Overview of frameworks Designing for Privacy Leonardo H

  • Slides: 9
Download presentation
Overview of frameworks Designing for Privacy Leonardo H. Iwaya CC-BY-4. 0

Overview of frameworks Designing for Privacy Leonardo H. Iwaya CC-BY-4. 0

PIA Articulation and Systematisation • PIAs require multiple technical and organizational methods • •

PIA Articulation and Systematisation • PIAs require multiple technical and organizational methods • • New project Project planning System documentation Privacy risk analysis Reporting and action plan • Methods have to be studied, selected and systematized to create methodology, i. e. , a PIA framework Determine if you need a PIA Prepare and plan the PIA Project changes Decribe the project and data flows Prepare and disseminate the PIA Report Identify privacy threats Identify controls and countermeasures 2

PIA Frameworks: A Few Examples • Privacy and Data Protection Impact Assessment Framework for

PIA Frameworks: A Few Examples • Privacy and Data Protection Impact Assessment Framework for RFID Applications (PIA RFID), 2011. • UK – Conducting privacy impact assessments code of practice, Information Commissioner’s Office (ICO), 2014. • FR – Privacy Impact Assessment (PIA), Commision nationale de l’informatique et des libertés (CNIL), 2015. • ISO/IEC 29134 Information technology – Security techniques – Guidelines for privacy impact assessment, 2017. 3

PIA Frameworks: PIA RFID • Privacy and Data Protection Impact Assessment Framework for RFID

PIA Frameworks: PIA RFID • Privacy and Data Protection Impact Assessment Framework for RFID Applications (PIA RFID), 2011. • See also • Oetzel, M. C. and Spiekermann, S. , 2014. A systematic methodology for privacy impact assessments: a design science approach. European Journal of Information Systems, 23(2), pp. 126 -150. Privacy Impact Assessment Guideline for RFID Applications (Langfassung) 4

PIA Frameworks: ICO’s PIA • UK – Conducting privacy impact assessments code of practice,

PIA Frameworks: ICO’s PIA • UK – Conducting privacy impact assessments code of practice, Information Commissioner’s Office (ICO), 2014. Conducting privacy impact assessments code of practice (UK ICO PIA) 5

PIA Frameworks: CNIL’s PIA • FR – Privacy Impact Assessment (PIA), Commision nationale de

PIA Frameworks: CNIL’s PIA • FR – Privacy Impact Assessment (PIA), Commision nationale de l’informatique et des libertés (CNIL), 2015. CNIL Privacy Impact Assessment Manuals 6

PIA Frameworks: ISO 29134 • ISO/IEC 29134 Information technology – Security techniques – Guidelines

PIA Frameworks: ISO 29134 • ISO/IEC 29134 Information technology – Security techniques – Guidelines for privacy impact assessment, 2017. ISO/IEC 29134: 2017 Guidelines for privacy impact assessment 7

Ok, but which one should I use? • They are all relatively similar •

Ok, but which one should I use? • They are all relatively similar • They all aim for Privacy, i. e. , PIA (not merely ‘Data Protection’) • Choose and adapt them to your organisation’s needs • Engage with your DPA • ISO 29134 definitely shows that we’re reaching some level of maturity regarding PIAs 8

References • Oetzel, C. , Spiekermann, S. , Grüning, I. , Kelter, H. and

References • Oetzel, C. , Spiekermann, S. , Grüning, I. , Kelter, H. and Mull, S. , 2011. Privacy Impact Assessment Guideline for RFID Applications. Bundesamt für Sicherheit in der Informationstechnik (BSI). • ICO, 2014. Conducting privacy impact assessments code of practice, Information Commissioner’s Office, 2014. • CNIL, 2015. Privacy Impact Assessment (PIA) – Methodology (how to carry out a PIA), Commision nationale de l’informatique et des libertés, 2015. • ISO/IEC 29134, 2017. Information technology – Security techniques – Guidelines for privacy impact assessment. (https: //www. iso. org/standard/62289. html) 9 Icons and Images Graphiqa Stock (https: //www. iconfinder. com/graphiqa )