Ann Cavoukian, Ph.D. Information and Privacy Commissioner Ontario

13
29e Confrence internation ale des commissaires à la protection de la vie pri ve 29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS

description

RFID Privacy Guidelines: Enhancing Consumer Trust. Ann Cavoukian, Ph.D. Information and Privacy Commissioner Ontario. 29 th International Conference of Data Protection and Privacy Commissioners September 26, 2007. Privacy-Enhancing Technologies (PETs). - PowerPoint PPT Presentation

Transcript of Ann Cavoukian, Ph.D. Information and Privacy Commissioner Ontario

Page 1: Ann Cavoukian, Ph.D. Information and Privacy Commissioner Ontario

29e Confrence internationale des commissaires à la protection de la vie prive

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS

Page 2: Ann Cavoukian, Ph.D. Information and Privacy Commissioner Ontario

29e Confrence internationale des commissaires à la protection de la vie prive

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS

Ann Cavoukian, Ph.D.Ann Cavoukian, Ph.D.

Information and Privacy Commissioner

Ontario

RFID Privacy Guidelines:

Enhancing Consumer Trust

29th International Conference of Data Protection and Privacy Commissioners

September 26, 2007

Page 3: Ann Cavoukian, Ph.D. Information and Privacy Commissioner Ontario

29e Confrence internationale des commissaires à la protection de la vie prive

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS

Privacy-Enhancing Technologies(PETs)

• The IPC developed the concept, now commonly recognized around the world, as privacy-enhancing technologies (PETs);

• In 1995, the IPC and the Dutch Data Protection Authority published their landmark study, Privacy-Enhancing Technologies: The Path to Anonymity (Vols. I & II);

• Privacy by Design – build in privacy up front, into the design specifications, into the architecture; if possible, embed privacy right into the technology itself – bake it in.

Page 4: Ann Cavoukian, Ph.D. Information and Privacy Commissioner Ontario

29e Confrence internationale des commissaires à la protection de la vie prive

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS

Supply-Chain vs. Item-LevelThe Difference

• Every RFID tag contains unique-identifying data, such as a serial number;

• Privacy issues can arise when the RFID tag is associated with a specific item (rather than several items grouped together), and an identifiable individual (consumer);

• Supply-chain management: involves tagging bulk goods, cases, pallets. Also some products for business uses in manufacturing, wholesale distribution, and for back-end retail inventory management purposes;

• Item-level consumer product tagging: involves tagging commercial products in the retail space that are owned, carried and used by individual consumers, such as apparel or electronics.

Page 5: Ann Cavoukian, Ph.D. Information and Privacy Commissioner Ontario

29e Confrence internationale des commissaires à la protection de la vie prive

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS

IPC Position on the Commercial Uses of RFIDs

• The IPC does not oppose the use of RFID technologies throughout the supply chain management process – track products, not people;

• Caution is advised when linking item-level RFID data to individuals: therein lie the privacy concerns;

• Consistent with our approach to PETs, we support technological solutions to protecting privacy in RFIDs, embedding “privacy by design” protections within RFID systems.

Page 6: Ann Cavoukian, Ph.D. Information and Privacy Commissioner Ontario

29e Confrence internationale des commissaires à la protection de la vie prive

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS

Collaboration with EPCglobal Canada

• June 2006, the IPC collaborated with EPCglobal Canada;

• The IPC issued, Privacy Guidelines for RFID Information Systems (RFID Privacy Guidelines), accompanied by a companion piece titled, Practical Tips for Implementing RFID Privacy Guidelines;

We undertook this task to:• encourage the development of new technologies that

allow for de-activation, followed by re-activation;• encourage the concept of privacy by design;

“Embed privacy protective measures into the actual design and infrastructure of any new technology, including RFIDs.”

Page 7: Ann Cavoukian, Ph.D. Information and Privacy Commissioner Ontario

29e Confrence internationale des commissaires à la protection de la vie prive

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS

IPC RFID Privacy Guidelines

• Developed with leading industry standards-setting organization (GS1/EPCglobal Canada);

• Promotes compliance with Canadian federal and provincial privacy laws;

• Strongest, most complete set of RFID guidelines developed to date – promotes compliance and consumer trust around the world.

www.ipc.on.ca/docs/rfidgdlines.pdf

Page 8: Ann Cavoukian, Ph.D. Information and Privacy Commissioner Ontario

29e Confrence internationale des commissaires à la protection de la vie prive

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS

Features of IPC RFID Guidelines

• The Guidelines address key privacy issues regarding use of item-level RFID technology in the retail/commercial sector;

• Goal: to promote RFID technology by addressing concerns about the potential threat to privacy and to build-in the necessary protections for the item-level use of RFID tags;

The Guidelines are based on three principles:

1. Focus on RFID information systems, not technologies;

2. Build in privacy and security from the outset, at the design stage – making it a positive-sum paradigm;

3. Maximize individual participation and consent.

Page 9: Ann Cavoukian, Ph.D. Information and Privacy Commissioner Ontario

29e Confrence internationale des commissaires à la protection de la vie prive

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS

IPC RFID Privacy GuidelinesScope of The Guidelines

• Based upon the 10 Fair Information Practices of the general-purpose CSA Privacy Code, which applies to all organizations and forms the basis for Canada’s private sector privacy law – the Personal Information Protection and Electronic Documents Act (PIPEDA).

• Focus on item-level tagged consumer goods;

• Focus on RFID-linked PII: data linkages considered to constitute personal information;

• Guidelines a reference for all RFID industry stakeholders, e.g. product manufacturers, hardware and software vendors, consumers – everyone must be part of privacy solutions.

Page 10: Ann Cavoukian, Ph.D. Information and Privacy Commissioner Ontario

29e Confrence internationale des commissaires à la protection de la vie prive

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS

Canada’s Fair Information Practices*

• Accountability• Identifying

Purposes• Consent• Limiting Collection• Limiting Use,

Disclosure, Retention

• Accuracy• Safeguards• Openness• Individual Access• Challenging

Compliance

* CSA Model Code for the Protection of Personal Information (Privacy Code) CAN-CSA Q830 1996 - www.csa.ca/standards/privacy/code/

Page 11: Ann Cavoukian, Ph.D. Information and Privacy Commissioner Ontario

29e Confrence internationale des commissaires à la protection de la vie prive

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS

Canada’s Fair Information Practices

• CSA Model Privacy Code was incorporated into Canada’s federal Personal Information Protection and Electronic Documents Act (PIPEDA) – appended as a schedule;

www.privcom.gc.ca/legislation/02_06_01_01_e.asp• Organizations that comply with the Privacy Code can be

confident that they meet the federal requirements;

• In 2001, the European Commission recognized PIPEDA as providing adequate protection for personal data transferred from the EU to Canada.

Page 12: Ann Cavoukian, Ph.D. Information and Privacy Commissioner Ontario

29e Confrence internationale des commissaires à la protection de la vie prive

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS

Conclusion

• Our focus should remain on real privacy issues, involving the protection of personally identifiable information (PII);

• If there is no PII, there is no privacy issue;

• If PII is involved, apply strong privacy protections as reflected in the IPC’s RFID Privacy Guidelines, consistent with Canadian privacy laws.

Page 13: Ann Cavoukian, Ph.D. Information and Privacy Commissioner Ontario

29e Confrence internationale des commissaires à la protection de la vie prive

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS

How to Contact Us

Ann Cavoukian, Ph.D.Ann Cavoukian, Ph.D.

Information and Privacy Commissioner of Ontario

2 Bloor Street East, Suite 1400

Toronto, Ontario, Canada, M4W 1A8

Phone: (416) 326-3333 / 1-800-387-0073

Web: www.ipc.on.ca

E-mail: [email protected]


1 PHIPA Impact on Health Care Practitioners Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario University of St. Michaels College Barbara.

1 PHIPA Impact on Health Care Practitioners Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario University of St. Michaels College Barbara.

Www.ipc.on.ca Building in Privacy from the Bottom up: How to Preserve Privacy in a Security-Centric World Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario.

Www.ipc.on.ca Building in Privacy from the Bottom up: How to Preserve Privacy in a Security-Centric World Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario.

Ann Cavoukian, Ph.D. Information and Privacy Commissioner Ontario Privacy by Design: A Call to Action Center for Advancing Business through Information.

Ann Cavoukian, Ph.D. Information and Privacy Commissioner Ontario Privacy by Design: A Call to Action Center for Advancing Business through Information.

Www.ipc.on.ca Homing in on Privacy: The Challenge for Item Level RFID Deployment Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario MAKING.

Www.ipc.on.ca Homing in on Privacy: The Challenge for Item Level RFID Deployment Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario MAKING.

Commissioner Janez Potočnik, EU Commissioner for ... · Commissioner John Dalli, EU Commissioner for Health and Consumer Policy Commissioner Janez Potočnik, EU Commissioner for

Commissioner Janez Potočnik, EU Commissioner for ... · Commissioner John Dalli, EU Commissioner for Health and Consumer Policy Commissioner Janez Potočnik, EU Commissioner for

Information and Privacy Commissioner/Ontario, © 2005 Health and Business Privacy Law Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario Ontario.

Information and Privacy Commissioner/Ontario, © 2005 Health and Business Privacy Law Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario Ontario.

1 Privacy by Design: Don’t Make Privacy An Afterthought – Build It In Convergence Expo 2005 Calgary, Alberta May 17, 2005 Ann Cavoukian, Ph.D. Information.

1 Privacy by Design: Don’t Make Privacy An Afterthought – Build It In Convergence Expo 2005 Calgary, Alberta May 17, 2005 Ann Cavoukian, Ph.D. Information.

APPENDICES - Michigan · 2016-02-25 · 705 N Zeeb Rd Ann Arbor, MI 48103 Mr. Yousef Rabhi, Chair Washtenaw County Commissioner 220 North Main St. Ann Arbor, MI 48104 Ms. Sarah Taylor

APPENDICES - Michigan · 2016-02-25 · 705 N Zeeb Rd Ann Arbor, MI 48103 Mr. Yousef Rabhi, Chair Washtenaw County Commissioner 220 North Main St. Ann Arbor, MI 48104 Ms. Sarah Taylor

A Theory of Privacy for Cyber-Physical Systems with ...Oct 13, 2015  · thing has to be protected like Fort Knox,” says Ontario’s privacy commissioner Ann Cavoukian. j êz ên

A Theory of Privacy for Cyber-Physical Systems with ...Oct 13, 2015  · thing has to be protected like Fort Knox,” says Ontario’s privacy commissioner Ann Cavoukian. j êz ên

Www.ipc.on.ca Preserving Privacy in a Security-Centric World Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario Canadian Information Processing.

Www.ipc.on.ca Preserving Privacy in a Security-Centric World Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario Canadian Information Processing.

Affidavif of Ann Cavoukian - June 4 2014

Affidavif of Ann Cavoukian - June 4 2014

County Engineer County draft Auditor’s Itemsco.pennington.mn.us/commissioner/docs/2020/February... · Julie Stennes Kevin Erickson Ann Ulrich Linda Brown BE IT FURTHER RESOLVED,

County Engineer County draft Auditor’s Itemsco.pennington.mn.us/commissioner/docs/2020/February... · Julie Stennes Kevin Erickson Ann Ulrich Linda Brown BE IT FURTHER RESOLVED,

Www.ipc.on.ca Ontario’s New Health Information Protection Act: The Wait is Over Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario Emergis.

Www.ipc.on.ca Ontario’s New Health Information Protection Act: The Wait is Over Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario Emergis.

A Guide to Implementing Strong Privacy Practices · A Guide to Implementing Strong Privacy Practices Ann Cavoukian, ... risk managers, ... developed an approach to video surveillance

A Guide to Implementing Strong Privacy Practices · A Guide to Implementing Strong Privacy Practices Ann Cavoukian, ... risk managers, ... developed an approach to video surveillance

The Game Changer: Privacy by Design - Echoworx PAPER Dr. Ann Cavoukian, ... PRIVACY BY DESIGN, A GAME CHANGER Proactive not reactive Lead with privacy as the default setting Embed

The Game Changer: Privacy by Design - Echoworx PAPER Dr. Ann Cavoukian, ... PRIVACY BY DESIGN, A GAME CHANGER Proactive not reactive Lead with privacy as the default setting Embed

Www.ipc.on.ca Health Information Protection Act An Overview Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario Ontario Health Records Association.

Www.ipc.on.ca Health Information Protection Act An Overview Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario Ontario Health Records Association.

Securing North America’s Power Grid Dr. Ann Cavoukian, Ontario information and privacy commissioner Mark Fabro CISSP, CISM, President and Chief Security.

Securing North America’s Power Grid Dr. Ann Cavoukian, Ontario information and privacy commissioner Mark Fabro CISSP, CISM, President and Chief Security.

Information and Privacy Commissioner/Ontario, © 2005 PHIPA Personal Health Information Protection Act Privacy Issues Ann Cavoukian, Ph.D. Information &

Information and Privacy Commissioner/Ontario, © 2005 PHIPA Personal Health Information Protection Act Privacy Issues Ann Cavoukian, Ph.D. Information &

Ann Cavoukian, Ph.D. Information and Privacy Commissioner Ontario Harvard Executive Privacy Symposium Harvard University August 20, 2008 The Future of.

Ann Cavoukian, Ph.D. Information and Privacy Commissioner Ontario Harvard Executive Privacy Symposium Harvard University August 20, 2008 The Future of.

Www.ipc.on.ca Building Privacy into Health Information Technology Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario Information Technology.

Www.ipc.on.ca Building Privacy into Health Information Technology Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario Information Technology.