Lavignino Do You Know Your Privacy Risks
-
Upload
national-information-standards-organization-niso -
Category
Education
-
view
167 -
download
1
Transcript of Lavignino Do You Know Your Privacy Risks
![Page 1: Lavignino Do You Know Your Privacy Risks](https://reader033.fdocuments.in/reader033/viewer/2022052705/5877e0221a28abaa6c8b730b/html5/thumbnails/1.jpg)
PUBLI C SAFETYand
INSTITUT IONALA S S U R A N C E
Do You Know Your Privacy Risks?
MerriBethLavagnino,ChiefRiskOfficerIndianaUniversity
![Page 2: Lavignino Do You Know Your Privacy Risks](https://reader033.fdocuments.in/reader033/viewer/2022052705/5877e0221a28abaa6c8b730b/html5/thumbnails/2.jpg)
PUBLI C SAFETYand
INSTITUT IONALA S S U R A N C E Privacy definition
“Privacyistheclaimofindividuals,groupsorinstitutionstodetermineforthemselveswhen,how,andtowhatextentinformationaboutthemiscommunicatedtoothers.”
– AlanWestin:Privacy&Freedom,1967
![Page 3: Lavignino Do You Know Your Privacy Risks](https://reader033.fdocuments.in/reader033/viewer/2022052705/5877e0221a28abaa6c8b730b/html5/thumbnails/3.jpg)
PUBLI C SAFETYand
INSTITUT IONALA S S U R A N C E But, it’s a moving target…
“Eachindividual iscontinuallyengagedinapersonaladjustmentprocessinwhichhebalancesthedesireforprivacywiththedesirefordisclosureandcommunication.”
– AlanWestin:Privacy&Freedom,1967
![Page 4: Lavignino Do You Know Your Privacy Risks](https://reader033.fdocuments.in/reader033/viewer/2022052705/5877e0221a28abaa6c8b730b/html5/thumbnails/4.jpg)
PUBLI C SAFETYand
INSTITUT IONALA S S U R A N C E
Here’s how you do a privacy assessment of a service, project, initiative, app, etc.!• IdentifythepotentialPrivacyHarms• Determinewhatyourinstitution’spositionwillbe– UsethePrivacyPrinciplestodevisewaystoreducetheharms
– Youmustdotheminimumrequiredbylaw,but,youalsocanchoosetodomorethanisrequiredbylaw
![Page 5: Lavignino Do You Know Your Privacy Risks](https://reader033.fdocuments.in/reader033/viewer/2022052705/5877e0221a28abaa6c8b730b/html5/thumbnails/5.jpg)
PUBLI C SAFETYand
INSTITUT IONALA S S U R A N C E
First, identify the Privacy Harms
• BrainstormthepossibleharmssoyoucantrytoANTICIPATE(andthenplantoreduceorevenavoid)theseharms
• Manytheoristsinthisarea–WilliamProsserin1960– AlanWestinin1967– DanielJ.Solove’s 2008“TaxonomyofPrivacy”
![Page 6: Lavignino Do You Know Your Privacy Risks](https://reader033.fdocuments.in/reader033/viewer/2022052705/5877e0221a28abaa6c8b730b/html5/thumbnails/6.jpg)
PUBLI C SAFETYand
INSTITUT IONALA S S U R A N C E
Whatthepersonmightthink: “They arecollectinginformationaboutwhatI amdoing- morethantheyshould!”Examplesinclude:
§ Surveillance—watching,listeningto,orrecordinganindividual’sactivities
§ Interrogation— inappropriatelyprobingforinformation§ Visual— viewingprivateactivitieswithouttheindividual’s
knowledge§ Communications—tappingyourphone,email,Internettraffic§ TooMuchInformation(TMI)— askingfor“private"information
unnecessarily
TheInformationCollectionHarm
![Page 7: Lavignino Do You Know Your Privacy Risks](https://reader033.fdocuments.in/reader033/viewer/2022052705/5877e0221a28abaa6c8b730b/html5/thumbnails/7.jpg)
PUBLI C SAFETYand
INSTITUT IONALA S S U R A N C E
Whatthepersonmightthink: “They havealotofdataaboutme,andtheyarestoring,manipulating,andusingit!” Examplesinclude:§ Aggregation— combiningpiecesofinformationaboutan
individualthatwerecollectedfromdifferentsources§ Identification— linkingunidentifiedinformationelementsto
particularindividuals§ Insecurity— failuretoprotectinformationfromleaksand
unauthorizedaccess§ Secondaryuse— useofcollectedinformationforapurpose
differentfromtheuseforwhichitwascollected,withouttheindividual’sconsent
§ Exclusion—usingdatatoexcludeanindividual,especiallyifthedatawasincorrectorinterpretedincorrectly
TheInformationProcessingHarm
![Page 8: Lavignino Do You Know Your Privacy Risks](https://reader033.fdocuments.in/reader033/viewer/2022052705/5877e0221a28abaa6c8b730b/html5/thumbnails/8.jpg)
PUBLI C SAFETYand
INSTITUT IONALA S S U R A N C E
Whatthepersonmightthink: “They spreadortransferinformationaboutme—morethanIthinktheyshould!”Examplesinclude:§ Breachofconfidentiality— breakinganagreementtokeep
informationconfidential§ Disclosure— disclosingdatatopersonsorentities theindividual
doesn’texpect§ Exposure— revealingintimate information,asinapublic
exposureofprivatefacts§ Increasedaccessibility— amplifyingtheaccessibility ofinfo§ Blackmail— athreattodisclosepersonalinformation§ Appropriation— theuseofanindividual’s identity,suchasusinga
nameorpicture,withouttheindividual’spermission§ Distortion— disseminating falseormisleading informationabout
individuals
TheInformationDisseminationHarm
![Page 9: Lavignino Do You Know Your Privacy Risks](https://reader033.fdocuments.in/reader033/viewer/2022052705/5877e0221a28abaa6c8b730b/html5/thumbnails/9.jpg)
PUBLI C SAFETYand
INSTITUT IONALA S S U R A N C E
Whatthepersonmightthink: “They comeintomyspaceandcontactme,ortellmewhattodo!”Examplesinclude:§ Invasionsintoprivateaffairs§ Invasiveactsthatdisturbanindividual’stranquilityorsolitude§ Decisionalinterference— enteringintoanindividual’sdecisions
regardingherprivateaffairs§ Unwantedemail— didyouknowthatunwanted
communicationsintoanindividual’spersonalspace,includingheremailinbox,isconsideredaprivacyinvasion?
§ Unwantedphonecalls—enteringintoanindividual’spersonalspacebycallinghispersonalphonenumber(especiallyifitisamobilephone)
§ Enteringaroomwithoutknocking
TheInvasionHarm
![Page 10: Lavignino Do You Know Your Privacy Risks](https://reader033.fdocuments.in/reader033/viewer/2022052705/5877e0221a28abaa6c8b730b/html5/thumbnails/10.jpg)
PUBLI C SAFETYand
INSTITUT IONALA S S U R A N C E
Once you’ve identified the possible HARMS...
• ThenusethePrivacyPRINCIPLEStodesigncontrols/safeguardsthatappropriatelyaddressthoseharms
![Page 11: Lavignino Do You Know Your Privacy Risks](https://reader033.fdocuments.in/reader033/viewer/2022052705/5877e0221a28abaa6c8b730b/html5/thumbnails/11.jpg)
PUBLI C SAFETYand
INSTITUT IONALA S S U R A N C E
Sources of privacy principles• AmericanInstituteofCertifiedPublicAccountants,Inc.
(AICPA)andCanadianInstituteofCharteredAccountants(CICA).GenerallyAcceptedPrivacyPrinciples.August,2009.
• U.S.FederalTradeCommission(FTC).FairInformationPracticePrinciples.1998.
• OrganisationforEconomicCo-operationandDevelopment(OECD).OECDGuidelinesontheProtectionofPrivacyandTransborder FlowsofPersonalData.1980,revised2013.
• U.S.DepartmentofHomelandSecurity(DHS).DHSFairInformationPracticePrinciples.2008.
• U.S.WhiteHouse.ConsumerDataPrivacyinaNetworkedWorld(a.k.a.ConsumerPrivacyBillofRights). 2012.
![Page 12: Lavignino Do You Know Your Privacy Risks](https://reader033.fdocuments.in/reader033/viewer/2022052705/5877e0221a28abaa6c8b730b/html5/thumbnails/12.jpg)
PUBLI C SAFETYand
INSTITUT IONALA S S U R A N C E
Different terminology…but same general concepts
DHS
• Transparency• IndividualParticipation• PurposeSpecification• DataMinimization• UseLimitation• DataQualityand
Integrity• Security• Accountabilityand
Auditing
GAPP• Management• Notice• ChoiceandConsent• Collection• UseandRetention• Access• DisclosuretoThird
Parties• SecurityforPrivacy• Quality• Monitoringand
EnforcementIndianaUniversityPrivacyPrinciples:https://protect.iu.edu/online-safety/program/principles.html
![Page 13: Lavignino Do You Know Your Privacy Risks](https://reader033.fdocuments.in/reader033/viewer/2022052705/5877e0221a28abaa6c8b730b/html5/thumbnails/13.jpg)
PUBLI C SAFETYand
INSTITUT IONALA S S U R A N C E
§ Usually,theeasiestwaytoaddressprivacyharmsisbyidentifyingawaytoinform,orprovide“notice”tousersofinstitutionalpracticesaroundthedatacollectedfromthem.
§ Postingaprivacypolicyonyourwebsite,orexplainingonaformorloginscreentheplansforthedatathatuserswillenter,isawaytoprovidenotice.
TheNoticePrinciple
![Page 14: Lavignino Do You Know Your Privacy Risks](https://reader033.fdocuments.in/reader033/viewer/2022052705/5877e0221a28abaa6c8b730b/html5/thumbnails/14.jpg)
PUBLI C SAFETYand
INSTITUT IONALA S S U R A N C E
• Addressprivacyharmsbyidentifyingawaytoobtainimplicitorexplicitconsentfromindividualswithrespecttothecollection,use,disclosure,andretentionoftheirinformation.
• Choicemayapplyto"secondaryuses"—thatis,usesbeyondtheoriginalreasonsforwhichthedatawasprovided.
• Choicemaybe"optin"(datawillnotbesharedwithoutconsent),or"optout"(usermustrequesttostopthesharingorcontacting).
• Considerprovidingcheckboxestoindicateconsenttovarioususes.
TheChoice&ConsentPrinciple
![Page 15: Lavignino Do You Know Your Privacy Risks](https://reader033.fdocuments.in/reader033/viewer/2022052705/5877e0221a28abaa6c8b730b/html5/thumbnails/15.jpg)
PUBLI C SAFETYand
INSTITUT IONALA S S U R A N C E
• Privacyharmscanbeaddressedbyreviewingwhatdataisbeingcollectedandensurethatyouarecollectingonlytheinformationneededtoachievethepurposesidentified,insupportoftheorganization’smission,andasoutlinedinthenotice.
• EspeciallycriticalareverysensitiveorriskypiecesofdatasuchasSocialSecuritynumbers,creditcardnumbers,bankaccountnumbers,andhealthinformation.– Doyoustillhaveasignificantbusinesspurposeforit?– Ifnot,STOPCOLLECTINGit!– Ifso,makesureyouPROTECTit!
TheCollectionLimitationPrinciple
![Page 16: Lavignino Do You Know Your Privacy Risks](https://reader033.fdocuments.in/reader033/viewer/2022052705/5877e0221a28abaa6c8b730b/html5/thumbnails/16.jpg)
PUBLI C SAFETYand
INSTITUT IONALA S S U R A N C E
• Addressprivacyharmsbyreviewingwhatinformationyouaredisclosingtowhom.Whatthirdpartiesdoyousharetheinformationwith?
• Ensurethatyouaredisclosinginformationtoothersonlyasoutlinedinthenoticeandonlyasconsentedto—eitherimplicitlyorexplicitly.
• Reviewcontractswiththirdpartiesregularly,toensureup-to-dateandappropriatedataprotectionlanguage!
TheDisclosureLimitationPrinciple
![Page 17: Lavignino Do You Know Your Privacy Risks](https://reader033.fdocuments.in/reader033/viewer/2022052705/5877e0221a28abaa6c8b730b/html5/thumbnails/17.jpg)
PUBLI C SAFETYand
INSTITUT IONALA S S U R A N C E
Conclusion and Questions
![Page 18: Lavignino Do You Know Your Privacy Risks](https://reader033.fdocuments.in/reader033/viewer/2022052705/5877e0221a28abaa6c8b730b/html5/thumbnails/18.jpg)
PUBLI C SAFETYand
INSTITUT IONALA S S U R A N C E
CopyrightMerriBethLavagnino,2016.Thisworkistheintellectualpropertyoftheauthor.Permission isgrantedforthismaterialtobesharedfornon-commercial,educationalpurposes, provided thatthiscopyrightstatementappearsonthereproduced
materialsandnoticeisgiventhatthecopyingisbypermissionof theauthor.Todisseminateotherwiseortorepublish requireswritten
permission fromtheauthor.