IAPP CIPT – Privacy Considerations & Techniques

1. Collection

Hi, guys. In this lesson, we’ll discuss about collection. Collection in the context of this lesson is the process of receiving data from a user, device, or entity. For the most part, collection occurs via an organization’s Web server, though it can occur via download from a third party site or media shipped to the organization. Proper collection practice practices can minimize privacy risks by helping to ensure that only the necessary data is collected and only the appropriate people access it. When collecting data from users, they should be provided with notice, choice, control, and consent as needed. There should be limits on the data being collected, and it should be secured from inappropriate access. Let’s talk about notice.

Notice is the act of informing others about a topic that might impact them. We see notices everywhere for road closures, store closures, flood warnings, buildings going up, buildings going down, warnings that a dog is around, for example. More often than not, notices warn of possible danger. When one considers the potential harm that might result from the use of data collected at a website, it seems appropriate to provide users with a privacy notice that explains the organization’s privacy practices.

In general, the privacy notice should provide the following what data is being collected, the mechanisms by which data is collected, how the data is used, who has access to the data, with whom the data may be shared, or disclosed how long the data is kept, what control the user has over the collection, usage and persistence of data how data is protected how users can access and explore their data, and how users can contact the organizations with questions or concerns.

In life, many warning signs explicitly state what people should do like sidewalk clothes, use other site. Others provide a warning that readers intuitively know how to respond to or be aware of a dog. For example, when a privacy notice states that it collects personal information and shares it with third parties, it usually provides no additional information about how users are supposed to protect themselves. The privacy notice should be informative in a way that is useful to the reader, who will, for the most part, be a consumer and not a lawyer or regulator. A simple popup or banner can inform users about cookie usage without disrupting their browsing experience. A Learn More link can provide additional information as needed. Layered privacy notices are a good way to provide transparency in a simplified format. Let’s talk about choice.

Choice provides consumers with the opportunity to have input regarding their privacy preferences. It can provide users with a say in how their data is managed by an organization. Many will agree that choice is an important tenet of privacy. However, many will argue that choice suffers similar failings as notice. While there is an exception that website services and application developers will provide consumers with a privacy notice as well as Adobe Privacy Choices, the difficulty lies in the execution of those choices. Problems can arise when there are too many choices. Facebook goes further by providing a list of privacy links across several dialogues.

While the granularity is great for people who enjoy having that level of control over their privacy settings, for those who prefer a simpler mechanism, it can be daunting. Choice is often conflated with control or consent, when in fact the three are all very different. The fact that choice is distinct from control and consent warrants a deeper discussion. Control is an actor instance of controlling and also power or authority to guide or manage. In privacy terms, that means users have the ability to manage how data about them is used. Many privacy settings give consumers choice, but not real control.

Users can opt out of behavior advertising but can control the collection of their data. Consent in this context is an agreement from the user for an organization to process her data in a certain fashion. Consent is usually provided by users at the time they are presented with a choice. Most consent from users is implied consent, meaning the user never provides specific consent or says no to a particular data handling practice. Going to a website and browsing around is implicit consent of the website’s privacy Policy or Terms of Use.

Not opting out of behavioral advertising is implicit consent to receive targeted advertisement. Explicit consent is when the user provides a positive verifiable acknowledgment to a specific data handling practice. Agreeing to the collection of location services for a mapping application or agreeing to accept the software update is an example of explicit consent. Let’s talk about collection limitations.

The Privacy Notice or Terms of Use should not be seen as a license to collect as much data as possible. In fact, organizations should work hard to minimize the data they collect. The European Data Protection Supervisor defines a data minimization principle which states the principle of data minimization means that the data controller should limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose.

Some would argue that the more data an organization collects, the greater the benefits that can be realized from it. Let’s talk about secure transfer. Whenever data is transferred, it should be done in a secure manner that is proportionate with the sensitivity of the data. Using a high level of security, such as encryption for all data transfers can place an unnecessary burden on organizations because it decreases the speed of data transfers and adds complexity to the management of data transfers. For non sensitive data, unencrypted transfer may be fine. For sensitive data being transported between different sites of the same company, encrypting the transmission link may be sufficient.

Several mechanisms exist that permit the protection of data during transmission. When transmitting data over the Internet, Secure Sockets Layer, or SSL and Transport Layer security TLS can be used to encrypt the data during transmission. Encrypted email can also be used to protect data from point to point. Reliable Sources collection from third Parties one of the tenets of privacy is data quality. It is important that data collected by an organization be accurate before it is used. When collecting data from a third party organization, it is crucial that the company be reputable. Even when the company is reputable, steps must be taken to ensure that the data is accurate.

When an organization receives 100 records for 100 different people named John Smith, how it is to know which record belongs to which John Smith to help ensure the accuracy of data received from third parties, you need to validate the company’s data collection and verification practices. Insist that the organization be a member of the Better Business Bureau or some similar organization. Ensure that all necessary fields in a user’s record have been filled. Contact the user periodically and ask for a verification of his or her data and provide access, control and auditing of data to be able to track changes.

2. Use

Hi, guys. In this lesson, we’ll discuss about use. Use is the processing or sharing of information for any purpose beyond simple storage and deletion. Even the processing of data for security or fraud purposes is a use. Any access of data by an individual who reads the data is performing a use, as the person could take an

action on the data based on what is read. While there are hard, fast rules that can come from an organization’s privacy policies, other factors will drive how data is used in an organization as well. For example, according to privacy policies, an organization’s practices must reflect the commitments made in its public privacy policies. In large organizations, it is possible that many employees will not be aware of their own firm’s privacy policies according to regulations. The limitation of data use is called out in Article Six of the EU old data Protection Directive and has been incorporated into laws such as Principle Three of the UK Data Protection Act. It is also included in the new GDPR law. Sector regulation also placed limits on how data may be used.

For example, banking institutions in the European Union are subject to the third Basel Accord Basel three regulatory standard, while medical institutions in the US. Are subject to HIPAA. According to commitments, an organization’s data usage policy should reflect contractual agreements made with the suppliers of the data. Contractual agreements must always be followed. Thus, it is important that groups within the organization are aware of them so they can abide by their usage obligations. Too many Data Elements The data minimization principle described by the European Data Protection Supervisor applies to the use of data as well as collection. An evaluation of the actual data use should be made to ensure that all collected data is indeed used by the organization. Outdated Data Elements data elements should occasionally be eliminated to keep them current and relevant. Over time, data elements can become outdated or unneeded.

A person’s license plate, credit card, and passport are things that expire over time. Interests change as a person progresses through high school, college, marriage, parenthood, and retirement. Internal sharing, even after collection and default, should be made to limit the use of data by organizations internal teams to those elements needed to fulfill a specific business purpose. For example, a consumer may fill out a form to purchase a product online. The contents of the form in its entirety will probably be stored in a database for processing.

When it comes time to ship the product, the shipping department should get only the name and address of the recipient and not the entire database record, which may have additional information that is not needed for shipping. Let’s discuss now about secondary uses. Data is usually collected from individuals to fulfill a primary purpose that is typically expressed in the privacy notice or terms of use. To use data for a purpose other than the primary use generally requires prominent notice and explicit consent be certain that usage data collected by your organization is restricted to the primary purpose. For example, data collected to improve your company’s blog cannot be used to improve the mail service or research unless explicit consent is given by the user.

User Authentication Authentication is the validation that a person has been provided with access to a resource, such as a network, computer, or application. Resources containing sensitive data can be protected by an authentication mechanism that requires an ID and password to access the data. Access Control Access controls are a great way to restrict access to sensitive data. Each organizational privacy policy should have a section on security. That section should reflect the security practices in place to protect sensitive data. While the idea of a browser log may sound innocuous, it can contain embarrassing or private information depending on the site the user has visited. From a Web address, one can infer someone’s medical condition. For example, if the user is visiting a cancer research site, one could infer that the person has cancer. Similarly, if the user visits a payday loan site, one could deduce that the person is having financial difficulties. Audit Trails Audit trails can be applied to resources to monitor accesses to the resource by company.

Personal auditing is a useful tool when there is a concern that employees may be inappropriately accessing sensitive data. Audit logs can be used during privacy reviews and compliance audits to validate that internal policies and compliance controls have been followed. Restricting Use with DRM Digital Rights Management the preceding mechanism can limit access to content, but not necessarily how it is used. DRAM is a technology used to limit the distribution of digital content to those with a legitimate right to it. It can also limit what assigned users can do with the content. For example, a person may be permitted to read a document but not allowed to print it, email it to others, copy content from it, or modify it. Securing Hard Copies Securing hard copies of content can be difficult because of the ease with which they can be copied, photographed, and just carried away.

Proper policies and training are important for steps to encourage proper document use using personally identifiable information. In testing, companies that collect PII generally have applications that process it. Membership applications, product purchases, and room reservations all require that individuals provide PII. The many application used to collect the data in such scenarios need to be tested using realistic data. Many companies will be tempted to run tests using real data. However, that greatly increases the possibility of a data breach or misuse of information. When there is a need to test an application that uses PII, several steps can be taken to minimize risk to the real data.

A program can be developed that takes the raw PII data and minimizes it and creates a test data set from it. That’s the step one. Step Two a program can be created that generates random data similar to the real data. Step three use one of the free data generation programs available on the Internet. While this approach can save time and money over the other ones, these programs are limited in the type of data they can generate. And four, when real data is needed to perform tests, they should be done on a limited basis, the data should be protected during use, and the data should be deleted as soon as possible, including backups.

3. Disclosure

Hi guys. In this lesson, we’ll discuss about disclosure. Disclosure is typically viewed as the sharing of information external to an organization collecting it. This is also known as onward transfer. It’s rare for organizations to collect data and not put it to practical use. The act of putting the data to use has to involve sharing at some level, otherwise the data would remain on the collection servers. Unused disclosure can happen internally across groups, or externally with service providers, clients, partners, law enforcement, or consumers. Let’s talk about internal disclosure. Internal disclosure of data should be documented by a data flow diagram. The metadata associated with the diagram should point to the privacy policies of the groups sharing and receiving the data.

The groups receiving the data should not share it with others unless prior arrangements were made. Instead, requests for data should be passed on to the original collectors of the data. External Disclosure Each act of external disclosure should be covered by a contract that expresses the limits of processing the data and the retention and destruction policy for the data. The terms of the contract should reflect any commitments made around third party or first party sharing in regard to the service providers who are working on behalf of the organization collecting the data. The contract should also comply with any privacy notices. Each external data flow should be documented on a data flow diagram that points to the contract as well as other descriptive information about the data flow, such as data inventory.

According to legal Obligations Organizations should be clear about their obligations to disclose information to law enforcement authorities or government officials. Where possible, any requests for data should be made public. According to notice, any data disclosure by an organization should be described in its privacy notice, even if that data disclosure is only expected to happen between internal groups. An organization should not be disclosing data to entities unless it is stated in its privacy notice. This type of transparency is often overlooked by organizations and is the source of angst for privacy advocates. Where possible and practical, organizations should provide information in their privacy notice about who will have access to their data. Minimization and Anonymization the data minimization principle applies to the disclosure of information and can be more critical for disclosure than for other principles, as once data leaves the control of an organization, there is no way to know with certainty what will happen to it.

For that reason, it is always important to have a contract that covers any disclosure of data to a third party. The size of the data set should not dictate what data is disclosed to a third party. The data disclosed should always be limited to the data legitimately needed by the third party. Vendor Management Programs to Formalize Relationships with Vendors Organizations should create a program that outlines the engagement model for vendors.

The plans for the disclosure of data to vendors must be thoroughly reviewed as this disclosure does not relieve the organization of any responsibility from commitments it made in its privacy notice or in contracts with external providers of data. The organization can still be liable for mistreatment of data by the vendor, no matter what means it’s used to provide the vendor with access to the data.

The vendor and its data protection capabilities should be reviewed before engaging the vendor. The organization must review the vendor’s data access, storage, and handling practices to ensure that they are aligned with its practices. Using Intermediaries for the Processing of Sensitive Information often, an organization will not have the capabilities to perform the necessary processing of data. In those cases, an intermediary can be used.

The arrangement with the intermediary must be covered by a contract. The intermediary must have a clear understanding that it must apply the same usage and security policies as the organization with regard to the treatment of the data. Furthermore, the intermediary must never use the data for its own purposes. The rules that apply to vendors must be applied to intermediaries as well.

• Category: Uncategorized