01_Handout_1.docx

Transcript

Data Privacy
============

- **Personal data** refers to any information, whether recorded in a
material form or not, from which the identity of an individual is
apparent or can be directly ascertained by the entity holding the
information.

- **Privacy** concerns the collection and use of data about
individuals. There are three (3) primary privacy issues:

- **Accuracy** relates to the responsibility of those who collect
data to ensure that the data is correct.

- **Property** relates to who owns the data.

- **Access** relates to the responsibility of those who have data
to control who can use that data.

Data Privacy Versus Data Security
=================================

- Organizations commonly believe that keeping sensitive data secure
from hackers means they're automatically compliant with data privacy
regulations

- Data privacy and data security are often used interchangeably, but
there are distinct differences, although sometimes difficult to
distinguish between. Whereas security controls can be met without
also satisfying privacy considerations, privacy concerns are
impossible to address without first employing effective security
practices. In other words, security protects data, and privacy
protects the identity

- Privacy and security come down to which data is being protected, how
it's being protected, from whom it's being protected, and who is
responsible for that protection. Security is about protecting data
from malicious threats, whereas privacy is about using data
responsibly.

- **Data privacy** is a part of the data protection area that deals
with the proper handling of data, with the focus on compliance with
data protection regulations.

- Data privacy focuses on the rights of individuals, the purpose of
data collection and processing, privacy preferences, and the way
organizations govern the personal data of data subjects. It focuses
on how to collect, process, share, archive, and delete the data
under the law.

- **Data security** includes a set of standards and different
safeguards and measures that an organization is taking to prevent
any third party from unauthorized access to digital data or any
intentional or unintentional alteration, deletion, or data
disclosure. It focuses on the protection of data from malicious
attacks and prevents the exploitation of stolen data such as:

- **Data breach --** an unauthorized or unintentional disclosure
of confidential information.

- **Cyberattack --** the stealing of data or confidential
information by electronic means, including ransomware and
hacking.

- To achieve this, organizations use tools and technology such as
firewalls, user authentication, network limitations, and internal
security practices to prevent such access.

- **CIA Triad** is a model designed to guide an organization's
policies on information security. The elements of the triad are
considered the three most crucial components of security. The
following are the three (3) elements of data security.

- **Confidentiality** ensures that data is accessed only by
authorized individuals.

- **Integrity** ensures that information is reliable as well as
accurate; and

- **Availability** ensures that data is both
available and

Elements of Data Privacy
========================

- Data privacy encompasses three (3) key elements:

- Right of an individual to be left alone and have control over
their data

- Procedures for proper handling, processing, collecting, and
sharing of personal data

- Compliance with data protection laws

- **Data management** -- the process of ingesting, storing,
organizing, and maintaining the data created and collected by an
organization.

- Data management is at the heart of privacy. Data is a vague concept
and can encompass such a wide range of information.

Aspect of Privacy
=================

- Information privacy is considered an important aspect of information
sharing. With the advancement of the digital age, personal
information vulnerabilities have increased

- Information privacy may be applied in numerous ways, including
encryption, authentication, and data masking, each attempting to
ensure that information is available only to those with authorized
access.

- Information privacy includes the regulations required for companies
to protect data. And as more data protection regulation grows
worldwide, global privacy requirements and demands will also expand
and change.

- Protective measures are geared toward preventing data mining and the
unauthorized use of personal information, which are illegal in many
parts of the world.

- Information privacy also relates to different data types, including:

- **Internet privacy**: All personal data shared over the Internet
is subject to privacy issues. Most websites publish a privacy
policy that details the website\'s intended use of collected
online and/or offline collected data.

- **Financial privacy**: Financial information is particularly
sensitive, as it may easily use to commit online and/or offline
fraud.

- **Medical privacy**: All medical records are subject to
stringent laws that address user access privileges. By law,
security and authentication systems are often required for
individuals that process and store medical records.

Information Privacy Concepts
============================

- Information privacy generally pertains to what is known as

personally identifiable information (PII).
==========================================

- **PII** is information that can be used to distinguish or trace an
individual's identity, such as:

- Information about birth, race, religion, weight, activities,
geographic indicators, employment information, medical
information, education information, and financial information;

- Personal characteristics, including photographic images, x-rays,
fingerprints, or biometric image; and

- Asset information, such as Internet Protocol (IP) or media
access control (MAC) address or other host- specific persistent
static identifier that consistently links to a particular person
or a small, well-defined group of people.

Privacy by Design
=================

- In dealing with the privacy of PII, two (2) new concepts have
emerged: privacy by design (PbD) and privacy engineering.

- The goal of privacy by design is to take privacy requirements into
account throughout the system development process, from the
conception of a new IT system through detailed system design,
implementation, and operation.

- **Privacy requirements**: These are system requirements that
have privacy relevance. System privacy requirements define the
protection capabilities provided by the system, the performance
and behavioral characteristics exhibited by the system, and the
evidence used to determine that the system privacy requirements
have been satisfied. Privacy requirements are derived from
various sources, including laws, regulations, standards, and
stakeholder expectations.

- *Figure* 1 provides an overview of the major activities and tasks
involved in integrating information privacy protection into any
information system developed by an organization. The upper part of
the figure encompasses design activities that determine what is
needed and how to satisfy requirements. The lower part of the figure
deals with the implementation and operation of privacy features as
part of the overall system.

Privacy by Design Principles
============================

- A useful guide to developing a PbD approach is the set of
foundational principles for PbD first proposed by Ann Cavoukian, as
shown in *Figure* 2. These principles were later widely adopted as a
resolution by other prominent policymakers at the 32nd Annual
International Conference of Data Protection and Privacy
Commissioners meeting.