You Don’t Know What you Don’t Know: Creating Privacy Impact Assessments

Large Scale Data Breaches – A Need for Urgent Action

Last spring, Facebook exposed data on 87 million of its users to a researcher at Cambridge Analytica. That researcher, Aleksandr Kogan, built a Facebook app that asked a variety of questions using a quiz-like format, thereby collecting data from people who took the quiz. However a loophole in the Facebook API (Application Programming Interface) allowed the app to also collect data from individuals who were friends with the quiz respondents without their consent.[1] As a result, Facebook is facing increased scrutiny and a loss of confidence in its ability to protect its users’ personal information.  In addition, this controversy surrounding Facebook’s inability to protect user privacy is a wake-up call for other organizations to take data security more seriously.

A Comprehensive Privacy Strategy is Required

Every organization must understand how they collect, retain, disclose, use, and manage personal data. Much of the confusion about privacy risks stems from the complex mix of information systems and their connections to one another.

Gartner Inc., a research and advisory company, estimates that 90 per cent of organizations lack a modern application integration strategy, which can lead to integration disorder, added complexity, and greater costs.[2] Organizations typically use prepackaged systems connected together by software referred to as “middleware”. The result is a system integrated between varying products, with no unifying framework for how data is obtained utilized, and stored. In addition, many applications are hosted off-site by third parties, creating issues with determining where and how data is shared and stored.

This form of integration can create blind spots in an information security framework. For example, a report published by the Privacy Commissioner of Canada and the Australian Privacy Commissioner/Acting Australian Information Commissioner after an investigation into the Ashley Madison data breach revealed that Ashley Madison did have a range of personal information security protections in place; however, it did not have an acceptable overarching information security framework, and some of its security safeguards were insufficient or absent at the time of the breach.[3] This highlights the need for legal departments to be vigilant in assessing privacy risks and incorporating a technical mindset in order to assess risks effectively.

Privacy by Design

Organizations should strive to create new processes or re-engineer existing processes with privacy in mind. The concept of “Privacy by Design” advocates that privacy cannot be assured solely by complying with existing regulatory frameworks; rather, privacy assurance must become an organization’s default mode of operation.[4] Notably, data security requires the input of individuals knowledgeable in IT architecture, network design, organizational risk, and legal compliance. This is an area where a multidisciplinary mindset is invaluable.

Important lessons can be learned from established systems analysis, design methodologies, and approaches. These lessons should be taken into consideration when assessing risk based on the Project Management Body of Knowledge (PMPOK) to create Privacy Impact Assessments (PIAs).

Dataflow diagrams (DFD) – a graphical system model that shows the main requirements for an information system in one diagram, including inputs and outputs of processes, and data storage – are another helpful tool to use when conducting PIAs. The advantage of a DFD is that it allows everyone on a project to see all of the aspects of a system working together at once.[5] DFD’s offer a systematic method for determining potential privacy issues affecting a given system or process.[6] There are several ways a traditional DFD can be modified to reveal privacy risks in the legal context. One method is the PA-DFD, a conceptual model based on privacy concepts set out in the European General Data Protection Regulation (GDPR) and the ISO 29100 standard.[7]

With the information gleaned from a PIA, an organization can restructure its processes to be more secure by minimizing unintended disclosures of personal information. To ascertain potential privacy risks for a given process or project, a PIA is an invaluable tool.

Summary of Approach for Conducting a PIA:

There are five steps in conducting a PIA:

1. A preliminary analysis: Create a chart that outlines the following elements of the process or project in question:

  1. How data will be collected;
  2. How data will be utilized;
  3. How data will be retained;
  4. How data will be disclosed;
  5. How data will be securely disposed;

2. After conducting the preliminary analysis, determine if a project involves the use of personal information. If the project involves the use of personal information, then you should proceed through the PIA process.

3. A project analysis: It is at this stage where DFD would be invaluable for amalgamating information about the project including the type and manner in which personal information will be collected, used, retained, disclosed, and disposed.

4. Using information gathered in the project analysis, identify any potential privacy risks associated with the relevant privacy legislation, such as the federal Privacy Act, or the provincial Freedom of Information and Protection of Privacy Act (FIPPA) / Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), or the Personal Information Protection and the Electronic Documents Act (PIPEDA).[8] Then consider ways to reduce or eliminate identified risks. It is prudent to utilize a weighted model for risk assessment regarding whether a particular risk is likely to occur similar to those utilized by project managers trained in PMBOK, mentioned above. This allows for a more accurate analysis of the impact of a particular privacy risk.

5. Based on the information gleaned from the previous four steps, prepare a Privacy Impact Assessment Report and recommend possible solutions to the identified privacy risks, incorporating legal and non-legal perspectives.[9]

Conclusion

Recent large-scale privacy breaches have highlighted the need for organizations to take data security more seriously. In assisting clients to achieve this goal, it is incumbent on the legal profession to evolve their traditional practices. To meet the challenges of an increasingly complex world, legal professionals must incorporate a multi-disciplinary approach to privacy protection.

– Shan Alavi, Technology Lawyer

Originally published by the Ontario Bar Association

[1] Andrew Prokop, “Cambridge Analytica and its many scandals, explained”, Online: https://www.vox.com/policy-and-politics/2018/3/21/17141428/cambridge-analytica-trump-russia-mueller.

[2] Gartner Says Through 2018, 90 Percent of Organizations Will Lack a Postmodern Application Integration Strategy, Online: https://www.gartner.com/newsroom/id/3233217.

[3] Joint investigation of Ashley Madison by the Privacy Commissioner of Canada and the Australian Privacy Commissioner/Acting Australian Information Commissioner, PIPEDA Report of Findings #2016-005, Online: The Privacy Commissioner of Canada https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2016/pipeda-2016-005/.

[4] Ann Cavoukian, Privacy by Design: The 7 Foundational Principles Online: Information and Privacy Commissioner of Ontario https://www.ipc.on.ca/wp-content/uploads/Resources/7foundationalprinciples.pdf.

[5] John W. Satzinger, Robert B. Jackson, Stephen D. Burd, Systems Analysis and Design in a Changing World, 2d ed, (Boston: Thomson Learning, 2002), at 195.

[6] Thibaud Antignac, Riccardo Scandariato, and Gerardo Schneider, “A Privacy-Aware Conceptual Model for Handling Personal Data?” (2016), Published in 7th International Symposium on Leveraging Applications of Formal Methods, Verification and Validation – ISoLA’16 (1); Track: Privacy and Security Issues in Information Systems, volume 9952 of LNCS, pages 942-957. Springer, Oct 2016. DOI: http://10.1007/978-3-319-47166-2 65.

[7] Ibid.

[8] If information will be stored, processed, distributed, or retained by a third-party located in a foreign jurisdiction, it will be necessary to refer to the appropriate privacy laws of that jurisdiction.

[9] “Planning for Success: Privacy Impact Assessment Guide”, Information and Privacy Commissioner of Ontario, https://www.ipc.on.ca/wp-content/uploads/2015/05/Planning-for-Success-PIA-Guide.pdf

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s