Presentation annotated by Gail Magnuson LLC with permission from www.peterfbrown.com

Using Information Technologies to Empower and Transform

This presentation supported by Gail Magnuson, President, Gail Magnuson LLC

Peter F BrownIndependent Consultant

The Privacy Management Reference Model and Methodology from OASIS:

Using the Privacy Management Reference Model and Methodology to Explore Do Not Track Design

Introduction to PMRMIAPP Cleveland KnowledgeNet Presentation

Gail A Magnuson, CIPP US President, Gail Magnuson LLCGail.Magnuson@gmail.comSeptember 2012

© Peter F Brown, 2012 All Rights Reserved with annotations provided with permission by Gail Magnuson LLC

A Model and a Methodology

2

The model provides a common conceptual framework and vocabulary to help people cooperate across disciplines and organizational boundaries…

…and the methodology provides a common set of tasks to achieve a privacy architecture and privacy management analysis

© Peter F Brown, 2012 All Rights Reserved with annotations provided with permission by Gail Magnuson LLC

The PMRM Model

3

© Peter F Brown, 2012 All Rights Reserved with annotations provided with permission by Gail Magnuson LLC

The PMRM Methodology

4

Presentation annotated by Gail Magnuson LLC with permission from www.peterfbrown.com

Using Information Technologies to Empower and Transform

This presentation supported by Gail Magnuson, President, Gail Magnuson LLC

Peter F BrownIndependent Consultant

The Methodology in Detail

© Peter F Brown, 2012 All Rights Reserved with annotations provided with permission by Gail Magnuson LLC

Detailed Privacy Analysis

1.High-Level Privacy Analysis and Use Case

6

Scop

e General Description of Services & Applications En

viro

nmen

t

Business Use Case Inventory

App

licab

le R

equi

rem

ents Privacy

Conformance Criteria

Impa

ct A

sses

smen

ts Privacy Assessment PreparationPrivacy Impact AssessmentsPrivacy Maturity AssessmentsCompliance ReviewsAccountability Model Assessments

Application and Business Process Descriptions Applicable Privacy Policies, Practices, Laws & Regulations

© Peter F Brown, 2012 All Rights Reserved with annotations provided with permission by Gail Magnuson LLC

Domains

2.Detailed Privacy Use Case Analysis

7

Scope:High-Level Privacy AnalysisHigh-Level Use Case Description

Systems

Roles & Responsibilities Actors

Touch Points

Owners

Identify all the following:

© Peter F Brown, 2012 All Rights Reserved with annotations provided with permission by Gail Magnuson LLC

1st Party WebsiteBrower(s) or DNT

2.US DNT & EU Cookie Touch Points & Data Flows

8

System aTo

uch

Poin

t

Touch Point

Touc

h Po

int

System b

System c

3rd Party Websites

System d

Big Data Vendor(s)

System e

Browser(s) or DNT

System a

Touch Point

Touch Point

© Peter F Brown, 2012 All Rights Reserved with annotations provided with permission by Gail Magnuson LLC

3.Identify PI and Privacy Controls

9

© Peter F Brown, 2012 All Rights Reserved with annotations provided with permission by Gail Magnuson LLC

4.Services Supporting Privacy Controls

10

Privacy Controls are usually stated in the form of a policy declaration or requirement and not in a way that is immediately actionable or implementable.

Services provide the ‘bridge’ between requirement and implementation by providing privacy constraints on system-level actions governing the flow of PI between touch points

8 key PMRM Services identified in the initial work:

Agreement

Usage

Validation

Security

Certification

Enforcement

Interaction

Access

© Peter F Brown, 2012 All Rights Reserved with annotations provided with permission by Gail Magnuson LLC

4.Map Privacy Controls to Services

11

Ag E

I

Ac

Ac

U V E

U V S C I

Incoming PI

Internally Generated PI

Inherited Privacy Controls

Internal Privacy Controls

PMRM Services Required

Outgoing PI Exported Privacy Controls

AcU V S C I

IU V E

© Peter F Brown, 2012 All Rights Reserved with annotations provided with permission by Gail Magnuson LLC

4.Map Services to Systems

12

Ag E Ac

IU V E

AcU V S C I

PMRM Services Used

AcU V S C I

Business Processes and Technical Mechanisms Required by System

A B C D E

B C E F

A C D G H

C E G H

Risk Assessment

© Peter F Brown, 2012 All Rights Reserved with annotations provided with permission by Gail Magnuson LLC

A Model and a Methodology

13

The model provides a common conceptual framework and vocabulary to help people cooperate across disciplines and organizational boundaries…

…and the methodology provides a common set of tasks to achieve a privacy architecture and privacy management analysis

Presentation annotated by Gail Magnuson LLC with permission from www.peterfbrown.com

The OASIS Privacy Management Reference Model and Methodology

Introduction to PMRM

► peter@peterfbrown.com► www.peterfbrown.com► PensivePeter.wordpress.com► @PensivePeter

PMRM Draft Specification:http://docs.oasis-open.org/pmrm/PMRM/v1.0/csd01/PMRM-v1.0-csd01.docPMRM Committee Home Page:http://www.oasis-open.org/committees/pmrmUSAToday EU Cookie Law Overview with Chris Wolf Interview:http://content.usatoday.com/communities/technologylive/post/2011/09/europe-taking-much-stricter-stance-on-do-not-track-rules/1#.UFiEBrJlR5U