Ms Christine Page-Hanify Speaker Presentation
September 10, 2003 | © 2003 IBM Corporation
Harriet Pearson, V.P. Workforce and Chief Privacy Officer, IBM
Technology: Supporting a Culture of Privacy in Your Organisation
25th International Conference of Data Protection and Privacy Commissioners
The Information Explosion Continues…
Technology Trends
COMPUTING
Chips/$: 10x in 5 years
Computing power/$: 10x in 4 years
STORAGE
Storage/$: 10x in 6 years
COMMUNICATIONS
Backbone: 100x in 5 years
Local loop: 100x in next 5 years
Total Amount of Data Connected to The Internet
2001: 1 petabyte (10^15 bytes)
2006: 1 exabyte (10^18 bytes)
2010: 1 zettabyte (10^21 bytes)
The result of:
More people spending
More time using
More data-rich applications
More replication and caching of data
The Future Is Here…
The BIG Question
How to balance individuals’ interest in privacy with the benefits of faster, easier, more insightful sharing of information?
A culture of privacy, supported by technology, is required!
Enterprise Privacy Management
Enterprises want to meet privacy expectations – but need support
Privacy practices implementing the promises must be enforced & controlled
  - from access control to privacy authorization
  - enforcement on enterprise data systems
  - reporting back to data subjects
  - audit by independent third parties
Compatibility with laws, regulations, and public promises
  - easy to understand and maintain by non-technical people
  - easy to derive new policies from existing ones (laws, corporate, sector, …)
  - well-defined relation to P3P and similar standards as they are developed
Some Examples: Privacy-Enhancing Applications and a Standard
Statistical data mining (Hippocratic Database)
  - Novel randomization tricks let enterprises make statistics w/o putting individual records at risk.
Surveillance technologies (PeopleVision)
  - Novel image processing technologies will hide all personally identifiable info, until needed (if ever)
EPAL (Enterprise Privacy Authorization Language)
  - Is the first XML-based markup language designed to enable organizations to translate their privacy policies into IT control statements and enforce policies
EPAL Summary
EPAL is designed to make it easier for enterprises to translate their privacy policies into machine-readable descriptions of data handling procedures
EPAL provides enterprises with a way to automate the enforcement of privacy policies across IT applications and systems
  - enables organizations to enforce P3P policies behind the Web, among applications and databases
EPAL’s evolution has been influenced by feedback from diverse enterprises
  - can be the core of a coherent privacy mgmt framework
Privacy Policy Example
Privacy Statement: "Email can be used for the book-of-the-month club if consent has been given and age is more than 13"
Rule elements: User Category, Data Category, Purpose, Operation, Condition, Obligation
EPAL Rule:
  <ALLOW user-category = "borderless-books"
         data-category = "email"
         purpose = "book-of-the-month-club"
         operation = "read"
         condition = "/CustomerRecord/Consent/Book Club=True && /CustomerRecord/age>13">
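How a rule like the one on this slide could be enforced at access time, as an added example that is not part of the presentation and is not IBM's EPAL implementation. The `Rule` class, the `authorize` function, the record layout and the deny-by-default behaviour are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Mapping


@dataclass(frozen=True)
class Rule:
    ruling: str                       # "allow" or "deny"
    user_category: str
    data_category: str
    purpose: str
    operation: str
    condition: Callable[[Mapping], bool]


def book_club_condition(record: Mapping) -> bool:
    # Mirrors the slide's condition: consent given AND age > 13.
    # Missing or malformed fields evaluate to False (fail closed).
    consent = (record.get("consent") or {}).get("book_club") is True
    age = record.get("age")
    return consent and isinstance(age, int) and age > 13


# The slide's single rule, expressed in this sketch's hypothetical structure.
POLICY = [Rule("allow", "borderless-books", "email",
               "book-of-the-month-club", "read", book_club_condition)]


def authorize(policy, user_category, data_category, purpose, operation, record):
    """Return the ruling of the first rule whose elements all match the
    request and whose condition holds for the record; otherwise 'deny'."""
    request = (user_category, data_category, purpose, operation)
    for rule in policy:
        rule_key = (rule.user_category, rule.data_category,
                    rule.purpose, rule.operation)
        if rule_key == request and rule.condition(record):
            return rule.ruling
    return "deny"  # assumption: no applicable rule means no access


# Constructed sample customer records (not from the presentation).
ADULT_CONSENTED = {"age": 30, "consent": {"book_club": True}}
AGE_13_CONSENTED = {"age": 13, "consent": {"book_club": True}}
ADULT_NO_CONSENT = {"age": 30, "consent": {"book_club": False}}
NO_AGE_ON_FILE = {"consent": {"book_club": True}}
```

The same email address is readable for the book-of-the-month club purpose and refused for any other purpose, which is the difference between plain access control and purpose-bound privacy authorization.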
Government of Alberta – Privacy Architecture
Requirement: a “Privacy/Technology Roadmap” to help apply the Government of Alberta Enterprise Architecture (GAEA) Privacy Principles and guide related technology decisions
Solution: a phased architecture with specific practical near-term guidance and a long range blueprint based on leading-edge thinking such as IBM’s EPA and EPAL
GoA Privacy Architecture Requirements
Phase 1
  - Terminology – a common language for discussing privacy requirements, issues and solutions
  - Identification Keys – how will data subjects be uniquely identified?
  - Data Classification – how should personal information or its uses be classified?
  - Data Sharing, Re-Use and Placement – to what extent can personal information be shared between departments and where should it be stored?
Phase 2
  - User Interface – what privacy related features are required and what should they look like?
  - Data Transformation – guidance for rendering data anonymous
  - Data Subject Access to Data – how should Data Subjects be provided with access to their own data?
  - Software Acquisition Criteria – privacy criteria for both privacy-enhancing and general software
  - Consent and Choice – rules for what consents and choices are to be offered
  - Access Control – expression of “need to know” in a privacy context
Phase 3
  - Use of Technology to Monitor Privacy Compliance – where should technology be used vs. processes and procedures
  - Use of Technology to Enforce Privacy Rules – where should technology be used vs. processes and procedures
GoA Privacy Architecture Solutions
Phase 1:
  - Terminology: Privacy Glossary
  - Identification Keys: Identification Key Scheme/Privacy Protection Component
  - Data Classification: Privacy Taxonomy – P3P and EPAL based
  - Data Sharing, Re-Use and Placement: Data Band Placement Process
Phase 2:
  - Data Transformation: Privacy Transformation Techniques
  - Software Acquisition, User Interface, Consent and Choice: Privacy Design Guidance
  - Access Control: EPAL-based access rules
  - Data Subject Access: Process leveraging Privacy Taxonomy etc.
Phase 3:
  - Technology to Enforce/Monitor Privacy: EPA/ISTPA based component/services based conceptual model
Concluding Thoughts
Foundational work underway by various vendors and early-adopting leaders to refine privacy-enabling technologies and business processes
Pace of adoption: led by “early adopters,” needs support by all stakeholders; e.g. data protection commissioners, advocates, other leaders