Private Lives in a Database World

Feb 16, 2014



Richard Thomas CBE
Adviser, Centre for Information Policy Leadership @ Hunton & Williams

ICAEW IT Faculty Annual Lecture
6 December 2010


Surveillance Society 2010 >

Devices: smaller, cheaper, more powerful, more connected, more storage
New tools for aggregating, analyzing, and distributing data
Surveillance equipment with biometric capabilities
Ubiquitous computing; Internet of Things; sensor networks
Smart buildings, smart transport, smart healthcare

Total amount of data connected to the Internet:
2001: one petabyte (10^15 bytes)
2006: one exabyte (10^18 bytes)
2010: one zettabyte (10^21 bytes)

By 2020: billion+ computers, 10 billion+ communications appliances, 100s of billions of sensors embedded in other machines

2010 Political Developments

Election Manifestos
ID Cards
ContactPoint
Independent Safeguarding Authority
Intercept Modernisation Programme

Harms and Risks

Threats to fundamental rights and freedoms
Harm to individuals: economic, social, autonomy/dignity
Harm to organisations: reputational, financial, operational
Harm to society: relationships, trust
Risks: how likely, how serious?

Benefits of Technology

For individuals: access, information, choice, lower prices, personalisation, safety, quality of life, "remembering"
For society: public protection, law enforcement, public services, research
For prosperity: innovation, efficiency

Popularity of technology: virtual world = real world
Dangers of legislators and regulators imposing their views

Regulatory approaches to avoid

Ineffective at delivering objectives
Unduly burdensome
Unintended consequences
Vague or unintelligible
Excessively prescriptive
Discredited or widely ignored

For example...

Notification
Excessive reliance on Notice and Consent
Uncertainties over definition of "personal data"
Convoluted and prescriptive conditions for processing
Controller / Processor distinction
Unrealistic approach to international transfers

2020 Vision: Criteria for a modernised and globalised regulatory framework

Based on clear objectives; outcome based
Reflecting, and "gently" leading, social norms
Ensure balance between benefits and harms
Cast in relevant / accessible language
Technologically neutral and forward-looking
Imposing minimum standards; encouraging good practice
Internationally compatible or inter-operable

2020 Vision: Components

More focus on use than collection
Tough line on non-compliance with privacy claims
Priority for public sector
Not beyond "reasonable and legitimate expectations"
Emphasis on Information Governance
Accountability

Legitimate and reasonable expectations

Security
Accuracy
Confidentiality / non-sharing where that is the norm
Time-limited retention
Common sense / proportionality / balance
Transparency, but not overload
No mis-information
Trust

Information Governance

Governance and Accountability
Policies
Procedures
Contracts
Compliance
People
Technology
Privacy by Design

Accountability: A Global Trend

OECD Principles
APEC Privacy Framework
Binding Corporate Rules (BCRs)
CIPL Galway and Paris Initiatives
Article 29 WP Opinions: Future of Privacy (Dec 2009); Accountability (July 2010)
EC Communication (Nov 2010)

Essential Elements of Accountability

Organizational commitment to tailor-made internal policies which elaborate general Principles
Mechanisms to develop and put policies into effect, including procedures, technologies, training and education
Systems for ongoing internal oversight, assurance reviews and external verification
Focus on risks and outcomes
Transparency
Ready to demonstrate chosen approach to compliance

Article 29 WP's July 2010 Opinion

"Data protection must move from theory to practice. Legal requirements must be translated into real data protection measures."

Accountability seen as key reform alongside Privacy by Design and more effective powers and sanctions
"One size does not fit all"
Internal / external audits / certification
2nd "voluntary" tier: going above and beyond minimum legal requirements

Regulatory Implications

Focus on implementing, not replacing, existing Principles
Shift from ex ante towards ex post regulation
Substitutes for Notifications and Prior Approvals
Enables prioritisation and better use of resources
Brings subtlety to sanctions
Brings sanity to international transfers

Accountability in Practice

Answerable for decisions, behaviours and results in practice, not box-ticking
Policies, Procedures, IT, People

Policies and procedures:
Binding written data protection policies and procedures
Bespoke: right for the organisation, reflecting actual risks
Reflecting applicable laws, regulations and industry standards

Accountability in Practice

Executive commitment: CEO, COO or General Counsel; Risk or Audit Committee; Statements of Internal Control
Responsibility and delegation: Chief Privacy Officer (CPO) with real influence; staff / advisers who know the business
Education and awareness programmes

Accountability in Practice

Risk assessment and mitigation: understand and mitigate the privacy risks raised by on-going and new products, services, technologies and business models; Privacy Impact Assessments and Privacy by Design
Event management and complaint handling: procedures for responding to inquiries, complaints and security breaches
Consumer care: plain English Privacy Notices (see ICO Code); websites; customer help-lines
Redress: remedies for those whose privacy has been infringed
Internal enforcement: internal enforcement and discipline for non-compliance

Validation and certification

Intent and implementation
Internal validation / assurance essential
External validation or certification: Regulator? "Trusted 3rd Party"? Self-certification? Traffic lights?

From BCRs to Binding Global Codes

63,000 multinational corporations, with 821,000 subsidiaries
Countless more SMEs involved daily in international transfers of personal data
BGC Framework built on an explicit foundation of Accountability
Organisation accepts responsibility for fulfilment of its BGC
BGC tailored to business model, but must meet minimum requirements, e.g. International DP Standards
Approved? Certified? Self-certified?
Domestic application

Commission's Communication

Clear Objectives / Promoting Accountability: XXX
Registration to replace Notification: ✓✓✓
Standard-form Privacy Information Notices: XX
Breach notification: ?
Right to be forgotten: ?
Privacy Impact Assessments / Privacy by Design: ✓✓✓
Certification schemes
"Clarify Adequacy Procedure": XX
Improve and streamline BCRs: ✓✓ ?
Police and Criminal co-operation: ✓✓