KI Design Privacy Impact Assessment Approach

Posted on by Dr. Wael HassanLeave a comment on KI Design Privacy Impact Assessment Approach

Privacy Impact Assessments (PIAs) are a key tool for demonstrating compliance with privacy laws. We outline our approach to basic institutional PIAs, as well as PIAs for multi-institutional or multi-jurisdictional data initiatives.

The KI Design approach to a single institutional privacy impact assessment falls in line with the provincial and federal requirements in Ontario and Alberta. The basic purpose of a PIA is to assess the impact of the collection, use, and disclosure of personal information on privacy and to justify this impact. Our approach begins with an analysis guided by the four-part test for necessity and proportionality established in R. v. Oakes (based on the Office of the Privacy Commissioner of Canada guideline):

  1. Is the measure demonstrably necessary to meet a specific need?
  2. Is it likely to be effective in meeting that need?
  3. Is the loss of privacy proportional to the need?
  4. Is there a less privacy-invasive way of achieving the same end?

In addition to answering the above questions, we help to collect documentation to demonstrate compliance with the ten principles that form the core of PIPEDA:

Accountability – Governance structure, PIA protocols, auditing, training, legal consultation

Identifying Purposes – Purposes of data collection, legislative authority for collection, description of data collected

Consent – Notification process or exceptions to consent

Limiting Collection – Justification for each data element collected, and indication that data taken from other departments are purged of all but essential data elements

Limiting Use, Disclosure, and Retention – Use cases, proposed disclosures, data sharing agreements, retention and disposition policies

Accuracy – Processes for correcting data and monitoring changes to records

Safeguards – Physical and electronic safeguards, Threat Risk Analysis, encryption practices, access policies

Openness – Public communications regarding privacy practices

Individual Access – Processes for individual access to or correction of personal information

Challenging Compliance – Privacy complaint procedures, compliance audits

Once privacy risks have been identified and mitigating measures proposed, we help to develop an Action Plan that provides a timeline and assigns responsibilities for the implementation of these measures. We will also help to set up processes for ongoing updates of assessments, auditing and monitoring compliance with privacy policies, and retention and disposition of data.

Multi-Jurisdictional Privacy Impact Assessments

An increase in information sharing initiatives, such as Electronic Health Records (EHR), has led to a growing need for multi-institutional and multi-jurisdictional PIAs. Guidelines from the Office of the Privacy Commissioner recommend that such PIAs include a clear business case for information sharing, a common communications strategy to inform the public of information sharing, and a set of expected privacy practices shared by all institutions participating in the data sharing initiative.

Our unique approach builds on these basic requirements to define a clear, seven-step process that we use both to guide our clients as they develop privacy policy prior to EHR adoption, and to conduct PIAs in an EHR context.

  1. Purpose: We begin by defining the reasons for which health information custodians collect, use, retain and disclose personal health information.
  2. Custodianship: A key next step to ensuring privacy protective information sharing is the definition of a custodianship model. In the context of an EHR initiative, a steward will be designated to review and revise policies, processes, and procedures and to ensure the proper operation of shared records.
  3. Liability: In order to establish liability, we help to define the roles, responsibilities, and accountabilities of EHR participants. We define different EHR participants’ right and ability to manage (collect, retain, disclose, and correct) personal health information.
  4. Data Management: We define policies for management of data quality, records management, assurance of accuracy, retention and archiving, and secondary use of data.
  5. Controls: We define policies for the application of legislative requirements, including management of information safeguards, compliance auditing, identity validation and management, implementation of consent rules, breach management, and proactive and reactive monitoring of technology assets. Controls also include frameworks such as provider agreements, patient disclaimers, and mandatory and discretionary requirements that define the roles of EHR participants.
  6. Process: We apply privacy policy to workflows and interactions throughout care delivery processes, including service model, delivery model, management of consent, reporting procedures, circle of care management, and incident management.
  7. Adoption: In this final step we develop instruments for the implementation of privacy policy during the adoption and ongoing development of EHR, such as provider agreements, patient disclaimers, mandatory and discretionary requirements, and system feedback.

Does big data mean the end of access control?

Posted on by Dr. Wael Hassan

Access control is a keystone in conventional approaches to protecting personal information. Lately, however, there is a great deal of uncertainty about whether big data repositories such as “data lakes” do in fact contain personal information, and whether access control is possible in these unstructured environments. Does access control still have any relevance in the world of big data?

Is big data personal information?

Privacy laws are written to protect “personal information” held by organizations – that is, any information that could potentially identify specific individuals. Yet as larger and larger volumes of data are collected and aggregated through “big data” initiatives, the definition of personal information is getting fuzzy. Many corporations are creating “data lakes”: massive repositories of relatively unstructured data collected from one or several sources. These often contain a mix of metadata (user activity data, such as web search terms, IP addresses, or GPS data) and personal content (such as personal messages and social media posts) which, in combination, can very frequently identify individuals. For example, publicly available, searchable databases of Twitter activity map tweets by location – locations so specific that they can show which house a supposedly anonymous person was in when they posted a message. In the commercial realm, some retailers and entertainment venues have begun tracking customers’ movements through their buildings using smart phone MAC addresses, which can be considered personal information.

As these examples show, data lakes can contain extremely sensitive personal information. This data is not intended to be viewed by anyone – it is usually processed by computer algorithms – but too often, any employee involved in data analysis can access personal information about specific individuals. Privacy principles have traditionally emphasized access control: providing users with access only to the information that they need to do their work. But does access control have any meaning in unstructured big data environments?

Eroding informed consent

Access control is based on the privacy principle of limiting the use and disclosure of individuals’ personal information to those purposes for which it was collected. In other words, it is about informed consent: individuals have a right to know what their personal information will be used for before they share it with an organization. The reality is that companies that use big data often have legally dubious consent practices. Lengthy, impenetrable Terms of Use agreements violate the spirit of informed consent. Many users of social media, in particular, do not know who has access to their personal information.

For social media companies, “privacy” usually means privacy from other users, not from corporations.

For example, the vast majority of Facebook users are unaware that advertisers can buy all posts or personal messages containing certain keywords: for example, a cosmetics company could buy posts and messages that include the words, “beautiful,” “skin,” or “makeup.” The company can then display an ad to both the senders and recipients of these messages. When anyone clicks on the ad, the company receives the full contents of their profile. In the end, a “private message” is stored in data banks or data lakes belonging to Facebook and to the advertiser, to be used for various consumer research and marketing purposes.

Is access control compatible with data lakes?

Data lakes are not set up to protect identity. They usually contain a mix of different types of personal data that in combination can often identify individuals. Privacy regulations demand that personal information be protected by access controls, yet data lakes are not structured for access control: usually, anyone with access has access to all of the data. Though the data may be intended for aggregate level analysis and not viewing of individual-level data, an employee intent on selling data to identity thieves or stalking an ex-spouse could do a great deal of damage.

Companies have taken different approaches to protecting privacy in the context of big data initiatives. Some will create several separate data lakes, often based on business function (operations, marketing, security and risk, etc.). This approach can help to ensure that data use aligns with the purposes for which data was collected. Companies also vary in their decisions on who will have access to data. Will it be a tier model?  Will there be a super administrator with access to everything? How will departments share the data? How can access be separated?

Shifting from access control to use control

As we’ve stated before, the ground rules for privacy have not changed with the introduction of big data. Personal information needs to be protected by privacy safeguards including access control. We know that unstructured and semi-structured big data models do not lend themselves to access control. Fortunately, most of the purposes for which big data is used do not require access to individual-level personal information. Rather than access control, the concept of “use control” may be more appropriate to big data contexts: focusing not so much on limiting which data can be accessed, but in what form it can be accessed. Rather than locking up personal information, it is possible to blur it – to make sure that personal data is not viewable as information about an individual, but only as a pixel in a much larger picture.

Privacy Ground Rules for Big Data

Posted on by Dr. Wael Hassan

Corporate big data initiatives are collecting massive volumes of personal data, largely for marketing purposes. There is a great deal of confusion about how these practices fit with privacy regulations. Are there any clear ground rules for big data privacy?

The metadata problem

We live our daily lives around a set of passwords: passwords for our phones, bank accounts, computers, and emails, for work and school. Passwords are one of the most common means of protecting privacy. They are keys securing our personal information and property.

There is one type of personal data we cannot protect with passwords: the traces we leave every time we use the internet and phone networks.  In effect, we can keep our personal information private, but not our metadata: data including network connections, internet searches, website navigation paths, and personal contacts. For example, we can erase browser cookies, but somewhere, there is a log of our browsing patterns or search engine keywords. Facebook tracks the sites that you visit, even if you don’t have a Facebook account. The web simply isn’t designed or configured to give users control over their metadata.

This doesn’t mean that companies are free to use metadata however they like. The public expects that their privacy will be respected. Think of a small town where no one locks their doors: people still expect that their neighbours won’t just walk into their house and look through their things, and trespassing is still a crime. At this point in time, most physical and data assets have been designed to offer security through passwords, locks, and security systems. It can be too easy to forget that privacy and property laws apply equally to personal property that is not secured.

Big data “ground rules”

We have said previously that big data is really consumer data: records of our interactions with websites, stores, companies, public institutions, social media platforms and so on. The definition of big data is still loose. “Big data” is used to describe both unstructured and structured data collected through various channels: online, through wifi and phone networks, and in the physical world through sensors or cameras. Most often, the data collected combines personal content and metadata. Companies are effectively gathering massive amounts of personal data while the ground rules for respecting privacy are still undefined. “Data lakes” – massive repositories of relatively unstructured data collected from one or several sources, often without a specific purpose in mind – are seen as an asset by companies that want a wide variety of data for potential future analysis, or for sale to other companies.

The ground rules for personal data, despite general confusion about how they apply in new contexts, have not actually changed. Fair information principles, the basis of most privacy legislation, state that organizations should only collect, store, use, and retain personal information for specific purposes to which individuals have consented. Any information, or combination of information, that is detailed enough to potentially identify a person is personal information and these rules apply.

What does this mean for big data? For many organizations, the main incentive for adopting big data is to have large volumes of information that can be analyzed for multiple purposes, shared or sold to third parties, and retained indefinitely. Privacy principles prohibit using personal information in this way. However, in most big data contexts there is no reason for anyone to access individual level records: people need statistics, not individual profiles. De-identification and anonymization methods offer ways of converting personal information holdings into aggregated, non-identifiable data that does not need the protections outlined in privacy principles. For big data to respect privacy it needs to stay “big” – in most circumstances, it should not be possible for anyone handling data to uncover personal information about specific individuals.

Why Invest in Privacy?

Posted on by Dr. Wael Hassan

For companies and public organizations running on limited budgets, it can be difficult to see the benefits of investing in privacy. In our experience, executives and boards do not usually ask how privacy could help them; they ask what similar organizations are doing, and what the potential penalties of privacy violations might be. When these are the criteria for decision making, there is very little incentive to do more than the minimum standard. Once basic privacy policies and procedures are in place, it is easy for organizations to slip into complacency.

Yet privacy, information technology, and information protection experts are emphasizing that managing privacy risk is more important than ever. Organizations hold more digitized information than ever before, and the increased use of portable devices, shared systems, and online portals creates new opportunities for information theft and hacking. Recent business and world news illustrate how data risks have materialized in the form of major breaches of citizens’ personal data. Affected organizations, particularly in the public sector, are under pressure to make changes.

Contrary to the typical narrative in management, we would suggest understanding risk management as an investment rather than an overhead cost. We suggest three ways of understanding privacy risk management beyond the usual focus on the harms of data breaches.

  • Risk management is business process improvement. Many privacy or security risks can be solved through business process improvements. In our experience, many of the recommendations in risk assessments have to do with processes.  For example, a common issue with online portals is that the handoff between registration and billing for account holders is unidirectional: there is no process to confirm that registered users have paid their fees, or to suspend their accounts when their registration has expired. Filling this gap addresses the privacy issue of unauthorized portal access, and also generates revenue.
  • Risk management is automation. Similarly, if privacy or security risks are a result of manual processes that can be automated, risk mitigation can be sold as increased efficiency. For example, if two departments host their own data sets pertaining to user profiles, investing in an automated validation tool will eliminate redundant efforts and reduce errors requiring staff attention.
  • Risk management is a selling point for funding or investment business cases. Risk and compliance managers can show how risk mitigation is a differentiating factor in the eyes of external funders, clients, and business partners. Business cases for external funding or investment and responses to requests for proposals can cite risk management as a differentiating factor with regard to external competition.

These three principles can work for private or public sector, major or small organizations.  Risk management provides both product and service companies with a competitive advantage by differentiating them from others. Government organizations facing funding cuts can leverage process improvements to improve employee utilization and limit outsourcing.

Privacy is best understood as an investment factor that improves bottom lines and provides a competitive advantage. Such an approach changes the question from, “What is the minimum I have to pay to manage this risk?” to “What is my return on investment?”