Presentation on theme: "So You Want To Protect Privacy: Now What? ARMA Information Management Symposium June 1, 2011 Stuart Bailey."— Presentation transcript:
So You Want To Protect Privacy: Now What? ARMA Information Management Symposium June 1, 2011 Stuart Bailey
2So You Want To Protect Privacy: Now What?
3 Privacy and Social Media “Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that "what is whispered in the closet shall be proclaimed from the house-tops."“ “The Right to Privacy” Warren and Brandeis, The Right To Privacy, 4 Harvard Law Review 193 (1890)The Right To Privacy So You Want To Protect Privacy: Now What?
4 Privacy Means… Can be defined in many ways, for example, privacy of: – Assault – Nuisance – Reputation – Defamation (Slander, Libel) – Property rights (Copyright, intellectual property) – Opinions – Body – Communications – Data So You Want To Protect Privacy: Now What?
5 Privacy and Data Protection Data protection legislation is the main lens through which we address privacy interests – Documented information about specific individuals Prosser v. Gavison – Privacy torts; something unique and distinct – As seen recently in Law Times Jones v. Tsige 2011 ONSC 1475 (CanLII)Law Times – html html So You Want To Protect Privacy: Now What?
6 Social Media and Privacy The Right to Be Let Alone – “The Right to Privacy” Warren and Brandeis, The Right To Privacy, 4 Harvard Law Review 193 (1890)The Right To Privacy Freedom of Expression Private Communications The Right to Be Forgotten – As seen recently in the European Union Location data – Does it locate a data subject, or is data a location itself (i.e., a site)? Crossing Borders – If skin is a border between people, what forms the border between data subjects? So You Want To Protect Privacy: Now What?
7 Prosser on Privacy i.Intrusion upon the plaintiff’s seclusion or solitude, or into his private affairs; ii.Public disclosure of embarrassing private facts about the plaintiff; iii.Publicity which places the plaintiff in a false light in the public eye; and iv.Appropriation, for the defendant’s advantage, of the plaintiff’s name or likeness. Privacy, 48 Cal.L.Rev. 383 (1960) So You Want To Protect Privacy: Now What?
8 Gavison: “Privacy and the Limits of Law” This Article is an attempt to vindicate the way most of us think and talk about privacy issues: unlike the reductionists, most of us consider privacy to be a useful concept. To be useful, however, the concept must denote something that is distinct and coherent. Only then can it help us in thinking about problems. Moreover, privacy must have coherence in three different contexts. First, we must have a neutral concept of privacy that will enable us to identify when a loss of privacy has occurred so that discussions of privacy and claims of privacy can be intelligible. Second, privacy must have coherence as a value, for claims of legal protection of privacy are compelling only if losses of privacy are sometimes undesirable and if those losses are undesirable for similar reasons. Third, privacy must be a concept useful in legal contexts, a concept that enables us to identify those occasions calling for legal protection, because the law does not interfere to protect against every undesirable event. Gavison, R., 1980, “Privacy and the Limits of Law”, Yale Law Journal 89: Accessed at May 20, May 20 So You Want To Protect Privacy: Now What?
9 Jones v. Tsige, 2011 ONSC 1475 (CanLII)  Without any further reference to Euteneier, the court in Nitsopoulos concludes by agreeing with the decision in Somwar – that it is not settled law in Ontario that there is no tort of invasion of privacy and expressly adopts the reasoning in that case.  Turning back now to the various statutory provisions that govern privacy issues, most Canadian jurisdictions have statutory administrative schemes that govern and regulate privacy issues and disputes. In Ontario, it cannot be said that there is a legal vacuum that permits wrongs to go unrighted - requiring judicial intervention.  More particularly here, there is no doubt that PIPEDA applies to the banking sector and Ms. Jones had the right to initiate a complaint to the Commissioner under that statute with eventual recourse to the Federal Court. For this reason I do not accept the suggestion that Ms. Jones would be without any remedy for a wrong, if I were to determine that there is no tort for the invasion of privacy.  Notwithstanding the careful reasoning in Somwar and its adoption in Nitsopoulos, I conclude that the decision of the Court of Appeal in Euteneier is binding and dispositive of the question as to whether the tort of invasion of privacy exists at common law.  I would also note that this is not an area of law that requires “judge-made” rights and obligations. Statutory schemes that govern privacy issues are, for the most part, carefully nuanced and designed to balance practical concerns and needs in an industry-specific fashion.  I conclude that there is no tort of invasion of privacy in Ontario. Accessed May 20, 2011 (emphasis added) If there is no tort of invasion of privacy, recoveries for privacy harms must be done through other means – but how will those be acted on? So You Want To Protect Privacy: Now What?
10 A Privacy Proposition If there is no tort for invasion of privacy – Privacy harms are appended to other torts And there is still something unique and distinct about privacy that lets us have internal thoughts – Privacy rights are based on a concept that cannot be numerated Therefore, protecting privacy rights is a matter of linking shared principles to everyday actions and finding “privacy” through other established activities – Data protection and the need to manage information So You Want To Protect Privacy: Now What?
11 Data and Privacy Data are everywhere; some personal, some not – some personal information can be derived from seemingly non-personal information. Personal data can be a location as much as a physical address is. Determining and adhering to “consistent use” can prove to be difficult. So You Want To Protect Privacy: Now What?
12 Information Management Information Management is the discipline of managing information like an asset – the same as we do for money, people, or infrastructure. So You Want To Protect Privacy: Now What?
13 What Is Information Management? So You Want To Protect Privacy: Now What?
14 IM and Related Disciplines Information Management connects outcomes of related disciplines at the level of information. IM looks at the information that crosses boundaries: – Technical environment (e.g., > shared drive > collaboration site > report repository) – Subject-matter (e.g., policy > business analysis > customer support > application design) How does this affect or enable re-use by Policy, Records Management, Privacy, etc.? What enterprise-level models help create consistency across specialized subjects? So You Want To Protect Privacy: Now What?
15 IM Process and Context Affects ability to enable and support: Sharing, Collecting, Reporting, Collaborating, Re-Using, Guiding, Managing Knowledge, Corporate Knowledge Repositories; Managing the Public Record Users Content Context e.g., ; Shared Drive; Collab sites; Mobile e.g., Briefing Note; Report; Approval; Procurement; Agreement; Project Records un/pw e-v5.jpg Intersection of Information Management Issues and Activities So You Want To Protect Privacy: Now What?
16 Control Models Privacy Accountability Identifying Purposes Consent Limiting Collection Limiting Use, Disclosure, and Retention Accuracy Safeguards Openness Individual Access Challenging Compliance Information Management Planning Collection / Creation Use, Disclosure, Maintenance Disposition Evaluation So You Want To Protect Privacy: Now What?
17 Planning Intended Purpose Authorizations to Collect Notice and Consent What information do you want? Why do you want that information? Who will be using that information, and to accomplish what? Does everyone understand what you want to do with the information? Have you got the authority to collect, and use the information? So You Want To Protect Privacy: Now What?
18 Collection / Creation Notifications and Consent Limiting Collection Safeguards Openness Accountability Have you given proper notice for what you want to collect? Is the notice traceable to the collection and management of the information? Can you demonstrate how collection has been limited? Do you know how you will protect the information? Can you demonstrate how this is consistent with your policies? Who is accountable if the information is lost? So You Want To Protect Privacy: Now What?
19 Use, Disclosure, Maintenance Limiting Use, Disclosure, Retention Accuracy Safeguards Challenging Compliance Individual Access How can you demonstrate that you have limited use, disclosure, or retention? How have you applied policies (e.g., retention) against information? Where are the safeguards being applied? By whom? For how long? Against what? What if you use encryption – how will you decrypt if needed? If challenged, can you demonstrate compliance with your own policies? So You Want To Protect Privacy: Now What?
20 Disposition Limiting Use, Disclosure, and Retention Safeguards Accuracy Individual Access When destroying, can you demonstrate that use was limited? When protecting, can you be sure you’re protecting enough – or not too much? How will you ensure that you are working with the most accurate information? If requested, will you know where to find all relevant information? So You Want To Protect Privacy: Now What?
21 Evaluation Challenging Compliance Openness Accountability How can you demonstrate that you have complied with the principles? Once you have made your policies open and accessible, can you show how you are complying with them? How is accountability traceable and demonstrable to outside observers? What is the effect of governance decisions? So You Want To Protect Privacy: Now What?
Sparkle Eyes 22So You Want To Protect Privacy: Now What?
23 Information Management So You Want To Protect Privacy: Now What?
24 Bio on IMDB.com Job Type Year Ratings Votes TV Series Genre Keyword So You Want To Protect Privacy: Now What?
25 Celebrities’ Private Lives Tombstone data Filmography Thoughts and Opinions Movement Communications Intimacy So You Want To Protect Privacy: Now What?
26 Automated Systems For example, in a SharePoint environment, metadata enables features like rights management, document routing, and disposition. So You Want To Protect Privacy: Now What?
27 Retention Schedules So You Want To Protect Privacy: Now What?
28 Demonstrating Compliance To demonstrate compliance with legislation and policies, specific data about specific individuals must be tracked and managed. In the event of a breach, specific actions about specific points in the organization (e.g., database, program area, etc.) need to be taken in order to respond. So You Want To Protect Privacy: Now What?
29 Conclusion Privacy is an abstract concept Respecting and protecting privacy happens through data protection Data protection requires common, consistent management activities in various contexts Data in context is information Therefore, protecting privacy means managing information So You Want To Protect Privacy: Now What?