
Security Safeguards Principle

From the OECD Guidelines: “Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.” Any entity controlling PI must protect it from unauthorized access or processing.

This principle clearly invokes the wide and complicated discipline of security for all types of data but focuses the requirement to specifically protect personal data. This is one of the overlaps between privacy and security that will be discussed later in this chapter.

Openness Principle

From the OECD Guidelines: “There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.”

Publication of privacy policies and statements is one means to achieve a level of openness in and about an organization.

Individual Participation Principle

From the OECD Guidelines: “An individual should have the right:

a) to obtain from a data controller,[1] or otherwise, confirmation of whether or not the data controller has data relating to him;

b) to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive;

in a reasonable manner; and in a form that is readily intelligible to him;

c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and

d) to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed, or amended.”

This principle describes an individual's right to update, correct, and know which data has been collected about them from a given entity. It is closely related to the accuracy principle. Much innovation is required for this principle, in particular in a world of vastly dispersed and complex data sharing and processing even to achieve relatively simple goals.

An example of some of this complexity may be the fulfillment of an online contact lens service where an individual may be described by a common carrier, an ophthalmologist, a fulfillment center, a manufacturer, and more. For any one individual to possibly glean where and when his data changes hands among all of these specialized and related steps is a daunting task indeed.

Here is a two-tiered process to determine if data is needed.

The first tier is to ask the question: is this data needed? Not wanted, needed.

If the answer is yes, and all other design and architectural reviews and options (such as not collecting at all, truncating, or de-identifying the data) have been exhausted, then run each data element through the following set of formulas:

I need X to do Y.

Without X I cannot do Y.

If the answer to the first two equations is true, proceed to the third:

Y is a subset of uses for the data for which Z has given permission (Y < ?).

If the answer to this equation is true, then ask: does it pass the smell test (fit the spirit of the permission, as well as the letter)? If the answer to this is yes, then proceed.

If the answer is no, then based on the data and the use (i.e., the risk), explore what level and type of notice and consent are required and consider how best to expand the existing permission to cover the contemplated use.

If there is reluctance to go back to an individual for permission, then someone has to ask what the locus of that discomfort is. It usually is because the benefit is not so much for the person but for the organization, or because there is a lack of proportionality between the risk to the privacy of the individual and the benefit to him or her. Knowledge of this will help the real goals and purpose of the processing to surface, which will then lead to a more productive discussion of how to address and manage the risks.
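The two-tier test above is a decision procedure, and it can be run over a data inventory during a design review. The following is an added example, not code from the book or its authors: the gate is encoded as a function, and a small constructed inventory for the contact lens service mentioned earlier is run through it. The element names, the permitted-use list, and the reviewer's recorded "smell test" judgement are assumptions chosen for the example.

```python
"""Data-element review gate modelled on the two-tier test above.

Added illustration, not code from the book. The inventory, the permitted
uses and the field names are assumptions made for this example.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    DROP = "do not collect: not needed for the purpose"
    REDESIGN = "needed, but not collecting, truncating or de-identifying has not been tried"
    PROCEED = "needed, within permitted uses, and consistent with their spirit"
    EXPAND_PERMISSION = "needed, but outside existing permission: decide on notice and consent"


@dataclass
class DataElement:
    name: str                     # X, the data element under review
    purpose: str                  # Y, what the element is needed for
    needed: bool                  # tier 1: needed, not merely wanted
    purpose_fails_without: bool   # "without X I cannot do Y"
    alternatives_exhausted: bool  # not collecting / truncating / de-identifying considered
    passes_spirit: bool = True    # the reviewer's recorded "smell test" judgement


def review(element: DataElement, permitted_uses: set[str]) -> Decision:
    """Run one element through both tiers and return the outcome."""
    # Tier 1: is this data needed (not wanted)?
    if not element.needed:
        return Decision.DROP
    # Design and architectural options must be exhausted before tier 2.
    if not element.alternatives_exhausted:
        return Decision.REDESIGN
    # Tier 2, formulas 1 and 2: "I need X to do Y" / "without X I cannot do Y".
    if not element.purpose_fails_without:
        return Decision.DROP
    # Formula 3: Y must be among the uses Z (the individual) has permitted.
    if element.purpose not in permitted_uses:
        return Decision.EXPAND_PERMISSION
    # Smell test: the letter is satisfied, but does the spirit hold?
    if not element.passes_spirit:
        return Decision.EXPAND_PERMISSION
    return Decision.PROCEED


def review_inventory(inventory: list[DataElement], permitted_uses: set[str]) -> dict[str, Decision]:
    """Review every element and return a name -> decision map for the design record."""
    return {e.name: review(e, permitted_uses) for e in inventory}


# Constructed sample: uses the customer agreed to when ordering lenses (assumption).
PERMITTED_USES = {"fulfil order", "verify prescription"}

# Constructed sample inventory for the contact lens service (assumption).
INVENTORY = [
    DataElement("shipping address", "fulfil order", True, True, True),
    DataElement("prescription", "verify prescription", True, True, True),
    DataElement("date of birth", "birthday marketing", True, True, True),
    DataElement("precise geolocation", "fulfil order", False, False, False),
    DataElement("full IP address", "fraud screening", True, True, False),
    # Letter satisfied ("fulfil order") but the reviewer judged the spirit is not.
    DataElement("household member names", "fulfil order", True, True, True, passes_spirit=False),
]

if __name__ == "__main__":
    for name, decision in review_inventory(INVENTORY, PERMITTED_USES).items():
        print(f"{name:24} -> {decision.name}: {decision.value}")
```

Each outcome other than PROCEED names the next step the text calls for: DROP returns to the "not wanted, needed" question, REDESIGN sends the element back to the architectural options, and EXPAND_PERMISSION opens the notice-and-consent discussion.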

Accountability Principle

From the OECD Guidelines: “A data controller should be accountable for complying with measures which give effect to the principles stated above.”

This principle means whoever is controlling the data, that is, in charge of determining how they are going to be used and processed, is the party who will be held responsible for ensuring the data is processed in an authorized, fair, and legitimate manner, and who will bear the consequences if they are not.

Telemetry is the collection of information about machines and systems. It is often collected remotely to monitor how a system is functioning, so that issues can be detected and resolved in advance or in order to provide services. Sometimes it contains unique identifiers. The most obvious of these was the IP address, but there were also things like machine name, media access control (MAC) address, and so on.

Although collection of telemetry was not considered in the past the same as collecting personal information now, there have always been privacy concerns with it. These concerns were mainly whether the collection of it was authorized or not and thus whether it was a form of spyware or not (think industrial espionage).

However, with the widespread adoption of smartphones, PDAs, and other devices, the quantum leap in the ability to collect, parse, and understand patterns (i.e., Big Data or data science), and the ability to act on those patterns and push communications to devices (or take other actions) based on what was once just considered machine data, all of this has changed.

Now unique identifiers such as those collected as part of collecting telemetry need to be examined and considered. The important thing to remember in evaluating whether a unique identifier falls under the definition of PI is that not all unique identifiers are equal. Below is a list of characteristics to consider when evaluating unique identifiers to see if any one of them is something that can reasonably be linked to a person or a person's device (vs. a system that front-ends a network):

  • Reidentification (correlating an identifier with other data that leads to the ability to identify the user)
  • Use as an “anchor” to aggregate and analyze information from one or more sources
  • Permanence
  • Frequency of change
  • Ease of change
  • Reachability (can it be used to contact or track)
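The characteristics above are not fixed properties of a telemetry field; the pipeline that stores it can change them. The following is an added example, not code from the book or its authors, of one such design: a raw MAC address (permanent, never changes, reachable) is replaced with a keyed pseudonym that rotates per reporting window, so it still works as an anchor for correlating events inside that window but loses permanence and reachability, and the IP address is truncated to its network prefix. The key, the window length, the field names, and the sample records are assumptions made for the example.

```python
"""Reshaping a telemetry identifier's characteristics before storage.

Added example, not from the book. SECRET_KEY, WINDOW_DAYS and the sample
records are constructed assumptions for this illustration.
"""
import hashlib
import hmac
import ipaddress
from datetime import datetime

# Assumption: held only by the telemetry service, never shipped with the client.
SECRET_KEY = b"constructed-example-key-rotate-in-practice"
# Assumption: pseudonyms change weekly, so correlation works within a week only.
WINDOW_DAYS = 7


def window_index(ts: datetime) -> int:
    """Number of the reporting window (of WINDOW_DAYS) that contains ts."""
    return int(ts.timestamp()) // (WINDOW_DAYS * 86400)


def pseudonymize(identifier: str, ts: datetime) -> str:
    """Keyed hash of the identifier bound to the reporting window of ts.

    Same identifier + same window -> same value (usable as an anchor);
    a new window -> a new value (no permanence); without SECRET_KEY the
    value cannot be turned back into the MAC (no reachability).
    """
    msg = f"{window_index(ts)}:{identifier}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:16]


def truncate_ip(ip: str) -> str:
    """Drop host bits (IPv4 -> /24, IPv6 -> /48) so the value no longer reaches a host."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def sanitize(record: dict) -> dict:
    """Return the record as it should be stored: no raw MAC, no full IP."""
    ts = datetime.fromisoformat(record["ts"])
    return {
        "ts": record["ts"],
        "device": pseudonymize(record["mac"], ts),
        "net": truncate_ip(record["ip"]),
        "event": record["event"],
    }


# Constructed sample telemetry as it arrives from a client (assumption).
RAW_RECORDS = [
    {"ts": "2024-01-01T00:00:00+00:00", "mac": "00:1a:2b:3c:4d:5e", "ip": "203.0.113.45", "event": "boot"},
    {"ts": "2024-01-02T00:00:00+00:00", "mac": "00:1a:2b:3c:4d:5e", "ip": "203.0.113.45", "event": "crash"},
    {"ts": "2024-01-15T00:00:00+00:00", "mac": "00:1a:2b:3c:4d:5e", "ip": "2001:db8::1", "event": "boot"},
]

if __name__ == "__main__":
    for rec in RAW_RECORDS:
        print(sanitize(rec))
```

Run against the sample, the first two records share a device pseudonym (same week, so the crash can be correlated with the preceding boot), while the third gets a different one; no stored field can be turned back into the MAC or used to reach the host.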

  • [1] Author note: A data controller is the entity that is responsible for determining how data is processed. The data controller gives direction to the data processor. Sometimes the data controller and data processor are one and the same; sometimes not, such as in outsourcing. In such a situation, the service provider is the data processor.