University of Toronto Basic Privacy

January 24, 2012

PRIVACY
1. What is it? 2. Why does it matter?

3. How does it work?

4. How is it regulated? 5. What should you do?

PRIVACY: WHAT IS IT? PERSONAL INFORMATION IS

INFORMATION ABOUT AN IDENTIFIABLE INDIVIDUAL,
including, but not limited to; ethnic origin, race, religion, age, sex, sexual orientation, education, financial, employment, medical, psychiatric, psychological or criminal information, identifying numbers; S.I.N., home address, home phone number, photos, videos, identifiable recordings of individual, name appearing with / revealing other personal information etc.

NOT if acting in business or professional capacity

eg. name, position, routine work information

IDENTIFIABILITY; SPECIAL CASES

Aggregated/statistical data usually not individually linkable BUT ABSENCE OF NAMES OR OBVIOUS IDENTIFIERS MAY MISLEAD: -small-cell principle One of these seven people is HIV positive The more factors you have, the likelier identification becomes; -Asian women over age 50, with income over $200k/yr, who drive a Volvo, with postal code in M3H . Notorious/known events/facts; The B.C. pig farmer who or The driver of the vehicle which killed Future identifiability; eg, tissue samples (are the information) DNA Khaled el emam on reidentifiability: http://www.ehealthinformation.ca/

PRIVACY: WHAT IS IT? DEFINITIONS

1. Privacy of the person
- bodily privacy, blood samples, etc.

2. Privacy of personal behaviour

- religion, politics, etc., including media privacy

3. Privacy of personal communications

- interception privacy, various media

4. Privacy of personal data

- data/information privacy, control of data

PRIVACY: WHAT IS IT? To be left alone

THE RIGHT TO PRIVACY (Warren & Brandeis, 1890) right of the individual to be let alone. -in the face of changing technology - photos in newspapers

Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that "what is whispered in the closet shall be proclaimed from the housetops.
http://groups.csail.mit.edu/mac/classes/6.805/articles/privacy/Privacy_brand_warr2.html

PRIVACY: WHAT IS IT? INFORMATION PRIVACY

[The key principle of modern privacy laws]
Control over collection, use, disclosure, retention and destruction of your personal information Privacy principles embodied in Fair Information Practices.

Informational self-determination

PRIVACY: WHAT IS IT? FAIR INFORMATION PRACTICES

OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980);
http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm

European Union Directive on Data Protection (1995/1998);

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML

CSA Model Code for Protection of Personal Information (1996);

http://www.csa.ca/cm/ca/en/privacy-code/publications/view-privacy-code/article/principles-in-summary

United States Safe Harbor Agreement (2000) and EU reaction;

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML

Global Privacy Standard (2006).

www.ipc.on.ca/images/Resources/up-gps.pdf

IPCs Privacy By Design Principles

http://privacybydesign.ca/about/principles

CSA PRIVACY CODE PRINCIPLES

1. Accountability
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.

2. Identifying Purposes
The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

3. Consent
The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.

4. Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

5. Limiting Use, Disclosure and Retention

Personal information shall not be used or disclosed for purposes other than those for which it is collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of the stated purposes.

6. Accuracy
Personal information shall be as accurate, complete and up-to-date as is necessary for the purpose for which it is used.

7. Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

8. Openness
An organization shall make specific information about its policies and practices relating to the management of personal information readily available to individuals.

9. Individual Access
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information, and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

10. Challenging Compliance

An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.

http://www.csa.ca/standards/privacy/code/Default.asp?articleID=5286&language=english

PRIVACY: WHAT IS IT? PRIVACY BY DESIGN PRINCIPLES

1. 2. 3. 4. 5. Proactive, not reactive, preventive, not remedial Privacy as the default Privacy embedded into design Full functionality, positive-sum, not zero sum End-to-end security, lifecycle protection

6.
7.

Visibility and transparency

Respect for User Privacy

www.privacybydesign.ca

PRIVACY
1. Why does it matter? People want/need it Its good for business It is a legal requirement

PRIVACY LAWS ARE

A blunt instrument for individual control over PI

An approximated solution for everybody because we have weak technology

To do things right, youd need a smart agent or matrix of rights that would -know where all of your personal information is at all times -carry out your wishes and needs in real time -get it right for all your various institutions/companies/friends/family, etc -report back to you in real time of collections, uses, disclosures, etc of your pi and -operate at the level of individual data items, not gross categories Privacy laws and institutions can`t support this level of control so they err on the side of preventing broadly defined unauthorized disclosure/destruction Maybe in the future; meanwhile, IPC federated identity ideas interesting http://www.ipc.on.ca/images/Resources/F-PIA_2.pdf

LAWS BASED ON CSA PRINCIPLES

Federal Personal Information Protection and Electronic Documents Act PIPEDA Strongly consent-based; Incorporates CSA Code Principles; regulates commercial activity with personal information, inter-provincial data flows and federally-regulated endeavours like banking, insurance and telecommunications (ousted by substantially similar provincial laws), Que, Alta, BC and PHIPA http://laws.justice.gc.ca/en/showtdm/cs/P-8.6 and Ontario Personal Health Information Protection Act; PHIPA Consent basedhealth data is important/sensitiveregulates health information, explicit consent/ability to shape treatment, deemed consent for treatment, BUT research without consent , mandatory disclosure to eliminate/reduce significant risk of bodily harm
http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_04p03_e.htm#BK54

NOTICE-BASED PRIVACY LAWS

Some public sector privacy statuteslike Ontario Freedom of Information and Protection of Privacy Act FIPPA
Notice-based because government must conduct certain activities once you are notified of collection of your personal information (for a lawfully authorized activity) you may be have no control although some consent-based opting out is possible for activities, no choice because Government is only supplier or The activity is not (totally or necessarily) optional; eg: -standard setting -regulation, licensing, tracking/updating entitlements -law enforcement -emergency disclosure, public health and safety http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_90f31_e.htm

Also true of some other provincial privacy laws and Canadian public sector privacy law http://laws.justice.gc.ca/en/showtdm/cs/P-21

PRIVACY
1. How does it work? Give people notice > reasonable expectations Then stick to notices and legal requirements Use adequate security/practices There are limits to privacy (user control)

U of T NOTICE of COLLECTION
The University of Toronto respects your privacy. Personal information that you provide to the University is collected pursuant to section 2(14) of the University of Toronto Act, 1971. It is collected for the purpose of administering admissions, registration, academic programs, universityrelated student activities, activities of student societies, financial assistance and awards, graduation and university advancement, and for the purpose of statistical reporting to government agencies. At all times it will be protected in accordance with the Freedom of Information and Protection of Privacy Act. If you have questions, please refer to www.utoronto.ca/privacy or contact the University Freedom of Information and Protection of Privacy Coordinator at 416946-7303, McMurrich Building, room 201, 12 Queen's Park Crescent West, Toronto, ON, M5S 1A8.

PRIVACY LAWS REGULATE

Collection Use Disclosure Retention

Destruction
Of personal information

COLLECTION
Three requirements:

1. Must have legal authority to collect

Statutory authorization, law enforcement or necessary for program delivery, teaching purposes etc.
(for the proper administration of a lawfully authorized activity)

2. Must collect directly from individual

Limited exceptions including consent

3. Must provide notice of collection indicating;

Legal authority Principal intended uses of the personal information Individual to contact with questions

USE AND DISCLOSURE

For original or consistent purpose (see notice of collection)

With the individuals consent Internally on a need-to-know basis To comply with legislation, other legal requirements For specific compassionate circumstances Where necessary for fundraising With periodic notices & opt-outs limited other circumstances

SECURITY vs. PRIVACY

Privacy involves institutions legal obligations, especially for collection, use, disclosure, retention and destruction of personal information, in support of individual privacy
Privacy is a legal right/obligation of individual/institution FIPPA part III sets out privacy protections

Security comprises lock-and-key measures; data integrity, protection, confidentiality and identity authentication
Security supports and is a key enabler for privacy FIPPA General Reg. s. 4 lists security requirements

There can be no privacy without security

SECURITY
End-to-end (full lifecycle, all contexts)
Physical Technical / IT systems Administrative / behavioural (incl. policy)

Data should be protected like other assets

No universal due diligence standards but

PAPER VS. ELECTRONIC RECORDS

Historic disclosure of records in paper form can be a poor basis for putting them online Eg. -property assessment records -records of town/city council meetings -records of administrative tribunals -certain types of licensing records -voters lists Balance possible privacy impacts against benefits/objectives of proposed activity Electronic posting unlike historical availability of paper records ( practical obscurity) -(world) wide distribution (beyond local interests) -easy copying/aggregation into other databases/uses -loss of control by originating body -persistence beyond control of originating body U.S. papers on practical obscurity: http://www.nyls.edu/user_files/1/3/4/17/49/Vol49no3p967-992.pdf http://repositories.cdlib.org/cgi/viewcontent.cgi?article=1022&context=ischool

PRIVACY
1. What should I do? Give users clear information

Support User rights and expectations

Keep it simple Know your organization

SETTING REAL WORLD (legal) LIMITS

What is possible? technology / business etc. Philosophy Beliefs What do people need, want, fear? Principles

Government response to public expectations

Law

Policy
Practices

PRIVACY LIMITS
Privacy (in data protection laws) is never absolute; some exceptions for: -Law enforcement -Public health -Legal processes (generally supersede statutory privacy protections) subpoenas, summonses, court orders, etc. -Other legislation emergency management, health protection, anti-terrorism etc. data protection laws are made by law-makers, who may discover new priorities, exceptions or other reasons to change or abrogate privacy. The balance is found in the same way as other political/social balances. Public involvement, consultation and advocacy help to guide politicians

WORK REASONABLY
WITHIN LEGAL LIMITS AND IN UNREGULATED ACTIVITIES If you can, do the activity without personal information. Be creativeanonymize, use non-identifying token; eg. IPC HWY 407 solution:
http://www.ipc.on.ca/english/Resources/Discussion-Papers/Discussion-Papers-Summary/?id=335

-Is the personal information NECESSARY If personal information is NECESSARY for an activity; balance privacy interests being compromised against the value of the activity; eg. -public health surveillance threshold: Where between the common cold & SARS?? Beware erroneous (often well-established) misconceptions: -business may want more information than needed for a transaction -law enforcement personnel may look for a lot of data on everybody -a building manager may want access to video surveillance records.. How do you decide what is rightwhat is enough?

HELP SET USEFUL PRIVACY LIMITS

ALWAYS ask: What EXACTLY is the activity or function? What EXACTLY are the objectives of the activity? -- get a COMPLETE list Determine what actions are NECESSARY to achieve the objectives, then (and only then) -Define and list EXHAUSTIVELY what PI is NECESSARY to accomplish the actions -Check existing legal parameters; can you collect, use, disclose the PI? -Even if you can legally collect, use, disclose etc., or are UNREGULATED: -can you do the task without PI? -if not, can you get away with less/partial information? -Consider how well the activity can be delivered with more or less PI -Consider financial impacts/benefits of having/using more or less PI -How can you minimize/eliminate privacy risks?

Remember risks of having PI breaches, data loss, ID theft, etc. Consider impact on your client/employer of a breach or misuse of data;
For example, IPC/MTO arrangement re access to driver and vehicle license databases http://www.ipc.on.ca/images/Resources/up-1num_25.pdf

PRIVACY IMPACT ASSESSMENTS

A living document that develops with a project to Identify privacy risks for leadership attention by By setting examining and evaluating: Project data flows at transactional level, evaluating against; law, standards, policy/practice, community expectation eg. PHIPA, FIPPA, PbD, CSA, Institution policies, practices, community consultations A team effort; IT, Security, Privacy, Legal, etc Results in a listing of residual privacy risks for leadership to accept, or remedy; Roger Clarke historical PIA paper: http://www.rogerclarke.com/DV/PIAHist-08.html

ABOUT SECURITY

Most security measures cant guarantee confidentiality They make unauthorized access difficult so information is less likely to be accessed. Well chosen and applied security reduces the probability unauthorized access as much as circumstances and resources permit.

ELECTRONIC RECORD SECURITY

Keep electronic records of confidential information in a secure server environment. Access confidential records securely through encrypted channels, such as virtual private networks. Only remove confidential records from a secure server with authorization, operational need, and it there is no other reasonable means to accomplish the task. Out of secure server environment, keep confidential electronic records encrypted (eg. in transit and storage). Server drives likely to be encrypted soon.

CLOUD COMPUTING; TWO PAPERS

Privacy in the Clouds IPC User-centric identity management infrastructure will be the answer
http://www.ipc.on.ca/images/Resources/privacyintheclouds.pdf

Roger Clarke Cloud Computing paper: Cloud computing emerged during 2006-09 as a fashion item.
http://www.rogerclarke.com/EC/CCEF.html

WHEN YOU OWN THE SYSTEM

Your IT / security staff should know your systems, existing and planned

Data flows should be understood and finely mapped This activity is key to privacy or threat/risk assessments
Even if you are outsourcing, do this detailed work for any in house components or parts of the system/service

WHEN YOU DO NOT OWN THE SYSTEM

Do all you can to understand the vendors systems as well and completely as possible: Ask for detailed data flows, systems maps, etc. Have your IT / security staff meet the vendors Enter into NDAs as necessary to learn as much as possible But the vendor might not let you see enough for you to assess privacy/security to your satisfaction You will have to establish trust, ..based on assurances that you can verify

CHECKING OUT THE VENDOR

Cloud or not, check: Institutional procurement process/experts; RFI, RFP, etc Reference checks,

Information from other clients,

Letters of recommendation Reputation, past record

Compliance with/breach of legislative requirements

Certifications Interview the contractor

SOME POSSIBLE VENDOR ASSURANCES

Compliance with your privacy/security requirements Confidentiality; no information sale, tracking, data mining Governing law preferably Ontario No disclosures except as required by law

Staff training, need-to-know access, confid. Agreements

No third party contractors, or standards as for staff Data minimization Breach notification, investigation, remediation/mitigation Security; IT, physical, administrative/behavioural Periodic update and maintained currency of assurances Location of servers, data, etc, etc, etc

SECURING ASSURANCES
A negotiation with your vendor, involving: Procurement

IT/CIO staff
Legal Privacy Other experts as required.

ASSURANCES MUST BE VERIFIED

Operational Audits
Security Audits Active Security Testing Etc All to be incorporated into your agreement(s)

ORGANIZATIONAL SUGGESTIONS
Keep it simple!!
Use simple binary rules; -Confidential or not -Secured or not
Provide clear guidance/rules --- avoid fuzzy lines, difficult distinctions If its not officially designated as public, its confidential If its electronic, keep it in a secure institutional server or keep it encrypted If its hard copy, keep in a locked cabinet inside a locked, non-public space Provosts security guideline
http://www.provost.utoronto.ca/policy/FIPPA_-_Guideline_Regarding_Security_for_Personal_and_Other_Confidential_Information.htm

ORGANIZATIONAL SUGGESTIONS
Know the Organization:
Mission, purposes, rules

How is it governed?

How is it administered? Think like an executive.big picture Avoid becoming a narrow expert

FREEDOM OF INFORMATION AND PROTECTION OF PRIVACY OFFICE

Rafael Eskenazi FIPP Director Tel: (416) 946-5835 E-Mail: [email protected] University of Toronto FIPP Office McMurrich Building, Room 201 12 Queens Park Crescent West Toronto, ON M5S 1A8 Fax: (416) 978-6657