Privacy Awareness SFS Seminar

Jari Alvinen/Nokia CTO Compatibility and Industry Collaboration 2013-11-26


© Nokia 2013

Agenda

1.  WHY – Putting Privacy in Business Context
    −  Real-life incidents
2.  WHAT – EU GDPR and ISO 29100
    −  Terminology
    −  Roles within the Privacy Framework
    −  Privacy Principles
    −  Essence of privacy
    −  Personally Identifiable Information and Identifiability
3.  HOW – Compliance or Accountability
    −  CIPL view on Accountability
    −  Elements of an Accountable Privacy Program
    −  Privacy-related business processes
4.  HOW – Privacy Engineering & Assurance simplified
    −  Privacy data lifecycle
    −  Design principles favoring privacy
    −  Privacy impact assessment
    −  Privacy risk management
    −  Assessing privacy maturity

1. WHY – Putting Privacy in Business Context

2012/2013 Instagram case

•  The Facebook-owned photo sharing service changed its Terms of Use so that it could exploit members' photographs for profit, without compensating the owners
•  Impact: daily active users reportedly fell from almost 16.3 million to about 7.6 million, and brand damage followed (the marketing terms "to do a Zuckerberg" and "to be Instagrammed" were coined)

1999 Intel Pentium III

•  The Pentium III included a unique, retrievable identification number, the PSN (Processor Serial Number), that software could read through the CPUID instruction unless the feature had been disabled in the BIOS
•  Impact: a product design decision had far-reaching consequences for consumers' online privacy. Intel's market dominance, the lack of accurate material about the privacy implications of the PSN, and individuals' inability to control the use of the PSN together placed consumer privacy at risk
•  Regulatory response: the European Parliament moved to keep PSN-equipped chips out of computers destined for EU consumers and public procurement. A formal inquiry was averted when Intel decided to remove the PSN feature from Tualatin-based Pentium IIIs; the feature was not carried over to the Pentium 4 or Pentium M

2013 HTC America affair

•  HTC was sanctioned by the US government (FTC) for negligence in security engineering:
   −  No security training for engineering staff
   −  No security reviews or testing for vulnerabilities
   −  Not following well-known secure coding practices
   −  No process for receiving and addressing vulnerability reports from third parties
•  Millions of devices were vulnerable in many ways (read the fine print of the complaint)
•  HTC was required to fix all of these and to establish a comprehensive security program, AND to undergo independent security assessments every other year for the next 20 years

2012 Google tracking case

•  Google circumvented Apple's privacy safeguards in the Safari browser
•  Stanford research discovered DoubleClick overriding Safari's cookie controls
•  Millions of consumers affected
•  The FTC imposed a record fine ($22.5 million)
•  Prompted EU investigations

Stamp on the slide: "This just in: on Monday 18 November 2013 Google agreed to pay $17 million to 37 states and the District of Columbia in a nationwide settlement. This is additional to the previous FTC fine of $22.5 million."

[Chart: average cost of unauthorized disclosure per data breach, by country; the bracketed number after each country gives the benchmark sample size]

Source: http://www.symantec.com/content/en/us/about/media/pdfs/b-ponemon-2011-cost-of-data-breach-global.en-us.pdf

Why is privacy important?

•  Authorities are doing joint enforcement against major companies
   Example: Facebook. Canadian, US, Nordic and Irish regulators investigated complaints and found violations
•  Increasing interest in mobile technologies among public policy makers
   Example: positioning technologies. More and more laws globally

Enforcement actions:
•  Fines
•  Penalties
•  Cost of remediation
•  Forced privacy program
•  20-year external audit
•  Deletion of unlawfully collected data
•  Sales stops, recalls

2. WHAT – EU GDPR and ISO 29100

EU GDPR and ISO 29100

•  By 2015 EU data protection regulation is expected to be based on the proposed General Data Protection Regulation (GDPR)
•  Potential harmonizing effect on data protection across EU businesses
•  ISO 29100 defines a Privacy Framework that reflects many of the proposed components of the GDPR
•  Contributions to the standard came from representatives of EU, US, Canadian, Australian and New Zealand data protection authorities
•  The Privacy Framework includes:
   −  Terminology
   −  Roles and interactions
   −  Recognizing PII
   −  Privacy safeguarding requirements
   −  Privacy policy
   −  Privacy controls
   −  Privacy principles

Terminology (ISO 29100 §2; Finnish terms from the SFS translation in parentheses)

•  Identifiability (tunnistettavuus) - condition which results in a PII principal being identified, directly or indirectly, on the basis of a given set of PII
•  Personally Identifiable Information, PII (henkilötieto) - any information that (a) can be used to identify the PII principal to whom such information relates, or (b) is or might be directly or indirectly linked to a PII principal
•  PII Controller (henkilötiedon rekisterinpitäjä) - privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing PII, other than natural persons who use data for personal purposes
•  PII Principal (rekisteröity) - natural person to whom the PII relates
•  PII Processor (henkilötiedon käsittelijä) - privacy stakeholder that processes PII on behalf of and in accordance with the instructions of a PII controller
•  Privacy breach (tietosuojarikkomus) - situation where PII is processed in violation of one or more relevant privacy safeguarding requirements
•  Privacy safeguarding requirements (yksityisyyden suojaamisen vaatimukset) - set of requirements an organization has to take into account when processing PII with respect to the privacy protection of PII

Roles within the privacy framework

•  The DPA (Data Protection Authority, Information Privacy Commissioner, tietosuojaviranomainen, etc.) is the independent legal authority administering privacy rules within a country
•  The consumer is the PII Principal
•  The PII Controller is the entity that determines the purposes and means of processing the consumer's personal data and is RESPONSIBLE for the processing of the data subject's PII
•  The PII Processor performs information processing on behalf of the Data Controller (PII Controller)

[Diagram: the Data Protection Authority (DPA) overseeing the PII Principal, the PII Controller and the PII Processor]

Sometimes a reference is also made to a Third Party, which can be viewed as outside this privacy framework but remains the responsibility of the Data Controller.

Privacy Principles (ISO 29100 §5)

1.  Consent and choice (Suostumus ja valinnanvapaus) - the PII Principal has a choice about, and opts in to, PII processing
2.  Purpose legitimacy and specification (Tarkoituksen laillisuus ja määrittely) - processing complies with the law, and notice is given before processing
3.  Collection limitation (Tiedonkeruun rajoittaminen) - collection stays within the law and is limited to what is necessary for the specified purposes
4.  Data minimization (Tiedonkäsittelyn rajoittaminen) - minimize the processing of PII
5.  Use, retention and disclosure limitation (Käytön, säilytyksen ja luovuttamisen rajoittaminen) - also applies as a limitation on cross-border transfers
6.  Accuracy and quality (Oikeellisuus ja laatu) - measures to assure the validity and correctness of PII processing
7.  Openness, transparency and notice (Avoimuus, läpinäkyvyys ja ilmoittaminen) - clear, complete and accessible information on PII processing
8.  Individual participation and access (Omien tietojen tarkistusoikeus) - the PII Principal can review their PII and correct inaccuracies
9.  Accountability (Vastuullisuus) - demonstrate the duty of care owed to the PII Principal in PII stewardship
10. Information security (Tietoturvallisuus) - protect the PII under its authority with appropriate controls
11. Privacy compliance (Tietosuojavaatimusten noudattaminen) - verify and demonstrate adherence to the law through internal or third-party audits

Essence of privacy

Privacy concerns emerge from personally identifiable data:

Personal data or information
•  Any information relating to an identified or identifiable natural person, an individual

+ Identifiability
•  (Nymity) The measure of the degree to which personal data can be associated with an individual

Personal data/information

•  Relates to information about a natural person
•  When the data can be associated with an individual, it is referred to as Personally Identifiable Information (PII)
•  The criteria for linkability of data to an individual are a hot topic within the privacy community
•  Sensitive PII must be treated specially
•  Generally, PII of a racial, religious, political, sexual-orientation or medical nature is characterized as sensitive, but other categories should also be considered
•  Also commonly referred to as Personal Data

Categories of personal data:
•  Basic data (e.g. first name, last name, mobile number)
•  Address data (e.g. postal code, email address)
•  Restricted categories of data (e.g. racial or ethnic origin, religion, trade union membership; processed only if allowed by applicable law)
•  Social networking related data (e.g. metadata of uploaded pictures, site activity information)
•  Location data (e.g. GPS coordinates or mobile network base station ID)
•  Identifiers (e.g. IMEI, device identifiers, IP address)
•  System data, i.e. information about how individual users are using the system (e.g. log files)
•  Monetary transaction data (e.g. credit card number, account information)

These are some of the categories of personal data to consider when identifying the PII in your particular project.

Components of identifiability

•  Identifiability (Tunnistettavuus): a measure of the degree to which information is personally identifiable. The identity measurement takes place on a continuum, from full anonymity (the state of being without name) to full verinymity (being truly named)
•  Linkability (Yhdistettävyys): a measure of the degree to which data elements can be linked to the true name of the data subject. Unlinkability means that different records cannot be linked together and related to a specific personal identity. Complex interrelations have to be taken into account here, as linking may be organized and/or made possible in different ways
•  Observability (Tarkkailtavuus): a measure of the degree to which identity or linkability are affected by the use of a system. It covers any other factor of the data processing (time, location, data contents) that can affect the degree of identity and/or linkability

Note: the Finnish translations on this slide are not official ones.

3. HOW – Compliance or Accountability

Compliance or Accountability

•  The goal of merely being privacy compliant may not be sufficient to avoid regulatory action against your company
•  Data protection authorities (DPAs) now expect organizations to demonstrate their good intentions
•  Accountability has its roots in the 1980 OECD privacy guidelines
•  An accountability framework builds trust between DPAs and organizations over the handling of personal data
•  Accountability means being able to show how your company has holistically integrated privacy best practices
•  The Centre for Information Policy Leadership (CIPL) has defined a globally DPA-endorsed approach to accountability: "Data Protection Accountability: The Essential Elements"

Elements of an Accountable privacy program

1. Executive accountability and oversight
   ✓ Internal senior executive oversight of and responsibility for data privacy and data protection
2. Policies and processes to implement them
   ✓ Binding and enforceable written policies and procedures that reflect applicable laws, regulations and industry standards, including procedures to put those policies into effect
3. Staffing and delegation
   ✓ Allocation of resources to ensure that the organization's privacy program is appropriately staffed by adequately trained personnel
4. Education and awareness
   ✓ Up-to-date education and awareness programs to keep employees and on-site contractors aware of data protection obligations
5. Risk assessment and mitigation
   ✓ Ongoing risk assessment and mitigation planning for new products, services, technologies and business models
   ✓ Periodic program risk assessment to review the totality of the accountability program
6. Event management and complaint handling
   ✓ Procedures for responding to inquiries, complaints and data protection breaches
7. Internal enforcement
   ✓ Internal enforcement of the organization's policies and discipline for non-compliance
8. Redress
   ✓ Provision of remedies for those whose privacy has been put at risk

Not just compliant but accountable.

Privacy-related business processes

•  Quality management process
•  Risk management process
•  Assessment process
•  Security engineering process
•  Business continuity process
•  Customer care process
•  Incident response management process
•  External communications process
•  Authority request / lawful intercept process

4. HOW – Privacy Engineering & Assurance simplified

Privacy Engineering & Assurance simplified

[Diagram: two parallel tracks, Privacy Engineering and Privacy Assurance, each producing Evidence that feeds the go-live decision]

Privacy Engineering
•  Planning: threat assessment and mitigation, requirements identification
•  Inputs: principles, policies, procedures, requirements, patterns
•  Engineering/implementation: consultation, addressing new topics, cultivating requirements
•  Output: evidence

Privacy Assurance
•  Review against requirements (can be standalone)
•  Output: evidence
•  Go-live / OK sign-off

Privacy data lifecycle

•  Also called the Consumer Data Lifecycle, it is a fundamental component of the privacy knowledge base
•  Defines the actions related to personal data within the privacy framework
•  When analyzing the data flow in your specifications, you should also consider the complete lifecycle of the associated PII
•  Within the EU, collection itself is considered to be an act of processing!

[Diagram: lifecycle stages Collection → Processing → Storage → Transfer → Deletion]

Design principles that favor privacy

•  Purpose clarity for collection, use, storage and transfer
•  Specify a data management plan
•  Data security (confidentiality, integrity, availability)
•  Data minimization
•  Limit retention of personal data
•  Reduce data linkability with de-identification
•  Better yet, delete data when its purpose is fulfilled
•  Emphasis on the complete product lifecycle
•  Have consumer-centric defaults
•  Understand your incident response plan
•  Identify and report security & privacy metrics regularly
•  Commit to continual improvement
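The identifiability and linkability components described earlier, and the "reduce data linkability with de-identification" principle above, are easiest to see on data. The following Python example is added here and is not part of the seminar deck or of any Nokia material; the survey export, the public directory and every name in them are constructed. It shows that stripping direct identifiers leaves quasi-identifiers (postal code, birth year, gender) that can still be joined to an external list, how k-anonymity measures that exposure, and how generalizing the quasi-identifiers raises k and breaks the link.

```python
"""k-anonymity and linkage check over constructed records (added example).

Direct identifiers (name, phone) were already removed from SURVEY, yet the
quasi-identifiers left behind still single out some PII principals. Linking
SURVEY to a constructed public DIRECTORY on those quasi-identifiers
re-identifies them; generalizing the quasi-identifiers removes the link.
"""
from collections import Counter
from typing import Dict, List, Tuple

Record = Dict[str, str]

# Columns that are not identifiers on their own but can identify in combination.
QUASI_IDENTIFIERS: Tuple[str, ...] = ("postal_code", "birth_year", "gender")

# Constructed "de-identified" export: names and phone numbers already stripped,
# a sensitive attribute (diagnosis) kept for analysis.
SURVEY: List[Record] = [
    {"postal_code": "00100", "birth_year": "1985", "gender": "F", "diagnosis": "asthma"},
    {"postal_code": "00100", "birth_year": "1985", "gender": "F", "diagnosis": "none"},
    {"postal_code": "00120", "birth_year": "1979", "gender": "M", "diagnosis": "diabetes"},
    {"postal_code": "00150", "birth_year": "1975", "gender": "M", "diagnosis": "none"},
    {"postal_code": "00180", "birth_year": "1992", "gender": "M", "diagnosis": "none"},
    {"postal_code": "00180", "birth_year": "1992", "gender": "M", "diagnosis": "asthma"},
]

# Constructed public list (e.g. a club membership directory) carrying names next
# to the same quasi-identifiers. Its existence is what makes SURVEY linkable.
DIRECTORY: List[Record] = [
    {"name": "A. Virtanen", "postal_code": "00100", "birth_year": "1985", "gender": "F"},
    {"name": "B. Korhonen", "postal_code": "00100", "birth_year": "1985", "gender": "F"},
    {"name": "C. Nieminen", "postal_code": "00120", "birth_year": "1979", "gender": "M"},
    {"name": "D. Mäkinen", "postal_code": "00150", "birth_year": "1975", "gender": "M"},
    {"name": "E. Laine", "postal_code": "00180", "birth_year": "1992", "gender": "M"},
    {"name": "F. Heikkinen", "postal_code": "00180", "birth_year": "1992", "gender": "M"},
]


def qi_key(rec: Record, qis: Tuple[str, ...] = QUASI_IDENTIFIERS) -> Tuple[str, ...]:
    """The quasi-identifier tuple that defines a record's equivalence class."""
    return tuple(rec[q] for q in qis)


def k_anonymity(records: List[Record], qis: Tuple[str, ...] = QUASI_IDENTIFIERS) -> int:
    """Smallest equivalence class over the quasi-identifiers. k == 1 means at
    least one record is unique in the data set, i.e. identifiable on its own."""
    classes = Counter(qi_key(r, qis) for r in records)
    return min(classes.values()) if classes else 0


def link(records: List[Record], external: List[Record],
         qis: Tuple[str, ...] = QUASI_IDENTIFIERS) -> Dict[int, List[str]]:
    """Join each record (by index) to the names in `external` that share its
    quasi-identifiers. This is the linkability component made concrete."""
    by_key: Dict[Tuple[str, ...], List[str]] = {}
    for ext in external:
        by_key.setdefault(qi_key(ext, qis), []).append(ext["name"])
    return {i: by_key.get(qi_key(r, qis), []) for i, r in enumerate(records)}


def reidentified(records: List[Record], external: List[Record],
                 qis: Tuple[str, ...] = QUASI_IDENTIFIERS) -> Dict[int, str]:
    """Records whose quasi-identifiers match exactly one name: the PII principal
    is identified, so the 'de-identified' record was still PII."""
    return {i: names[0] for i, names in link(records, external, qis).items()
            if len(names) == 1}


def generalize(rec: Record) -> Record:
    """De-identify by coarsening: keep a 3-digit postal prefix and the birth
    decade, leave every other field (including the sensitive one) unchanged."""
    out = dict(rec)
    out["postal_code"] = rec["postal_code"][:3] + "**"
    out["birth_year"] = rec["birth_year"][:3] + "0s"
    return out


def main() -> None:
    print("k before generalization:", k_anonymity(SURVEY))
    print("re-identified before:", reidentified(SURVEY, DIRECTORY))
    gen_survey = [generalize(r) for r in SURVEY]
    # An attacker applies the same coarsening to their side before joining.
    gen_directory = [generalize(d) for d in DIRECTORY]
    print("k after generalization:", k_anonymity(gen_survey))
    print("re-identified after:", reidentified(gen_survey, gen_directory))


if __name__ == "__main__":
    main()
```

Run as a script: before generalization k is 1 and two survey rows resolve to a single directory name each; after generalization k is 2 and no row resolves to a single name. Two caveats a reviewer should keep in mind: k-anonymity measures linkability only, so if every record in an equivalence class carries the same sensitive value the attribute is disclosed anyway, and observability factors such as the timestamps and IP addresses in the "system data" category listed earlier tend to make records unique again unless they are coarsened or dropped as well.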

Privacy impact assessment

•  Proposed EU GDPR Article 33 mandates a (data protection) impact assessment for public and private organizations
•  Produces evidence of implementing Privacy by Design
•  Conducted by staff whenever personal information is collected, used or disclosed in a product or service
•  Re-conducted if material changes are made to the product or service
•  ISO 29134 (WD) will standardize the methodology

PIA steps:
•  Identify: describe the project, including its aims, whether any personal information will be handled, and the privacy principles that apply
•  Analyze: identify the personal information flows, classify the data, identify the relevant regulations, privacy requirements and privacy impact
•  Verify: validate that only essential data is collected and processed, for legitimate purposes required by the product or service
•  Simplify: change the system and processes to collect/store/process only essential data, for the minimum period, with a data deletion plan
•  Secure: use industry best practices for safeguarding personal data through its life cycle, giving consumers control over their data
•  Remediate: identify the remaining risk and level of harm, and a mitigation plan to eliminate or reduce the risk to an acceptable level
•  Attest: record the findings, gain sponsor commitment to implement any needed changes, and report the results to management

Privacy risk assessment

•  Produces evidence that possible privacy risk has been minimized
•  Conducted by the business team with input from the PIA evidence
•  Re-conducted if material changes are made to the product or service
•  ISO 31000 defines an applicable risk management framework

Steps (after ISO 31000):
•  Context: establish the external and internal context for the risk, the risk management process and the risk assessment criteria to be used
•  Identify: identify sources of risk, areas of impact, events and causes, and potential consequences
•  Analyze: consider causes and sources of risk and their positive and negative consequences, both tangible and intangible
•  Evaluate: decide, based on the risk analysis, which risks need treatment and the priority for implementing treatment
•  Treat: select remediation based on avoiding, taking on, removing, changing the likelihood of, changing the harm of, or sharing the risk
•  Monitor & review: assure that controls are effective, learn and improve, detect context changes, identify new risks, measure KPIs
•  Improve: commit to constant improvement of the overall risk footprint

Privacy capability assessment

•  Provides a method for advancing your privacy program
•  Conducted to measure the baseline and incremental changes
•  Part of a commitment to accountability and constant improvement
•  ISO 29190 (CD) will standardize a methodology

Steps:
•  Plan: agree on the privacy capability assessment model (e.g. context- or business-process-based) and the assessment scale to be used
•  Assess: rate the current capability against the target capability
•  Review: identify sub-optimal capabilities to be improved and the overall improvement plan
•  Report: communicate to management the assessment activity, results, improvement actions and the next scheduled assessment
•  Improve: implement the improvement plan

Benediction: Privacy Contextuality

Privacy triangle of trust

[Diagram: triangle of the three main stakeholder positions]

Hint: to avoid the complexities of the contextual nature of privacy, REMEMBER to account for the three main stakeholder positions when dealing with a privacy-related issue, policy or business decision!

Source: David Hoffman/Intel

5. References

•  OECD Privacy Principles
•  EU Data Protection Directive 95/46/EC
•  EU Proposed General Data Protection Regulation
•  ISO 29100 from ISO (Finnish translation from SFS)
•  CIPL, Implementing Accountability
•  CIPL, Accountability Self-Assessment Tool

Contact: [email protected]