Privacy – Tools and Professional Practice

John Sabo, Chair, OASIS IDTrust Member Section and Chair, PMRM Technical Committee - [email protected]

The Global Battlefield and Privacy Engineering

• It is time to take the next steps towards privacy engineering standards and automated tools
• Privacy practitioners have been using stone age tools - there is no formal Privacy Engineering discipline!
• The privacy professional must be able to understand, analyze, visualize, document and implement technical solutions for data protection requirements
  o drawn from principles, regulations and organizational policies
  o in the context of a rigorous privacy management analysis
  o translated into privacy controls
  o defined in required services and functions
  o implemented in technical and procedural mechanisms and
  o reported using tools that allow a privacy engineer to demonstrate compliance
• While this is no easy task, it is essential

OASIS Privacy Engineering Workshop, EIC 2017 - John Sabo

Building a Privacy Engineering Discipline: Managing the Complexity of Data Protection

• A system is a combination of interacting elements organized to achieve one or more stated purposes. The interacting elements that compose a system include hardware, software, data, humans, processes, procedures, facilities, materials, and naturally occurring entities [ISO/IEC/IEEE 15288]

• To deliver privacy in IT systems - which include security - privacy control requirements must be functionally built into the “interacting elements that compose a system.”

• Analogy? - NIST SP 800-160 (November 2016), “Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems” - http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160.pdf

NIST’s Systems Security Engineering Project

• SSE Project Mission Statement...
  o To provide a basis to formalize a discipline for systems security engineering in terms of its principles, concepts, and activities.
  o To foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle.
  o To provide considerations for, and to demonstrate how, systems security engineering principles, concepts, and activities can be effectively applied to systems engineering activities.
  o To advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied.
  o To serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria.
• A similar approach is needed to develop a data privacy engineering discipline to support the GDPR and other data protection mandates

Insights on Privacy Engineering

• Requires
  o a disciplined approach from beginning to end
  o rigorous oversight of the level of detail to ensure all tasks are performed
  o an automated tool that retains detail and linkages to minimize manual work
  o use of subject matter experts and their disciplines and tools
  o interfaces with other automated tools (e.g. DPIAs/PIAs) for efficiency and accuracy

• Is most effective when
  o a privacy engineer can integrate all of the tasks (end to end), resulting in a comprehensive engineered design
  o as each task is executed to capture the detail, the detail is grouped into higher level categories and key issues etc. are annotated for later use
  o moving from task to task, previous tasks can be updated with new categories, detail and annotations - reusability
  o it can be demonstrated how a given mechanism meets its control requirement, and accountability can be demonstrated
• Note this can only be achieved by maintaining the linkages end to end and having the accountability reporting as well
  o Standards assist in reducing risks!

Industry, Standards and Academic Work Today - An Overview

• Official Standards
• Privacy Engineering Publications
• Privacy Engineering Methodologies
• Privacy Engineering Automated Tools
• Privacy Controls Design Strategies, Patterns Libraries
• Privacy Engineering Education
• Privacy Engineering Conferences and Workshops
• Privacy Engineering Models/Methodologies

Source: Privacy Engineering…Its Time to Take the Next Steps towards Standards and Automated Tools, by Gail Magnuson, LLC - https://www.oasis-open.org/committees/documents.php?wg_abbrev=pmrm&show_descriptions=yes

Privacy Engineering Standards in Progress

• OASIS PMRM – a Committee Specification - http://docs.oasis-open.org/pmrm/PMRM/v1.0/cs02/PMRM-v1.0-cs02.html
• OASIS PbD-SE - a Committee Specification and Annex - http://docs.oasis-open.org/pbd-se/pbd-se/v1.0/csd01/pbd-se-v1.0-csd01.html and http://docs.oasis-open.org/pbd-se/pbd-se-annex/v1.0/cnd01/pbd-se-annex-v1.0-cnd01.html
• ISO/IEC 27550 Privacy Engineering - https://www.iso.org/standard/72024.html

Privacy Engineering Publications

• The Privacy Engineer’s Manifesto: Getting from Policy to Code to QA to Value (Dennedy, Fox, Finneran) - https://www.amazon.com/Privacy-Engineers-Manifesto-Getting-Policy/dp/1430263555/ref=sr_1_1?ie=UTF8&qid=1485540649&sr=8-1&keywords=privacy+engineering+manifesto

• Achieving Digital Trust: The New Rules for Business at the Speed of Light (Ritter) - https://www.amazon.com/Achieving-Digital-Trust-Rules-Business/dp/0996599002

• Jeffrey Ritter’s public patent US 7240213 B1, System trustworthiness tool and methodology - https://www.google.com/patents/US7240213

Risk Management / Privacy Engineering Methodologies

• LINDDUN: a privacy threat analysis framework - https://linddun.org/

• NISTIR 8062, An Introduction to Privacy Engineering and Risk Management in Federal Systems - http://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8062.pdf

• MITRE Privacy Engineering Framework - https://www.mitre.org/publications/technical-papers/privacy-engineering-framework

Privacy Engineering Automated Tools and Solutions

• OASIS PMRM-based Open Source Privacy Management Analysis Tool – under development

• Nymity Smart PIA (e.g., tools facilitating DPIAs and data inventory) - https://www.nymity.com/products/smartpia.aspx

• OneTrust (e.g., tools such as GDPR Article 30 record-keeping compliance) - https://onetrust.com/

• Prifender (e.g., tools such as automated discovery and mapping of PI) - http://www.prifender.com/

Other Major Contributions to Privacy Engineering

• Privacy Controls Design Strategies, Patterns Libraries
  o NIST SP 800-53 - http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
  o PRIPARE Annex B - http://pripareproject.eu/wp-content/uploads/2013/11/PRIPARE-Methodology-Handbook-Final-Feb-24-2016.pdf
  o AICPA/CICA - http://www.aicpa.org/Pages/default.aspx
  o UC Berkeley School of Information – http://privacypatterns.org
• Privacy Engineering Education
  o Carnegie Mellon’s Master of Science in Information Technology – Privacy Engineering - http://privacy.cs.cmu.edu/
  o Johns Hopkins University Privacy Engineering Course - https://apps.ep.jhu.edu/course-homepages/3505-635.472-privacy-engineering-ritter
• Privacy Engineering Conferences and Workshops
  o IAPP workshops on privacy engineering - https://iapp.org
  o IEEE’s International Workshops on Privacy Engineering (IWPE’15 - IWPE’17) - http://www.ieee-security.org/TC/SP2016/index.html

Privacy Engineering Models/Methodologies

• The OASIS Privacy Management Reference Model and Methodology (PMRM) v1.0 CS02 provides a comprehensive approach to privacy engineering - http://docs.oasis-open.org/pmrm/PMRM/v1.0/cs02/PMRM-v1.0-cs02.html

• The PRIPARE (PReparing Industry to Privacy-by-design by supporting its Application in REsearch) methodology integrates the PMRM and other techniques into IT development processes - http://pripareproject.eu/wp-content/uploads/2013/11/PRIPARE-Methodology-Handbook-Final-Feb-24-2016.pdf

What is the PMRM and How Can it Support a Privacy Engineering Discipline?

The PMRM V1.0 CS02 - A methodology and analytic tool developed to:
• enable the structured analysis of “use cases” in which personal information (PI) and PII are used, generated, communicated, processed, stored and erased
• support applications, IoT, Cloud and complex hyper-connected systems, as well as smaller components of a system
• show the linkages among data, data flows, PI, privacy [including security] policies, privacy controls, privacy-enabling Services/functionality, and risk
• integrate with and support existing privacy standards
• achieve data protection by design requirements and compliance across policy and system boundaries
• support multiple stakeholders
http://docs.oasis-open.org/pmrm/PMRM/v1.0/cs02/PMRM-v1.0-cs02.html

The PMRM Model Reflects the Complexity of Data Protection/Privacy

The PMRM Privacy Management Analysis Methodology is the Analytic Tool Supporting Privacy Engineering

[Diagram: “Privacy Management Analysis is complicated”. Recoverable labels:]
• Multiple Stakeholders: Regulator, Privacy Officer, Business Owner, Privacy Engineer, Risk Officer, Software Engineer
• Inputs and concerns: GDPR Principles; Policy, Procedural and Technical issues; Risk Management; SDLC Issues
• Iterative Roles: Generalist, Specialist, Implementing Engineer
• Iterative Use Case Analysis: High Level Privacy Analysis, Detailed Analysis, Control Requirements, Services and Functionality, Mechanisms/Code

PMRM – Privacy Engineering Methodology

[Diagram: the PMRM methodology as an iterative process. Recoverable labels, top to bottom:]
• High Level Privacy Use Case Analysis (inputs: Privacy Impact and other Assessments; Services/Applications Requirements)
• Detailed Privacy Use Case Analysis, performed by Privacy Engineering Generalists: Domains and Owners; Data Flows and Touch Points; Risks and Responsibilities; Systems and Subsystems; Actors
• PI in Use Case Systems: for System 1 … System n, PI that is Incoming, Internally Generated or Outgoing
• Operational Privacy Control Requirements: Inherited, Internal, Exported
• Services Required for Operationalized Controls: Agreement, Usage, Validation, Certification, Enforcement, Security, Interaction, Access
• Technical and Process Functionality and Mechanisms, specified by Privacy Engineering Specialists
• Risk Assessment, iterated across all of the above steps

PMRM Services

[Diagram of the eight PMRM Services named above.]
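The methodology above is a chain of linkages: PI at a touch point in a data flow is covered by a control requirement, each control is delivered by one or more PMRM Services, and each Service is realized by a technical or procedural mechanism. The deck says an automated tool must retain those linkages end to end and report on them for accountability. The Python below is an added example, not the OASIS PMRM TC's tool and not code from this deck, of the smallest data model that can do that and the two reports it enables: a gap report (what in the chain is missing) and a trace of where one PI element is handled. The use case, systems, flows, control ids and mechanism strings are constructed for illustration; the eight Service names are the PMRM's.

```python
"""PMRM-style linkage model: touch points -> controls -> services -> mechanisms.

Added example, not the OASIS PMRM TC's tool. The use case, systems, data
flows, control ids and mechanisms are constructed; the Service names are
the eight PMRM Services.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

PMRM_SERVICES = {"Agreement", "Usage", "Validation", "Certification",
                 "Enforcement", "Security", "Interaction", "Access"}


@dataclass
class TouchPoint:
    """One point where PI crosses a system boundary within a data flow."""
    flow: str                  # e.g. "web shop -> fulfilment"
    system: str                # system or subsystem handling the PI here
    pi: Set[str]               # PI elements present at this touch point
    direction: str             # "incoming" | "internal" | "outgoing"
    controls: Set[str] = field(default_factory=set)   # control ids that cover it


@dataclass
class Control:
    """An operational privacy control requirement and how it is delivered."""
    cid: str
    text: str
    source: str                # principle or regulation it operationalizes
    services: Set[str]         # PMRM Services that deliver the control
    mechanisms: Set[str] = field(default_factory=set)   # technical/procedural


class UseCaseModel:
    def __init__(self, name: str) -> None:
        self.name = name
        self.touch_points: List[TouchPoint] = []
        self.controls: Dict[str, Control] = {}

    def add_touch_point(self, tp: TouchPoint) -> None:
        self.touch_points.append(tp)

    def add_control(self, c: Control) -> None:
        unknown = c.services - PMRM_SERVICES
        if unknown:   # a control must map onto the model's own Services
            raise ValueError(f"{c.cid}: unknown services {sorted(unknown)}")
        self.controls[c.cid] = c

    def gap_report(self) -> Dict[str, List[str]]:
        """Accountability view: every break in the linkage chain."""
        gaps = {"touch_points_without_controls": [], "dangling_control_refs": [],
                "controls_without_mechanism": [], "unused_controls": []}
        referenced: Set[str] = set()
        for tp in self.touch_points:
            if not tp.controls:
                gaps["touch_points_without_controls"].append(f"{tp.flow}@{tp.system}")
            for cid in tp.controls:
                referenced.add(cid)
                if cid not in self.controls:
                    gaps["dangling_control_refs"].append(cid)
        for cid, c in self.controls.items():
            if not c.mechanisms:
                gaps["controls_without_mechanism"].append(cid)
            if cid not in referenced:
                gaps["unused_controls"].append(cid)
        return {k: sorted(v) for k, v in gaps.items()}

    def trace(self, pi_element: str) -> List[dict]:
        """Where is this PI handled, under which control, service and mechanism?"""
        rows = []
        for tp in self.touch_points:
            if pi_element in tp.pi:
                for cid in sorted(tp.controls):
                    c = self.controls.get(cid)
                    rows.append({"flow": tp.flow, "system": tp.system, "control": cid,
                                 "services": sorted(c.services) if c else [],
                                 "mechanisms": sorted(c.mechanisms) if c else []})
        return rows


def build_example() -> UseCaseModel:
    """Constructed online-order use case with one deliberate gap of each kind."""
    m = UseCaseModel("online order (constructed)")
    m.add_control(Control("C1", "Process PI only for purposes the subject agreed to",
                          "GDPR Art. 5(1)(b) purpose limitation",
                          {"Agreement", "Usage"}, {"consent check before each use"}))
    m.add_control(Control("C2", "Protect PI in transit between systems",
                          "GDPR Art. 5(1)(f) integrity and confidentiality",
                          {"Security"}, {"TLS on all inter-system links"}))
    m.add_control(Control("C3", "Erase order PI after the retention period",
                          "GDPR Art. 5(1)(e) storage limitation",
                          {"Usage", "Enforcement"}))          # no mechanism chosen yet
    m.add_touch_point(TouchPoint("customer -> web shop", "web-shop",
                                 {"name", "address", "email"}, "incoming", {"C1", "C2"}))
    m.add_touch_point(TouchPoint("web shop -> fulfilment", "fulfilment",
                                 {"name", "address"}, "outgoing", {"C2", "C3"}))
    m.add_touch_point(TouchPoint("web shop -> analytics", "analytics",
                                 {"email"}, "outgoing"))      # nothing covers this flow
    return m


if __name__ == "__main__":
    model = build_example()
    print(model.gap_report())
    print(model.trace("email"))
```

The gap report is the part a DPIA or regulator actually wants: an outgoing flow of email to analytics with no control, and a storage-limitation control that has been assigned to Services but not yet to any mechanism, both surface automatically rather than through a manual spreadsheet review.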

From “Principles” to Technical Solutions

GDPR Principles (Article 5) require that personal data shall be: (a) processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency');

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those … ('purpose limitation');

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation');

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy');

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ('storage limitation');

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').

2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability').

GDPR Requires Consent - Article 7

1. The controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

2. The request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.

3. The data subject shall have the right to withdraw his or her consent at any time. Prior to giving consent, the data subject shall be informed thereof.

4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

ICO’s Draft Guidance On Consent

• Unbundled: consent requests must be separate from other terms and conditions.

• Active opt-in: pre-ticked opt-in boxes are invalid

• Granular: give granular options to consent separately to different types of processing wherever appropriate.

• Named: name your organisation and any third parties who will be relying on consent

• Documented: keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented

• Easy to withdraw: tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.

• No imbalance in the relationship: consent will not be freely given if there is imbalance in the relationship between the individual and the controller – this will make consent particularly difficult for public authorities and for employers, who should look for an alternative lawful basis.

https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf

From a Privacy Engineering point of view – at what levels in a system or application is consent implemented – and what functionality/technical mechanisms make it happen?

PMRM Services: Service, Functionality, Informal Definition

• AGREEMENT
  o Functionality: Defines and documents permissions and rules for the handling of PI based on applicable policies, data subject preferences, and other relevant factors; provides relevant Actors with a mechanism to negotiate, change or establish new permissions and rules; expresses the agreements such that they can be used by other Services
  o Informal definition: Manage and negotiate permissions and rules
• USAGE
  o Functionality: Ensures that the use of PI complies with the terms of permissions, policies, laws, and regulations, including PI subjected to information minimization, linking, integration, inference, transfer, derivation, aggregation, anonymization and disposal over the lifecycle of the PI
  o Informal definition: Control PI use
• VALIDATION
  o Functionality: Evaluates and ensures the information quality of PI in terms of accuracy, completeness, relevance, timeliness, provenance, appropriateness for use and other relevant qualitative factors
  o Informal definition: Ensure PI quality
• CERTIFICATION
  o Functionality: Ensures that the credentials of any Actor, Domain, System, or system component are compatible with their assigned roles in processing PI and verifies their capability to support required Privacy Controls in compliance with defined policies and assigned roles
  o Informal definition: Ensure appropriate privacy management credentials
• ENFORCEMENT
  o Functionality: Initiates monitoring capabilities to ensure the effective operation of all Services. Initiates response actions, policy execution, and recourse when audit controls and monitoring indicate operational faults and failures. Records and reports evidence of compliance to Stakeholders and/or regulators. Provides evidence necessary for Accountability
  o Informal definition: Monitor proper operation, respond to exception conditions and report evidence of compliance where required for accountability
• SECURITY
  o Functionality: Provides the procedural and technical mechanisms necessary to ensure the confidentiality, integrity, and availability of PI; makes possible the trustworthy processing, communication, storage and disposition of PI; safeguards privacy operations
  o Informal definition: Safeguard privacy information and operations
• INTERACTION
  o Functionality: Provides generalized interfaces necessary for presentation, communication, and interaction of PI and relevant information associated with PI, encompassing functionality such as user interfaces, system-to-system information exchanges, and agents
  o Informal definition: Information presentation and communication
• ACCESS
  o Functionality: Enables Data Subjects, as required and/or allowed by permission, policy, or regulation, to review their PI that is held within a Domain and propose changes, corrections or deletion for their PI
  o Informal definition: View and propose changes to PI

So…Privacy will Ensure that Consent Requirements are Built into Specific Applications and Systems
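The question posed earlier was at what level in a system consent is implemented and by what mechanism. Read against the Service definitions, consent lands in three of them: Agreement records what was agreed, Usage checks that record before any processing, and Enforcement keeps the evidence that Article 7(1) and the ICO's "documented" point require. The Python below is an added example, not code from this deck or from the OASIS PMRM TC, showing those three Services as one consent ledger. It also encodes the ICO points that are testable in code: granular per-purpose consent, rejection of a pre-ticked box, withdrawal as a single unconditional call, and named third parties on the record. Subject ids, purpose names, the notice version and the capture method are constructed; the in-memory dictionary stands in for durable, tamper-evident storage.

```python
"""Consent across the PMRM Agreement, Usage and Enforcement Services.

Added example, not code from the OASIS PMRM TC or this deck. Subject ids,
purposes, notice versions and capture methods are constructed; the
in-memory dict stands in for durable, tamper-evident storage.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ConsentRecord:
    """One decision for one purpose (ICO: granular, documented, named)."""
    subject_id: str
    purpose: str
    notice_version: str              # what the subject was told
    third_parties: Tuple[str, ...]   # who else relies on this consent
    given_at: datetime
    method: str                      # how it was captured, e.g. "web-form"
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Agreement: record permissions. Usage: check them before processing.
    Enforcement: keep evidence of every decision for accountability."""

    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}
        self.evidence: List[dict] = []   # append-only audit trail

    def _log(self, event: str, **fields) -> None:
        self.evidence.append({"event": event,
                              "at": datetime.now(timezone.utc).isoformat(), **fields})

    def record_consent(self, subject_id, purpose, notice_version, third_parties,
                       method, preselected=False) -> ConsentRecord:
        """Agreement Service. A pre-ticked box is not active opt-in, so refuse it."""
        if preselected:
            self._log("consent_rejected", subject=subject_id, purpose=purpose,
                      reason="pre-ticked")
            raise ValueError("pre-ticked consent is not valid consent")
        rec = ConsentRecord(subject_id, purpose, notice_version, tuple(third_parties),
                            datetime.now(timezone.utc), method)
        self._records[(subject_id, purpose)] = rec
        self._log("consent_given", subject=subject_id, purpose=purpose,
                  notice=notice_version, method=method)
        return rec

    def withdraw_consent(self, subject_id, purpose) -> bool:
        """One call, no preconditions: as easy to withdraw as it was to give."""
        key = (subject_id, purpose)
        rec = self._records.get(key)
        if rec is None or rec.withdrawn_at is not None:
            return False
        self._records[key] = replace(rec, withdrawn_at=datetime.now(timezone.utc))
        self._log("consent_withdrawn", subject=subject_id, purpose=purpose)
        return True

    def may_process(self, subject_id, purpose) -> bool:
        """Usage Service: the gate every processing path calls first.
        Purposes are independent, so consent to one never covers another."""
        rec = self._records.get((subject_id, purpose))
        allowed = rec is not None and rec.withdrawn_at is None
        self._log("usage_check", subject=subject_id, purpose=purpose, allowed=allowed)
        return allowed

    def demonstrate(self, subject_id, purpose) -> Optional[dict]:
        """Accountability: what was consented to, what the subject was told,
        and when and how; None if no consent was ever recorded."""
        rec = self._records.get((subject_id, purpose))
        if rec is None:
            return None
        return {"purpose": rec.purpose, "notice_version": rec.notice_version,
                "third_parties": list(rec.third_parties), "method": rec.method,
                "given_at": rec.given_at.isoformat(),
                "withdrawn_at": rec.withdrawn_at.isoformat() if rec.withdrawn_at else None}


def demo():
    """Walk one subject through give, check, pre-ticked rejection, withdraw, re-check."""
    ledger = ConsentLedger()
    ledger.record_consent("subj-42", "newsletter", "privacy-notice-v3",
                          ["mailer-co"], "web-form")
    out = {"newsletter_before": ledger.may_process("subj-42", "newsletter"),
           "profiling": ledger.may_process("subj-42", "profiling")}   # never consented
    try:
        ledger.record_consent("subj-42", "profiling", "privacy-notice-v3", [],
                              "web-form", preselected=True)
        out["pre_ticked_accepted"] = True
    except ValueError:
        out["pre_ticked_accepted"] = False
    out["withdrawn"] = ledger.withdraw_consent("subj-42", "newsletter")
    out["newsletter_after"] = ledger.may_process("subj-42", "newsletter")
    out["events"] = [e["event"] for e in ledger.evidence]
    return out, ledger


if __name__ == "__main__":
    results, ledger = demo()
    print(results)
    print(ledger.demonstrate("subj-42", "newsletter"))
```

The placement is the point: may_process() is the one call site, so purpose limitation is enforced by the Usage Service rather than by each feature remembering to ask, and the evidence list is what a privacy engineer hands over when asked to demonstrate compliance rather than a screenshot of a form.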

The GDPR and Privacy Engineering: Article 25

1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.

A Software Solution for Privacy Engineering - the OASIS Open Source Privacy Management Analysis Tool Project

• Objective: Design and develop an Open Source Privacy Management Analysis (PMRM-PMA) tool for the OASIS Open Repository using the PMRM methodology to help engineer the delivery of data protection/privacy in systems and applications - https://www.oasis-open.org/resources/open-repositories

• OASIS Open Repository contents are created through public contributions under a designated open source license, and community participants establish development priorities for assets maintained in the repository.

• The OASIS PMRM TC will initiate the creation of an Open Repository to enable community development of additional material and technical tools. Open Repositories are set up as GitHub projects under the GitHub organization "oasis-open" at https://github.com/oasis-open/.

• OASIS Open Repositories use the familiar fork-and-pull collaboration model which allows anyone, whether an OASIS/TC member or not, to submit a pull request. All contributions to an Open Repository are governed by a written purpose statement for the project, a designated open source license, a policy document, and by Contributor License Agreements submitted by contributors. To Participate - Please contact [email protected]

Thank You

[email protected]

www.oasis-open.org
