Not a policy framework; rather, this is a
technical framework for business processes and
supporting IT systems
- Platform for multidisciplinary collaboration
- Must address variations in law and policies
- Industry-specific use cases
24 ISTPA Framework v1.1 Concepts
- An open, policy-configurable set of collaborating
services and capabilities used to guide the
analysis, design, implementation and
assessment of privacy solutions and
infrastructure
- An architectural approach that provides a
template usable by IT architects and program
managers to develop interoperable applications
25 ISTPA Privacy Framework v1.1 Services
- Control - policy and data management
- Certification - credentials, trusted processes
- Interaction - manages data, preferences, notice
- Negotiation - of agreements, rules, privileges
- Agent - software that carries out processes
- Usage - data use, aggregation, anonymization
- Audit - independent, verifiable accountability
- Validation - checks accuracy of PI
- Enforcement - including redress for violations
- Access - subject corrects/updates PI
26 ISTPA Framework Submitted as an ISO Publicly
Available Specification
- Submitted by ISSEA (International Systems
Security Engineering Association) in October 2003
- 2004: balloting was to close December 11, 2004
- Caused significant discussion, including a Privacy
Technology Study Group under ISO JTC 1
- Withdrawal requested November 22, 2004 for
additional work
27 Recent Work: Analysis of Privacy Principles
Making Privacy Operational
- Select representative global privacy laws and
directives
- Analyze disparate language, definitions and
expressed requirements
- Parse expressed requirements into a working set of
privacy principles
- Cross-map and derive common and unique
requirements
28 Selected Laws, Directives, Codes
- US FTC Fair Information Practice Principles
- US-EU Safe Harbor Privacy Principles
- Australian Privacy Act
- Japan Personal Information Protection Act
- APEC Privacy Framework
- California Security Breach Bill
- The Privacy Act of 1974 (U.S.)
- OECD Privacy Guidelines
- UN Guidelines
- EU Data Protection Directive
- Canadian Standards Association Model Code
- Health Insurance Portability and Accountability
Act (HIPAA)
29 Derived Core Privacy Principles
- Accountability
- Notice
- Consent
- Collection Limitation
- Use Limitation
- Disclosure
- Access and Correction
- Security/Safeguards
- Data Quality
- Enforcement
- Openness
- Additionally:
- Anonymity
- Data Flow
- Sensitivity
30 Example: The Notice Principle Includes
- definition of the personal information collected
- its use (purpose specification)
- its disclosure to parties within or external to
the entity
- practices associated with the maintenance and
protection of the information
- options available to the data subject regarding
the collector's privacy practices
- changes made to policies or practices
- information provided to the data subject at
designated times and under designated
circumstances
31 Next Steps: Path to ISTPA Privacy Framework v2.0
- Use the analysis study to evaluate the existing Framework;
full document available online
- Analysis being used by external organizations
- Complete expansion of Framework functions,
including function labeling
- Continue collaboration with ISSEA on security
mapping
- Continue development of the Master Toolset project to
make the Framework more accessible and usable
- Expected draft v2.0: 2008
32 Questions?
john.t.sabo@ca.com
www.istpa.org