privacy and data protection by design cross over of
play

Privacy and data protection by design cross-over of multiple - PDF document

Apr 17, 2023 •248 likes •551 views

Privacy and data protection by design cross-over of multiple disciplines Marit Hansen Privacy and Information Commissioner Schleswig-Holstein, Germany marit.hansen@datenschutzzentrum.de Annual Privacy Forum 2015 Luxembourg, 7 October,

  1. Privacy and data protection by design – cross-over of multiple disciplines Marit Hansen Privacy and Information Commissioner Schleswig-Holstein, Germany marit.hansen@datenschutzzentrum.de Annual Privacy Forum 2015 Luxembourg, 7 October, 2015 www.datenschutzzentrum.de Setting of ULD • Data Protection Authority (DPA) for both the public and private sector • Also responsible for freedom of information Source: en.wikipedia.org/ wiki/Schleswig-Holstein Privacy & data protection by design – cross-over of disciplines Source: www.maps-for-free.com

  2. www.datenschutzzentrum.de Overview 1. Privacy and Data Protection by Design 2. A motivated approach of all relevant disciplines 3. Beware of obstacles 4. Conclusion Privacy & data protection by design – cross-over of disciplines www.datenschutzzentrum.de 1. Privacy and Data Protection by Design Source: Colin Kinner Privacy & data protection by design – cross-over of disciplines

  3. www.datenschutzzentrum.de Cavoukian’s Privacy by Design http://privacybydesign.ca/ Privacy & data protection by design – cross-over of disciplines www.datenschutzzentrum.de General Data Protection Regulation (GDPR) Art. 23 (1) – Discussion In short: • “… by design” = built-in • “Data protection” = reqs from the GDPR, esp. rights of the data subject • Differences: who, when, how, how much? Privacy & data protection by design – cross-over of disciplines

  4. www.datenschutzzentrum.de General Data Protection Regulation (GDPR) Art. 23 (2) – Discussion European 1st reading position General Approach EDPS Commission of the European Parliament of the Council recommendations In short: • “… by default” = configuration should be privacy-friendly • Related to necessity for purpose Privacy & data protection by design – cross-over of disciplines www.datenschutzzentrum.de Six protection goals for privacy engineering Confidentiality Unlinkability classical IT security protection goals*) I ntegrity I ntervenability *) From the data subject’s perspective Transparency Availability Privacy & data protection by design – cross-over of disciplines

  5. www.datenschutzzentrum.de Protection goal “unlinkability” The protection goal of Unlinkability is defined as the property that privacy-relevant data cannot be linked across domains that are constituted by a common purpose and context. Reference: Hansen/Jensen/Rost: Protection Goals for Privacy Engineering, Proc. 1st International Workshop on Privacy Engineering, IEEE, 2015 Privacy & data protection by design – cross-over of disciplines www.datenschutzzentrum.de Protection goal “transparency” The protection goal of Transparency is defined as the property that all privacy-relevant data processing − including the legal, technical, and organisational setting − can be understood and reconstructed at any time. Reference: Hansen/Jensen/Rost: Protection Goals for Privacy Engineering, Proc. 1st International Workshop on Privacy Engineering, IEEE, 2015 Privacy & data protection by design – cross-over of disciplines

  6. www.datenschutzzentrum.de Protection goal “intervenability” The protection goal of I ntervenability is defined as the property that intervention is possible concerning all ongoing or planned privacy-relevant data processing. Reference: Hansen/Jensen/Rost: Protection Goals for Privacy Engineering, Proc. 1st International Workshop on Privacy Engineering, IEEE, 2015 Privacy & data protection by design – cross-over of disciplines www.datenschutzzentrum.de Protection goals need multiple disciplines – in particular intervenability • Intervenability is not prominent in privacy engineering literature • Reasons for that: � Hard to formalise and to measure � Compared with data minimisation research far less proposed techniques and technologies � Can often not be solved within the IT system alone � Needs a running system with clear responsibilities (operator, users) – not on prototype level � Not one fixed solution, but process-oriented, taking into account the full lifecycle of system evolution The Art of Intervenability for Privacy Engineering

  7. www.datenschutzzentrum.de 2. A motivated approach of all relevant disciplines – the ideal scenario Source: Olga Berrios Privacy & data protection by design – cross-over of disciplines www.datenschutzzentrum.de Puzzle metaphor Privacy by Design • Means involvement of all relevant stakeholders for putting together the puzzle • Including representatives from � The application context � Technology / computer science / soft-/hardware engineering � (Data protection) law � Business studies � Psychology Source: rama_miguel � Social sciences � Ethics … Privacy & data protection by design – cross-over of disciplines

  8. www.datenschutzzentrum.de Puzzle metaphor • Think of a puzzle • The colours represent various disciplines • The pieces are the methods/tools/ instruments for Privacy by Design Source: Olga Berrios Privacy & data protection by design – cross-over of disciplines www.datenschutzzentrum.de Multiple disciplines necessary • Law: lawfulness • Technology: engineering • Economy: � Organisational processes � Business models • Psychology++: user interaction, organisational culture Source: Ken Teegardin • Ethics & social / political sciences … Privacy & data protection by design – cross-over of disciplines

  9. www.datenschutzzentrum.de Effects for data subjects? How it could work Effects for society? Lawfulness? • Starting point: task to implement • � Purpose Source: Kevin Dooley • Which information is necessary? • How to gather & process the necessary data? • Protection level “normal” / “high” / “very high”? Risks? • Consider the protection goals; perspective: data subject • Choice of measures from “PbD repository” • Evaluate � Privacy & data protection by design – cross-over of disciplines www.datenschutzzentrum.de Nice idea: “PbD repository” But not that easy: • Dependencies and interrelations • Side effects • Usually no naïve plug & play possible Current status: • Some attempts • Not well sorted Source: Olga Berrios Especially lack of cross- • Not well understood disciplinary understanding! Privacy & data protection by design – cross-over of disciplines

  10. www.datenschutzzentrum.de How to integrate privacy modules the same idea of Legacy systems that are not designed with privacy in mind • Technology, e.g. architectures, infrastructures • Business processes • Law … Building in privacy may be difficult / impossible! Source: Horia Varlan Whose task? Privacy & data protection by design – cross-over of disciplines www.datenschutzzentrum.de I f everything works out However, the puzzle comparison is flawed: • Several solutions, several pictures • Not using all pieces • You may not notice quickly if something Source: Olga Berrios goes wrong Privacy & data protection by design – cross-over of disciplines

  11. www.datenschutzzentrum.de “Understanding is an illusion” Data minimisation: Obstacles: “… necessary for • Different vocabulary legitimate business purposes …“ � Even hijacked vocab • Inherent logic of each discipline � Binary or fuzzy? � Solution-oriented? • Still learning from non-understanding is possible Source: Horia Varlan Privacy & data protection by design – cross-over of disciplines www.datenschutzzentrum.de Data Protection by Design is about data human beings with their rights Source: Ashtyn Renee Privacy & data protection by design – cross-over of disciplines

  12. www.datenschutzzentrum.de careless dark? 3. Beware of obstacles – the careless scenario real-life Source: The U.S. Army Privacy & data protection by design – cross-over of disciplines www.datenschutzzentrum.de Challenge 1: Storage by default • Statements often heard: � “For functionality tests or debugging, we need data, much data.” � “You never know when you are going to need it.” • Problem: if erasure, often no real erasure • Problem: logfiles+temporary files are often not taken into account – even in privacy assessment Privacy & data protection by design – cross-over of disciplines

  13. www.datenschutzzentrum.de Challenge 2a: Linkability by default • Principle in I T: � Keep accurate data � Avoidance of redundancies in databases � Naïve approach: central world-wide database of all subjects/objects + access control / different views • Problem: difficult for desired separation of powers (and separation of purposes) ⇒ risk • Problem: real life Privacy & data protection by design – cross-over of disciplines www.datenschutzzentrum.de pseudonymised Example: 2006: AOL publishes anonymised -------------- search engine requests of 3 months Quelle: http://www.lunchoverip.com/2006/08/being_user_4417.html Privacy & data protection by design – cross-over of disciplines

Recommend

EU Art.29 Data Protection Users care about privacy Working Party From: Special Eurobarometer

EU Art.29 Data Protection Users care about privacy Working Party From: Special Eurobarometer

28/05/15 Outline Data privacy and the evolving regulation Privacy threats from LBS to geoSN EveryWare Lab Main (location) privacy protection techniques Data Management for Mobile Protecting geo-tagged resource publication

411 views • 7 slides
#MicroFocusCyberSummit Cloud-based Data Privacy and Protection Protecting data and privacy

#MicroFocusCyberSummit Cloud-based Data Privacy and Protection Protecting data and privacy

#MicroFocusCyberSummit Cloud-based Data Privacy and Protection Protecting data and privacy across hybrid IT Farshad Ghazi - Moderator Mat Spitz Lacy Gruen #MicroFocusCyberSummit Reiner Kappenberger Cloud-based Data Privacy and Protection:

455 views • 10 slides
Privacy by Design Deirdre K. Mulligan Privacy by design, why now? Legal Drivers E- Government

Privacy by Design Deirdre K. Mulligan Privacy by design, why now? Legal Drivers E- Government

Privacy by Design Deirdre K. Mulligan Privacy by design, why now? Legal Drivers E- Government Act of 2002 and OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 Resolution on Privacy by Design, Data Protection

556 views • 41 slides
Big Data, Key Challenges: Privacy Protection & Cooperation Observations on international

Big Data, Key Challenges: Privacy Protection & Cooperation Observations on international

Big Data, Key Challenges: Privacy Protection & Cooperation Observations on international efforts to develop frameworks to enhance privacy while realising big datas benefits Seminar arranged by the Office for Personal Data Protection, Macao,

305 views • 8 slides
Privacy and Data Protection Designing for Privacy Tobias Pulls CC-BY-4.0 Privacy is a Human

Privacy and Data Protection Designing for Privacy Tobias Pulls CC-BY-4.0 Privacy is a Human

Privacy and Data Protection Designing for Privacy Tobias Pulls CC-BY-4.0 Privacy is a Human Right (1/2) From the United Nations Universal Declaration of Human Rights: Article 12 No one shall be subjected to arbitrary interference with his

338 views • 7 slides
From Privacy Protection to Interface Design: Implementing Information Privacy in Human-Computer

From Privacy Protection to Interface Design: Implementing Information Privacy in Human-Computer

From Privacy Protection to Interface Design: Implementing Information Privacy in Human-Computer Interactions Andrew S. Patrick Steve Kenny Independent Consultant National Research Council of Canada stephen_mh_kenny@yahoo.com

407 views • 22 slides
Web and privacy Privacy and protection of personal data specific purpose (to collect and

Web and privacy Privacy and protection of personal data specific purpose (to collect and

Web and privacy Industrial perspectives on Cryptography A. Esterle - ENISA Antwerp 29 May 2008 www.enisa.europa.eu Web and privacy Privacy and protection of personal data specific purpose (to collect and process it) subject

732 views • 7 slides
Privacy & Data Protection Laws Overview and History Introduction to Privacy and the GDPR

Privacy & Data Protection Laws Overview and History Introduction to Privacy and the GDPR

Privacy & Data Protection Laws Overview and History Introduction to Privacy and the GDPR Simone Fischer-Hbner CC-BY-4.0 Privacy Legislation - History 1950 Art. 8 ECHR: Everyone has the right to respect for his private and family

413 views • 4 slides
Data Protection and Privacy & Impact of Personal Data Protection Bill (PDPB) 1 November, 2019

Data Protection and Privacy & Impact of Personal Data Protection Bill (PDPB) 1 November, 2019

CONSUMER AWARENESS WORKSHOP on Data Protection and Privacy & Impact of Personal Data Protection Bill (PDPB) 1 November, 2019 Kolkata OBJECTIVE Engage with the consumer and civil society organisations (CSOs) in tier II locations to

623 views • 50 slides
Engineering privacy by design Privacy by Design Let's have it! Information and Privacy

Engineering privacy by design Privacy by Design Let's have it! Information and Privacy

Engineering privacy by design Privacy by Design Let's have it! Information and Privacy Commissioner of Ontario https://www.ipc.on.ca/images/resources/7foundationalprinciples.pdf Privacy by Design Let's have it! Article 25 European

1.32k views • 118 slides
Privacy, Data Protection Law and Privacy, Data Protection Law and Flow Data Anonymisation

Privacy, Data Protection Law and Privacy, Data Protection Law and Flow Data Anonymisation

Privacy, Data Protection Law and Privacy, Data Protection Law and Flow Data Anonymisation Anonymisation: : Flow Data requirements, issues, and challenges requirements, issues, and challenges Elisa Boschi , Elisa Boschi , Hitachi Europe

507 views • 15 slides
Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in vehicular networks; Security and Cooperation in Wireless Networks Georg-August University Gttingen Chapter outline 1 Important privacy related

1.12k views • 33 slides
Data Privacy/Cybersecurity 2019-2020 How do we ensure protection of f student and staff data?

Data Privacy/Cybersecurity 2019-2020 How do we ensure protection of f student and staff data?

Data Privacy/Cybersecurity 2019-2020 How do we ensure protection of f student and staff data? What is Cybersecurity? The protection of Internet-connected systems and data from accidental damage, intentional attacks, or unauthorized access.

463 views • 19 slides
Cross-border Flow of Health Information: is Privacy by Design sufficient to obtain complete

Cross-border Flow of Health Information: is Privacy by Design sufficient to obtain complete

EUropean Best Information through Regional Outcomes in Diabetes Cross-border Flow of Health Information: is Privacy by Design sufficient to obtain complete and accurate data for Public Health in Europe? The case of BIRO/EUBIROD Diabetes

325 views • 20 slides
Paradigms of Privacy Research & Privacy Engineering Seda Grses f.s.gurses@tudelft.nl TU

Paradigms of Privacy Research & Privacy Engineering Seda Grses f.s.gurses@tudelft.nl TU

Paradigms of Privacy Research & Privacy Engineering Seda Grses f.s.gurses@tudelft.nl TU Delft/ KU Leuven 18. June 2019 GDPR requires data protection by design and by default (Article 25) A complex law with many requirements. More

950 views • 58 slides
Frederik Borgesius 21 Nov 2014, W3C Workshop Defending Privacy Empowerment Protection

Frederik Borgesius 21 Nov 2014, W3C Workshop Defending Privacy Empowerment Protection

Frederik Borgesius 21 Nov 2014, W3C Workshop Defending Privacy Empowerment Protection Defending Privacy Empowerment Protection Transparency Firms must always Informed consent secure personal data Consumer law Empowerment Protection

543 views • 10 slides
Privacy by Design A technical perspective Carmela Troncoso Gradiant The usual privacy

Privacy by Design A technical perspective Carmela Troncoso Gradiant The usual privacy

PR eparing I ndustry to P rivacy-by-design by supporting its A pplication in RE search Privacy by Design A technical perspective Carmela Troncoso Gradiant The usual privacy scenario Protect personal data from third parties Data

359 views • 9 slides
Data Privacy Compliance in Global Transactions: Navigating Complex Data Protection Laws in U.S.,

Data Privacy Compliance in Global Transactions: Navigating Complex Data Protection Laws in U.S.,

Presenting a live 90-minute webinar with interactive Q&A Data Privacy Compliance in Global Transactions: Navigating Complex Data Protection Laws in U.S., Europe and Asia WEDNESDAY, MARCH 5, 2014 1pm Eastern | 12pm Central | 11am

524 views • 41 slides
Top Mistakes in System Design from a Privacy Perspective Marit Hansen January 29, 2013

Top Mistakes in System Design from a Privacy Perspective Marit Hansen January 29, 2013

Top Mistakes in System Design from a Privacy Perspective Marit Hansen January 29, 2013 privtech12, Gteborg www.datenschutzzentrum.de Overview The legal perspective of privacy and data protection Top mistakes in system design from a

881 views • 65 slides
Government and Big Data: Privacy Risks and Solutions Ontarios Access and Privacy Laws The

Government and Big Data: Privacy Risks and Solutions Ontarios Access and Privacy Laws The

Brian Beamish Information and Privacy Commissioner of Ontario January 26, 2017 Government and Big Data: Privacy Risks and Solutions Ontarios Access and Privacy Laws The Freedom of Information and Protection of Privacy Act (FIPPA) o

356 views • 17 slides
AI in Healthcare: Privacy & Ethics considerations Ivana Bartoletti Head of Privacy, Data

AI in Healthcare: Privacy & Ethics considerations Ivana Bartoletti Head of Privacy, Data

AI in Healthcare: Privacy & Ethics considerations Ivana Bartoletti Head of Privacy, Data Protection and Ethics Contents Privacy in the Digital age: main issues Ethics: definitions and background Privacy challenges in Health

713 views • 23 slides
PRIVACY POLICY IN INDONESIA AND MALAYSIA: FROM DIGITAL ECONOMY TO PERSONAL DATA PROTECTION LAWS

PRIVACY POLICY IN INDONESIA AND MALAYSIA: FROM DIGITAL ECONOMY TO PERSONAL DATA PROTECTION LAWS

PRIVACY POLICY IN INDONESIA AND MALAYSIA: FROM DIGITAL ECONOMY TO PERSONAL DATA PROTECTION LAWS The 3 rd Asia Privacy Bridge Forum @Seoul 27-06-2017 Dr. Sonny Zulhuda Civil Law Department Ahmad Ibrahim Kulliyyah of Laws International Islamic

188 views • 15 slides
PIA is a Process Designing for Privacy Leonardo H. Iwaya CC-BY-4.0 What is Data Protection

PIA is a Process Designing for Privacy Leonardo H. Iwaya CC-BY-4.0 What is Data Protection

PIA is a Process Designing for Privacy Leonardo H. Iwaya CC-BY-4.0 What is Data Protection Impact Assesment? Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and

103 views • 8 slides
1 A Critical Analysis of Privacy Design Strategies Michael Colesky Our Goals 1: Translate data

1 A Critical Analysis of Privacy Design Strategies Michael Colesky Our Goals 1: Translate data

1 A Critical Analysis of Privacy Design Strategies Michael Colesky Our Goals 1: Translate data protection legislation into architectural goals which system engineers can understand 2: Make these goals achievable to help them actually happen

466 views • 14 slides

More recommend