IAPP CIPT – Core Privacy Concepts

1. Foundational elements for embedding privacy in IT (1)

Hi guys. In this lesson, we’ll discuss about foundational elements for embedding privacy in it. Without privacy policies in place and proper training for employees, it is extremely difficult to ensure that employees are following proper privacy practices. An organizational privacy policy is the first essential piece of collateral material needed for an effective privacy program. The privacy policy must come before a privacy notice is created, as the notice is a reflection of a company’s privacy policy. Likewise, setting up privacy training is not practical until a policy is in place. Let’s take a look at organizational privacy notice. The Privacy Notice is an external instrument that informs the outside world about an organization’s privacy practices. It is a reflection of the organization and its commitment to privacy and can affect its brand. It provides transparency for consumers and comfort for privacy advocates. In some jurisdictions, it’s a legal requirement.

The sheer size of a privacy notice can be daunting to the average website visitor. Having a Privacy Notice that fits on the one page and covers the most important aspects of an organization’s privacy practices will go a long way towards setting the website visitor at ease. There are a list of sections that should exist in a privacy Notice, and they include information that consumers as well as privacy advocates and regulators will want to know about. Organizations with fewer or more complex data handling practices may require fewer or more sections. What data is collected. This is one of the most important pieces of the Privacy Notice, as it lets everyone know what data is collected and by extension, what data is not collected. This declaration should include data that is observed inferred and declared directly from users, as well as data collected from third party.

How Collected Data is Used this section describes how collected data is used across the organization. It should provide a general description of data usage, including how the data may be used by all groups across the organization. How Collected Data is Shared this section should cover how data is shared not only outside the organization, but with which teams across the organization. User control over Collected Data this section should describe how users can control the collection and use of their data. There should be a description of any preference or configuration management system that will help users manage how their data is collected or used. Controlling marketing Contact Users should be able to control how and when an organization contacts them. Service and transactional emails are expected when an individual creates a relationship with an organization or purchases a product.

However, those same individuals should not have to be subjected to marketing emails in order to receive service emails. Use of Cookies and Other Tracking Mechanisms Cookies are the main mechanisms by which organizations keep track of visitors to their websites. However, companies may use Flash cookies, locally stored objects, HTML five storage fingerprinting, or some other means to track users. A description should be provided to users about the tracking mechanism. Gaining Access to Data the Naughty should explain how users can access the data an organization holds on them. Resolving Privacy Issues this section should describe how users can resolve privacy issues they may have within an organization. This can be handled via an online form, email address, phone number or postal address.

Date of Privacy Notice and Changes to Privacy Notice Users should be made aware of how often a privacy notice may be changed and how they will be informed of changes. Users should be also provided with the means to see previous versions of a privacy notice. Let’s now take a look at the organizational privacy policy. The Privacy Policy is the guiding set of privacy principles used by teams within an organization to help them understand their privacy obligations as they develop software and services, create marketing campaigns, work with vendors, and engage the general public.

Privacy Policy also serves as a guide for all organizational activities and drives the commitments made within the privacy notice. Because of the eventual impact of the Privacy Policy, those creating it should be careful not to make the policy overly prescriptive and or restrictive, as this could limit the business potential of some groups. The Organizational Privacy Policy should provide general guidelines while giving business groups the flexibility to provide more prescriptive rules that support their business goals.

An organization’s privacy policy should, at a minimum, cover the following topics Types of Data Classification Data Collection Principles this description should indicate the notification control protection requirement, minimization requirements, and sharing limits for collected data. Protection of Data The type of protection required, be it encryption or access control, will typically vary based on the classification of the data. Data Retention Period treatment of Sensitive Data The definition of sensitive data can be elusive as everyone has a different idea of what is sensitive and that can change with context. Most jurisdictions agree that specific medical and financial data is sensitive.

However, religion, political views, ethnicity, sexual preference and entertainment choices can be considered sensitive to certain people and locals. Sharing of data across Groups A policy should describe the management of data as it is shared across groups within an organization. It is important that the policy take into account the privacy commitments made at the time by the group originally collecting the data. Sharing of data with partners and vendors creation of Departmental Privacy Policies Groups within an organization will often create a privacy policy that covers their specific processing of collected data. These policies must not conflict with the organizational policy. The organizational privacy team should be involved in the sign off of departmental privacy policies.

As the organization’s privacy policy evolves, departmental policies must be updated to reflect any changes that might impact these policies. Performance of Privacy Reviews A privacy policy should outline when and how privacy reviews should occur. Participation in a Privacy Response Center All organizations should have a privacy response center in place that responds to external privacy incidents. The Privacy Policy should detail how groups within the organizations should be involved in the Privacy Response Center and indicate the obligations of each group in response to a privacy incident. Responding to Privacy Inquiries Privacy inquiries can be received by organizations that are not caused by a privacy incident.

Regulators, consumer advocates, or journalists may have general questions about an organization’s privacy practices, notifications, or plan. The Privacy Policy should describe how privacy inquiries will be handled and who should be involved in the response to privacy inquiries and responding to data requests. Data requests can come from users who own the data, law enforcement agencies, or third parties wishing to have access to data. An organization’s privacy policy should indicate the conditions under which data requests will be honored and outlined the process for verifying the rightful owner of the data. Let’s take a look at the organizational security policy. Organizational security policies help to protect an organization’s infrastructure and vital resources. It is the security policies that help maintain an organization’s privacy policies.

An organization should go through a security review to determine where its risks are. Performing a privacy impact assessment, which will be discussed later, can help identify where security practices will need to be applied in order to mitigate privacy risks. An evaluation should be done for every data source to understand what security measures need to be in place to protect it. Sometimes simply putting inadequate access control is enough. At other times, more advanced access controls, password protection, encryption, and isolation techniques may have to be deployed. We’ll discuss about four areas access control, encryption, password control, and intrusion detection. Regarding access Control, this is a mechanism by which access permission to resource is managed. An Access Control List, or ACL, consists of a series of access control entries.

Each entry contains the name of an entity and the type of access the entity has to a particular resource. There are different types of access controls that may be implemented on a system. Discretionary Access Control is a mechanism by which a user has complete control over all the resources he or she owns. It’s called DAC or DAC. Mandatory access Control is a mechanism where only the administrator can assign access rights to a resource. Role based Access Control manages an entity’s access to resources based on organizational roles. And Attribute Based access Controls is an extension of role based access control in that it permits the addition of attributes to refine an entity’s description. Encryption is an important tool for protecting sensitive data. Two examples of encryption, SSL Protocol and TLS protocol, help to protect data that is transmitted directly from client to server machines and server to server machines. SSL is commonly used to protect communications between a browser and web server.

TLS is often used to protect email as it is transmitted between email servers for protecting data at rest, symmetric and asymmetric encryption can be used. Hashing is also a method of protecting data that uses a cryptographic key to encrypt, but does not allow the data to let her be decrypted. Password Control access to computers, files, databases, websites, networks, and other resources containing sensitive data can be controlled by a password. Each resource can be accessed using a separate user account with its own ID and password. Or a single sign on mechanism can permit access to multiple resources using a single user account. Intrusion detection attacks on data can come from external entities wishing to gain access to an organization’s network resources. Organizations big and small are constantly under attack from outsiders desiring access to organizational data. All of these exploits can cause threats to an organization’s privacy resilience. To protect themselves from external threats, organizations should deploy intrusion detection systems.

2. Foundational elements for embedding privacy in IT (2)

Let’s discuss about incident response, security and privacy perspectives. Having a mature incident response program is an important part of any privacy program. Sometimes it is the only way that an organization’s customers can submit a privacy issue. The incident Response program should consist of an Incident Response Center web form, email address, phone number, and representatives from on public relations, legal, privacy and security. The Privacy Response Form should be easily accessible from the organization’s privacy notice as well as easy to use. Providing a selection setting with privacy categories is one way to simplify the requests. I am kindly inviting you to take a look at my full course regarding incident response and GDPR and you will find a lot of useful information as well as documents that you may use in your instant response process. Let’s take a look around security and privacy in Systems Development Lifecycle or SDLC.

The Systems development lifecycle consists of several phases from project initiation to maintenance or disposal, including security and privacy. Evaluations at each phase in the SDLC helps to streamline the process and save time overall for privacy. Privacy by design should be incorporated into the process. Also, the collection, processing, sharing and retention practices of the data should be analyzed. To ensure security risks are mitigated.

An analysis of access, control, intrusion detection, and resource protection measures should be made. Let’s take a look at the enterprise architecture and data flows. According to Gartner, enterprise architecture is a discipline for proactively and holistically leading enterprise responsive to disruptive forces by identifying and analyzing the execution of change toward desired business vision and outcomes. EA delivers value by presenting business and It leaders with signature ready recommendation for adjusting policies and projects to achieve target business outcomes that capitalize on relevant business disruptions. EA is used to steer decision making toward evolution of the future state architecture.

Data flows should be designed such that they maximize utility of organizational data while maintaining compliance with organizational responsibilities. A data flow diagram as the one in the slide over here provides a graphical means to illustrate the flow of data across an organization. The diagram can show the origin of data indicating whether the origin was an individual, external entity, internal group, or process. It can show which processes and data stores are involved in the data flow, how the data may evolve as it flows across processes, and even where data might flow across geographical borders. Let’s take a look at privacy impact assessment, or PIAs.

The PIA is one of the most important parts of a privacy program. It helps an organization identify its privacy risks and measure the criticality of each risk. The result of the PIA can facilitate an action plan for addressing each risk. In a small organization, the privacy team can perform the risk assessment. In large organizations, the risk assessment responsibilities may have to be spread out across teams. Using the assistance of external party can help to streamline the process. Risks can be addressed in several ways avoid, mitigate, accept, or transfer. Avoid risk the organization can decide that it will no longer process credit card transactions. Instead, it will rely on a third party service to process them.

Mitigate risk your organization can decide to encrypt the credit card number during collection and storage and place tight restrictions on access to credit card data. Accept risk your organization can decide that it would be too costly to use a third party to process its credit card transaction or to modify systems to encrypt the numbers. It may instead rely on current practices to protect the credit card data and hope for the best. Or transfer risk the organization can purchase business insurance to cover the firm in the case of a data breach.

3. Common Privacy Principles

Hi, guys. In this lesson, we’ll discuss about common privacy principles or the eight dos. Each organization should govern itself by a core set of privacy Principles that cover how personal information under its control is processed. These principles can serve as a framework for employees to follow as they develop their internal policies. Collection Limitation is the first one. This principle covers the restraint from the excessive collection of personal information. Organizations should limit the amount of data they collect in order to minimize privacy risk and legal liability that can come from excessive data collection. Data Quality this principle covers the idea that organizations that collect personal Information should make efforts to maintain the quality of the information.

When collecting personal information, organizations should ensure that they have collected all the information that was requested and that the information is not modified during transmission or storage. Purpose Specification this principle covers the expression of purpose for which Personal Information is collected. Whenever Personal Information is collected, the purpose for its collection should be expressed to the individual.

This notification should be provided to the user before the collection. Once the data has been collected, the purpose for its collection should not change without providing notice to the user and obtaining consent to apply the new purpose to the previously collected information. Use Limitation this principle covers the idea that the use of Personal Information should be limited within an organization.

Any usage should be covered by the privacy notice in effect at the time the Personal Information was collected. Security Safeguards organizations have an obligation to provide security for the data they collect from users. The level of security should match the sensitivity of the data being collected. For aggregate data that simply lists the number of site visitors and the pages they viewed, a low level of security is probably okay unless it is critical.

Business Data Openness The principle encourages organizations to be open about the personal Information they collect and the privacy principles that govern their treatment of such information. Individual Participation this principle provides the ability for an individual to receive confirmation from an organization that the organization holds data collected from or relating to the individual. If such data exists, the individual should have the right to request and receive such data from the organization in a timely manner and at a reasonable cost. Upon granting the data request, the organization should deliver the data to the individual in a format that is intelligible to that person. .

Accountability this principle covers the idea that whenever an organization plans to transfer an individual’s Personal Information, it should obtain consent from the individual or exercise extreme care in handling the Personal Information. So, as a conclusion, a great house starts with a great foundation. The bigger the house, the better the foundation must be. If a company wants to be great at privacy, it must be begin with the foundational elements of privacy.

• Category: Uncategorized