So You Want To Protect Privacy: Now What? ARMA Information Management Symposium June 1, 2011 Stuart Bailey

So You Want to Protect Privacy: Now What?

DESCRIPTION

Protecting privacy is more than just stating principles; compliance means being able to demonstrate how everyday practices affect the ability to comply with abstract principles and interests. A short discussion on how managing information helps demonstrate compliance.

Page 1: So You Want to Protect Privacy: Now What?

So You Want To Protect Privacy: Now What?

ARMA Information Management Symposium, June 1, 2011

Stuart Bailey

Privacy and Social Media

“Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that ‘what is whispered in the closet shall be proclaimed from the house-tops.’”

Warren and Brandeis, “The Right to Privacy,” 4 Harvard Law Review 193 (1890)

Privacy Means…

• Can be defined in many ways, for example, privacy of:
– Assault
– Nuisance
– Reputation
– Defamation (Slander, Libel)
– Property rights (Copyright, intellectual property)
– Opinions
– Body
– Communications
– Data

Privacy and Data Protection

• Data protection legislation is the main lens through which we address privacy interests
– Documented information about specific individuals

• Prosser v. Gavison
– Privacy torts; something unique and distinct
– As seen recently in Law Times: Jones v. Tsige, 2011 ONSC 1475 (CanLII)
– http://www.canlii.org/en/on/onsc/doc/2011/2011onsc1475/2011onsc1475.html

Social Media and Privacy

• The Right to Be Let Alone
– Warren and Brandeis, “The Right to Privacy,” 4 Harvard Law Review 193 (1890)
• Freedom of Expression
• Private Communications
• The Right to Be Forgotten
– As seen recently in the European Union
• Location data
– Does it locate a data subject, or is data a location itself (i.e., a site)?
• Crossing Borders
– If skin is a border between people, what forms the border between data subjects?

Prosser on Privacy

i. Intrusion upon the plaintiff’s seclusion or solitude, or into his private affairs;

ii. Public disclosure of embarrassing private facts about the plaintiff;

iii. Publicity which places the plaintiff in a false light in the public eye; and

iv. Appropriation, for the defendant’s advantage, of the plaintiff’s name or likeness.

Privacy, 48 Cal.L.Rev. 383 (1960)

Gavison: “Privacy and the Limits of Law”

• This Article is an attempt to vindicate the way most of us think and talk about privacy issues: unlike the reductionists, most of us consider privacy to be a useful concept. To be useful, however, the concept must denote something that is distinct and coherent. Only then can it help us in thinking about problems. Moreover, privacy must have coherence in three different contexts. First, we must have a neutral concept of privacy that will enable us to identify when a loss of privacy has occurred so that discussions of privacy and claims of privacy can be intelligible. Second, privacy must have coherence as a value, for claims of legal protection of privacy are compelling only if losses of privacy are sometimes undesirable and if those losses are undesirable for similar reasons. Third, privacy must be a concept useful in legal contexts, a concept that enables us to identify those occasions calling for legal protection, because the law does not interfere to protect against every undesirable event.

Gavison, R., 1980, “Privacy and the Limits of Law”, Yale Law Journal 89: 421-71. Accessed at http://www.gavison.com/a2658-privacy-and-the-limits-of-law May 20, 2011.

Jones v. Tsige, 2011 ONSC 1475 (CanLII)

• [52] Without any further reference to Euteneier, the court in Nitsopoulos concludes by agreeing with the decision in Somwar – that it is not settled law in Ontario that there is no tort of invasion of privacy and expressly adopts the reasoning in that case.

• [53] Turning back now to the various statutory provisions that govern privacy issues, most Canadian jurisdictions have statutory administrative schemes that govern and regulate privacy issues and disputes. In Ontario, it cannot be said that there is a legal vacuum that permits wrongs to go unrighted - requiring judicial intervention.

• [54] More particularly here, there is no doubt that PIPEDA applies to the banking sector and Ms. Jones had the right to initiate a complaint to the Commissioner under that statute with eventual recourse to the Federal Court. For this reason I do not accept the suggestion that Ms. Jones would be without any remedy for a wrong, if I were to determine that there is no tort for the invasion of privacy.

• [55] Notwithstanding the careful reasoning in Somwar and its adoption in Nitsopoulos, I conclude that the decision of the Court of Appeal in Euteneier is binding and dispositive of the question as to whether the tort of invasion of privacy exists at common law.

• [56] I would also note that this is not an area of law that requires “judge-made” rights and obligations. Statutory schemes that govern privacy issues are, for the most part, carefully nuanced and designed to balance practical concerns and needs in an industry-specific fashion.

• [57] I conclude that there is no tort of invasion of privacy in Ontario.

http://www.canlii.org/en/on/onsc/doc/2011/2011onsc1475/2011onsc1475.html Accessed May 20, 2011

(emphasis added)

If there is no tort of invasion of privacy, recoveries for privacy harms must be done through other means – but how will those be acted on?

A Privacy Proposition

• If there is no tort for invasion of privacy
– Privacy harms are appended to other torts

• And there is still something unique and distinct about privacy that lets us have internal thoughts
– Privacy rights are based on a concept that cannot be numerated

• Therefore, protecting privacy rights is a matter of linking shared principles to everyday actions and finding “privacy” through other established activities
– Data protection and the need to manage information

Data and Privacy

• Data are everywhere; some personal, some not – some personal information can be derived from seemingly non-personal information.

• Personal data can be a location as much as a physical address is.

• Determining and adhering to “consistent use” can prove to be difficult.

Information Management

Information Management is the discipline of managing information like an asset – the same as we do for money, people, or infrastructure.

What Is Information Management?

http://www.aiim.org/What-is-Information-Management

IM and Related Disciplines

• Information Management connects outcomes of related disciplines at the level of information.

• IM looks at the information that crosses boundaries:

– Technical environment (e.g., e-mail > shared drive > collaboration site > report repository)

– Subject-matter (e.g., policy > business analysis > customer support > application design)

How does this affect or enable re-use by Policy, Records Management, Privacy, etc.?

What enterprise-level models help create consistency across specialized subjects?

IM Process and Context

Affects ability to enable and support: Sharing, Collecting, Reporting, Collaborating, Re-Using, Guiding, Managing Knowledge, Corporate Knowledge Repositories; Managing the Public Record

[Figure: Intersection of Information Management Issues and Activities. Diagram labels: Users; Content; Context. Examples shown: E-mail; Shared Drive; Collab sites; Mobile. Briefing Note; Report; Approval; Procurement; Agreement; Project Records. [email protected]; un/pw. Image: http://collectionscanada.ca/government/news-events/091/007001-misc06-e-v5.jpg]

Control Models

Privacy
• Accountability
• Identifying Purposes
• Consent
• Limiting Collection
• Limiting Use, Disclosure, and Retention
• Accuracy
• Safeguards
• Openness
• Individual Access
• Challenging Compliance

Information Management
• Planning
• Collection / Creation
• Use, Disclosure, Maintenance
• Disposition
• Evaluation

Planning

• Intended Purpose
• Authorizations to Collect
• Notice and Consent

What information do you want?

Why do you want that information?

Who will be using that information, and to accomplish what?

Does everyone understand what you want to do with the information?

Have you got the authority to collect, and use the information?

Collection / Creation

• Notifications and Consent
• Limiting Collection
• Safeguards
• Openness
• Accountability

Have you given proper notice for what you want to collect?

Is the notice traceable to the collection and management of the information?

Can you demonstrate how collection has been limited?

Do you know how you will protect the information?

Can you demonstrate how this is consistent with your policies?

Who is accountable if the information is lost?

Use, Disclosure, Maintenance

• Limiting Use, Disclosure, Retention
• Accuracy
• Safeguards
• Challenging Compliance
• Individual Access

How can you demonstrate that you have limited use, disclosure, or retention?

How have you applied policies (e.g., retention) against information?

Where are the safeguards being applied? By whom? For how long? Against what?

What if you use encryption – how will you decrypt if needed?

If challenged, can you demonstrate compliance with your own policies?

Disposition

• Limiting Use, Disclosure, and Retention
• Safeguards
• Accuracy
• Individual Access

When destroying, can you demonstrate that use was limited?

When protecting, can you be sure you’re protecting enough – or not too much?

How will you ensure that you are working with the most accurate information?

If requested, will you know where to find all relevant information?

Evaluation

• Challenging Compliance
• Openness
• Accountability

How can you demonstrate that you have complied with the principles?

Once you have made your policies open and accessible, can you show how you are complying with them?

How is accountability traceable and demonstrable to outside observers?

What is the effect of governance decisions?

Sparkle Eyes

Information Management

http://www.imdb.com/name/nm0000123/

Bio on IMDB.com

• Job Type
• Year
• Ratings
• Votes
• TV Series
• Genre
• Keyword

Celebrities’ Private Lives

• Tombstone data
• Filmography
• Thoughts and Opinions
• Movement
• Communications
• Intimacy

Automated Systems

• For example, in a SharePoint environment, metadata enables features like rights management, document routing, and disposition.

Retention Schedules

Demonstrating Compliance

• To demonstrate compliance with legislation and policies, specific data about specific individuals must be tracked and managed.

• In the event of a breach, specific actions about specific points in the organization (e.g., database, program area, etc.) need to be taken in order to respond.

Conclusion

• Privacy is an abstract concept
• Respecting and protecting privacy happens through data protection
• Data protection requires common, consistent management activities in various contexts
• Data in context is information
• Therefore, protecting privacy means managing information
