IBM Global Services
Privacy Technology and the Public Sector
CACR Conference
November 6, 2003
© 2003 IBM Corporation
Public Sector Privacy Issues - Architecture and Technology Drivers
- Reactive vs. Proactive
  - PIAs are well established and useful, but essentially a reactive tool
  - Privacy architecture helps move to a proactive stance
- Governed by public legislation, but held to the highest standard
  - Expectation that PIPEDA is a minimum
  - Arguably must also offer the privacy functionality of the private sector
- Contention between e-government initiatives and privacy
  - Provide convenience and efficiency without sharing or consolidating data
  - The public expects both, but there is a limited concept of choice and individual customization in existing services (act by legislative authority vs. consent)
  - Privacy architecture can provide guidance/solutions
  - Privacy technology can help manage the complexity and reduce risk
Business Strategy can change the Privacy Dynamic
[Figure: a spectrum of business relationship types (Transaction, OTR, Service, Enterprise+, Customized, Personalized) running from increased growth & profitability towards trust; the further along the spectrum, the greater the trust, compliance & assurance challenge.]
- Increased Emphasis on Consent
  - Increased secondary use of data means increased focus on purpose and consent
- Individual Comfort Levels
  - Privacy is individual, dynamic, context sensitive and culturally influenced
- Implications for Enterprise Processes and IT Infrastructure
  - Superior data management, data ownership, educated employees
  - Universal opt-in/out, individual access and update of data
- Mistakes can Damage or Destroy Brand
  - The more sensitive the data, the higher the potential damage to the individual
  - A mistake by a business partner still affects your brand
EPA Components
- Management Infrastructure (Strategy, Controls, Practices):
  - Strategy: embedding business rules/best practices into policy
  - Controls: supporting and ensuring general policy compliance
  - Practices: privacy-specific enterprise enablers
- Business Activities (Data, Objects, Rules):
  - Business process analysis (PIA) and optimization
  - Mapping key players, rules and data
  - Embedding policy into process and applications
  - Minimizing risk, leveraging opportunities
- Supporting Technology (Technical Architecture):
  - Identifying where technology is appropriate
  - Providing the parameters for technical implementations
IBM Copyright 2001-2003
EPA - Management Infrastructure
[Figure: the management infrastructure components, arranged around the Privacy Policy (and Practices):]
- Privacy Policy (and Practices)
- Security Policy
- Requirements Process
- Information Classification & Control Program
- Compliance Process
- Organizational Roles & Responsibilities
- Education Program
- Privacy Statement
- Customer Preference Process
- Individual Access Process
- Contact & Dispute Process
- External Communication Program
- Information Access Controls
- Retention Management Program
Management Infrastructure - mapping to PIPEDA
[Matrix: each management infrastructure component (rows) is marked against the PIPEDA principles it supports (columns). The individual cell marks are not recoverable from the extraction; the row and column labels were:]
Columns (PIPEDA principles):
1. Accountability
2. Purpose
3. Consent
4. Collection
5. Use
6. Accuracy
7. Safeguards
8. Openness
9. Access
10. Recourse
Rows (components):
- Privacy Policy (& Practices)
- Security Policy
- Requirements Process
- Information Classification & Controls Program
- Compliance Process
- Organizational Roles & Responsibilities
- Education Program
- Privacy Statement
- Customer Preferences Process
- Individual Access Process
- Contact & Dispute Process
- External Communications Program
- Information Access Controls
- Retention Management Program
Process Model
The Process Model optimizes PI handling processes for privacy.
- Process Mapping: data collection and storage; data types; law, regulations, privacy agreements, preferences, consent; uses, disclosures, retention
- Risk Analysis: adherence to policy; threats; vulnerabilities
- Optimization and Risk Mitigation: security controls; contractual and audit measures; data transformation opportunities; limiting collection, use, disclosure
[Data-flow figure; recoverable labels: 1a. Collection and 1b. Control involve the Data Subject (or Guardian or Authority), whose actions are give consent, update, access and withdraw consent; 2. Personalized use, 3. De-Identified use and 4. Anonymized use involve the Data User ("request ... authorization, obligation"). Data objects carry their rules ("form = data + rules"), and the privacy-relevant actions on them are release, delete, anonymize, notify, utilize, disclose, de-identify and re-identify.]
Key concepts:
- Sticky Policy Paradigm
- Data Classification
- Data Transformation
- Dynamic Rules, Obligations
- Privacy Relevant Actions
PIA Tool Reports
[Screenshots of PIA tool reports; not recoverable from the extraction.]
Passive vs. Active Privacy Technology
- Passive Privacy Technology
  - Design and implementation decisions that support privacy objectives
  - Examples:
    - User Interface Design
    - PII storage and transmission decisions
  - EPA Technical Architecture: Design and Implementation Guidance
  - ==> Design Privacy "in" Now
- Active Privacy Technology
  - Specialized components or functions that dynamically react to ensure transactions are compliant with privacy policy
  - Examples:
    - Privacy policy display and interpretation (ex: P3P)
    - Audit tools such as privacy-tuned web scanners (ex: Watchfire)
    - Privacy enhanced access control (ex: Tivoli Privacy Manager)
  - EPA Technical Architecture: Component Model for Active Privacy
  - ==> Prepare for Privacy Enhancing Technology Now
Passive Privacy Design and Implementation Guidance
- EPA Technical Architecture Provides Guidance on:
  - Application Design
  - User Interface Design
  - Database Design
  - Logging, Retention and Audit
  - Authentication, Authorization and Identity Management
  - Classification Schemes
  - Architectural Concepts
  - Specific technology issues, ex: Biometrics, Smartcards
- Value
  - Can be built into IT development cycle checkpoints
  - Can be built into IT procurement/acquisition criteria
  - Can be used in audit procedures
Active Privacy Requirements
- Privacy rules for data access:
  - Purpose
  - Consent
  - Obligations
- "Sticky Policy Paradigm" - policy sticks to data, not resources
- Communication, Interpretation, Negotiation of Privacy Policy
- Personal access to information and tracking use, disclosure etc.
- Real-time transformation of data to less identified forms
- Managing fulfillment of obligations
- Pseudonymous and anonymous interactions
- Anonymous assertions
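The following is an added example, not code from the slides and not an IBM EPA or Tivoli Privacy Manager API. It puts the Active Privacy Requirements above and the Process Model's "form = data + rules" idea into working form: a record carries its own rules (purpose, whether consent is needed, the permitted data form, obligations), a decision function checks them at access time, transforms the record to a de-identified or anonymized form when that is all the purpose permits, logs every decision and queues obligations for permitted uses. All purposes, field names, the pseudonym key, the record and the requester names are constructed for illustration.

```python
"""Added example: a minimal 'sticky policy' decision point (constructed; not
an IBM EPA / Tivoli component). Rules travel with the data, a decision step
checks purpose and consent, and data is transformed to a less identified form
when the purpose only permits that."""
import hashlib
from dataclasses import dataclass, field

DIRECT_IDENTIFIERS = ("name", "address", "email")  # assumed classification scheme
PSEUDONYM_KEY = b"example-key-rotate-me"           # constructed; a real key lives elsewhere


@dataclass(frozen=True)
class Rule:
    purpose: str             # purpose for which access may be requested
    needs_consent: bool      # False when the use rests on legislative authority
    form: str                # "identified", "de-identified" or "anonymized"
    obligations: tuple = ()  # actions owed after a permitted use


@dataclass
class PersonalData:
    """A PI record with its policy attached: form = data + rules."""
    subject_id: str
    fields: dict
    rules: tuple
    consents: set = field(default_factory=set)  # purposes the subject agreed to


def de_identify(record):
    """Drop direct identifiers and replace the subject id with a keyed pseudonym,
    so re-identification needs PSEUDONYM_KEY (held by the credential service)."""
    pseudonym = hashlib.blake2b(record.subject_id.encode(), key=PSEUDONYM_KEY,
                                digest_size=8).hexdigest()
    data = {k: v for k, v in record.fields.items() if k not in DIRECT_IDENTIFIERS}
    data["pseudonym"] = pseudonym
    return data


def anonymize(record):
    """Keep only coarse attributes; nothing links the result back to the subject."""
    return {
        "postal_area": record.fields["postal_code"][:3],
        "birth_decade": record.fields["birth_year"] // 10 * 10,
        "program_status": record.fields["program_status"],
    }


TRANSFORMS = {
    "identified": lambda r: dict(r.fields),
    "de-identified": de_identify,
    "anonymized": anonymize,
}


def decide(record, requester, purpose, audit_log, obligation_queue):
    """Evaluate an access request against the rules stuck to the record.
    Returns (allowed, data); always appends an audit entry; queues the rule's
    obligations only when the use is permitted."""
    rule = next((r for r in record.rules if r.purpose == purpose), None)
    if rule is None:
        allowed, data, reason = False, None, "no rule for purpose"
    elif rule.needs_consent and purpose not in record.consents:
        allowed, data, reason = False, None, "consent required and not given"
    else:
        allowed, data, reason = True, TRANSFORMS[rule.form](record), "permitted as " + rule.form
        for action in rule.obligations:
            obligation_queue.append((action, record.subject_id, requester, purpose))
    audit_log.append({"requester": requester, "purpose": purpose,
                      "subject": record.subject_id, "allowed": allowed, "reason": reason})
    return allowed, data


# Constructed sample record: a benefits file in a public-sector program.
SAMPLE = PersonalData(
    subject_id="S-1001",
    fields={"name": "A. Example", "address": "12 Sample St", "postal_code": "K1A0B1",
            "birth_year": 1975, "program_status": "active"},
    rules=(
        Rule("service-delivery", needs_consent=False, form="identified"),  # legislative authority
        Rule("research", needs_consent=True, form="de-identified", obligations=("notify-subject",)),
        Rule("statistics", needs_consent=False, form="anonymized"),
    ),
    consents={"research"},
)


def run_demo():
    """Four requests against SAMPLE; returns the decisions, audit log and obligation queue."""
    audit, obligations = [], []
    results = {}
    for purpose in ("service-delivery", "research", "statistics", "marketing"):
        requester = "caseworker" if purpose == "service-delivery" else "analyst"
        results[purpose] = decide(SAMPLE, requester, purpose, audit, obligations)
    return results, audit, obligations


if __name__ == "__main__":
    results, audit, obligations = run_demo()
    for purpose, (allowed, data) in results.items():
        print(f"{purpose:17s} allowed={allowed} data={data}")
    print("audit entries:", len(audit), "obligations:", obligations)
```

Running the block shows the four outcomes the slide implies: the caseworker sees the identified record, the analyst's research use (consented) gets a pseudonymous record without name or address, the statistics use gets only coarse attributes, and a purpose with no rule is refused; every request leaves an audit entry and only the research use queues a "notify-subject" obligation. Withdrawing consent (emptying `consents`) turns the research request into a refusal without touching the rule set, which is the point of binding consent to the data rather than to the resource.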
IBM Enterprise Privacy Architecture (EPA)
[Component diagram; structure recovered from the extraction:]
Actors: Data Subject, Other Enterprises, Data Users, Enterprise Applications
Directory and Security Sub-System (these components map identity, facilitate pseudonymous interaction and use of assertions etc.):
- PAE: Privacy-Enabled Authentication
- IP: Identity Protection
- AAE: Attribute Exchange Engine
- PECS: Privacy Enabled Credential Service
- Credential EPD, Mappings EPD
- Flows: Register/Issue Assertion; Request/Prove Assertion; Exchange PII Attributes
User Interaction Sub-System (these components interact with users to present policies, gain consent, accept requests etc.):
- PPNS: Policy Presentation/Negotiation Service
- UPAM: User Privacy Action Manager
- UPCM: User Privacy Contact Manager
- Flows: Present/negotiate policy; Notice or consent request; Access/update to stored PII; PII Submit and Access Requests; Request Consent, Post Notice; generalized request information; ask for additional data
Privacy Data Handling Sub-System (these components enforce privacy policy for PI access, check consent and transform PI):
- PDM: Privacy Decision Manager
- PERM: Privacy Enabling Resource Manager
- PTE: Privacy Data Transformation Engine
- Deployment Engine
- Web Data EPD, Legacy Data EPD
- Flows: Get policy; decision; Store Identifiers; Get PII; data; Results / Transformed Data; Log privacy decisions; Replicate policies + deployment + consent
Privacy Services Sub-System (these components manage policy, audit logs and obligations):
- PPM: Privacy Policy Manager
- PAAM: Privacy Action Audit Manager
- POES: Privacy Obligation Event Service
- Policy EPD, Consent EPD, Log EPD
- Flows: Log privacy event; Generate obligation actions; Obligation event notification
Support Tools Sub-System (these support tools indirectly support the active privacy components):
- Vulnerability Checker
- PII Discovery
- Log Analyzer
- Policy Editor
Relationship to Privacy Principles
[The EPA component diagram from the previous slide with privacy principles overlaid. Placements as far as the extraction order allows:]
- Security Safeguards: IP: Identity Protection and PAE: Privacy-Enabled Authentication
- Collection Limitation: PECS: Privacy Enabled Credential Service and AAE: Attribute Exchange Engine
- Disclosure Limitation: Directory and Security Sub-System
- Openness: PPNS: Policy Presentation/Negotiation Service
- Access: UPAM: User Privacy Action Manager
- Data Quality: UPCM: User Privacy Contact Manager
- Consent and Purpose Specification: PDM: Privacy Decision Manager
- Compliance: Support Tools Sub-System (Vulnerability Checker, PII Discovery, Log Analyzer, Policy Editor)
- Use Limitation: PTE: Privacy Data Transformation Engine and PERM: Privacy Enabling Resource Manager
- Accountability: PAAM: Privacy Action Audit Manager
- Retention Limitation: POES: Privacy Obligation Event Service
Relationship to Tivoli Privacy Manager
[The EPA component diagram with Tivoli Privacy Manager overlaid. Recoverable from the extraction:]
- Tivoli Privacy Manager labels cover the policy and decision components (PPM: Privacy Policy Manager, PDM: Privacy Decision Manager), the audit component (PAAM: Privacy Action Audit Manager) and the Support Tools Sub-System (Log Analyzer, Policy Editor, Policy Wizard); a Monitor component also appears.
- PPNS: Policy Presentation/Negotiation Service publishes the P3P Policy.
- The remaining components (PAE, IP, AAE, PECS, UPAM, UPCM, PERM, PTE, Deployment Engine, POES) and their flows are as on the EPA diagram.
Website Privacy Compliance
- Description
  - A review of an enterprise's website privacy management practices, to create trust among website users by ensuring that appropriate privacy and security measures are taken and are visible to the user
  - Use of a best-of-breed automated platform to test for privacy compliance
- Deliverable
  - A comprehensive, web-based report identifying:
Questions??? .... please