Chapter 1: Foundational Principles Flashcards
What is the definition of risk
a potential threat or issue, along with the impact the threat or issue could cause, and the likelihood that it will occur
Why is it important to identify risk early using privacy models and frameworks
They assist with the development of specific administrative, operational and technical measures to manage these risks.
What is the Legal compliance model in privacy risk models
Statutory and regulatory mandates prescribe aspects of systems that handle personal information
To ensure compliance, both business process and system owners must understand the specific obligations and prohibitions their organizations are subject to and must work with their system design teams to relay those requirements, as well as identify and address any threats and vulnerabilities associated with the technologies that will be used.
What is the Fair Information Practice Principles model in privacy risk models
Fair Information Practice Principles (also referred to as FIPPs) are a set of long-standing privacy values that exist in various forms globally. FIPPs work alongside compliance models to mandate: notice, choice, and consent; access to information; controls on information; and how information is managed.
What is the Nissenbaum’s contextual integrity model in privacy risk models
Helen Nissenbaum’s Contextual Integrity—Privacy can be expressed as norms that should govern information access. Norms are domain specific; for example, the norms governing banking information will differ from the norms governing medical information.
Contextual integrity is defined as maintaining personal information in alignment with the informational norms that apply to a particular context.
What are the key concepts of contextual integrity
- actors: the senders and receivers of personal information
- attributes: the types of information being shared
- transmission principles: those that govern the flow of information
Give an example of Nissenbaum’s contextual integrity model
A patient visits a doctor with complaints (actors) and an x-ray is taken to determine the cause of their discomfort (attribute). The doctor shares the results with a specialist to determine a course of action (transmission).
What is a challenge faced in Nissenbaum’s contextual integrity model
A challenge of considering context is that these norms do not generally have a preexisting reference point for privacy risks.
What is the Calo’s harms dimensions model in privacy risk models
Ryan Calo identified two dimensions of privacy harm: objective and subjective.
Objective harm occurs when privacy has been violated and direct harm is known to exist. It involves the forced or unanticipated use of personal information and is generally measurable and observable.
Subjective harm exists when an individual expects or perceives harm, even if the harm is not observable or measurable.
What is the relationship between objective harm and subjective harm in Calo’s model
It is analogous to the legal relationship between assault and battery.
Subjective privacy harms amount to discomfort and other negative feelings, while objective privacy harms involve actual adverse consequences.
What is the difference between objective harm and subjective harm in Calo’s model
Objective harms are measurable and observable, wherein a person’s privacy has been violated and a direct harm is known to exist. Subjective harms exist without an observable or measurable harm, but where an expectation of harm exists. Subjective harms may have the same impact on individual privacy because the individual takes similar steps to protect themselves.
Subjective harm impacts individuals on a psychological and behavioral level, while objective harms can result in loss of business opportunity, consumer trust or even social detriment to the individual.
What is the National Institute of Standards and Technology (NIST) model in privacy risk models
The National Institute of Standards and Technology (NIST) provides standards, guidelines and best practices for managing cybersecurity-related risks, including the Risk Management Framework, the Cybersecurity Framework, and the Privacy Framework.
The NIST Privacy Framework is a voluntary risk management tool alongside the NIST Cybersecurity Framework.
What is the National Initiative for Cybersecurity Education’s Cybersecurity Workforce Framework in privacy risk models
The National Initiative for Cybersecurity Education’s Cybersecurity Workforce Framework (NICE Framework) is a nationally-focused resource published by NIST, which categorizes and describes cybersecurity work.
It applies to all sectors.
What is the Factor Analysis of Information Risk (FAIR) model in privacy risk models
The Factor Analysis of Information Risk (FAIR) model breaks risk down into its constituent parts, then further breaks down those parts to find the factors that estimate the overall risk.
FAIR constructs a basic framework that breaks risk into the frequency of action and the magnitude of the violations.
What is privacy by design based on?
- Seven principles based on proactively incorporating privacy into all levels of operations organically, rather than viewing it as a trade-off or something to add to a system, product, service or process after it has been built.
What is Principle 1: Proactive, Not Reactive; Preventative, Not Remedial
Privacy protection must be a forethought in any technology system, product, process or service development.
Making privacy a consideration in the design phase—instead of reacting to privacy harms as they arise in the future—helps to mitigate potential privacy risks and violations.
Thinking about privacy when designing a system, product, service or process helps practitioners design these things with privacy considerations built in, instead of trying to figure out how to address them in a design that may be less flexible when privacy is considered later.
What is Principle 2: Privacy as the Default Setting
The default of a technology ecosystem should be that of preserving individuals’ privacy. Said another way, privacy is achieved automatically without the individual having to take explicit action.
What is Principle 3: Privacy Embedded into Design
Privacy should be embedded into the design and architecture of technology systems and business practices such that a system cannot operate without privacy-preserving functionality.
This principle suggests that privacy is not only included in the design of a program but is integral to the design.
What is Principle 4: Full Functionality; Positive-Sum, Not Zero-Sum
Understanding the organization’s need to use and protect personal information aids privacy technologists in designing systems that still allow for desired performance and functionality while protecting information privacy.
What is Principle 5: End-to-End Security
Full life cycle protection: consideration of personal information at every stage in the data life cycle—collecting, processing, storing, sharing and destroying—is essential in any system design.
What is Principle 6: Visibility and Transparency
Information that communicates how the organization uses, shares, stores and deletes personal information should not be misleading, confusing or obscured.
Visibility and transparency in privacy notices not only help reduce privacy risks but also allow individuals to make informed decisions about their own information and give them a choice when considering whether to use a service and when deciding what or how much they wish to disclose.
What is Principle 7: Respect for User Privacy; Keep it User-Centric
Privacy technologists and organizations should keep individuals’ needs, and the risks to them, at the forefront when developing data ecosystems.
What is value sensitive design
- Value-sensitive design is a design approach that accounts for moral and ethical values and should be considered when assessing the overall “value” of a design. These values might include things such as trust, fairness, informed consent, courtesy or freedom from bias.
- Value-sensitive design methods help to systematically assess the values at play in relation to specific technologies and respective stakeholders.
- The goal of value-sensitive design is that stakeholders should see their values reflected in the final design.
- Value-sensitive design also focuses on the co-evolution of technologies and social structures.
- This means considering the interplay of technological solutions, regulatory solutions, and organizational solutions when trying to resolve identified value tensions.
What is the goal of value sensitive design
that stakeholders should see their values reflected in the final design
How does value-sensitive design affect users
- Value-sensitive design emphasizes the ethical values of both direct and indirect stakeholders.
- Direct stakeholders are those who directly interact with a system.
- Indirect stakeholders are any others who are affected by the system.
- Value-sensitive design is an iterative process that involves conceptual, empirical and technical investigations.
- Conceptual: identifies the direct and indirect stakeholders, attempts to establish what those stakeholders might value, and determines how those stakeholders may be affected by the design.
- Empirical: focuses on how stakeholders configure, use, or are otherwise affected by the technology.
- Technical: examines how the existing technology supports or hinders human values and how the technology might be designed to support the values identified in the conceptual investigation.
What is direct and indirect stakeholder analysis in value-sensitive design
Direct and indirect stakeholders, as well as any potential benefits, harms or tensions that may affect them, are identified.
What is value source analysis in value-sensitive design
Project, designer and stakeholder values are assessed and the ways in which each group’s values may be in conflict are considered.
What are the 14 targeted design methods
- Direct and indirect stakeholder analysis, during which direct and indirect stakeholders, as well as any potential benefits, harms or tensions that may affect them, are identified;
- Value source analysis, wherein project, designer and stakeholder values are assessed and the ways in which each group’s values may be in conflict are considered;
- The co-evolution of technology and social structure, which strives to engage both technology and social structure in the design space with a goal of identifying new solutions that might not be apparent when considering either alone;
- Value scenarios, which are used to generate narratives, or scenarios, to identify, communicate or illustrate the impact of design choices on stakeholders and their values;
- Value sketches, which make use of sketches, collages or other visual aids to elicit values from stakeholders;
- Value-oriented semi-structured interviews, which use interview questions to elicit information about values and value tensions;
- Scalable information dimensions, which is a values-elicitation method that uses questions to determine the scalable dimensions of information such as proximity, pervasiveness or granularity of information;
- Value-oriented coding manuals, which are used to code and then analyze qualitative information gathered through one of the other methods;
- Value-oriented mock-ups, prototypes, or field deployments, which can be used to elicit feedback on potential solutions or features of new technologies or systems that are still in development;
- Ethnographically-informed inquiries regarding values and technology, which examine the relationships between values, technology and social structures as they evolve over time;
- Value dams and flows, which are ways of both identifying design options that are unacceptable to most stakeholders (the value “dams”) and removing them from the design space, while also identifying value “flows,” which are those design options that are liked by most stakeholders;
- The value-sensitive action reflection model, which uses prompts to encourage stakeholders to generate or reflect on design ideas; and,
- Envisioning Cards™, which are a set of cards developed by Friedman and her colleagues that can be used to facilitate many of the other methods.
What are the strategies for putting the 14 targeted design methods into practice
- Clarify project values. Establish what values a project and the project team will strive to support. What do privacy, informed consent, transparency and other privacy-related values mean for this project and team?
- Identify direct and indirect stakeholders. A value-sensitive approach to stakeholder analysis aims to identify both direct and indirect stakeholders. Privacy needs and expectations may vary based on stakeholders’ characteristics and group identities, and individuals may be part of multiple stakeholder groups.
- Identify benefits and harms for stakeholders. Benefits and harms should be considered on individual, societal and environmental levels. In the course of investigations, a simple but illuminating practice is to ask why when people express positive or negative sentiment toward a system or design, in order to more deeply understand their reasoning and motivations or concerns.
- Identify and elicit potential values. Benefits and harms that have already been identified are a starting point for identifying corresponding values. The mapping of benefits and harms to corresponding values can be straightforward (as in an unanticipated data-sharing practice that affects privacy), or indirect (for instance, if the chilling effects due to surveillance practices curtail people’s self-expression).
- Develop working definitions of key values. Define what constitutes a specific value and spell out the components that make up the value. For instance, informed consent is composed of, on one hand, discovery, processing, and comprehension of information; and, on the other hand, voluntariness, comprehension, and agreement.
- Identify potential value tensions. Values do not exist in isolation, and they frequently conflict with each other as well as with other requirements. However, value tensions rarely pose binary trade-offs (such as the mistaken belief that you can have security or privacy, but not both), but rather put constraints on potential designs (for example, posing the challenge of how security requirements can be satisfied while also respecting privacy requirements).
What are the five phases of the Design Thinking process
Empathize, Define, Ideate, Prototype and Test; it also follows an iterative approach. Combining the value-sensitive design methods with a process such as this is important to understanding the integration of values with current system design methodologies.
What are the 4 types of data collection
First party, surveillance, repurposing and third party.
What is first party data collection
First party collection occurs when individuals provide their personal information directly to the data collectors.
What is Surveillance data collection
Individuals’ data stream behaviour is observed through their activities, including online searches or websites they engage with, while the individual’s activity is not interrupted.
What is repurposing data collection
- Repurposing: previously collected data may be used for a purpose other than that for which it was initially collected, such as a mailing address collected for shipping purposes later being used for sending marketing materials.
- Repurposing is also sometimes referred to as secondary use.
- The act of repurposing occurs when data is collected for one purpose and then used for an entirely different purpose. This can be a source of privacy harms to the individual and may be illegal under some regulatory frameworks.
What is third party data collection
Previously collected information is transferred to a third party to enable a new data collection.
What are the methods of data collection
- Active collection is when the data subject is aware that collection is taking place and takes an action to enable the collection, such as filling out and submitting an online form.
- Passive collection occurs without requiring any action from the participant and is not always obvious, such as background collection of a user’s web browser version and IP address.
What is consent in data collection
- Various consent mechanisms exist to engage the data subject in the collection activity to make the collection more overt.
- Consent is required when collecting data, and it may be implicit or explicit.
- Explicit consent requires the user to take an action, such as selecting an option to allow the collection of information that the application provider wants to use to improve services and functionality.
- In explicit consent, the individual is required to expressly act to communicate consent.
- Implied consent does not require the user to take an action. An example might be presenting the user with terms of service that state the individual’s use of the service means they agree with those terms.
What is use in data collection
- A privacy notice is a statement made to data subjects that describes how an organization collects, uses, retains and discloses personal information. Notices should also indicate what information will be collected.
- A privacy notice may also be referred to as a privacy statement, a fair processing statement, or, sometimes, a privacy policy, although the term privacy policy is more commonly used to refer to the internal statement that governs an organization or entity’s handling of personal information.
- Privacy technologists need to ensure that data is being used and disclosed only for the purposes for which it was collected.
- The risk to privacy should be assessed before any information is repurposed or disclosed in a new context, and privacy technologists should remember that it may also be necessary to update notices and request additional consent from individuals.
What is retention in data collection
- Data should be retained only as long as it is reasonably necessary and in compliance with legal and regulatory requirements as well as applicable standards.
- If new uses arise, some jurisdictions require that data subjects be notified, a new privacy notice be issued and possibly consent be updated.
- Storing data off premises can guard against organizational data loss should a building be destroyed or there be a persistent power outage.
What is destruction in data collection
- Privacy technologists should work with their organization to determine when and how data will be destroyed, as there are risks with retaining unnecessary data or keeping data longer than permitted, as well as risks in deleting information prematurely.
- A destruction plan should be applied to an organization’s records management plan to ensure the proper removal of data. Simply stating that the data should be destroyed is not always sufficient.
- There should be clear guidelines on how to destroy the data based on its type. To aid in the destruction of expired files, a custom attribute such as “Retention Period” can be added to the Properties dialog of the files. Once the custom attribute has been added, it is easier to retrieve the file to determine when it needs to be destroyed.
What are the types of media that impact data destruction
- Digital content: Disks should be appropriately formatted before use to ensure that all data placed on them can eventually be deleted.
- Portable media: Portable media, such as CDs, DVDs and flash drives, have unique challenges precisely because they are portable and therefore harder to regulate, monitor and track.
- Hard copy: The primary challenge with “hard copy” documents, such as paper records, lies in determining what documents need to be destroyed and when.