Balancing Security Privacy Concerns Juvenile Justice
Published in: Technology, News & Politics
Transcript

  • 1. Balancing Security & Privacy Concerns in Juvenile Justice: Confidentiality vs. Need to Know 2007 Symposium on Juvenile Information Sharing August 14, 2007 Susan Laniewski
  • 2. The Balancing Act • Justice Integration requires that data security is added as a factor to privacy and confidentiality concerns when planning a JJIS • Initial JJIS efforts have produced Policies and Procedures that work – and some that do not work • How can Data Security Tools help us protect JJIS Privacy?
  • 3. “Information Technology pervades all aspects of our daily lives, of our national lives. Its presence is felt almost every moment of every day, by every American. It pervades everything from a shipment of goods, to communications, to emergency services, and the delivery of water and electricity to our homes. All of these aspects of our life depend on a complex network of critical infrastructure information systems. Protecting this infrastructure is critically important. Disrupt it, destroy it or shut it down these information networks, and you shut down America as we know it and as we live it and as we experience it every day. We need to prevent disruptions; and when they occur, we need to make sure they are infrequent, short and manageable. This is an enormously difficult challenge. It is a technical challenge, because we must always remain one step ahead of the hackers.” Tom Ridge, Director of Homeland Security (October 21, 2001)
  • 4. Why Examine Privacy/Security in JJIS? • Cost-effectiveness • Transparency • Public Trust Bottom Line: The success of your information collection program can hinge on your handling of privacy protection, i.e., data security policies and practices
  • 5. The Balancing Act with Juvenile XML • The goal is to think about privacy of information needs BEFORE AND DURING the development of information technology systems or changes to an existing system (XML)… not AFTER INSTALLATION! – The system must collect information in identifiable form about individuals – The system must understand rights and confidentiality of Juveniles when this data is shared – The system must offer protections to ensure security once in operation
  • 6. Keys to Balancing Privacy & Security • What information is collected? – Describe in detail the type of data being collected – Identify who collects the data and the source – Validate the source of the data as well as refresh rate and audit process • Why is the information being collected? – Provide the authorities (statutory or otherwise) authorizing collection – Review the currency of the authority • What is the intended use of the information? – Clearly define how the information collected will be used by various agencies (investigation, reporting, prediction) – Justify residency of the data in the JJIS based upon type and use (statistical, anecdotal, case files)
  • 7. Keys to Balancing Privacy & Security (continued...) • Who will have access to the system? – Describe all the public and private sector, including public access to the JJIS – What other systems are operating on the same infrastructure or network? – Intranet vs. Internet Accessible? • How is the information regulated? – Do individuals have the opportunity to decline to provide information or to consent to particular uses of their information? – Describe the mechanisms, if any, used to provide notice to individuals of the inclusion or availability of their data – Is the originating data source updated by JJIS? – What is the role of FOIA? – Are penalties and sanctions in existence and enforceable?
  • 8. Keys to Balancing Privacy & Security (continued...) • How will the information be secured? – What Audit Trails and Back Up processes will be put in place? – Where is the original record/transaction stored? (Physical security and paper records access) – How often are audit logs reviewed? – What virus, hacker proof, technical firewalls are in place? • Does the JJIS integrate the data and create a “Repository/Data Warehouse or Data Mart” of Information? – What are the Transaction Based vs. Repository Based procedures? • Costs and Time Requirements
  • 9. Privacy Rules by State Multiple guidelines exist at state and agency level to control and regulate data access and data security. Interagency memoranda and policies on data sharing do not always result in complementary confidentiality in the technical infrastructure
  • 10. Pre-existing “Restrictions” on Records We “Need” to Share • Vital records have specific rules • Juvenile data for healthcare and social services is segmentally addressed in specific applications that differ based on the record system data as “case based” vs. “client based” • Most privacy rules by state look at redaction of data or sealing records as security controls • Privacy and sharing rules seldom address automated data “links” and “joins” necessary for juvenile data
  • 11. Policies must result in Procedures with Achievable Parameters Collection Limitation: “The collection of personal information should be limited, should be obtained by lawful and fair means, and, where appropriate, with the knowledge or consent of the individual.” Use Limitation: “Personal information should not be disclosed or otherwise used for other than a specified purpose without consent of the individual or legal authority.” Data Quality: “Personal information should be relevant to the purpose for which it is collected, and should be accurate, complete, and current as needed for that purpose.” Disclosure Policy: “The purposes for the collection of personal information should be disclosed before collection and upon any change to that purpose, and its use should be limited to those purposes and compatible purposes.” Public Access: “The public should be informed about privacy policies and practices, and individuals should have ready means of learning about the use of personal information.” Security Safeguards: “Personal information should be protected with reasonable security safeguards against risks such as loss or unauthorized access, destruction, use, modification or disclosure”
  • 12. Openness “Changes in technology have usually provided the impetus for the evolution of the American concept of information privacy and privacy law.” FOIA vs. Juvenile, Victim, Witness Rights to Privacy • Risk of Disclosure vs. Criminal Closure • Routine Sharing – Ad Hoc Need to Know • Personal Safety vs. Rights of Others • HIPAA, FERPA, FOIA, PIA, SORN, FIP • What you don’t know can hurt you – but – I can’t tell you what you need to know
  • 13. Control Includes Accountability “Individuals controlling the collection or use of personal information should be accountable for taking steps to ensure the implementation of these principles.” Avoid the Case of “Legal Beagle vs. Technical Eagle” • Web Designers tend to control web page content • Technical Programmers/Coders understand system data linkages • Privacy Officers know legalities of data privacy/security • Non technical Executives may expect that only data viewable on the main page or intended links is viewable by the general public
  • 14. User Access Rights “Individuals should have the following rights: – to know about the collection of personal information – to access that information – to request correction – to challenge the denial of these rights.” Beware the “Google Factor” • Personnel Details • Account information • Address/location information • Password files • Detailed police reports/Registries • Photos
  • 15. Web Site “It is uncertain whether the increased access to information and the ability to relate disparate pieces of a person’s information result in a distorted and inaccurate picture of that person” “Informative not Invasive” • Remember the Web is non sectarian, non denominational, and WORLD WIDE Site • Public has a higher degree of web savvy than in the past • Data mining using the web is a moneymaker. Info for Sale • Identity Theft • Never discount the power of the “e-Press”! [Image callout: Digger, www.foundstone.com, Free Software ..Not for the faint of heart]
  • 16. Include Data Security in Action Plan • Project Life Cycle: Delivery of projects in a systematic, structured method. Project assessment, planning and execution. (Include in all Facets of Assessment and Planning) • Project Management Office: PMO serves as central point for tracking, reporting and management on all formal projects (Assign Security Monitoring Function) • Critical Path Matrix: Lists current projects with description, sponsor, status, milestone and delivery dates (Include Data Security Validation Milestones) • Annual Business Plan: Outlines Annual Projects and ensures alignment with Strategic Plan (Include Periodic Security Audit & Review) • Strategic Plan: Outlines Vision, Mission and Strategic Goals (Define Privacy Protection Goals) • Provides Strategic Vision, Policy, Governance and Budget Oversight (Include Policies and Costs)
  • 17. Measure, Monitor, Update and Revise • Don’t let your policies get stale – Ongoing Observation, Regular Measurements and Feedback on Breaches are essential – Observe the activities in terms of progress toward preferred results (Check that policy change) – Comparing progress to the preferred standards – Expect and prepare for “breaches”, data leaks, spammers, hackers by having a damage control process in place – Provide ongoing feedback to all concerned agencies and personnel (useful and timely information will ameliorate breaks, improper releases) – Publicize your processes and your successes • Don’t stop thinking about Tomorrow…
  • 18. Data Security Resources and Tools for JJIS • State & Federal Statutes, Rules, Policies • Individual State JJIS Efforts • OJJDP Guidelines for Sharing • Global • Others (NASCIO, NGA, Center(s) for Domestic Violence, Safe Schools, NCSC) • Private Foundations
  • 19. Federal Statutes & Regulations Generally, there are no blanket prohibitions on federal government access to publicly available information contained in Automated Systems • Justice information • Information contained in public service information systems • Financial information • Motor vehicle information • Education information • Telecommunications information • Health information At Federal Level the primary measurement tool is the Privacy Impact Assessment (PIA)
  • 20. State Resources • Criminal Information Sharing Alliance Network (CISAnet) • Regional Information Sharing Systems Network (RISSNET) • Justice Network (JNET) • DHS Homeland Security Information Network (HSIN)/ Joint Regional Information Exchange System (JRIES) • Automated Regional Justice Information System (ARJIS) • California Department of Justice • Wisconsin Department of Justice • Georgia - GCATS • Illinois, Illinois Criminal Justice Information Authority (ICJIA): – Exec. Order No. 16 (2003), available at http://www.illinois.gov/Gov/pdfdocs/execorder2003-16.pdf. – http://www.icjia.state.il.us • List available on Web Site
  • 21. Top Resources/WebPublications • JIS: Privacy & Security Impact Assessment • Global Justice Information Sharing Initiative – http://www.it.ojp.gov/global – Privacy & Security Templates (www.iir.com/global/GPIQWG.htm) • Applying Security Practices to Justice Information Sharing: A field compendium of current best practices and successful models for justice-related information technology (IT) security. The publication covers key IT security topics from detection and recovery to prevention and support. • Alan Harbitter & Jeff Langford, IJIS Industry Working Group, Information Security in Integrated Justice Applications, 1 (2002), available at http://it.ojp.gov/global/security/infosec4ijis3-19-02.pdf • Privacy and Information Quality Working Group (GPIQWG) – A privacy and information quality policy development guide and resource materials – http://it.ojp.gov/documents/200411_global_privacy_document.pdf – http://it.ojp.gov/documents/Privacy_Guide_Final.pdf • National Center for State Courts – www.ncsconline.org • NIEM Public Website: http://www.NIEM.gov • Library of Congress on line access: http://thomas.loc.gov/home/thomas.html • NASCIO: www.nascio.org
