10 Core Principles of Privacy PDF
Uploaded by CostEffectiveHonor3552, Seneca Polytechnic
**Summary**
This document outlines the 10 core principles of privacy, encompassing accountability, consent, and data usage limitations. It also covers different types of privacy, such as physical, informational, and digital, along with relevant legal frameworks like PIPEDA and GDPR. The document aims to provide a comprehensive view of privacy concepts and regulations.
**Full Transcript**
**10 Core Principles of Privacy**

1. **Accountability:** if information is breached or damaged, the organization or whoever was using the data is responsible for it
2. **Consent:** make sure the owner has given consent to whoever needs the data
3. **Purpose:** use only what you need
4. **Limitation:** only what is required is given
5. **Limits, breach, and disclosure:** after the data has been used for what is required, it needs to be disposed of or erased
6. **Accuracy:** make sure the data is fully correct and accurate
7. **Safeguards:** make sure it is given only to the right people
8. **Openness:** be open and transparent with your information
9. **Individual Access:** make sure the individuals who own the information have access to their information
10. **Challenge compliance:** make sure all questions and complaints are addressed to the owners of the information

Mnemonic: A C P LBD A S O IA C (Accountability, Consent, Purpose, Limitation, Limits/Breach/Disclosure, Accuracy, Safeguards, Openness, Individual Access, Challenge Compliance)

**Privacy**

1. **What is privacy?**

**Core concept:** privacy is the right to control personal information and to decide what is shared, with whom, and to what extent.
- Privacy is a constitutional and human right
- Different interpretations across the world

2. **Types of privacy**

**Physical privacy:** protects physical space to avoid intrusion (home, personal space, DNA use, biometrics)
- **Risks:** surveillance, stalking, discrimination, physical harm
- **Control techniques:** facial recognition limits, GPS and data controls, and biometric security measures

**Informational privacy (personal):** any type of personal information (personal data protection)
- **Risks:** targeting, discriminatory clauses, and potential breakdown of democratic society
- **Control techniques:** data collection restrictions, independent privacy audits, and security protocols

**Informational privacy (government/corporate):** any type of sensitive government and corporate information.
It focuses on institutional transparency.
- **Risks:** political manipulation, leaks of classified or sensitive documents, insider trading
- **Control techniques:** privacy commissioners, higher security for corporate and government organizations, proper training of staff, and whistleblower protections

**Legal privacy:** the protection of personal, corporate, commercial, or government information, such as national security, private conversations with lawyers, and manipulation of proceedings

**Digital privacy:** its importance keeps increasing with advances in technology: more information is collected, data storage is larger, and cyberattacks have grown over the past few years
- **Risks:** improper data collection, breaches, and leaks
- **Control techniques:** newer and stronger cybersecurity measures such as controls, cookies, and encryption

3. **PIPEDA (Personal Information Protection and Electronic Documents Act)**

**PIPEDA** is the Canadian law that regulates organizations that manage personal information. It applies to any organization, digital or physical, in Canada that collects any type of personal information. It aligns with the 10 core principles of privacy: Accountability, Consent, Purpose, Limitation, Limits, Breach and Disclosure, Accuracy, Safeguards, Openness, Individual Access, and Challenge Compliance.

**Compliance with PIPEDA**

Organizations that collect, use, and disclose personal information are required to comply with PIPEDA. This means they must obtain consent from individuals before they acquire the information, and they must collect only what is necessary for the purposes identified. Organizations must also ensure that the information is accurate and up to date, and must respond to and help with any concerns the owner of this information has.
They must also keep information safe by applying safeguards proportionate to the sensitivity of the information: it must be protected against loss, theft, leaks, unauthorized access, and copying. Organizations **MUST** also have policies and procedures in place for theft or breaches, and they must **notify individuals and the Privacy Commissioner of Canada** if a breach occurs.

**PIPEDA in Cybersecurity**

Cybersecurity measures that PIPEDA requires include access controls, encryption, and regular security assessments.

**PIA (Privacy Impact Assessment):** organizations are required by PIPEDA to perform these assessments before implementing any new system or technology that involves the collection and use of personal information.

4. **GDPR (Europe)**

GDPR is a law in Europe that regulates the power companies have over users' information and how much power users have over their own information. It not only gives customers more power over their information but also makes companies that manage this information justify everything they do with it.

**General Data Protection Regulation (GDPR): what is the reason?**

Every part of our lives can be digitalized, tracked, and logged: pictures, transactions, locations, and even heartbeats can be tracked and traded between companies. GDPR therefore makes organizations justify that they have a lawful reason to hold this data and show that they are keeping it safe. When GDPR started, organizations were emailing their customers to ask for consent to the use of their data. When companies ask for data they need to be more transparent about why they are asking, you can always access your data, and they must inform you of a hack within 3 days. It affects not only European countries and people but every organization that holds European citizens' information, whether inside or outside Europe.
For example: the Facebook / Cambridge Analytica case.
- European data protection law gives users greater control over their personal information and data such as names, addresses, emails, location data, and photos (anything that can identify a person)
- Companies that fail to comply with GDPR face high penalties, such as fines of up to 4% of annual turnover
- Advantages include greater transparency and accountability and increased customer trust
- The biggest data protection law in Europe in years

5. **US Privacy Approach**

The USA has a decentralized privacy approach: it differs between sectors and states rather than following a single framework.

1. **Federal Privacy Laws**

**Health Insurance Portability and Accountability Act (HIPAA)**
- Applies to healthcare providers known as "covered entities"
- Sets standards for how patients' data can be used, disclosed, and protected, and protects the confidentiality of Protected Health Information (PHI)
- Requires entities to implement safeguards such as encryption and secure storage

**Children's Online Privacy Protection Act (COPPA)**
- Enforced by the Federal Trade Commission (FTC); regulates the collection and handling of data of minors under 13 on online platforms
- Requires parental consent for collecting personal information of children and includes penalties for noncompliance

**GLBA**
- Regulates the collection and disclosure of consumers' financial information by financial entities
- Requires institutions to inform customers about their information-sharing practices and allows consumers to opt out of certain sharing

2. **State-level Privacy Laws**

**California Consumer Privacy Act (CCPA):** a set of privacy rights that includes:
- **Right to know:** users can access their data and know what it is being used for
- **Right to delete:** users can request the deletion of their data, with some exceptions
- **Right to avoid sale:** prevents users' data from being sold
- **Right to avoid discrimination:** equal service and pricing for users

**California Privacy Rights Act (CPRA)** is an expansion of CCPA with stricter rules and a designated private enforcement agency.

**General characteristics:**
- The U.S. privacy framework is fragmented: it is not centralized and varies between states and sectors
- U.S. laws often balance privacy rights with business interests, prioritizing commercial activities and innovation
- Limited federal oversight: unlike GDPR, in the US different entities or officers enforce privacy laws, such as the FTC or state attorneys
- US privacy laws are less uniform, sometimes prioritizing commercial priorities, with some states having stricter regulations such as the CCPA in California

6. **China's Privacy Approach**
- Like the US, China's privacy laws are multifaceted.
- It balances commercial innovation with individual privacy rights.
- Instead of one law, it has a trio of three primary legal pillars with supporting regulations.

**3 Pillars of China's Privacy Laws**

1. **Cybersecurity Law (CSL), 2017: CYBERSECURITY**
- First privacy and cybersecurity law in China
- Primarily focuses on network security: network operators must implement a tiered system of security with technical measures such as encryption and data protection controls to prevent cyberattacks and data breaches and to safeguard critical information
- Covers various sectors
- Data localization and the use of certified network equipment and products are essential

2. **Data Security Law (DSL), 2021: NATIONAL SECURITY / HIERARCHY**
- Expands the focus beyond personal data; focuses on national security and economic interests by regulating data that could pose risks to China's national security.
- Introduces a **hierarchical** classification of data, categorizing it by its importance to **national security, economic development, and social welfare**
- Requires strict handling of data, with protections tailored to the importance level of the data: the higher in the hierarchy, the stricter the controls
- Introduces the concept of "important data"
- Imposes restrictions on data processing and cross-border transfer activities that could affect China's national security

3. **Personal Information Protection Law (PIPL), 2021: SIMILAR TO GDPR**
- First national-level personal information protection law, similar to GDPR in its approach to personal data protection
- Clear rights for data owners such as consent, data access, accuracy, and deletion; aligns with the 10 core principles of privacy
- Sets rules for data processors, such as regular risk assessments and consent for the use and processing of sensitive personal data
- PIPL applies outside China as well: foreign entities processing Chinese residents' data are all subject to this law
- Includes principles such as lawfulness, fairness, transparency, purpose limitation, and data minimization, though interpretation favors state interests
It is important that all organizations outside of China understand these laws because they are also subject to them.

**Cultural and social context of China's privacy**
- **Government surveillance:** China relies on extensive surveillance of its citizens, with systems like the Social Credit System (SCS) that track citizens' behavior for rewards or penalties
- **Social control:** privacy from the government is not a priority, because the government sees citizen data as essential for security, governance, and social stability
- **Limited protection against the government:** Chinese privacy laws focus mostly on protecting citizens' data from commercial entities, not government bodies

**Privacy principles in China**

**Dignity and reputation:** privacy in China focuses more on protection against defamation and loss of dignity than on limiting government surveillance

**Commercial vs personal privacy:** there is a clear distinction between privacy from commercial entities and personal privacy, which is not as well protected from the state. This can create risks of corruption, and in many countries China's surveillance methods would be seen as a breach of personal privacy.

**Challenges**
- **Compliance complexity**
- **Corruption**
- **Data localization and cross-border transfers**

**Non-Western Privacy Approaches**
- Significant variations across cultures
- Examples:
  - China: privacy viewed as anti-patriotic
  - Russia: focus on protecting from foreign entities
  - India: mandatory citizen biometrics

**International Privacy Framework**

**Global Privacy Landscape**
- No universally recognized privacy framework
- The United Nations Universal Declaration of Human Rights references privacy
- Jurisdictional differences complicate universal standards

**International Privacy Approaches**

**Key economic blocks:**
- APEC (Asia-Pacific Economic Cooperation)
- OECD
- GDPR (European Union)

**International Privacy Standards**
- Generally Accepted Privacy Principles
- NIST Privacy Framework
- ISO Privacy Management Standards
- ISACA Privacy Principles

**Ontario's Privacy Ecosystem**

**Key Privacy Legislation**
1. **PIPEDA**
- Applies to private organizations conducting commercial transactions
- Covers federal works and undertakings
2. **Health Information Exceptions**
- Personal Health Information Protection Act (2004) exempts health information custodians
3. **Freedom of Information and Protection of Privacy Act (FIPPA)**
- Applies to governmental organizations in Ontario

**Specialized Privacy Regulations**
- **Municipalities:** Municipal Freedom of Information and Protection of Privacy Act (MFIPPA)
- **Health Care:** Personal Health Information Protection Act (PHIPA)
- **Youth Services:** Child, Youth and Family Services Act (CYFSA)

**1. Composable Risk**
- **Definition:** composable risk is the risk that non-personally identifiable information (non-PII) can be combined with other data to become personally identifiable information (PII).
- **Example:** aggregating anonymized purchase data with location or timestamp data can reveal individual identities.
- **Importance:** highlights privacy risks in big data and analytics, where combining different data sets can inadvertently expose identities.

**2. What is Privacy?**
- **Definition:** privacy is the right of individuals to control their personal information, including deciding how, when, and to what extent it is shared with others.
- **Types of Privacy:**
  - **Physical Privacy:** protection from intrusion into personal spaces.
  - **Informational Privacy:** protection of personal data, such as financial and health information.
  - **Communicational Privacy:** ensuring the confidentiality of personal communications.
  - **Territorial Privacy:** preventing surveillance within one's own environment.

**3. Classes of Privacy**
- **Physical Privacy:** relates to freedom from physical intrusion.
- **Informational Privacy:** concerns the handling of data and personal information.
- **Communicational Privacy:** protects the privacy of individuals' communications.
- **Territorial Privacy:** protection against intrusions in physical spaces such as homes or workplaces.

**4. EU & US Privacy Laws**
- **European Union (GDPR):** the General Data Protection Regulation applies to any entity handling EU residents' data. Core principles include consent, transparency, data minimization, and user rights (access, rectification, erasure, etc.).
- **United States:** lacks a unified federal privacy law but has sector-specific laws:
  - **HIPAA:** protects health information.
  - **COPPA:** regulates children's online privacy.
  - **CCPA:** California's law gives consumers rights to access, delete, and opt out of the sale of personal data.

**5. Why We Need Privacy**
- **Protects Individual Rights:** ensures that individuals have control over their own data.
- **Prevents Data Misuse:** reduces risks like identity theft, fraud, and unauthorized access.
- **Maintains Trust:** builds public trust in organizations handling personal information.

**6. Privacy Principles (Canada's 10 Core Privacy Principles)**
- **Accountability:** organizations are responsible for protecting personal information, even if it is transferred to third parties.
- **Identifying Purposes:** the purpose of data collection must be clear and communicated to individuals.
- **Consent:** individuals must consent to the collection, use, or disclosure of their information.
- **Limiting Collection:** only information necessary for the identified purpose should be collected.
- **Limiting Use, Disclosure, and Retention:** information should only be used for its original purpose and not retained longer than necessary.
- **Accuracy:** information must be accurate, complete, and up to date.
- **Safeguards:** security measures must protect personal information according to its sensitivity.
- **Openness:** policies and practices regarding information handling should be transparent.
- **Individual Access:** individuals can access and challenge the accuracy of their personal information.
- **Challenging Compliance:** mechanisms should allow individuals to challenge and verify compliance.

**7. Canadian Constitution and Charter of Rights**
- **Section 8** of the Charter provides protection against unreasonable search and seizure, forming a basis for privacy from government intrusion.
- **Fundamental Rights:** privacy is recognized as part of fundamental rights and freedoms under Canadian law.

**8. Reading Privacy Law and Privacy Cases Directly**
- Understanding case law and legal precedents is essential for interpreting how privacy principles are applied in practice.
- Review cases under **PIPEDA**, **GDPR**, and U.S. laws like **HIPAA** and **CCPA**.

**9. Reading and Understanding Privacy Complaints**
- Review complaints made to privacy commissions (like Canada's Privacy Commissioner) to see how privacy issues are managed and resolved.
- Example cases highlight enforcement actions, privacy breaches, and responses to non-compliance.

**10. Relationship between Security and Privacy**
- **Interdependent:** security measures (e.g., encryption, access control) are essential for protecting privacy.
- **Distinct Goals:** while security focuses on protecting data from unauthorized access, privacy dictates how data should be collected, used, and shared.

**11. Resources at the Privacy Commission Office**
- **Canadian Privacy Commissioner:** offers guidelines, tools, and resources for organizations to comply with privacy laws.
- **International Resources:** supervisory authorities under GDPR, FTC resources for U.S. laws, and APEC guidelines for the Asia-Pacific.

**12. Relationship between Governance and Risk**
- **Governance:** establishes policies and frameworks to ensure responsible data management.
- **Risk Management:** identifies, assesses, and mitigates privacy and data protection risks to prevent breaches and ensure compliance.

**13. Risk Management Process**
- Steps include identifying, assessing, controlling, and monitoring risks.
- Tools like **Privacy Impact Assessments (PIAs)** and **Data Protection Impact Assessments (DPIAs)** help evaluate and manage privacy risks.

**14. Types of Security Controls**
- **Administrative:** policies, procedures, training.
- **Technical:** encryption, firewalls, access control.
- **Physical:** secure facilities, access restrictions, surveillance.

**15. Provincial and Health Privacy Laws**
- **PIPEDA:** national privacy law for private-sector data, with some provincial exemptions.
- **Health Privacy:** **PHIPA** in Ontario and similar laws in other provinces protect health information.

**16. Canadian Federal Privacy Law**
- **PIPEDA:** applies to private-sector organizations, requiring them to follow the 10 privacy principles for data handling.

**17. Characteristics of the IT Environment**
- **Data Security Risks:** include network vulnerabilities, cloud storage risks, and data sharing issues.
- **Compliance Requirements:** IT systems must meet privacy laws' technical requirements, like GDPR's security standards.

**18. Organizational Structure of Governance**
- **Privacy Officer:** oversees data protection and compliance.
- **Governance Framework:** defines roles and responsibilities in data privacy, often involving IT, legal, and compliance teams.

**19. Security Frameworks**
- **NIST Cybersecurity Framework:** focuses on identifying, protecting, detecting, responding, and recovering from security incidents.
- **ISO/IEC 27001:** international standard for information security management.

**20. Methods and Standards**
- **Generally Accepted Privacy Principles (GAPP):** structured approach to privacy used primarily in North America.
- **NIST Privacy Framework:** complements cybersecurity frameworks by addressing privacy-specific risks.

**21. Failing Encryption**
- **Consequences:** weak or failing encryption can lead to data breaches.
- **Best Practices:** use strong encryption standards, update encryption keys, and apply encryption consistently across data storage and transmission.

**22. Privacy Research**
- Essential for understanding new threats and emerging issues like AI, big data, and IoT.
- Look into **Privacy-Enhancing Technologies (PETs)** and whitepapers on topics such as differential privacy and secure multi-party computation.

**23. Privacy by Design (PbD)**
- **Concept:** privacy is integrated into the design and development process of systems and products from the start.
- **Principles:**
  - Proactive, not reactive.
  - Privacy as the default setting.
  - End-to-end security.
  - Full functionality: positive-sum, not zero-sum.
  - Visibility and transparency.
  - User-centric approach.

**24. International Privacy**
- **APEC Privacy Framework:** promotes data privacy while allowing cross-border data flow in the Asia-Pacific.
- **OECD Guidelines:** internationally influential guidelines emphasizing data collection limitation, data quality, and accountability principles.
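The composable-risk section earlier in these notes (aggregating anonymized purchase data with location or timestamp data can reveal identities) is easiest to understand by running the join. The Python script below is an added example and is not part of the original notes: every purchase record, store name, person and timestamp in it is constructed, and the two "release formats" (`fine_key`, an exact store plus a 15-minute time slot, and `coarse_key`, a region plus calendar day) are hypothetical choices made for the demonstration. It measures how many pseudonymous tokens resolve to exactly one person before and after the quasi-identifiers are generalized, and reports the k-anonymity of the purchase export in each form, which is the check a privacy impact assessment would want before such a dataset is shared.

```python
"""Composable (linkage) risk: an "anonymized" purchase export joined with a
separate check-in log becomes PII; generalizing quasi-identifiers removes the
unique matches. All records below are constructed for this example."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed purchase export: customer names already replaced by tokens.
PURCHASES = [
    {"token": "c91", "store": "S-Downtown", "ts": "2024-03-01T09:05", "item": "prescription"},
    {"token": "c17", "store": "S-Downtown", "ts": "2024-03-01T09:40", "item": "groceries"},
    {"token": "c42", "store": "S-Airport",  "ts": "2024-03-01T18:20", "item": "vitamins"},
    {"token": "c58", "store": "S-Airport",  "ts": "2024-03-02T18:25", "item": "snacks"},
    {"token": "c73", "store": "S-Downtown", "ts": "2024-03-02T12:00", "item": "pet food"},
]

# Constructed check-in log from another system (e.g. loyalty-card taps):
# real names, but no purchase detail. On its own it looks harmless.
VISITS = [
    {"name": "Alice", "store": "S-Downtown", "ts": "2024-03-01T09:03"},
    {"name": "Bob",   "store": "S-Downtown", "ts": "2024-03-01T09:41"},
    {"name": "Carol", "store": "S-Airport",  "ts": "2024-03-01T18:18"},
    {"name": "Dan",   "store": "S-Airport",  "ts": "2024-03-02T18:22"},
    {"name": "Erin",  "store": "S-Airport",  "ts": "2024-03-02T18:30"},
]

# Hypothetical mapping of individual stores to a coarser region.
REGION = {"S-Downtown": "Metro", "S-Airport": "Metro"}


def slot(ts, minutes=15):
    """Round an ISO timestamp (minute precision) down to a fixed-width slot."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M")
    return dt.strftime("%Y-%m-%dT%H:") + f"{(dt.minute // minutes) * minutes:02d}"


def fine_key(record):
    """Quasi-identifier as released in the raw export: exact store + 15-minute slot."""
    return (record["store"], slot(record["ts"]))


def coarse_key(record):
    """Generalized quasi-identifier: region + calendar day."""
    return (REGION.get(record["store"], "other"), record["ts"][:10])


def link(purchases, visits, key):
    """Join the two datasets on equal quasi-identifier keys.
    Returns {token: set of candidate names} for every token that matched at all."""
    candidates = defaultdict(set)
    for p in purchases:
        for v in visits:
            if key(p) == key(v):
                candidates[p["token"]].add(v["name"])
    return dict(candidates)


def reidentified(purchases, visits, key):
    """Tokens whose candidate set has exactly one name: those purchases are now PII."""
    return {tok: next(iter(names))
            for tok, names in link(purchases, visits, key).items() if len(names) == 1}


def k_anonymity(records, key):
    """Size of the smallest equivalence class over the quasi-identifier (k of k-anonymity).
    k == 1 means at least one record is unique on its quasi-identifier alone."""
    groups = Counter(key(r) for r in records)
    return min(groups.values()) if groups else 0


def assess(purchases=PURCHASES, visits=VISITS):
    """Compare the raw release format with the generalized one."""
    return {
        "reidentified_raw": reidentified(purchases, visits, fine_key),
        "reidentified_generalized": reidentified(purchases, visits, coarse_key),
        "k_raw": k_anonymity(purchases, fine_key),
        "k_generalized": k_anonymity(purchases, coarse_key),
    }


if __name__ == "__main__":
    for name, value in assess().items():
        print(f"{name}: {value}")
```

With the raw export, every token that has a matching check-in resolves to a single person and k is 1, so the "anonymized" purchases are PII once the two files sit side by side. Coarsening the store to a region and the timestamp to a day leaves every token with two or more candidates and raises k to 2 on this toy data; in practice the threshold k and the generalization levels are chosen per dataset, and the same check is repeated whenever a new source could be joined.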