United StatesDepartment of Justice
www.it.ojp.gov/globalwww.it.ojp.gov/global
Implementing Privacy Policy in Justice Information Sharing:
A Technical Framework
John Ruegg, Chair, Global Technical Privacy Task Teamand
Dr. Alan Harbitter, IJIS Institute
10/31/2007
United StatesDepartment of Justice
www.it.ojp.gov/globalwww.it.ojp.gov/global
Topics• Approach Overview• Privacy Policy Technical Framework and
Components• Applying the Framework to a Simple Use Case• Implementing the Framework• Task Progress Summary
United StatesDepartment of Justice
www.it.ojp.gov/globalwww.it.ojp.gov/global
Underlying Principles and Assumptions• Do not invent new technology• Focus on the domain-specific components required for
interoperability (e.g., standards, specific metadata)• For now, focus on access rather than collection• Assume that there is a written policy in place• Briefly, we are going to
– Identify technologies to translate written privacy policy in machine-readable form
– Define the pieces necessary to link justice information systems to that policy
United StatesDepartment of Justice
Technical Framework
Audittrail
Environmentalconditions
Written policy
Obligations
Actions: release, modify, access, delete, …
Response
message
Content metadata
Electronic policy
statements (dynamic, federated)
PEP
PDP
Request
message
Identitycredentials
PEP: Policy Enforcement PointPDP: Policy Decision Point
United StatesDepartment of Justice
www.it.ojp.gov/globalwww.it.ojp.gov/global
Example Electronic Privacy Policy Rule
• Specific to justice applications– Allow (oc) law enforcement ORIs (uc) to perform
Updates (a) on criminal history records (dc) under the condition where the ORI is the record owner (c) for criminal history reporting (p) requiring logging of actions (o)
uc: User categoriesa: Actionsdc: Data categoriesc: Conditionsp: Purposeso: ObligationsOc: Outcome
United StatesDepartment of Justice
Simple Use Case: A Cross-Jurisdictional Traffic Stop
United StatesDepartment of Justice
www.it.ojp.gov/globalwww.it.ojp.gov/global
Implementation Cost Considerations• Balance cost, risk, and complexity
– Human MOU with no technical implementation standards
– Low-hanging fruit such as encryption of portable media (memory sticks, laptops, etc.)
– Larger investment and support required for fine-grained than for coarse-grained authorization
United StatesDepartment of Justice
www.it.ojp.gov/globalwww.it.ojp.gov/global
It’s Not All Technology • Training and outreach• Legal research of laws governing privacy and disclosure
requirements• Establishment of information stewards and policy decision makers
– Confidentiality of personal information– Appropriate Use Practices– Appropriate dissemination policy– Physical security measures– Procedural measures– Policy on portable devices/media – Separation of security administration roles
United StatesDepartment of Justice
www.it.ojp.gov/globalwww.it.ojp.gov/global
Global Tech Privacy Team Status Update • First draft report delivery—June 2007• Global Working Groups, GESC, and IJIS reviews—
July/August 2007 • Final draft—executive review and ready for release
in fall 2007• Follow-up and next steps—currently under
consideration by GAC GESC: Global Executive Steering CommitteeIJIS: Integrated Justice Information System Institute
United StatesDepartment of Justice
www.it.ojp.gov/globalwww.it.ojp.gov/global
Next Steps• Action items and assignments
– Privacy Policy Pilot Projects • Global Security Working Group (GSWG)• Global Privacy Information Quality Working Group (GPIQWG)
– Continued integration with Justice Reference Architecture (JRA)
• Global Infrastructure Standards Working Group (GISWG)
– Mature metadata and integrate with NIEM/GJXDM/GFIPM
• XML Structure Task Force (XSTF)
United StatesDepartment of Justice
www.it.ojp.gov/globalwww.it.ojp.gov/global
Recommendations• Adopt the Privacy Policy Technical Framework• Adopt the common set of standards and metadata
that are specific to the justice domain and aligned with current initiatives
• Develop a transition strategy for moving to enterprise electronic policy services
United StatesDepartment of Justice
www.it.ojp.gov/globalwww.it.ojp.gov/global
Questions?
United StatesDepartment of Justice
www.it.ojp.gov/globalwww.it.ojp.gov/global
GAC Recommendations1. Adopt Implementing Privacy Policy in Justice
Information Sharing: A Technical Framework2. Recommend as resource Implementing Privacy
Policy in Justice Information Sharing: A Technical Framework Executive Summary Flyer
3. Recommend as resource Global Federated Identity and Privilege Management Executive Summary Flyer