Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright, 1997-2004 1 Why PIAs ? Roger Clarke Xamax Consultancy Pty Ltd, Canberra Visiting Professor, Unis. of Hong Kong and U.N.S.W. Visiting Fellow,

Similar presentations

Presentation on theme: "Copyright, 1997-2004 1 Why PIAs ? Roger Clarke Xamax Consultancy Pty Ltd, Canberra Visiting Professor, Unis. of Hong Kong and U.N.S.W. Visiting Fellow,"— Presentation transcript:

1 Copyright, 1997-2004 1 Why PIAs ? Roger Clarke Xamax Consultancy Pty Ltd, Canberra Visiting Professor, Unis. of Hong Kong and U.N.S.W. Visiting Fellow, Dept of Computer Science, ANU{.html,.ppt} rev. 16 May 2004

2 Copyright, 1997-2004 2 Why PIAs ? Agenda 1.Privacy and Privacy Protection 2.Advocate Motivations 3.Sponsor Motivations Social Responsibility Business Needs 4.Methods to Support Assessment 5.Key Features of Effective PIAs

3 Copyright, 1997-2004 3 Privacy The interest that individuals have in sustaining a 'personal space', free from interference by other people and organisations Dimensions of Privacy Privacy of the Person Privacy of Personal Behaviour Privacy of Personal Communications Privacy of Personal Data

4 Copyright, 1997-2004 4 Privacy Protection Privacy can conflict with other interests: personal conflict of interests interests of another person interests of a group or community interests of an organisation interests of society as a whole Privacy Protection is a process of finding appropriate balances between privacy and multiple competing interests

5 Copyright, 1997-2004 5 Advocate Motivations Powerful parties through ignorance, impose schemes that unnecessarily compromise privacy demand that privacy be compromised, but that the interests of the powerful parties not be compromised Advocates want: informed design which avoids invasiveness where its practicable compromise among all interests

6 Copyright, 1997-2004 6 Sponsor Motivations (1)Social Responsibility On balance, wed prefer to be nice We do appreciate how powerful we are, and how powerful the technologies are Us decision-makers are people to, and to some extent its our own and our childrens privacy that were invading

7 Copyright, 1997-2004 7 Social Responsibility and For-Profit Corporations Generally required by law to work for the good of the company, and thence shareholders Responsibility is only to the above Precluded by law from having social responsibility among its objectives Must regard it only as a constraint

8 Copyright, 1997-2004 8 Social Responsibility, and Not-For-Profits, Associations, NGOs Generally not precluded by law from considering social responsibility Many have value-systems and objectives that lean towards social responsibility For some, social responsibility is central to their value-system and their objectives

9 Copyright, 1997-2004 9 Social Responsibility and Government Agencies Theory X: Monarchy, Top-Down Society Social Control, Authority Mass Society before Individual Person Theory Y: Government is of the people, but also by the people, and for the people Social Responsibility is fundamental

10 Copyright, 1997-2004 10 Diversity Between Governments Eastern Europe, Asia cf. Longstanding Democracies Entry Pointsnow Business Gateway eDemocracyConsulting Canadians PIA Rules, CodesMBS ON, TBS Ottawa,... Diversity Within Government National Security & Law Enforcement cf. policy-formation cf. service-delivery

11 Copyright, 1997-2004 11 Strategic Management Theory for For-Profit Corporations Five Forces Shape Industry: the bargaining power of Suppliers the bargaining power of Buyers the threat of New Entrants the threat of Substitute Products Rivalry among existing firms (but Porter missed Regulatory Aspects!)

12 Copyright, 1997-2004 12 Towards a Strategic Management Theory for Government Forces Shaping the Public Sector The Executive The Parliament International Factors Business Business Advocates and Representatives The Public The Media Representatives of and Advocates for: The Public Population Segments

13 Copyright, 1997-2004 13 Public Policy Factors Service Quality Service Accessibility Service Equity Imposition of Effort and Cost Imposition of Risks Freedom of Information Public Safety, OH&S Privacy...

14 Copyright, 1997-2004 14 Equity – Bases for Discrimination Physical Handicaps sight, mobility, or capacity to use a keyboard or mouse Mental Handicaps inability to remember username/password pair, or carry a token Educational Handicaps lack of understanding of prompts, or what to do with a token Lingual Handicaps insufficient local language to understand instructions Location in an institution, in a remote area, in a rural or regional area with outdated infrastructure or inadequate bandwidth, ex-country Lifestyle – traditional, seasonal worker, itinerant, street kid

15 Copyright, 1997-2004 15 Persons-at-Risk People under the Direct Threat of Violence people concealing themselves from previous criminal associates victims of domestic violence protected witnesses people under fatwa Celebrities, Notorieties and VIPs politicians entertainers and sportspeople people 'in the public eye', such as lottery-winners People in Security-Sensitive Roles national security operatives, undercover police, prison warders, and staff in psychiatric institutions

16 Copyright, 1997-2004 16 Sponsor Motivations (2)Business Needs Return on Investment Task Tfer / Cost Tfer / Enhanced Svce User Adoption / Acceptance Other-Stakeholder Acceptance (3)Business Not-Needs User Opposition Other-Stakeholder Opposition Bad Press, Embarrassed Ministers

17 Copyright, 1997-2004 17 Antidotes Analysis of Stakeholders Information for Stakeholders Consultation with Stakeholders Participation of Stakeholders

18 Copyright, 1997-2004 18 Stakeholder Analysis and Segmentation Sponsors Service and Technology Providers Users People Business Enterprises and Associations Govt agencies at varying levels of govt Usees / Clients / Regulatees People Business Enterprises and Associations The General Public

19 Copyright, 1997-2004 19 Who To Consult With? Citizens / Consumers / Users / Usees The people actually affected by the proposal Representatives Understand and can express the concerns of people within a particular population segment Public Interest Advocates Understand the technology, processes and issues Different approaches are necessary

20 Copyright, 1997-2004 20 Consultations with People Most people cant cope with abstractions, and need concrete experiences So prime discussions with mockups, protoypes Use Focus Group technique: diverse group of 6-12 people, preferably without prior knowledge of one another typically for 1.5 to 2.5 hours a Moderator focuses discussion on a topic, but allows it to range across many aspects

21 Copyright, 1997-2004 21 Consultations with Reps and Advocates Stakeholder Analysis and Segmentation Search for Representatives and Advocates Invitation to Participate Background Paper Consultation Workshop Assimilation of information provided into: the Scheme Design a PIA report Feedback

22 Copyright, 1997-2004 22 The Role of Confidentiality in Consultative Processes The focus is on mutual confidence Confidentiality is a spin-off All parties may want some protection All parties may want to fly kites, test the water, or use po

23 Copyright, 1997-2004 23 PRIVACY as a Strategic Factor Privacy is much more than mere Data Protection, and Fair Information Practices Elements of a Privacy Strategy A Proactive Stance An Express Strategy An Articulated Plan Resourcing Monitoring of Performance against the Plan

24 Copyright, 1997-2004 24 Phases of an Organisational Privacy Strategy Preparatory Study, Consultation, Formulation, Internal Commitment, Articulation incl. Participation, Public Commitment Establishment Planning, Embedment, Acculturation, Internal Implementation, Partner Implementation, Post-Implementation Review Maintenance Re-training, Reinforcement, Internal Audit, External Audit, Strategic Review

25 Copyright, 1997-2004 25 Elements of a Privacy Strategy and Plan Corporate Privacy Strategy Assignment of Organisational Responsibility Compliance with Laws, Codes, Guidelines, etc. Embedment in Technical Infrastructure Embedment in Corporate Procedures proposals for project initiation conduct of development projects privacy impact assessment post-implementation review audit, both periodic, and on-demand Stakeholder Consultative Arrangements

26 Copyright, 1997-2004 26 Privacy Impact Assessment A process that surfaces and examines potential impacts and implications of privacy-invasive proposals

27 Copyright, 1997-2004 27 Objectives of the PIA Process Clearly define: business needs stakeholder groups privacy impacts and implications Enable understanding and assessment of the proposal Enable mutual understanding of stakeholder perspectives Ensure reflection of stakeholder perspectives in the outcomes Enable: maximisation of positive impacts avoidance or amelioration of negative impacts Maximise the likelihood of stakeholder support Avoid new requirements emerging late Earn public confidence Raise awareness, educate Anticipate and avoid misinformation campaigns

28 Copyright, 1997-2004 28 Alternative Assessment Perspectives The Sponsor The Sponsors Strategic Partners Service and Technology Providers Users – and Usees / Clients / Regulatees People Business Enterprises and Associations Govt agencies at varying levels of govt The Society / Economy / Polity

29 Copyright, 1997-2004 29 Methods to Support Assessment Sponsor Perspective Only Capital Investment Project Evaluation Discounted Cash Flows, Payback Period, NPV Assumes that all variables are measured in financial terms Deterministic, but can do Sensitivity Analysis Business Case Analysis Supports finl, quantitative, and qualitative measures Multi-Perspective Cost / Benefit Analysis (CBA) Finl, quant, qual measures Less precise, partly qualitative Recognises Opportunity Costs Sensitivity Analysis Cost / Benefit / Risk Analysis (COBRA) CBA + Focuses on key uncertainties Search for countermeasures

30 Copyright, 1997-2004 30 Elements of the PIA Process Surfacing and Examination of the privacy impacts and implications of a proposal Development of a clear understanding of the Business Need that justifies the proposal and its negative impacts Gauging of the Acceptability of the proposal and its features by organisations and people that will be affected by it Assessment of Compliance of the proposal with existing privacy-related laws, codes, best practices and guidelines Constructive Search for, and Evaluation of, better Alternatives Constructive Search for ways to Avoid Negative Impacts, and ways to Ameliorate Unavoidable Negative Impacts Documentation and Publication of the Outcomes

31 Copyright, 1997-2004 31 Public Participation in PIAs Public Representation on the Steering Committee Focus Groups; and a PIA Consultative Group Sufficient Diversity of Participants to ensure all perspectives are represented Multiple Rounds of: information provision by the sponsor to the public consultation between advocates and stakeholder groups, and the primary sponsor Assimilation of the information provided by all parties into subsequent rounds of activities and consultation Participation by stakeholder groups in the design and implementation activities

32 Copyright, 1997-2004 32 Contents of a P.I.A. Report Description of the Proposal and its Applications Analysis of Privacy Concerns Summary of Laws, Codes, Best Practices and Guidelines, and Application to the Proposal Evaluation, and Justification for the Privacy Impacts Analysis of Public Acceptability Analysis of Measures to Avoid & Ameliorate Privacy Impacts Appendices: References to Laws, Codes, Best Practices and Guidelines Summary of the Consultative Processes Organisations and Individuals Consulted The Background Information Provided

33 Copyright, 1997-2004 33 Benefits of a P.I.A. Early appreciation of the citizen perspective Constructive suggestions to avoid negative impacts to improve the design Early warning of future problems Avoidance of re-work and retro-fit Pre-countering of public criticism

34 Copyright, 1997-2004 34 Key Features of a PIA – 1 of 2 More Process Than Product Not just an audit of compliance with existing laws Requires active involvement of all relevant parties, and incorporation of ideas into the emergent design (inclusive and participative, or at least consultative) Proxies need to be engaged, in order to: gauge the acceptability of various features constructively search for alternatives constructively search for ways in which negative impacts can be avoided, or at least ameliorated gain commitment

35 Copyright, 1997-2004 35 Key Features of a PIA – 2 of 2 Is performed by the proposals sponsor not by a privacy regulatory agency not fully delegated to a consultant or contractor Commences early, to maximise involvement, avoid suspicion, and minimise re-work costs Involves multiple phases, such that shared understanding increases, and with it commitment Reduces the likelihood of later public opposition and misinformation campaigns, and, even if they are conducted, reduces their credibility

36 Copyright, 1997-2004 36 Why PIAs ? It may be a Legal Requirement Public Policy may dictate that it be done Stakeholder groups may have sufficient power to force it Project Risk may be reduced Investment Risk may be reduced Adoption may be enhanced The proposals quality may be enhanced

Download ppt "Copyright, 1997-2004 1 Why PIAs ? Roger Clarke Xamax Consultancy Pty Ltd, Canberra Visiting Professor, Unis. of Hong Kong and U.N.S.W. Visiting Fellow,"

Similar presentations

Ads by Google