So You Want to Protect Privacy: Now What?

Protecting privacy is more than just stating principles; compliance means being able to demonstrate how everyday practices affect the ability to comply with abstract principles and interests. This is a short discussion of how managing information helps demonstrate compliance.

So You Want to Protect Privacy: Now What?

  1. So You Want To Protect Privacy: Now What?
     ARMA Information Management Symposium
     June 1, 2011
     Stuart Bailey

  2. So You Want To Protect Privacy: Now What?

  3. Privacy and Social Media
     “Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that "what is whispered in the closet shall be proclaimed from the house-tops."”
     Warren and Brandeis, “The Right to Privacy,” 4 Harvard Law Review 193 (1890)

  4. Privacy Means…
     Can be defined in many ways, for example, privacy of:
     Assault
     Nuisance
     Reputation
     Defamation (Slander, Libel)
     Property rights (Copyright, intellectual property)
     Opinions
     Body
     Communications
     Data

  5. Privacy and Data Protection
     Data protection legislation is the main lens through which we address privacy interests
     Documented information about specific individuals
     Prosser v. Gavison
     Privacy torts; something unique and distinct
     As seen recently in Law Times: Jones v. Tsige, 2011 ONSC 1475 (CanLII)
     http://www.canlii.org/en/on/onsc/doc/2011/2011onsc1475/2011onsc1475.html

  6. Social Media and Privacy
     The Right to Be Let Alone
     Warren and Brandeis, “The Right to Privacy,” 4 Harvard Law Review 193 (1890)
     Freedom of Expression
     Private Communications
     The Right to Be Forgotten
     As seen recently in the European Union
     Location data
     Does it locate a data subject, or is data a location itself (i.e., a site)?
     Crossing Borders
     If skin is a border between people, what forms the border between data subjects?

  7. Prosser on Privacy
     Intrusion upon the plaintiff’s seclusion or solitude, or into his private affairs;
     Public disclosure of embarrassing private facts about the plaintiff;
     Publicity which places the plaintiff in a false light in the public eye; and
     Appropriation, for the defendant’s advantage, of the plaintiff’s name or likeness.
     Privacy, 48 Cal.L.Rev. 383 (1960)

  8. Gavison: “Privacy and the Limits of Law”
     • This Article is an attempt to vindicate the way most of us think and talk about privacy issues: unlike the reductionists, most of us consider privacy to be a useful concept. To be useful, however, the concept must denote something that is distinct and coherent. Only then can it help us in thinking about problems. Moreover, privacy must have coherence in three different contexts. First, we must have a neutral concept of privacy that will enable us to identify when a loss of privacy has occurred so that discussions of privacy and claims of privacy can be intelligible. Second, privacy must have coherence as a value, for claims of legal protection of privacy are compelling only if losses of privacy are sometimes undesirable and if those losses are undesirable for similar reasons. Third, privacy must be a concept useful in legal contexts, a concept that enables us to identify those occasions calling for legal protection, because the law does not interfere to protect against every undesirable event.
     Gavison, R., 1980, “Privacy and the Limits of Law”, Yale Law Journal 89: 421-71. Accessed at http://www.gavison.com/a2658-privacy-and-the-limits-of-law May 20, 2011.

  9. Jones v. Tsige, 2011 ONSC 1475 (CanLII)
     • [52] Without any further reference to Euteneier, the court in Nitsopoulos concludes by agreeing with the decision in Somwar – that it is not settled law in Ontario that there is no tort of invasion of privacy and expressly adopts the reasoning in that case.
     • [53] Turning back now to the various statutory provisions that govern privacy issues, most Canadian jurisdictions have statutory administrative schemes that govern and regulate privacy issues and disputes. In Ontario, it cannot be said that there is a legal vacuum that permits wrongs to go unrighted - requiring judicial intervention.
     • [54] More particularly here, there is no doubt that PIPEDA applies to the banking sector and Ms. Jones had the right to initiate a complaint to the Commissioner under that statute with eventual recourse to the Federal Court. For this reason I do not accept the suggestion that Ms. Jones would be without any remedy for a wrong, if I were to determine that there is no tort for the invasion of privacy.
     • [55] Notwithstanding the careful reasoning in Somwar and its adoption in Nitsopoulos, I conclude that the decision of the Court of Appeal in Euteneier is binding and dispositive of the question as to whether the tort of invasion of privacy exists at common law.
     • [56] I would also note that this is not an area of law that requires “judge-made” rights and obligations. Statutory schemes that govern privacy issues are, for the most part, carefully nuanced and designed to balance practical concerns and needs in an industry-specific fashion.
     • [57] I conclude that there is no tort of invasion of privacy in Ontario.
     http://www.canlii.org/en/on/onsc/doc/2011/2011onsc1475/2011onsc1475.html
     Accessed May 20, 2011
     (emphasis added)
     If there is no tort of invasion of privacy, recoveries for privacy harms must be done through other means – but how will those be acted on?

  10. A Privacy Proposition
     If there is no tort for invasion of privacy
     Privacy harms are appended to other torts
     And there is still something unique and distinct about privacy that lets us have internal thoughts
     Privacy rights are based on a concept that cannot be numerated
     Therefore, protecting privacy rights is a matter of linking shared principles to everyday actions and finding “privacy” through other established activities
     Data protection and the need to manage information

  11. Data and Privacy
     Data are everywhere; some personal, some not – some personal information can be derived from seemingly non-personal information.
     Personal data can be a location as much as a physical address is.
     Determining and adhering to “consistent use” can prove to be difficult.

  12. Information Management
     Information Management is the discipline of managing information like an asset – the same as we do for money, people, or infrastructure.

  13. What Is Information Management?
     http://www.aiim.org/What-is-Information-Management

  14. IM and Related Disciplines
     How does this affect or enable re-use by Policy, Records Management, Privacy, etc.?
     What enterprise-level models help create consistency across specialized subjects?
     • Information Management connects outcomes of related disciplines at the level of information.
     • IM looks at the information that crosses boundaries:
     • Technical environment (e.g., e-mail > shared drive > collaboration site > report repository)
     • Subject-matter (e.g., policy > business analysis > customer support > application design)

  15. IM Process and Context
     Users
     Intersection of Information Management Issues and Activities
     fn.ln@ontario.ca; un/pw
     e.g., Briefing Note; Report; Approval; Procurement; Agreement; Project Records
     e.g., E-mail; Shared Drive; Collab sites; Mobile
     Content
     Context
     http://collectionscanada.ca/government/news-events/091/007001-misc06-e-v5.jpg
     Affects ability to enable and support:
     Sharing, Collecting, Reporting, Collaborating, Re-Using, Guiding, Managing Knowledge, Corporate Knowledge Repositories; Managing the Public Record

  16. Control Models
     Information Management
     • Planning
     • Collection / Creation
     • Use, Disclosure, Maintenance
     • Disposition
     • Evaluation
     Privacy
     Accountability
     Identifying Purposes
     Consent
     Limiting Collection
     Limiting Use, Disclosure, and Retention
     Accuracy
     Safeguards
     Openness
     Individual Access
     Challenging Compliance

  17. Planning
     What information do you want?
     Why do you want that information?
     Who will be using that information, and to accomplish what?
     Does everyone understand what you want to do with the information?
     Have you got the authority to collect, and use the information?
     Intended Purpose
     Authorizations to Collect
     Notice and Consent

  18. Collection / Creation
     Have you given proper notice for what you want to collect?
     Is the notice traceable to the collection and management of the information?
     Can you demonstrate how collection has been limited?
     Do you know how you will protect the information?
     Can you demonstrate how this is consistent with your policies?
     Who is accountable if the information is lost?
     Notifications and Consent
     Limiting Collection
     Safeguards
     Openness
     Accountability

  19. Use, Disclosure, Maintenance
     How can you demonstrate that you have limited use, disclosure, or retention?
     How have you applied policies (e.g., retention) against information?
     Where are the safeguards being applied? By whom? For how long? Against what?
     What if you use encryption – how will you decrypt if needed?
     If challenged, can you demonstrate compliance with your own policies?
     Limiting Use, Disclosure, Retention
     Accuracy
     Safeguards
     Challenging Compliance
     Individual Access

  20. Disposition
     When destroying, can you demonstrate that use was limited?
     When protecting, can you be sure you’re protecting enough – or not too much?
     How will you ensure that you are working with the most accurate information?
     If requested, will you know where to find all relevant information?
     Limiting Use, Disclosure, and Retention
     Safeguards
     Accuracy
     Individual Access

  21. Evaluation
     How can you demonstrate that you have complied with the principles?
     Once you have made your policies open and accessible, can you show how you are complying with them?
     How is accountability traceable and demonstrable to outside observers?
     What is the effect of governance decisions?
     Challenging Compliance
     Openness
     Accountability

  22. Sparkle Eyes

  23. Information Management
     http://www.imdb.com/name/nm0000123/

  24. Bio on IMDB.com
     Job Type
     Year
     Ratings
     Votes
     TV Series
     Genre
     Keyword

  25. Celebrities’ Private Lives
     Tombstone data
     Filmography
     Thoughts and Opinions
     Movement
     Communications
     Intimacy

  26. Automated Systems
     For example, in a SharePoint environment, metadata enables features like rights management, document routing, and disposition.

  27. Retention Schedules

  28. Demonstrating Compliance
     To demonstrate compliance with legislation and policies, specific data about specific individuals must be tracked and managed.
     In the event of a breach, specific actions about specific points in the organization (e.g., database, program area, etc.) need to be taken in order to respond.

  29. Conclusion
     Privacy is an abstract concept
     Respecting and protecting privacy happens through data protection
     Data protection requires common, consistent management activities in various contexts
     Data in context is information
     Therefore, protecting privacy means managing information
