PUBLIC SAFETY and INSTITUTIONAL ASSURANCE
Do You Know Your Privacy Risks?
Merri Beth Lavagnino, Chief Risk Officer, Indiana University
Privacy definition
“Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.”
– Alan Westin: Privacy & Freedom, 1967
But, it’s a moving target…
“Each individual is continually engaged in a personal adjustment process in which he balances the desire for privacy with the desire for disclosure and communication.”
– Alan Westin: Privacy & Freedom, 1967
Here’s how you do a privacy assessment of a service, project, initiative, app, etc.!
• Identify the potential Privacy Harms
• Determine what your institution’s position will be
  – Use the Privacy Principles to devise ways to reduce the harms
  – You must do the minimum required by law, but you also can choose to do more than is required by law
First, identify the Privacy Harms
• Brainstorm the possible harms so you can try to ANTICIPATE (and then plan to reduce or even avoid) these harms
• Many theorists in this area
  – William Prosser in 1960
  – Alan Westin in 1967
  – Daniel J. Solove’s 2008 “Taxonomy of Privacy”
The Information Collection Harm
What the person might think: “They are collecting information about what I am doing - more than they should!” Examples include:
§ Surveillance — watching, listening to, or recording an individual’s activities
§ Interrogation — inappropriately probing for information
§ Visual — viewing private activities without the individual’s knowledge
§ Communications — tapping your phone, email, Internet traffic
§ Too Much Information (TMI) — asking for “private” information unnecessarily
The Information Processing Harm
What the person might think: “They have a lot of data about me, and they are storing, manipulating, and using it!” Examples include:
§ Aggregation — combining pieces of information about an individual that were collected from different sources
§ Identification — linking unidentified information elements to particular individuals
§ Insecurity — failure to protect information from leaks and unauthorized access
§ Secondary use — use of collected information for a purpose different from the use for which it was collected, without the individual’s consent
§ Exclusion — using data to exclude an individual, especially if the data was incorrect or interpreted incorrectly
The Information Dissemination Harm
What the person might think: “They spread or transfer information about me — more than I think they should!” Examples include:
§ Breach of confidentiality — breaking an agreement to keep information confidential
§ Disclosure — disclosing data to persons or entities the individual doesn’t expect
§ Exposure — revealing intimate information, as in a public exposure of private facts
§ Increased accessibility — amplifying the accessibility of info
§ Blackmail — a threat to disclose personal information
§ Appropriation — the use of an individual’s identity, such as using a name or picture, without the individual’s permission
§ Distortion — disseminating false or misleading information about individuals
The Invasion Harm
What the person might think: “They come into my space and contact me, or tell me what to do!” Examples include:
§ Invasions into private affairs
§ Invasive acts that disturb an individual’s tranquility or solitude
§ Decisional interference — entering into an individual’s decisions regarding her private affairs
§ Unwanted email — did you know that unwanted communications into an individual’s personal space, including her email inbox, is considered a privacy invasion?
§ Unwanted phone calls — entering into an individual’s personal space by calling his personal phone number (especially if it is a mobile phone)
§ Entering a room without knocking
Once you’ve identified the possible HARMS...
• Then use the Privacy PRINCIPLES to design controls/safeguards that appropriately address those harms
Sources of privacy principles
• American Institute of Certified Public Accountants, Inc. (AICPA) and Canadian Institute of Chartered Accountants (CICA). Generally Accepted Privacy Principles. August, 2009.
• U.S. Federal Trade Commission (FTC). Fair Information Practice Principles. 1998.
• Organisation for Economic Co-operation and Development (OECD). OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. 1980, revised 2013.
• U.S. Department of Homeland Security (DHS). DHS Fair Information Practice Principles. 2008.
• U.S. White House. Consumer Data Privacy in a Networked World (a.k.a. Consumer Privacy Bill of Rights). 2012.
Different terminology… but same general concepts
DHS
• Transparency
• Individual Participation
• Purpose Specification
• Data Minimization
• Use Limitation
• Data Quality and Integrity
• Security
• Accountability and Auditing
GAPP
• Management
• Notice
• Choice and Consent
• Collection
• Use and Retention
• Access
• Disclosure to Third Parties
• Security for Privacy
• Quality
• Monitoring and Enforcement
Indiana University Privacy Principles: https://protect.iu.edu/online-safety/program/principles.html
The Notice Principle
§ Usually, the easiest way to address privacy harms is by identifying a way to inform, or provide “notice” to users of institutional practices around the data collected from them.
§ Posting a privacy policy on your website, or explaining on a form or login screen the plans for the data that users will enter, is a way to provide notice.
The Choice & Consent Principle
• Address privacy harms by identifying a way to obtain implicit or explicit consent from individuals with respect to the collection, use, disclosure, and retention of their information.
• Choice may apply to "secondary uses" — that is, uses beyond the original reasons for which the data was provided.
• Choice may be "opt in" (data will not be shared without consent), or "opt out" (user must request to stop the sharing or contacting).
• Consider providing checkboxes to indicate consent to various uses.
The Collection Limitation Principle
• Privacy harms can be addressed by reviewing what data is being collected and ensuring that you are collecting only the information needed to achieve the purposes identified, in support of the organization’s mission, and as outlined in the notice.
• Especially critical are very sensitive or risky pieces of data such as Social Security numbers, credit card numbers, bank account numbers, and health information.
  – Do you still have a significant business purpose for it?
  – If not, STOP COLLECTING it!
  – If so, make sure you PROTECT it!
The Disclosure Limitation Principle
• Address privacy harms by reviewing what information you are disclosing to whom. What third parties do you share the information with?
• Ensure that you are disclosing information to others only as outlined in the notice and only as consented to — either implicitly or explicitly.
• Review contracts with third parties regularly, to ensure up-to-date and appropriate data protection language!
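The four principle slides above (Notice, Choice & Consent, Collection Limitation, Disclosure Limitation) describe checks that can be applied mechanically to a data flow. The following Python is an added example written for this page, not material from the presentation or from Indiana University: a declared "notice" maps each purpose to the minimum fields it needs, secondary purposes carry an opt-in or opt-out consent model, over-collected high-risk fields are flagged, and a record is released to a purpose (including a third party) only when the purpose is declared and consented to. The purpose names, field names, consent models, and the sample record are all constructed for illustration.

```python
"""Added example (not from the presentation): purpose-based privacy checks that
apply the Notice, Choice & Consent, Collection Limitation and Disclosure
Limitation principles to a single record. All names and data are constructed."""

from dataclasses import dataclass, field

# The "notice": declared purposes and the minimum fields each one needs.
NOTICE = {
    "course_registration": {"student_id", "name", "email"},  # primary purpose
    "alumni_newsletter": {"name", "email"},                  # secondary use
    "vendor_analytics": {"student_id", "email"},             # third-party disclosure
}
PRIMARY_PURPOSE = "course_registration"

# Consent model for each secondary purpose:
#   opt_in  -> silence means no (data is not shared without a ticked box)
#   opt_out -> silence means yes until the user asks to stop
CONSENT_MODEL = {"alumni_newsletter": "opt_out", "vendor_analytics": "opt_in"}

# Data the slides call "very sensitive or risky"; flagged if no purpose needs it.
HIGH_RISK_FIELDS = {"ssn", "credit_card", "bank_account", "health_info"}


@dataclass
class Subject:
    record: dict                                  # what the form collected
    choices: dict = field(default_factory=dict)   # purpose -> True/False as ticked


def is_permitted(subject, purpose):
    """Choice & Consent: the primary purpose is implicitly consented; secondary
    purposes follow their declared model; undeclared purposes are never allowed."""
    if purpose not in NOTICE:
        return False
    if purpose == PRIMARY_PURPOSE:
        return True
    model = CONSENT_MODEL.get(purpose)
    choice = subject.choices.get(purpose)
    if model == "opt_in":
        return choice is True
    if model == "opt_out":
        return choice is not False
    return False


def minimize(record, purpose):
    """Collection Limitation: keep only the fields the notice lists for this purpose."""
    allowed = NOTICE.get(purpose, set())
    return {k: v for k, v in record.items() if k in allowed}


def collection_findings(record):
    """Return high-risk fields collected that no declared purpose needs
    (the slide's 'If not, STOP COLLECTING it!')."""
    needed = set().union(*NOTICE.values())
    return sorted(f for f in record if f in HIGH_RISK_FIELDS and f not in needed)


def release(subject, purpose):
    """Disclosure Limitation: the minimized record for a permitted purpose, else None."""
    if not is_permitted(subject, purpose):
        return None
    return minimize(subject.record, purpose)


# Constructed sample: a form that over-collects, and a user who ticked the
# newsletter opt-out box but said nothing about vendor sharing.
SAMPLE = Subject(
    record={"student_id": "S-0001", "name": "A. Student", "email": "a@example.edu",
            "ssn": "000-00-0000", "phone": "555-0100"},
    choices={"alumni_newsletter": False},
)

if __name__ == "__main__":
    print("over-collected high-risk fields:", collection_findings(SAMPLE.record))
    for purpose in ("course_registration", "alumni_newsletter", "vendor_analytics"):
        print(purpose, "->", release(SAMPLE, purpose))
```

Running it shows `ssn` flagged as collected with no declared purpose, the registration release stripped to its three needed fields, and both secondary purposes refused: the newsletter because the user opted out, the vendor feed because nobody opted in. The point the code makes that the slides only state is that "opt in" and "opt out" differ precisely in what an unanswered checkbox means.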
Conclusion and Questions
Copyright Merri Beth Lavagnino, 2016. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.