Privacy issues on pan-European White Pages service
4th TF-LSD Meeting Amsterdam, 29.10.2001
Peter Gietz, Peter.gietz@DAASI.de

Agenda
• Some more texts
• P3P
• NEEDS solution
• Privacy issues of the CIP WPS
• Organizational and technical solutions

New valuable texts
• Commission of the European Communities: Proposal for a Directive of the European Parliament and the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector, Brussels, 12.7.2000, COM(2000) 385 final, 2000/0189 (COD)
  • Changes to Directive 97/66/EC to enlarge the scope from telephone to general data traffic

Other texts
• Data protection in the European Union
  • Introductory text that discusses the matter for the user
• Directory Workshop: Data Privacy Protection, 4.4.2001, ISSS/WS-DIR, www.cenorm.be/isss/Workshop/dir/Details/dataprot.htm
  • Short and introductory

P3P: a new standard
• The Platform for Privacy Preferences 1.0 (P3P1.0) Specification, W3C Working Draft 28 September 2001
  • Concerns privacy of information supplied to Web sites
  • RDF/XML descriptions of privacy policies that can be automatically processed in HTTP client-server communication

P3P vocabulary excerpt
• Data categories, e.g.:
  • Physical contact information
  • Online contact information
  • Computer information
• Consequences
  • Human readable description of the results of agreeing to a proposal
• Purpose
  • Purposes for collecting data
• Recipients
  • Who else than the service provider gets access to the data

P3P and Directories
• When using Web gateways that allow data to be added or modified, P3P usage is obvious
• Data structures could be used:
  • To store privacy statements of directory services
  • To store user privacy preferences
• More research is needed

Who else is working on this?
• Walter M. Tveter, University of Oslo: Privacy aspects of the NEEDS project
  • Educational institutions (EIs) are owner and controller and thus responsible
  • NRNs are processors and service providers on their behalf
  • EIs grant rights to NRNs via contract
  • NRNs grant rights to other NRNs via contract
  • EIs have all contacts to subjects and national data protection agencies

Privacy Issues
• Controller and processor are the maintainers of the actual data server
• Do the maintainers of the index service have the same legal bindings to the data subject?
• If not all data subjects have consented to transmission to countries with inadequate legislation, transmission to those countries has to be prevented

Organizational Solutions
• Define and stick to purpose of service
• Call for a data protection officer
• Define who is the controller and who is processor
• Define and restrict population of data subjects
• Define procedures for how the data are gathered and processed
• Inform data subjects (e.g. via email) about:
  • Who collected data
  • What data
  • For what purpose
  • The rights of the data subject

Organizational Solutions (contd.)
• Define procedure of informing the data subjects about rights and data updates
• Define how data subjects can make use of their rights (e.g. via signed e-mail, Web form)
• Preferably obtain user consent when the user applies for a user account
• Only collect minimum set of data attributes
• Publish and disseminate all organizational definitions in a policy text

Technical Solutions
• Establish adequate security against loss, damage and unlawful access or manipulation of the data
• Restrict maximum number of retrievable entries
• Disallow wildcards
• Restrict number of searchable attributes
• Detect robots and refuse service to them

Issue of export to third countries:
Either:
• Restrict access to users from countries with adequate privacy legislation
• Disallow access from proxies
Or:
• Let the subject decide to be visible
  • Only in their own institution
  • Only within their own country (???)
  • Only within the EU
  • World wide
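
The query restrictions from the "Technical Solutions" slide and the per-subject visibility choice above can be combined in one search guard; the following Python is an added example, not part of the original slides. The entry limit, attribute allowlist, country subset, field names and sample entries are constructed assumptions, and the client's country, organization and proxy flag are assumed to be determined upstream.

```python
# Added example; limits, field names and sample entries are constructed assumptions.
MAX_ENTRIES = 3                       # small cap so the sample shows truncation
SEARCHABLE = {"cn", "sn", "o"}        # assumed allowlist of searchable attributes
EU = {"DE", "NL", "FR", "IT"}         # illustrative subset, not a complete list

def check_query(query):
    """Reject queries that would make bulk harvesting easy."""
    if not query:
        raise ValueError("empty query")
    for attr, value in query.items():
        if attr.lower() not in SEARCHABLE:
            raise ValueError(f"attribute not searchable: {attr}")
        if "*" in value or len(value.strip()) < 2:
            raise ValueError(f"wildcard or too-short value for {attr}")

def visible(entry, client):
    """Apply the data subject's chosen visibility scope to this client."""
    scope = entry.get("visibility", "institution")  # no choice: most restrictive
    if scope == "world":
        return True
    if client.get("via_proxy"):       # origin unknown: release nothing scoped
        return False
    if scope == "eu":
        return client.get("country") in EU
    if scope == "country":
        return client.get("country") == entry["c"]
    return client.get("org") == entry["o"]          # "institution" or unknown

def search(entries, query, client):
    """Return at most MAX_ENTRIES exact matches the client is allowed to see."""
    check_query(query)
    wanted = {a.lower(): v.strip().lower() for a, v in query.items()}
    hits = [e for e in entries if visible(e, client)
            and all(e.get(a, "").lower() == v for a, v in wanted.items())]
    return hits[:MAX_ENTRIES]

ENTRIES = [  # constructed sample data
    {"cn": "Anna Beispiel", "sn": "Beispiel", "o": "Uni A", "c": "DE", "visibility": "institution"},
    {"cn": "Ben Beispiel", "sn": "Beispiel", "o": "Uni A", "c": "DE", "visibility": "country"},
    {"cn": "Cato Beispiel", "sn": "Beispiel", "o": "Uni B", "c": "NL", "visibility": "eu"},
    {"cn": "Dora Beispiel", "sn": "Beispiel", "o": "Uni B", "c": "NL", "visibility": "world"},
    {"cn": "Emil Beispiel", "sn": "Beispiel", "o": "Uni C", "c": "FR"},  # no choice recorded
]

if __name__ == "__main__":
    local = {"country": "DE", "org": "Uni A"}
    print([e["cn"] for e in search(ENTRIES, {"sn": "Beispiel"}, local)])
```

An entry with no recorded choice falls back to institution-only visibility, and a client behind a proxy only ever receives entries marked world wide.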

Technical Solutions (contd.)
• Encrypt index objects while on the net
• Define crawler policies
• Only let registered crawlers access the data
• Enforce digital signatures for e-mail consent of the data subjects

How to proceed?
• We should restrict ourselves to EC Directives
• But not quote a lot of them
• A template privacy policy text should be included
• A template privacy policy P3P definition should be included?
• Contact Working Party?