8. Privacy Governance Flashcards
Reasonable Assurance
Reasonable assurance means that requirements and objectives are not absolute, but rather based upon criteria that are deemed practical to implement and manage. This concept is absolutely key when safeguarding privacy in IT. It affords flexibility and is greatly valuable for avoiding the overengineering of solutions. It also grounds solutions in common sense.
Internal controls and compliance program
With reasonable assurance as a backdrop, compliance programs aim to develop internal controls. Internal controls are objectives tied to practical measurements and designed to evaluate components governed by the privacy program. Internal controls come in two primary flavors. One kind is preventive: designed to stop an activity, a priori, from occurring. The second is detective: identifying problematic activity a posteriori, after the event has occurred.
In mature compliance programs, internal controls are continuously monitored, ideally through IT capabilities. This enables faster identification of issues and their remediation. In addition, internal controls are often designed to overlap. Overlapping safeguards are key, as they improve the resiliency of a compliance program and assure that objectives can continue to be measured, and issues identified, even when other controls fail. Overlapping safeguards and reasonable assurance strongly reinforce one another and, importantly, justify the application of reasonable assurance rather than absolute assurance.
The compliance program provides the foundational structure on which to organize the core elements of the program. Across the privacy controls and security controls (which may in part overlap), compliance is the structure on which internal controls are reasonably defined and managed.
Security vs privacy
Principally, security is about protecting against unauthorized access and malicious actions. Security risk is often framed in terms of confidentiality, integrity and availability (the CIA triad).
Privacy, comparatively, is about enforcing appropriate use within a secure environment. In other words, security can reasonably assure that two parties exchange personal data securely, but it is privacy that reasonably assures that the authorized parties are in fact using the personal data appropriately.
As different sides of the same coin, security and privacy often rely on similar controls and, ultimately, the same IT capabilities. Security thus provides privacy an avenue through which meaningful IT solutions can be developed to safeguard privacy. In addition, as security and compliance are as intertwined as privacy and compliance, reasonably assured internal controls can be repurposed, or extended, as necessary in order to mature the privacy governance program and inculcate privacy safeguards into IT.
ISO 19944
ISO 19944, Cloud Services and Devices: Data Flow, Data Categories, and Data Use, is an ISO standard designed to support transparent description of cloud ecosystems, focusing on taxonomic categories of data, use and dataflow within cloud services.
ISO 270XX Series
The ISO 270XX series covers an array of information security controls. ISO 27001 predominates as the primary security standard. ISO 27018 provides privacy-centric controls for personally identifiable information.
Privacy Information Management System (PIMS) – ISO 27552
PIMS is a newly developed ISO standard designed specifically to enhance privacy safeguards for ISO 27001. This standard, approved in 2019, accounts for controls identified in GDPR and provides a fuller description of privacy controls for data controllers and data processors. PIMS further provides mappings to other standards and laws to facilitate portability.
NIST Privacy Framework
The NIST Privacy Framework is a voluntary enterprise risk management tool that sits alongside the NIST Cybersecurity Framework. Currently in draft, the framework is intended to assist organizations in communicating and organizing privacy risk, and in rationalizing privacy in order to build or evaluate a privacy governance program.
NISTIR 8062
NISTIR 8062, An Introduction to Privacy Engineering and Risk Management in Federal Systems, is a U.S. standard that introduces basic privacy engineering and risk management concepts. Notably, it calls out the concepts of protectability, manageability, and disassociability, the privacy parallels to security’s CIA triad concepts.
SOC 2 Type 2
SOC, Systems and Organization Controls, focuses on security, availability, processing integrity, confidentiality, and privacy. SOC has differing levels of standardization, with SOC 2 Type 2 being the more in-depth standard to assess assurance of the controls of a service organization.
NIST Special Publication 800-53
NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, is the primary standard for U.S. government agencies. The standard is also broadly used by private sector entities and has mappings to ISO 270XX controls. Privacy controls are identified in Appendix J and aligned with the Fair Information Practice Principles (FIPPs).
Standards
Standards provide a mechanism both to verify whether the security and privacy controls meet minimum expectations as defined by outside parties and to translate the governance program for auditors, customers and the general public.
Privacy Governance Program
The overall privacy governance program should aim to be (a) structured and (b) enduring. Designed controls should focus on structuring objectives and activities in measurable and discrete ways that connect to, but do not embed, higher-order legal requirements or lower-level technological solutions. This intentional design enables flexibility: if laws change, the governance program can absorb and adjust with little perturbation. Likewise, the governance program can persist through technological change. The key, again, is the structure, which enables a robust, enduring model. Moreover, this also aids the continual maturation and evolution of the governance program. As technology advances, the program can adapt, and controls previously undertaken manually can be automated. This latter point is perhaps the most powerful, as it enables an enduring framework that can scale with the IT infrastructure of an organization, whether it is a small-scale system or a hyper-scale cloud.
Core activities of a privacy governance program
Privacy and Data Protection Impact Assessments
Assessments evaluating privacy harms and issues for major activities undertaken by an organization.
Privacy Reviews
Activities to evaluate the sufficiency of the privacy safeguards employed. Privacy reviews present an illustrative example of how to connect the activities of a privacy program with the abstract model of privacy governance. Privacy reviews are fundamentally intended to assess and verify the design of a given service. They will evaluate, among other things, the data and uses of a given service, and will further evaluate dataflows (across systems as well as geographic boundaries), consent and notice in keeping with organizational requirements, access control, and other aspects as defined by an organization's privacy program.
Training and Awareness
Educational and awareness activities for personnel supporting privacy functions within the organization. (Awareness may also include external engagement and transparency activities.)
Privacy Incident Management
Management and response for privacy-related incidents within the organization.
Third-Party Relationships
Requirements and privacy safeguards when interacting and sharing personal data with external organizations.
Consent and Notice
Practices and requirements to provide notice and appropriate consent for users of organizational services.
Data governance
“The modeling and tagging of data and use is core to data governance and is a necessary precondition for measuring and understanding how privacy harms may arise within IT. Fundamentally, the aim is to discretize these two key aspects of privacy: data and use.”
Excerpt from IAPP_T_TB_Introduction-to-Privacy-for-Technology_1.1