Add to collection(s) Add to saved
  1. Social Science
  2. Political Science

University of Toronto FIPPA & HR

University of Toronto
Basic Privacy
January 24, 2012
PRIVACY
1. What is it?
2. Why does it matter?
3. How does it work?
4. How is it regulated?
5. What should you do?
PRIVACY: WHAT IS IT?
PERSONAL INFORMATION IS…
INFORMATION ABOUT AN IDENTIFIABLE INDIVIDUAL,
including, but not limited to; ethnic origin, race, religion, age,
sex, sexual orientation, education, financial, employment,
medical, psychiatric, psychological or criminal information,
identifying numbers; S.I.N., home address, home phone
number, photos, videos, identifiable recordings of individual,
name appearing with / revealing other personal information etc.
NOT if acting in business or professional capacity
eg. name, position, routine work information
IDENTIFIABILITY; SPECIAL CASES
Aggregated/statistical data usually not individually linkable BUT
ABSENCE OF NAMES OR OBVIOUS IDENTIFIERS MAY MISLEAD:
-small-cell principle … One of these seven people is HIV positive…
The more factors you have, the likelier identification becomes;
-Asian women over age 50, with income over $200k/yr, who drive a
Volvo, with postal code in M3H ….
Notorious/known events/facts;
The B.C. pig farmer who… or The driver of the vehicle which killed…
Future identifiability; eg, tissue samples (are the information) DNA…
Khaled el emam on reidentifiability: http://www.ehealthinformation.ca/
PRIVACY: WHAT IS IT? DEFINITIONS
1. Privacy of the person
- ‘bodily privacy’, blood samples, etc.
2. Privacy of personal behaviour
- religion, politics, etc., including ‘media privacy’
3. Privacy of personal communications
- ‘interception privacy’, various media
4. Privacy of personal data
- ‘data/information privacy’, control of data
PRIVACY: WHAT IS IT? To be left alone
“THE RIGHT TO PRIVACY” (Warren & Brandeis, 1890)
“…right of the individual to be let alone.” …
-in the face of changing technology - photos in newspapers
‘Instantaneous photographs and newspaper
enterprise have invaded the sacred precincts of
private and domestic life; and numerous
mechanical devices threaten to make good the
prediction that "what is whispered in the
closet shall be proclaimed from the housetops.“’
http://groups.csail.mit.edu/mac/classes/6.805/articles/privacy/Privacy_brand_warr2.html
PRIVACY: WHAT IS IT?
INFORMATION PRIVACY
[The key principle of modern privacy laws]
Control over collection, use, disclosure, retention and
destruction of your personal information
Privacy principles embodied in “Fair Information
Practices.”
Informational self-determination
PRIVACY: WHAT IS IT? FAIR
INFORMATION PRACTICES
•
OECD Guidelines on the Protection of Privacy and Transborder Flows
of Personal Data (1980);
http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm
•
European Union Directive on Data Protection (1995/1998);
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML
•
CSA Model Code for Protection of Personal Information (1996);
http://www.csa.ca/cm/ca/en/privacy-code/publications/view-privacy-code/article/principles-in-summary
•
United States Safe Harbor Agreement (2000) and EU reaction;
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML
•
Global Privacy Standard (2006).
www.ipc.on.ca/images/Resources/up-gps.pdf
•
IPC’s Privacy By Design Principles
http://privacybydesign.ca/about/principles
CSA PRIVACY CODE PRINCIPLES
1. Accountability
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the
organization's compliance with the following principles.
2. Identifying Purposes
The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
3. Consent
The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.
4. Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be
collected by fair and lawful means.
5. Limiting Use, Disclosure and Retention
Personal information shall not be used or disclosed for purposes other than those for which it is collected, except with the consent of the individual or
as required by law. Personal information shall be retained only as long as necessary for the fulfillment of the stated purposes.
6. Accuracy
Personal information shall be as accurate, complete and up-to-date as is necessary for the purpose for which it is used.
7. Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
8. Openness
An organization shall make specific information about its policies and practices relating to the management of personal information readily available
to individuals.
9. Individual Access
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information, and shall be given access to
that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
10. Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals
accountable for the organization's compliance.
http://www.csa.ca/standards/privacy/code/Default.asp?articleID=5286&language=english
PRIVACY: WHAT IS IT?
PRIVACY BY DESIGN PRINCIPLES
1.
Proactive, not reactive, preventive, not remedial
2.
Privacy as the default
3.
Privacy embedded into design
4.
Full functionality, positive-sum, not zero sum
5.
End-to-end security, lifecycle protection
6.
Visibility and transparency
7.
Respect for User Privacy
www.privacybydesign.ca
PRIVACY
1. Why does it matter?
People want/need it
It’s “good for business”
It is a legal requirement
PRIVACY LAWS ARE…
A blunt instrument for individual control over PI
An approximated solution for everybody because we have weak technology
To do things right, you’d need a smart agent or matrix of rights … that would
-know where all of your personal information is at all times
-carry out your wishes and needs in real time
-get it right for all your various institutions/companies/friends/family, etc
-report back to you in real time of collections, uses, disclosures, etc of your pi and
-operate at the level of individual data items, not gross categories
Privacy laws and institutions can`t support this level of control so they err on
the side of preventing broadly defined unauthorized disclosure/destruction
Maybe in the future; meanwhile, IPC federated identity ideas interesting…
http://www.ipc.on.ca/images/Resources/F-PIA_2.pdf
LAWS BASED ON CSA PRINCIPLES
Federal
Personal Information Protection and Electronic Documents Act PIPEDA
Strongly consent-based; Incorporates CSA Code Principles;
regulates commercial activity with personal information, inter-provincial
data flows and federally-regulated endeavours like banking, insurance and
telecommunications
(ousted by substantially similar provincial laws), Que, Alta, BC and PHIPA
http://laws.justice.gc.ca/en/showtdm/cs/P-8.6
…and Ontario Personal Health Information Protection Act;
PHIPA
Consent based—health data is important/sensitive—regulates health
information, explicit consent/ability to “shape” treatment, deemed consent
for treatment, BUT research without consent , mandatory disclosure to
eliminate/reduce significant risk of bodily harm
http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_04p03_e.htm#BK54
NOTICE-BASED PRIVACY LAWS
Some public sector privacy statutes…like
Ontario Freedom of Information and Protection of Privacy Act
FIPPA
Notice-based – because government must conduct certain activities– once you are
notified of collection of your personal information (for a lawfully authorized activity) you
may be have no control – although some consent-based opting out is possible for
activities, no choice because Government is only supplier or
The activity is not (totally or necessarily) optional; eg:
-standard setting
-regulation, licensing, tracking/updating entitlements
-law enforcement
-emergency disclosure, public health and safety
http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_90f31_e.htm
Also true of some other provincial privacy laws and Canadian public sector privacy law
http://laws.justice.gc.ca/en/showtdm/cs/P-21
PRIVACY
1. How does it work?
Give people notice > “reasonable expectations”
Then stick to notices – and legal requirements
Use adequate security/practices
There are limits to privacy (user control)
U of T NOTICE of COLLECTION
•
The University of Toronto respects your privacy. Personal
information that you provide to the University is collected
pursuant to section 2(14) of the University of Toronto Act,
1971. It is collected for the purpose of administering
admissions, registration, academic programs, universityrelated student activities, activities of student societies,
financial assistance and awards, graduation and
university advancement, and for the purpose of statistical
reporting to government agencies. At all times it will be
protected in accordance with the Freedom of Information and
Protection of Privacy Act. If you have questions, please refer
to www.utoronto.ca/privacy or contact the University Freedom
of Information and Protection of Privacy Coordinator at 416946-7303, McMurrich Building, room 201, 12 Queen's Park
Crescent West, Toronto, ON, M5S 1A8.
PRIVACY LAWS REGULATE
Collection
Use
Disclosure
Retention
Destruction
Of personal information
COLLECTION
Three requirements:
1. Must have legal authority to collect
•
•
Statutory authorization, law enforcement or
necessary for program delivery, teaching purposes etc.
•
(for the proper administration of a lawfully authorized activity)
2. Must collect directly from individual
•
Limited exceptions including consent
3. Must provide notice of collection indicating;
•
•
•
Legal authority
Principal intended uses of the personal information
Individual to contact with questions
USE AND DISCLOSURE
•
For original or consistent purpose (see notice of collection)
•
With the individual’s consent
•
Internally on a need-to-know basis
•
To comply with legislation, other legal requirements
•
For specific compassionate circumstances
•
Where necessary for fundraising
• With periodic notices & opt-outs
•
limited other circumstances
SECURITY vs. PRIVACY
• Privacy involves institution’s legal obligations, especially for
collection, use, disclosure, retention and destruction of
personal information, in support of individual privacy
• Privacy is a legal right/obligation of individual/institution
• FIPPA part III sets out privacy protections
• Security comprises lock-and-key measures; data integrity,
protection, confidentiality and identity authentication
• Security supports and is a key enabler for privacy
• FIPPA General Reg. s. 4 lists security requirements
• There can be no privacy without security
SECURITY
• End-to-end (full lifecycle, all contexts)
• Physical
• Technical / IT systems
• Administrative / behavioural (incl. policy)
• Data should be protected like other assets
• No universal due diligence standards but …
PAPER VS. ELECTRONIC RECORDS
Historic disclosure of records in paper form can be a poor basis for putting them online
Eg.
-property assessment records
-records of town/city council meetings
-records of administrative tribunals
-certain types of licensing records
-voters lists
Balance possible privacy impacts against benefits/objectives of proposed activity
Electronic posting unlike historical availability of paper records (practical obscurity)
-(world) wide distribution (beyond local interests)
-easy copying/aggregation into other databases/uses
-loss of control by originating body
-persistence beyond control of originating body
U.S. papers on practical obscurity:
http://www.nyls.edu/user_files/1/3/4/17/49/Vol49no3p967-992.pdf
http://repositories.cdlib.org/cgi/viewcontent.cgi?article=1022&context=ischool
PRIVACY
1. What should I do?
Give users clear information
Support User rights and expectations
Keep it simple
Know your organization
SETTING REAL WORLD (legal) LIMITS
What is possible?
technology / business etc.
Philosophy
Beliefs
What do people
need, want, fear?
Principles
Government response to public expectations
Law
Policy
Practices
PRIVACY LIMITS
Privacy (in data protection laws) is never absolute; some exceptions for:
-Law enforcement
-Public health
-Legal processes (generally supersede statutory privacy protections)
subpoenas, summonses, court orders, etc.
-Other legislation
emergency management, health protection, anti-terrorism etc.
…data protection laws are made by law-makers, who may discover new
priorities, exceptions or other reasons to change or abrogate privacy.
The balance is found in the same way as other political/social balances.
Public involvement, consultation and advocacy help to guide politicians…
WORK REASONABLY
WITHIN LEGAL LIMITS – AND IN UNREGULATED ACTIVITIES
If you can, do the activity without personal information. Be creativeanonymize, use non-identifying token; eg. IPC HWY 407 solution:
http://www.ipc.on.ca/english/Resources/Discussion-Papers/Discussion-Papers-Summary/?id=335
-Is the personal information NECESSARY
If personal information is NECESSARY for an activity; balance privacy
interests being compromised against the value of the activity; eg.
-public health surveillance threshold:
Where between the common cold & SARS??
Beware erroneous (often well-established) misconceptions:
-business may want more information than needed for a transaction
-law enforcement personnel may look for a lot of data on everybody
-a building manager may want access to video surveillance records..
How do you decide what is right…what is enough?
HELP SET USEFUL PRIVACY LIMITS
ALWAYS ask:
What EXACTLY is the activity or function?
What EXACTLY are the objectives of the activity? -- get a COMPLETE list
Determine what actions are NECESSARY to achieve the objectives, then (and only then)
-Define and list EXHAUSTIVELY what PI is NECESSARY to accomplish the actions
-Check existing legal parameters; can you collect, use, disclose the PI?
-Even if you can legally collect, use, disclose etc., or are UNREGULATED:
-can you do the task without PI?
-if not, can you get away with less/partial information?
-Consider how well the activity can be delivered with more or less PI
-Consider financial impacts/benefits of having/using more or less PI
-How can you minimize/eliminate privacy risks?
Remember risks of having PI – breaches, data loss, ID theft, etc.
Consider impact on your client/employer of a breach or misuse of data;
For example, IPC/MTO arrangement re access to driver and vehicle license databases
http://www.ipc.on.ca/images/Resources/up-1num_25.pdf
PRIVACY IMPACT ASSESSMENTS
A living document that develops with a project to
Identify privacy risks for leadership attention by
By setting examining and evaluating:
Project data flows at transactional level, evaluating against;
law, standards, policy/practice, community expectation
eg. PHIPA, FIPPA, PbD, CSA,
Institution policies, practices, community consultations
A team effort; IT, Security, Privacy, Legal, etc…
Results in a listing of residual privacy risks for leadership
to accept, or remedy; Roger Clarke historical PIA paper:
http://www.rogerclarke.com/DV/PIAHist-08.html
ABOUT SECURITY
Most security measures can’t guarantee confidentiality
They make unauthorized access difficult so information
is less likely to be accessed.
Well chosen and applied security reduces the probability
unauthorized access as much as circumstances and
resources permit.
ELECTRONIC RECORD SECURITY
Keep electronic records of confidential information in a
secure server environment.
Access confidential records securely – through
encrypted channels, such as virtual private networks.
Only remove confidential records from a secure server
with authorization, operational need, and it there is no
other reasonable means to accomplish the task.
Out of secure server environment, keep confidential
electronic records encrypted (eg. in transit and storage).
Server drives likely to be encrypted soon.
CLOUD COMPUTING; TWO PAPERS
Privacy in the Clouds – IPC
User-centric identity management infrastructure
… will be the answer
http://www.ipc.on.ca/images/Resources/privacyintheclouds.pdf
Roger Clarke Cloud Computing paper:
“Cloud computing emerged during 2006-09 as a
fashion item….”
http://www.rogerclarke.com/EC/CCEF.html
WHEN YOU OWN THE SYSTEM
Your IT / security staff should know your systems,
existing and planned
Data flows should be understood and finely mapped
This activity is key to privacy or threat/risk assessments
Even if you are outsourcing, do this detailed work for any
“in house” components or parts of the system/service
WHEN YOU DO NOT OWN THE SYSTEM
Do all you can to understand the vendor’s systems as well
and completely as possible:
Ask for detailed data flows, systems maps, etc.
Have your IT / security staff meet the vendor’s
Enter into NDAs as necessary to learn as much as possible
But the vendor might not let you see enough for you to
assess privacy/security to your satisfaction
You will have to establish trust,
…..based on assurances that you can verify
CHECKING OUT THE VENDOR
Cloud or not, check:
•
Institutional procurement process/experts;
•
RFI, RFP, etc
•
Reference checks,
•
Information from other clients,
•
Letters of recommendation
•
Reputation, past record
•
Compliance with/breach of legislative requirements
•
Certifications
•
Interview the contractor
SOME POSSIBLE
VENDOR ASSURANCES
Compliance with your privacy/security requirements
Confidentiality; no information sale, tracking, data mining…
Governing law … preferably Ontario
No disclosures except as required by law
Staff training, need-to-know access, confid. Agreements
No third party contractors, or standards as for staff
Data minimization
Breach notification, investigation, remediation/mitigation
Security; IT, physical, administrative/behavioural
Periodic update and maintained currency of assurances
Location of servers, data, etc, etc, etc…
SECURING ASSURANCES
A negotiation with your vendor, involving:
Procurement
IT/CIO staff
Legal
Privacy
Other experts as required….
ASSURANCES MUST BE VERIFIED
Operational Audits
Security Audits
Active Security Testing
Etc…
All to be incorporated into your agreement(s)
ORGANIZATIONAL SUGGESTIONS
Keep it simple!!
Use simple binary rules; -Confidential or not -Secured or not
Provide clear guidance/rules --- avoid fuzzy lines, difficult distinctions
If it’s not officially designated as public, it’s confidential
If it’s electronic, keep it in a secure institutional server or keep it encrypted
If it’s hard copy, keep in a locked cabinet inside a locked, non-public space
Provost’s security guideline
http://www.provost.utoronto.ca/policy/FIPPA_-_Guideline_Regarding_Security_for_Personal_and_Other_Confidential_Information.htm
ORGANIZATIONAL SUGGESTIONS
Know the Organization:
Mission, purposes, rules
How is it governed?
How is it administered?
Think like an executive….big picture
Avoid becoming a “narrow” expert
FREEDOM OF INFORMATION AND
PROTECTION OF PRIVACY OFFICE
Rafael Eskenazi – FIPP Director
Tel: (416) 946-5835
E-Mail: rafael.eskenazi@utoronto.ca
University of Toronto FIPP Office
McMurrich Building, Room 201
12 Queen’s Park Crescent West
Toronto, ON M5S 1A8
Fax: (416) 978-6657
Related documents
IAPP presentation - International Association of Privacy Professionals
IAPP presentation - International Association of Privacy Professionals
Maintaining Privacy and Dignity in Care (Fiona Throp)
Maintaining Privacy and Dignity in Care (Fiona Throp)
Merenje koncentracije i trzisne moci privrednih
Merenje koncentracije i trzisne moci privrednih
Lecture for Chapter 2.3 (Fall 09)
Lecture for Chapter 2.3 (Fall 09)
Instance Based Social Network Representation
Instance Based Social Network Representation
Using Social Media in Research: Privacy, Trust, & Ethics
Using Social Media in Research: Privacy, Trust, & Ethics
DS1 - Claran Mc Mahon CyPsy RCSI
DS1 - Claran Mc Mahon CyPsy RCSI
Final project PowerPoint
Final project PowerPoint
Download