Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privacy By Design Sample Use Case Privacy Controls Insurance Application- Vehicle Data.

Published byKristin Mosley Modified over 8 years ago

Similar presentations

Presentation on theme: "Privacy By Design Sample Use Case Privacy Controls Insurance Application- Vehicle Data."— Presentation transcript:

1 Privacy By Design Sample Use Case Privacy Controls Insurance Application- Vehicle Data

2 PbD Use Case Privacy Controls Based on PMRM v1.0 Makes possible: o Identification of abstract controls at the data-flow level Controls are mechanisms and processes designed to provide reasonable assurance of the achievement of stated objectives o Technical o Administrative o Physical Controls can be pre-defined/baseline (e.g. NIST SP 800- 53r4 Appendix J) and/or bespoke o Decomposition of individual controls into pre-defined supporting services o Design and implementation of concrete functionality and processes comprising the services

3 Use Case Privacy Control Development (Four Further Stages) Inherited Privacy Controls Internal Privacy Controls Exported Privacy Controls Supporting Services Risk Assessment Technical Functionality and Business Processes

4 Use Case Privacy Control Development Stage Six Acme Insurance Customer Vehicle Programs Customer Profile Dept. Analytics Domain Customer Portal Software Development Group Data Communications Local Agent portal Incoming PI (Driving patterns and assessed risk linked to VIN) Generated PI (Driving patterns and assessed risk) Outgoing PI (Name, account number, driving pattern and assessment summaries)

5 Use Case Privacy Control Development Stage Six 1.Specify privacy controls inherited from Privacy Domains or Systems within Privacy Domains 2.Specify privacy controls mandated by internal Privacy Domain policies 3.Specify privacy controls exported to other Privacy Domains or Systems within Privacy Domains

6 Use Case Privacy Control Development Stage Six Acme Insurance Customer Vehicle Programs Customer Profile Dept. Analytics Domain Customer Portal Software Development Group Data Communications Local Agent portal Generated PI (Driving patterns and assessed risk) Outgoing PI (Name, account number, driving pattern and assessment summaries) Exported Control AR-3: Requirements for Contractors Internal Control DI-1: Data Quality Incoming PI (Driving patterns and assessed risk linked to VIN) Inherited Control DM-1: Minimization of PII

7 Use Case Privacy Control Development Stage Seven 4.Identify Services satisfying privacy controls

8 Use Case Privacy Control Development Stage Seven AGREEMENT Define and document permissions and rules for the handling of PI based on applicable policies, data subject preferences, and other relevant factors; provide relevant Actors with a mechanism to negotiate or establish new permissions and rules; express the agreements for use by other Services USAGE Ensure that the use of PI complies with the terms of any applicable permission, policy, law or regulation, including PI subjected to information minimization, linking, integration, inference, transfer, derivation, aggregation, and anonymization over the lifecycle of the use case VALIDATION Evaluate and ensure the information quality of PI in terms of Accuracy, Completeness, Relevance, Timeliness and other relevant qualitative factors

9 Use Case Privacy Control Development Stage Seven CERTIFICATION Ensure that the credentials of any Actor, Domain, System, or system component are compatible with their assigned roles in processing PI; and verify their compliance and trustworthiness against defined policies and assigned roles. ENFORCEMENT Initiate response actions, policy execution, and recourse when audit controls and monitoring indicate that an Actor or System does not conform to defined policies or the terms of a permission (agreement) SECURITY Provide the procedural and technical mechanisms necessary to ensure the confidentiality, integrity, and availability of personal information; make possible the trustworthy processing, communication, storage and disposition of privacy operations

10 Use Case Privacy Control Development Stage Seven INTERACTION Provide generalized interfaces necessary for presentation, communication, and interaction of PI and relevant information associated with PI; encompasses functionality such as user interfaces, system-to-system information exchanges, and agents ACCESS Enable data-subjects, as required and/or allowed by permission, policy, or regulation, to review their PI that is held within a Domain and propose changes and/or corrections to their PI

11 Use Case Privacy Control Development Stage Seven Internal Control DI-1: Data Quality o Validation service Inherited Control DM-1: Minimization of PII o Usage service o Security service Exported Control AR-3: Requirements for Contractors o Agreement service

12 Use Case Development Use Case Development Stage Eight 5.Define technical functionality and business processes supporting selected services

13 Use Case Privacy Control Development Stage Eight Validation service o Vehicle data cleansing E.g., check for inconsistent event sequences Usage service o Automated interfaces to maintain separation of data using identifier with relatively inaccessible auxiliary info Security service o Role-based access control Agreement service o Chain-of-trust contract clause

14 Use Case Privacy Control Development Stage Eight Acme Insurance Customer Vehicle Programs Customer Profile Dept. Analytics Domain Customer Portal Software Development Group Data Communications Local Agent portal Generated PI (Driving patterns and assessed risk) Outgoing PI (Name, account number, driving pattern and assessment summaries) Exported Control AR-3: Requirements for Contractors Internal Control DI-1: Data Quality Incoming PI (Driving patterns and assessed risk linked to VIN) Inherited Control DM-1: Minimization of PII

15 Use Case Development Use Case Development Stage Nine 6.Risk assessment o VIN sufficient to maintain data separation? o If not, implement usage service via random pseudonymous identifiers shared between Acme Insurance Company and Hudson Motor Company

Download ppt "Privacy By Design Sample Use Case Privacy Controls Insurance Application- Vehicle Data."

Similar presentations

Module N° 4 – ICAO SSP framework

Module N° 4 – ICAO SSP framework
Privacy By Design Sample Use Case

Privacy By Design Sample Use Case
Privacy By Design Draft Privacy Use Case Template

Privacy By Design Draft Privacy Use Case Template
SERVICE LEVEL AGREEMENTS The Technical Contract Within the Master Agreement.

SERVICE LEVEL AGREEMENTS The Technical Contract Within the Master Agreement.
Chapter 7: Key Process Areas for Level 2: Repeatable - Arvind Kabir Yateesh.

Chapter 7: Key Process Areas for Level 2: Repeatable - Arvind Kabir Yateesh.
Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.

Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.
Coping with Electronic Records Setting Standards for Private Sector E-records Retention.

Coping with Electronic Records Setting Standards for Private Sector E-records Retention.
Security Controls – What Works

Security Controls – What Works
On Privacy-aware Information Lifecycle Management (ILM) in Enterprises: Setting the Context Marco Casassa Mont Hewlett-Packard.

On Privacy-aware Information Lifecycle Management (ILM) in Enterprises: Setting the Context Marco Casassa Mont Hewlett-Packard.
Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.

Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.
Centers for IBM e-Business Innovation :: Chicago © 2005 IBM Corporation IBM Project October 2005.

Centers for IBM e-Business Innovation :: Chicago © 2005 IBM Corporation IBM Project October 2005.
© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.

© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.

Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.
PMRM Overview and Privacy Management Analysis Tools Development John Sabo Gershon Janssen

PMRM Overview and Privacy Management Analysis Tools Development John Sabo Gershon Janssen
OASIS PRIVACY MANAGEMENT REFERENCE MODEL EEMA European e-identity Management Conference Paris, 12-13 June 2012 John Sabo, CA Technologies Co-Chair, OASIS.

OASIS PRIVACY MANAGEMENT REFERENCE MODEL EEMA European e-identity Management Conference Paris, June 2012 John Sabo, CA Technologies Co-Chair, OASIS.
The Key Process Areas for Level 2: Repeatable Ralph Covington David Wang.

The Key Process Areas for Level 2: Repeatable Ralph Covington David Wang.
Integrated Capability Maturity Model (CMMI)

Integrated Capability Maturity Model (CMMI)
Chapter 15 Database Administration and Security

Chapter 15 Database Administration and Security

Similar presentations

Ads by Google