Privacy policy
  • One of the earliest definitions of privacy, as defined by Warren and Brandeis, has been the right of an individual to be left alone and to be able to control the flow of information about him or herself. Concern about privacy is not a recent development as businesses have collected customer information for years.
  • Privacy can be defined in multiple ways. Privacy is the ability of a person to control the availability of information about her as well as its exposure to malicious entities. It relates to being able to function in society anonymously. However, a more complete definition could be stated as: an individual's or organization's right to determine whether, when and to whom personal or organizational information is to be released. An alternative characterization defines privacy as the claim of individuals to determine for themselves when, how and to what extent information about them is communicated to others.
  • The fast progress in networking and storage technologies has led to an enormous amount of digital information getting stored in a centralized manner. This process has been accompanied by an increase in specialized tools that are able to collect this data, efficiently store it in databases, and efficiently retrieve information that could not otherwise have been located in an obvious way. This explosive growth in digital data storage has brought about an increased concern about the privacy of personal information.
  • Security and privacy have often been used interchangeably in the literature due to their apparently similar characteristics. However, security and privacy are two different requirements. Privacy is concerned with an individual's Personally Identifiable Information (PII), whereas security pertains to access to an organization's information and focuses on the organization's systems. Security deals with the prevention and detection of unauthorized actions by users.
  • Privacy policy

    1. WELCOME TO "THE WORLD STATISTICS DAY" @ "CONVERGENCE 2010"
    2. Privacy Policy – Prof. S. K. Gupta, IIT Delhi
    3. What's Privacy? The right "to be let alone" – Samuel Warren and Louis Brandeis, Harvard Law Review, 1890
    4. Informational Privacy: "The claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others." – Allan Westin, Privacy and Freedom (1967)
       • Normally only applied to "individuals"
       • Implemented through "fair information practices"
    5. Who invades privacy?
       • The government (central, state, local)
       • Companies you do business with – online, catalogs, retail stores, airlines, NFL (Super Bowl)
       • Companies you don't do business with
       • Employers
       • Anyone else who wants to know about you
    6. Why is privacy important?
       • Legal liability if not protected – examples
       • Competitive advantage: trade secrets, customer lists and preferences, databases
       • Embarrassment
       • Protects job, insurance, safety, and identity
       • Some things are just private
    7. Types of privacy invasions
       • Medical (hospitals, doctors, insurance, drug companies)
       • Financial (banks, credit cards)
       • Political (law enforcement, profiling)
       • Online (Web sites, spammers, software companies)
       • Children's privacy (Web sites, entertainment media, game makers, candy companies)
    8. Web link: http://www.indianairlines.in/index.asp
    9. Web link: http://www.indianairlines.in/scripts/privacy.aspx
    10. Comparison of privacy policies

       Criterion                                                        Site1  Site2  Site3  Site4
       Detailed description of how user data will be used               X      Y      Y      Y
       Data retention                                                   X      X      Y      Y
       Showing explicitly whether it follows the Safe Harbor Program    X      X      Y      Y
       Provides users a choice                                          X      X      Y      Y
       Third-party data sharing                                         X      X      Y      Y
       How much data is secured                                         X      X      Y      Y

    11. Privacy Policy of Amazon. Web link: http://www.amazon.com/gp/help/customer/display.html/105-3430781602013?ie=UTF8&nodeId=468496
    17. Web link: http://www.google.co.in/intl/en/privacypolicy.html
    18. I.T. Understanding of Privacy: Is Privacy = Confidentiality = Security? Not so.
    19. Security vs. Privacy in IT
       • Privacy: maintaining ownership of data (contains risk and may lead to an IT / non-IT security violation)
       • Security: degradation of service or functionality
    20. Security vs. Privacy in IT – examples (S = Security, P = Privacy)
       • S P: Authentication information like password
       • S P: Reading marks of other student
       • Tampering with user data
       • Knowing the name of a social institution
    21. Privacy Act of 1974
       • Applies to federal agencies
       • "No agency shall disclose any record … to any person, or to another agency, except … with the prior written consent of, the individual to whom the record pertains, unless disclosure of the record would be -- … used solely as a statistical research or reporting record, and the record is to be transferred in a form that is not individually identifiable" (not a defined term)
       • Restriction on "matching programs" – any computerized comparison of -- (i) two or more automated systems of records … [certain exceptions]
    22. Gramm-Leach-Bliley
       • Except as … authorized …, you may not, directly or through any affiliate, disclose any nonpublic personal information about a consumer to a nonaffiliated third party unless: (i) you have provided to the consumer an initial notice as required; (ii) you have provided to the consumer an opt-out notice; (iii) you have given the consumer a reasonable opportunity, before you disclose the information to the nonaffiliated third party, to opt out of the disclosure; and (iv) the consumer does not opt out.
       • Applies to "financial institutions," a very broad category
    23. What Gramm-Leach-Bliley Protects
       • "Nonpublic personal information" means: (i) personally identifiable financial information; and (ii) any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.
       • "Personally identifiable financial information" means any information: (i) a consumer provides to you to obtain a financial product or service; (ii) about a consumer resulting from any transaction involving a financial product or service between you and a consumer; or (iii) you otherwise obtain about a consumer in connection with providing a financial product or service to that consumer.
    24. What HIPAA Provides
       • A covered entity may not use or disclose protected health information, except as permitted or required … pursuant to … a consent … to carry out treatment, payment, or health care operations; pursuant to … an authorization; pursuant to … an agreement (opt-in); [other provisions]
       • Health information that meets … specifications for de-identification … is considered not to be individually identifiable health information
    25. What HIPAA Protects
       • "Individually identifiable health information" is information that is a subset of health information, including demographic information collected from an individual, and: … relates to … physical or mental health or condition of an individual; … provision of health care to an individual; or … payment for … health care to an individual; and identifies the individual; or with respect to which there is a reasonable basis to believe the information can be used to identify the individual
    26. Hippocratic Database
       • A database that includes privacy as a central concern
       • Inspired by the Hippocratic Oath, which serves as the basis of the doctor-patient relationship
    27. Key Concept: Purpose
       • Data is collected for a specific purpose
       • The purpose should be stored with the data
       • The purpose limits how the data can be used
    28. Online Bookseller Example – collects and stores personal information:
       • To complete the transaction and track the order
       • To make book recommendations based on purchase history
       • To maintain profiles for frequent users
       • To publish book sales by region of the country
    29. Purpose Specification: The purpose for which the personal information was collected shall be stored with that information. Example: the online bookseller needs personal information for purchases, book recommendations, etc.
    30. Consent: The purpose for which the personal information was collected shall have the consent of the donor. Example: the individual must consent for the purchase, but can opt in or opt out of recommendations.
    31. Limited Collection: The personal information collected shall be limited to the minimum necessary to accomplish the specified purpose. Example: the credit card number is not needed if the purpose is registration.
    32. Limited Use: The database shall allow only those queries that are consistent with the specified purpose. Example: a query for book recommendations cannot reference the shipping address.
    33. Limited Disclosure: The personal information shall not be distributed for purposes other than those for which there is donor consent. Example: the delivery company does not need to know the credit card number.
    34. Accuracy: The personal information stored in the database should be accurate and up-to-date. Example: verify that the shipping address is valid and current prior to commit.
    35. Limited Retention: The personal information shall be retained only as long as necessary to fulfill the purpose for which it was collected. Example: once the purchase is complete/confirmed, credit card numbers are no longer needed.
    36. Safety: The personal information shall be protected by security safeguards against theft and other misappropriation. Example: individuals will be authenticated; sensitive information will be encrypted.
    37. Openness: The donor shall be able to access all information about him/her stored in the database. Example: the individual can look at their purchase history and/or user profile.
    38. Compliance: The donor shall be able to verify compliance with the stated policy, and the database shall be able to address any challenges. Example: log all accesses to show who had access to what and when.
    39. Strawman Design
       • Map the privacy policy to a privacy-policies table; map the access control policy to a privacy-authorizations table
       • Compare the privacy policy to the user's privacy preferences; users can opt in or opt out of each purpose; keep an audit trail as proof of the user's consent
       • Check data for accuracy before or after insertion
       • Before query: check that the attributes in the query are listed for that purpose
       • During query: access to individual tuples of a table is restricted by purpose; queries have a purpose and tuples have a purpose; do not return tuples where query purpose ≠ tuple purpose
       • After query: look for unusual patterns of access that are not typical for that purpose and that user; add the query to the audit trail in order to show who had access to what and when
       • Delete data that has outlived its purpose; if the same data is collected for more than one purpose, use the maximum retention period
    40. Questions?
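The strawman design of slides 27 to 39, as an added example that is not from the slides or from any Hippocratic-database implementation: a toy purpose-aware query layer for the online-bookseller example, with a privacy-policies table, purpose-tagged tuples, the before/during/after query checks, an audit trail and limited retention. The purposes, attribute sets, retention periods and sample rows are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Privacy-policies table for the online-bookseller example (constructed):
# purpose -> attributes that a query issued for that purpose may reference.
PRIVACY_POLICIES = {
    "purchase": {"name", "shipping_address", "credit_card", "order"},
    "recommendations": {"name", "order"},  # Limited Use: may not see shipping_address
    "shipping": {"name", "shipping_address", "order"},  # courier never sees the card
}
# Retention (days) per purpose; a tuple held for several purposes keeps the maximum.
RETENTION_DAYS = {"purchase": 0, "recommendations": 365, "shipping": 30}

# Constructed sample tuples; "purposes" records what each donor consented to.
ROWS = [
    {"purposes": {"purchase", "shipping", "recommendations"}, "collected": 0,
     "name": "Alice", "shipping_address": "1 Main St", "credit_card": "4111-xxxx", "order": "B123"},
    {"purposes": {"purchase", "shipping"}, "collected": 10,  # opted out of recommendations
     "name": "Bob", "shipping_address": "2 High St", "credit_card": "5500-xxxx", "order": "B456"},
]

class PurposeViolation(Exception):
    """Raised when a query references attributes not listed for its purpose."""

@dataclass
class HippocraticDB:
    rows: list
    audit_trail: list = field(default_factory=list)

    def query(self, user, purpose, attributes):
        # Before query: every requested attribute must be listed for the purpose.
        denied = set(attributes) - PRIVACY_POLICIES.get(purpose, set())
        if denied:
            self.audit_trail.append((user, purpose, tuple(attributes), "DENIED"))
            raise PurposeViolation(f"{sorted(denied)} not permitted for purpose {purpose!r}")
        # During query: return only tuples whose purposes include the query purpose,
        # projected to the requested attributes (query purpose must match tuple purpose).
        result = [{a: r[a] for a in attributes} for r in self.rows if purpose in r["purposes"]]
        # After query: record who had access to what (and how many tuples) for compliance checks.
        self.audit_trail.append((user, purpose, tuple(attributes), len(result)))
        return result

    def expire(self, today):
        # Limited retention: delete tuples that have outlived the longest retention
        # period among their purposes ("today" and "collected" are day numbers).
        def expired(r):
            return today - r["collected"] > max(RETENTION_DAYS[p] for p in r["purposes"])
        before = len(self.rows)
        self.rows = [r for r in self.rows if not expired(r)]
        return before - len(self.rows)
```

The denied-access entries in the audit trail are what the "after query" step of the design would scan for access patterns that are atypical for a purpose or a user.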