Copyright, 1997-2004 1 The Search for Balance: The Past, Present and Future of Privacy Impact Assessments Roger Clarke Xamax Consultancy Pty Ltd, Canberra Visiting Professor, Unis. of Hong Kong and U.N.S.W. Visiting Fellow, Dept of Computer Science, ANU http://www.anu.edu.au/people/Roger.Clarke/... .../DV/PIAPPF {.html, .ppt} Queens University, Kingston ON – 9 June 2004
29
Embed
Copyright, 1997-2004 1 The Search for Balance: The Past, Present and Future of Privacy Impact Assessments Roger Clarke Xamax Consultancy Pty Ltd, Canberra.
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Copyright,1997-2004
1
The Search for Balance:The Past, Present and Future
of Privacy Impact Assessments
Roger ClarkeXamax Consultancy Pty Ltd, Canberra
Visiting Professor, Unis. of Hong Kong and U.N.S.W. Visiting Fellow, Dept of Computer Science, ANU
1. Where They Came From2. What They Are3. Why PIAs?4. Can They Counter the
PITs?
Copyright,1997-2004
3
Technology Assessment
• European movement• US OTA, 1972-1995
• Technologists and Technocrats are too close
• Social Scientists are too far away:‘Don’t regulate what you don’t
understand’• Cross-over Individuals• Multi-Disciplinary Teams
Copyright,1997-2004
4
Environmental Impact Statements (EIS)
• The ‘green movements’ of the 1960s• For major projects since the 1970s• Costly and slow• One-sided, manipulated, closed, unauditable
• Public cynicism• Public reactions, sometimes fatal to projects
• Limited by jurisdictional boundaries
Copyright,1997-2004
5
Environmental Impact Assessment (EIA)
“the identification of future consequences of a current or proposed
action”
• To address the cynicism• Public consultation, publication,
review• Process as well as product
• Limited by jurisdictional boundaries
Copyright,1997-2004
6
Social Impact Statements
Berkeley Gazette, 31 Oct 1974:
" ... the Council approved a proposed ordinance to require a ‘social impact statement’ prior to implementation of any new or expanded city automated personal data systems"
Motion by Cr Loni Hancockon the suggestion of Lance
Hoffman
Copyright,1997-2004
7
Social Impact Assessment (SIA?)
an outgrowth of EIA which“focuses on the impact of development
proposals on people, ... including
potential changes to population, lifestyle, cultural traditions, community dynamics,
and quality of life and well being”
e.g. U.N. Economics & Trade Program,focussed on developing countries
e.g. literature for the developed world ?
Copyright,1997-2004
8
Privacy Impact Statements – 1 of 2
HEW (1973) " Each time a new personal data system is proposed (or expansion of an existing system is contemplated) those responsible for the activity the system will serve, as well as those specifically charged with designing and implementing the system, should answer such questions as ... "
i.e. the concept, but not the term ...
Copyright,1997-2004
9
Privacy Impact Statements – 2 of 2
Flaherty (1989) "The data protection agency can ... [prepare] its own evaluations of the potential impact on personal privacy of proposed legislation and information systems. ... “It is important that small data protection agencies encourage the main government departments to prepare their own initial reviews of the impact of new technology, preferably in the form of 'privacy impact statements' ..."
Copyright,1997-2004
10
Privacy Policy Statements / Notices
• Privacy Notice mania on the Webcf. ‘safe harbor’, i.e. image not substance
• Remarkable absence of guidelines• Canadian PC’er says:
• Inform customers, clients and employees that you have policies and practices for the management of personal information
• Make these policies and practices understandable and easily available
Copyright,1997-2004
11
Privacy Impact Assessment‘Data Matching Program Protocol’ –
Australia, 1990
The following is to be filed with the Privacy Comm’er and (generally) made available for public inspection:
• identities of agencies• legal basis for the program• program objectives• alternative approaches and why rejected• details of any cost/benefit analysis undertaken• outline of technical controls for data quality, integrity and
security in the conduct of the program• use of identification numbers• the nature of actions resulting from the program
Copyright,1997-2004
12
Privacy Impact Assessment• The term was used in publications in 1993-94
by the Privacy Comm’ers of Ontario and BC (Ann Cavoukian and David Flaherty)
• Discussion session and publications in 1996 by NZ Dep. Privacy Comm’er (Blair Stewart)
• Exemplars of PIA Reports from 1995 onwards• Guidelines published from 1994 onwards
(one obscure guide even from 1991)• Many limitations inherent in many Guidelines
Copyright,1997-2004
13
Privacy Impact Assessment
A processthat surfaces and examines
potential impacts and implications
of privacy-invasive proposals
Copyright,1997-2004
14
Objectives of the PIA Process• Clearly define:
• business needs• stakeholder groups• privacy impacts
and implications• Enable understanding
and assessment of the proposal
• Enable mutual understanding of stakeholder perspectives
• Ensure reflection of stakeholder perspectives in the outcomes
• Enable:• maximisation of positive
impacts• avoidance or amelioration
of negative impacts• Maximise the likelihood of
stakeholder support• Avoid new requirements
emerging late• Earn public confidence• Raise awareness, educate • Anticipate and avoid
misinformation campaigns
Copyright,1997-2004
15
Alternative Assessment Perspectives
• The Sponsor• The Sponsors• Strategic Partners• Service and Technology Providers• Users – and Usees / Clients / Regulatees
• People• Business Enterprises and Associations• Govt agencies at varying levels of govt
• The Society / Economy / Polity
Copyright,1997-2004
16
Methods to Support AssessmentSponsor Perspective OnlyCapital Investment Project EvaluationDiscounted Cash Flows, Payback Period, NPVAssumes that all variables are measured in financial termsDeterministic, but can do Sensitivity AnalysisBusiness Case AnalysisSupports fin’l, quantitative, and qualitative measures
Multi-PerspectiveCost / Benefit Analysis (CBA)Fin’l, quant, qual measuresLess precise, partly qualitativeRecognises Opportunity CostsSensitivity AnalysisCost / Benefit / Risk Analysis (COBRA)CBA +Focuses on key uncertaintiesSearch for countermeasures
Copyright,1997-2004
17
Elements of the PIA Process• Surfacing and Examination of the privacy impacts and
implications of a proposal• Development of a clear understanding of the Business Need
that justifies the proposal and its negative impacts• Gauging of the Acceptability of the proposal and its features
by organisations and people that will be affected by it• Assessment of Compliance of the proposal with existing
privacy-related laws, codes, best practices and guidelines• Constructive Search for, and Evaluation of, better Alternatives• Constructive Search for ways to Avoid Negative Impacts,
and ways to Ameliorate Unavoidable Negative Impacts • Documentation and Publication of the Outcomes
Copyright,1997-2004
18
Who To Consult With?
• Citizens / Consumers / Users / UseesThe people actually affected by the proposal
• RepresentativesUnderstand and can express the concerns of people within a particular population segment
• Public Interest AdvocatesUnderstand the technology, processes and issues
Different approaches are necessary
Copyright,1997-2004
19
Consultations with People
• Most people can’t cope with abstractions, and need concrete experiences
• So prime discussions with mockups, protoypes• Use Focus Group technique:
• diverse group of 6-12 people, preferably without prior knowledge of one another
• typically for 1.5 to 2.5 hours• a Moderator ‘focuses’ discussion on a
topic, but allows it to range across many aspects
Copyright,1997-2004
20
Consultations with Reps and Advocates
• Stakeholder Analysis and Segmentation• Search for Representatives and Advocates• Invitation to Participate• Background Paper• Consultation Workshop• Assimilation of information provided into:
• the Scheme Design• a PIA report
• Feedback
Copyright,1997-2004
21
Contents of a P.I.A. Report
• Description of the Proposal and its Applications
• Analysis of Privacy Concerns• Summary of Laws, Codes, Best
Practices and Guidelines, and Application to the Proposal
• Evaluation, and Justification for the Privacy Impacts
• Analysis of Public Acceptability• Analysis of Measures to Avoid
& Ameliorate Privacy Impacts
• Appendices:• References to Laws,
Codes, Best Practices and Guidelines
• Summary of the Consultative Processes
• Organisations and Individuals Consulted
• The Background Information Provided
Copyright,1997-2004
22
Key Features of a PIA – 1 of 2• More Process Than Product• Not just an audit of compliance with existing laws• Requires active involvement of all relevant parties, and
incorporation of ideas into the emergent design(inclusive and participative, or at least consultative)
• Proxies need to be engaged, in order to:• gauge the acceptability of various features• constructively search for alternatives• constructively search for ways in which negative
impacts can be avoided, or at least ameliorated• gain commitment
Copyright,1997-2004
23
Key Features of a PIA – 2 of 2• Is performed by the proposal’s sponsor
• not by a privacy regulatory agency• not fully delegated to a consultant or contractor
• Commences early, to maximise involvement, avoid suspicion, and minimise re-work costs
• Involves multiple phases, such that shared understanding increases, and with it commitment
• Reduces the likelihood of later public opposition and misinformation campaigns, and, even if they are conducted, reduces their credibility
Copyright,1997-2004
24
Advocate Motivations
• Powerful parties • through ignorance, impose schemes
that unnecessarily compromise privacy• demand that privacy be compromised,
but that the interests of the powerful parties not be compromised
• Advocates want:• informed design which avoids
invasiveness where it’s practicable• compromise among all interests
• Business Needs• Return on Investment• Task Transfer / Cost Transfer / Enhanced Svce• User Adoption / Acceptance• Other-Stakeholder Acceptance
• Business Not-Needs• User Opposition• Other-Stakeholder Opposition• Bad Press, Embarrassed Ministers
Copyright,1997-2004
26
Public Policy Factors
• Service Quality• Service Accessibility• Service Equity• Imposition of Effort and Cost• Imposition of Risks• Freedom of Information• Public Safety, OH&S• Privacy• ...
Copyright,1997-2004
27
Equity – Bases for Discrimination
• Physical Handicapssight, mobility, or capacity to use a keyboard or mouse
• Mental Handicapsinability to remember username/password pair, or carry a token
• Educational Handicapslack of understanding of prompts, or what to do with a token
• Lingual Handicapsinsufficient local language to understand instructions
• Locationin an institution, in a remote area, in a rural or regional area with outdated infrastructure or inadequate bandwidth, ex-country
• It may be a Legal Requirement• Public Policy may dictate that it be done• Stakeholder groups may have
sufficient power to force it• Project Risk may be reduced• Investment Risk may be reduced• Adoption may be enhanced• The proposal’s quality may be enhanced
Copyright,1997-2004
29
Limitations of PIAs
• ‘Pseudo-Imperatives’
• Technology• Marketing• Economic /
Cost-Reduction• Security• ...
• Imbalance of PowerBut Internet-Era Social Activism
• Jurisdictional Limitations in a time of Globalisation