So You Want to Protect Privacy: Now What?

  • 363 views
Uploaded on

Protecting privacy is more than just stating principles; compliance means being able to demonstrate how everyday practices affect the ability to comply with abstract principles and interests. A short …

Protecting privacy is more than just stating principles; compliance means being able to demonstrate how everyday practices affect the ability to comply with abstract principles and interests. A short discussion on how managing information helps demonstrate compliance.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
363
On Slideshare
0
From Embeds
0
Number of Embeds
1

Actions

Shares
Downloads
4
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. So You Want To Protect Privacy: Now What?
    ARMA Information Management Symposium
    June 1, 2011
    Stuart Bailey
  • 2. 2
    So You Want To Protect Privacy: Now What?
  • 3. 3
    Privacy and Social Media
    “Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that "what is whispered in the closet shall be proclaimed from the house-tops."“
    “The Right to Privacy” Warren and Brandeis, The Right To Privacy, 4 Harvard Law Review 193 (1890)
    So You Want To Protect Privacy: Now What?
  • 4. 4
    Privacy Means…
    Can be defined in many ways, for example, privacy of:
    Assault
    Nuisance
    Reputation
    Defamation (Slander, Libel)
    Property rights (Copyright, intellectual property)
    Opinions
    Body
    Communications
    Data
    So You Want To Protect Privacy: Now What?
  • 5. 5
    Privacy and Data Protection
    Data protection legislation is the main lens through which we address privacy interests
    Documented information about specific individuals
    Prosser v. Gavison
    Privacy torts; something unique and distinct
    As seen recently in Law Times Jones v. Tsige 2011 ONSC 1475 (CanLII)
    http://www.canlii.org/en/on/onsc/doc/2011/2011onsc1475/2011onsc1475.html
    So You Want To Protect Privacy: Now What?
  • 6. 6
    Social Media and Privacy
    The Right to Be Let Alone
    “The Right to Privacy” Warren and Brandeis, The Right To Privacy, 4 Harvard Law Review 193 (1890)
    Freedom of Expression
    Private Communications
    The Right to Be Forgotten
    As seen recently in the European Union
    Location data
    Does it locate a data subject, or is data a location itself (i.e., a site)?
    Crossing Borders
    If skin is a border between people, what forms the border between data subjects?
    So You Want To Protect Privacy: Now What?
  • 7. 7
    Prosser on Privacy
    Intrusion upon the plaintiff’s seclusion or solitude, or into his private affairs;
    Public disclosure of embarrassing private facts about the plaintiff;
    Publicity which places the plaintiff in a false light in the public eye;  and
    Appropriation, for the defendant’s advantage, of the plaintiff’s name or likeness.
    Privacy, 48 Cal.L.Rev. 383 (1960)
    So You Want To Protect Privacy: Now What?
  • 8. 8
    Gavison: “Privacy and the Limits of Law”
    • This Article is an attempt to vindicate the way most of us think and talk about privacy issues: unlike the reductionists, most of us consider privacy to be a useful concept. To be useful, however, the concept must denote something that is distinct and coherent. Only then can it help us in thinking about problems. Moreover, privacy must have coherence in three different contexts. First, we must have a neutral concept of privacy that will enable us to identify when a loss of privacy has occurred so that discussions of privacy and claims of privacy can be intelligible. Second, privacy must have coherence as a value, for claims of legal protection of privacy are compelling only if losses of privacy are sometimes undesirable and if those losses are undesirable for similar reasons. Third, privacy must be a concept useful in legal contexts, a concept that enables us to identify those occasions calling for legal protection, because the law does not interfere to protect against every undesirable event.
    Gavison, R., 1980, “Privacy and the Limits of Law”, Yale Law Journal 89: 421-71 Accessed at http://www.gavison.com/a2658-privacy-and-the-limits-of-law May 20, 2011.
    So You Want To Protect Privacy: Now What?
  • 9. 9
    Jones v. Tsige, 2011 ONSC 1475 (CanLII)
    • [52]           Without any further reference to Euteneier, the court in Nitsopoulos concludes by agreeing with the decision in Somwar – that it is not settled law in Ontario that there is no tort of invasion of privacy and expressly adopts the reasoning in that case.
    • 10. [53]           Turning back now to the various statutory provisions that govern privacy issues, most Canadian jurisdictions have statutory administrative schemes that govern and regulate privacy issues and disputes. In Ontario, it cannot be said that there is a legal vacuum that permits wrongs to go unrighted - requiring judicial intervention. 
    • 11. [54]           More particularly here, there is no doubt that PIPEDA applies to the banking sector and Ms. Jones had the right to initiate a complaint to the Commissioner under that statute with eventual recourse to the Federal Court. For this reason I do not accept the suggestion that Ms. Jones would be without any remedy for a wrong, if I were to determine that there is no tort for the invasion of privacy.
    • 12. [55]           Notwithstanding the careful reasoning in Somwar and its adoption in Nitsopoulos, I conclude that the decision of the Court of Appeal in Euteneier is binding and dispositive of the question as to whether the tort of invasion of privacy exists at common law.
    • 13. [56]           I would also note that this is not an area of law that requires “judge-made” rights and obligations.  Statutory schemes that govern privacy issues are, for the most part, carefully nuanced and designed to balance practical concerns and needs in an industry-specific fashion.
    • 14. [57]           I conclude that there is no tort of invasion of privacy in Ontario.
    http://www.canlii.org/en/on/onsc/doc/2011/2011onsc1475/2011onsc1475.html
    Accessed May 20, 2011
    (emphasis added)
    If there is no tort of invasion of privacy, recoveries for privacy harms must be done through other means – but how will those be acted on?
    So You Want To Protect Privacy: Now What?
  • 15. 10
    A Privacy Proposition
    If there is no tort for invasion of privacy
    Privacy harms are appended to other torts
    And there is still something unique and distinct about privacy that lets us have internal thoughts
    Privacy rights are based on a concept that cannot be numerated
    Therefore, protecting privacy rights is a matter of linking shared principles to everyday actions and finding “privacy” through other established activities
    Data protection and the need to manage information
    So You Want To Protect Privacy: Now What?
  • 16. 11
    Data and Privacy
    Data are everywhere; some personal, some not – some personal information can be derived from seemingly non-personal information.
    Personal data can be a location as much as a physical address is.
    Determining and adhering to “consistent use” can prove to be difficult.
    So You Want To Protect Privacy: Now What?
  • 17. 12
    Information Management
    Information Management is the discipline of managing information like an asset – the same as we do for money, people, or infrastructure.
    So You Want To Protect Privacy: Now What?
  • 18. 13
    What Is Information Management?
    http://www.aiim.org/What-is-Information-Management
    So You Want To Protect Privacy: Now What?
  • 19. 14
    IM and Related Disciplines
    How does this affect or enable re-use by Policy, Records Management, Privacy, etc.?
    What enterprise-level models help create consistency across specialized subjects?
    • Information Management connects outcomes of related disciplines at the level of information.
    • 20. IM looks at the information that crosses boundaries:
    • 21. Technical environment (e.g., e-mail > shared drive > collaboration site > report repository)
    • 22. Subject-matter (e.g., policy > business analysis > customer support > application design)
    So You Want To Protect Privacy: Now What?
  • 23. 15
    IM Process and Context
    Users
    Intersection of Information Management Issues and Activities
    fn.ln@ontario.ca; un/pw
    e.g., Briefing Note; Report; Approval; Procurement; Agreement; Project Records
    e.g., E-mail; Shared Drive; Collab sites; Mobile
    Content
    Context
    http://collectionscanada.ca/government/news-events/091/007001-misc06-e-v5.jpg
    Affects ability to enable and support:
    Sharing, Collecting, Reporting, Collaborating, Re-Using, Guiding, Managing Knowledge, Corporate Knowledge Repositories; Managing the Public Record
    So You Want To Protect Privacy: Now What?
  • 24. 16
    Control Models
    Information Management
    Privacy
    Accountability
    Identifying Purposes
    Consent
    Limiting Collection
    Limiting Use, Disclosure, and Retention
    Accuracy
    Safeguards
    Openness
    Individual Access
    Challenging Compliance
    So You Want To Protect Privacy: Now What?
  • 29. 17
    Planning
    What information do you want?
    Why do you want that information?
    Who will be using that information, and to accomplish what?
    Does everyone understand what you want to do with the information?
    Have you got the authority to collect, and use the information?
    Intended Purpose
    Authorizations to Collect
    Notice and Consent
    So You Want To Protect Privacy: Now What?
  • 30. 18
    Collection / Creation
    Have you given proper notice for what you want to collect?
    Is the notice traceable to the collection and management of the information?
    Can you demonstrate how collection has been limited?
    Do you know how you will protect the information?
    Can you demonstrate how this is consistent with your policies?
    Who is accountable if the information is lost?
    Notifications and Consent
    Limiting Collection
    Safeguards
    Openness
    Accountability
    So You Want To Protect Privacy: Now What?
  • 31. 19
    Use, Disclosure, Maintenance
    How can you demonstrate that you have limited use, disclosure, or retention?
    How have you applied policies (e.g., retention) against information?
    Where are the safeguards being applied? By whom? For how long? Against what?
    What if you use encryption – how will you decrypt if needed?
    If challenged, can you demonstrate compliance with your own policies?
    Limiting Use, Disclosure, Retention
    Accuracy
    Safeguards
    Challenging Compliance
    Individual Access
    So You Want To Protect Privacy: Now What?
  • 32. 20
    Disposition
    When destroying, can you demonstrate that use was limited?
    When protecting, can you be sure you’re protecting enough – or not too much?
    How will you ensure that you are working with the most accurate information?
    If requested, will you know where to find all relevant information?
    Limiting Use, Disclosure, and Retention
    Safeguards
    Accuracy
    Individual Access
    So You Want To Protect Privacy: Now What?
  • 33. 21
    Evaluation
    How can you demonstrate that you have complied with the principles?
    Once you have made your policies open and accessible, can you show how you are complying with them?
    How is accountability traceable and demonstrable to outside observers?
    What is the effect of governance decisions?
    Challenging Compliance
    Openness
    Accountability
    So You Want To Protect Privacy: Now What?
  • 34. Sparkle Eyes
    22
    So You Want To Protect Privacy: Now What?
  • 35. 23
    Information Management
    http://www.imdb.com/name/nm0000123/
    So You Want To Protect Privacy: Now What?
  • 36. 24
    Bio on IMDB.com
    Job Type
    Year
    Ratings
    Votes
    TV Series
    Genre
    Keyword
    So You Want To Protect Privacy: Now What?
  • 37. 25
    Celebrities’ Private Lives
    Tombstone data
    Filmography
    Thoughts and Opinions
    Movement
    Communications
    Intimacy
    So You Want To Protect Privacy: Now What?
  • 38. 26
    Automated Systems
    For example, in a SharePoint environment, metadata enables features like rights management, document routing, and disposition.
    So You Want To Protect Privacy: Now What?
  • 39. 27
    Retention Schedules
    So You Want To Protect Privacy: Now What?
  • 40. 28
    Demonstrating Compliance
    To demonstrate compliance with legislation and policies, specific data about specific individuals must be tracked and managed.
    In the event of a breach, specific actions about specific points in the organization (e.g., database, program area, etc.) need to be taken in order to respond.
    So You Want To Protect Privacy: Now What?
  • 41. 29
    Conclusion
    Privacy is an abstract concept
    Respecting and protecting privacy happens through data protection
    Data protection requires common, consistent management activities in various contexts
    Data in context is information
    Therefore, protecting privacy means managing information
    So You Want To Protect Privacy: Now What?