PMRM Spec Draft v06 Oct 26 2011

Document Sample
PMRM Spec Draft v06 Oct 26 2011 Powered By Docstoc
					Draft Specification
PMRM v0.4
October 19, 2011

1. Executive Summary
   1.1. Overview of the Document
   1.2. Terminology
   1.3. Normative References
   1.4. Non-Normative References
2. Introduction
   2.1. Overview
To meet the objectives of the PMRM charter, the Committee examined data privacy policies in the context
of specific use cases in order to define a reference model that would improve the ability to deliver
operational privacy management and assured compliance across policy and system boundaries.
The Committee recognized that predictable and trusted privacy management must function in a complex,
inter-connected set of networks, systems, applications, devices and data. This privacy management
capability is needed both in traditional computing and in emerging cloud computing service delivery
environments. It mandates development of a specification that describes both personal information and
associated policies in sufficient detail to enable the assignment of privacy management actions
throughout the lifecycle of the PI. It must also accommodate a changing mix of PI and policies, whether
inherited or communicated to and from external domains or imposed internally. It must also include a
methodology so that a detailed, structured analysis of the service environment can be carried out.
This analysis is the basis for defining a privacy management architecture appropriate for a particular use
case or operational environment and for implementing integrated controls capable of executing privacy
policies with predictability and assurance
Multiple jurisdictions and inconsistent and often-conflicting laws, regulations, business practices, and
consumer preferences create huge barriers to online privacy management and compliance. It is unlikely
that these barriers will diminish in any significant way, especially in the face of rapid technological change
and innovation and differing social and national values, norms and policy interests. Therefore a privacy
management reference model can provide policymakers, program and business managers, system
architects and developers the tools needed to improve privacy management and compliance in multiple
jurisdictional contexts while also supporting service delivery and business objectives. In this model, the
controls associated with privacy (and security) will be flexible, configurable and scalable and operate in
concert with associated technical mechanisms, business process and policy components. These
characteristics require a specification that is policy-configurable, since there is no uniform, internationally-
adopted privacy terminology and taxonomy.
The core of the specification is expressed in two normative sections: the High Level Privacy Analysis and
the Detailed Privacy Management Reference Model Description. The Detailed PMRM Description section
is informed by the general findings associated with the high level analysis. However, it is much more
detail-focused and requires development of a use case which clearly expresses the complete application
and/or business service within which personal information is collected, communicated, processed, stored,
and disposed. The Reference Model is modular. It may be utilized against a use case subset and across
use cases. It is also iterative, meaning that it supports multiple levels of analysis and modification.
It is also important to point out that the model is not generally prescriptive, in that users of the model may
choose to adopt some parts of the model and not others. However, from a capability perspective, it is the
view of the Committee that a complete utilization of the model will make possible a more comprehensive
privacy management architecture for a given service or application. In this sense, the PMRM may serve
as the basis for the development of privacy-focused capability maturity models and improved compliance
Given the general reliance by the privacy policy community on non-uniform definitions of Fair Information
Policies/Practices (FIP/Ps), the Committee adopted a working set of operational privacy definitions to
provide a foundation for utilizing the model. With their operational focus, these working definitions are not
intended to supplant or to in any way suggest a bias for or against any specific policy or policy set. They
may prove valuable as a tool to help deal with the inherent biases built into current terminology
associated with privacy and to abstract their operational features.
In addition to the operational privacy definitions, the specification also defines a set of abstract Services
necessary to implement the management and compliance of detailed privacy requirements within a
particular use case. The Services are sets of functions which form an organizing foundation to facilitate
the application of the model and to support the identification of the specific mechanisms which will be
incorporated in the privacy management architecture appropriate for that use case.

    2.2. The PMRM Committee
    2.3. Challenge and Scope
    2.4. Documentation Set

3. High Level Privacy Analysis
The first phase of the PMRM is the scoping of the privacy aspects of the application or service – in effect,
identifying the complete environment in which the application or service exists. The extent of the scoping
analysis and the definition of “application” are set by the entity utilizing the PMRM scoping methodology.
These may be defined broadly or narrowly, and may include lifecycle (time) elements.
The high level analysis may also make use of privacy impact assessments, risk assessments, privacy
maturity assessments, compliance reviews, and accountability model assessments. However, the scope
of the high level privacy analysis (including all aspects of the service or application under review and all
relevant policy requirements) must correspond with the scope of Section 4, “Detailed Privacy
Management Reference Model Description.”
   3.1. Scope of High Level Privacy Analysis
       3.1.1.Application and Business Process Descriptions
       Create an inventory of the services and applications under review at the level of
                    granularity appropriate for the analysis.
             This can include applications and business processes; products; policy
                          environment; legal and regulatory jurisdictions; systems supporting the services
                          and applications; data; time; and other factors Impacting the collection,
                          communication, processing, storage and disposition of PI or PII
             Define a high level use case which reflects elements deemed relevant
       3.1.2.Statutory, Regulatory and Other Applicable Privacy Requirements
       Define and describe all of the material legal, regulatory and other privacy
                    requirements applicable in the scope of analysis
       3.1.3.Initial Privacy Impact Assessment [or Other Assessment] [optional]
       Prepare an initial privacy impact assessment or privacy impact assessment, risk
                    assessment, privacy maturity assessment, compliance review, or accountability model
                    assessment applicable within the scope of analysis carried out in step 3.1.1
4. Detailed Privacy Use Case Analysis
   4.1. Use Case Development
       4.1.1.Prepare and document a Detailed Privacy Management Use Case Analysis which
             corresponds with the Scope of Analysis. The Detailed Use Case must be clearly bounded
             and must include the following components.
       Privacy Domains
             Identify the Privacy Domains included in the use case.
             Privacy Domains are the physical or logical areas within the use case
                          subject to control by defined Domain Owners.
       Domain Owners
             Identify the Domain Owners in the use case
          For purposes of this specification, Domain Owners are entities having
                      responsibility for managing privacy requirements in business processes and
                      technical systems where PI is managed.
          Privacy Domains may be under the control of individuals or data
                      subjects; service providers; data processors; data controllers; and other distinct
                      entities having defined operational privacy management responsibilities.
          Domain Owner identification is important for purposes of establishing
                      accountability.     Data Flows
          Identify the data flows carrying PI and privacy policy requirement
                      expressions among actors in the Use Case.
          Data flows may be multidirectional and unidirectional     Touch Points
          Identify the touch points at which the data flows intersect with Privacy
                      Domains or Systems within Privacy Domains.
          Touch Points are the intersections of data flows with Privacy Domains or
                      Systems within Privacy Domains
          The main purpose for identifying touch points in the use case is to clarify
                      the data flows and ensure a complete picture of all systems in which PI is used.     Systems [and Subsystems]
          Identify the systems [and optionally subsystems] where PI is collected,
                      communicated, processed, and stored within a Privacy Domain
          A system or subsystem is a collection of components organized to
                      accomplish a specific function or set of functions having a relationship to privacy
                      management.     Actors
          Identify actors having privacy management responsibilities
          An actor is a human or non-human agent interacting with PI within a
                      system or subsystem
4.2. Identify PI in Use Case Systems
    4.2.1.Specify the PI collected, created, communicated, processed or stored within Systems or
          Subsystems in three categories     Incoming
          Incoming PI is PI flowing into a system or subsystem within a Privacy
          Incoming PI may be defined at whatever level of granularity appropriate
                      for the scope of analysis of the Use Case and the Privacy Requirements
                      established in 3.1     Internally Generated
          Internally Generated PI is PI created within the System [or Subsystem]
          Examples include device information, time-stamps, location information,
                      other system-generated data that may be linked to an identity
          Internally Generated PI may be defined at whatever level of granularity
                      appropriate for the scope of analysis of the Use Case and the Privacy
                      Requirements established in 3.1     Outgoing
          Outgoing PI is PI flowing out of one system or subsystem to another
                      system or subsystem within a Privacy Doman or to another Privacy Domain.
4.3. Identify Operational Privacy Control Requirements
    4.3.1.For Incoming, Internally Generated and Outgoing PI, specify the operational control
          requirements needed to enforce the privacy policy requirements associated with the PI.     Inherited Control Requirements
          Specify the privacy control requirements which are inherited from Privacy
                      Domains     Internal Control Requirements
          Specify the privacy control requirements which are mandated by internal
                      Privacy Domain policies     Exported Control Requirements
          Specify the privacy control requirements which must be exported to other
                      Privacy Domains
4.4. Services Required to Support Privacy Controls
    4.4.1.Service Definitions     A set of Operational Services is the organizing structure which will be used to link
                the privacy control requirements specified in Section 4.3 to operational mechanisms
                necessary to implement those requirements     Agreement Services
          Identify permissions and rules for the handling of PI based on policies
          Provide Actors with a mechanism to negotiate new permissions and
          Express the agreements for use by other services     Usage Services
          Ensure that the use of PI complies with the terms of any applicable
                      permission, policy or regulation
          Including when PI is subjected to information minimization, linking,
                      integration, inference, transfer, derivation, aggregation, and pseudo-
                      anonymization     Validation Services     Evaluate and ensure the information quality of PI in terms of Accuracy,
                Completeness, Relevance, Timeliness     Certification Services
          Validate the credentials of any actor or system component involved in
                      processing PI
          Verify compliance and trustworthiness of that actor or system component
                      against policies     Enforcement Services
          Initiate response actions, policy execution, and recourse when audit
                      controls and monitoring indicate that an actor or system does not conform to the
                      terms or policies of an agreement     Security Services
          provide the policy, process, and technical operational controls necessary
                      to ensure that confidentiality, integrity, and availability of personal information
          enforce accurate and trustworthy processing, communication, storage
                      and disposition     Interaction Services
          facilitate a generalized interface as required for presentation,
                      communication, and other movement of relevant information associated with PI
                      and operational policies
          encompass functionality such as user interfaces, system-to-system
                      information exchanges, and agents    Access Services
         Enable Actors, as required and/or allowed by policy or regulation, to:
                 Review their PI that is held by other actors; and
                 Propose changes to their PI
    4.4.2.Select the Necessary Services to Operationalize the Controls
    4.4.3.Define the Business Process and Technical Mechanisms Supporting Each Service     Implementation Functions and Technologies     Business Practices
4.5. Risk Assessment
    4.5.1.Detailed operational risk assessment per Service
    4.5.2.Control Selection to Mitigate Risks
   4.6. Iterative Process
       4.6.1.Detailed Operational Risk Assessment across Use Case and PI Lifecycle
       4.6.2.Lifecycle Weaknesses and Risk Evaluation
       4.6.3.Control, Mechanisms, Operational requirements, Policy and Other Modifications
5. Operational Definitions Supporting Fair Information Practices/Principles
   5.1. Accountability: Functionality enabling reporting by the business process and technical systems
        which implement privacy policies, to the individual or entity accountable for ensuring compliance
        with those policies, with optional linkages to redress and sanctions.
   5.2. Notice: Functionality providing Information regarding an entity’s privacy policies and practices
        including: definition of the Personal Information collected; its use (purpose specification); its
        disclosure to parties within or external to the entity; practices associated with the maintenance
        and protection of the information; options available to the individual regarding the collector’s
        privacy practices; retention and deletion; changes made to policies or practices; and other
        information provided to the individual at designated times and under designated circumstances.
   5.3. Consent: Functionality, including support for Sensitive Information, Informed Consent, Change
        of Use Consent, and Consequences of Consent Denial, enabling individuals to agree to allow
        the collection and/or specific uses of some or all of their Personal Information either through an
        affirmative process (opt-in) or implied (not choosing to opt-out when this option is provided).
   5.4. Collection Limitation and Information Minimization: Functionality exercised by the
        information collector or information user to limit the information collected, processed,
        communicated and stored to the minimum necessary to achieve a stated purpose and, when
        required, demonstrably collected by fair and lawful means.
   5.5. Use Limitation: Functionality exercised by the information collector or information user to
        ensure that Personal Information will not be used for purposes other than those specified and
        accepted by the individual or provided by law, and not maintained longer than necessary for the
        stated purposes.
   5.6. Disclosure: Functionality enabling the release, transfer, provision of access to, use for new
        purposes, or divulging in any other manner, Personal Information held by an entity in accordance
        with notice and consent permissions and/or applicable laws and functionality making known the
        information collectors policies to external parties receiving the information.
   5.7. Access and Correction: Functionality allowing individuals having adequate proof of identity to
        discover from an entity, or discover and/or correct or delete, their Personal Information, at
        specified costs and within specified time constraints; and functionality providing notice of denial
        of access and options for challenging denial when specified.
   5.8. Security/Safeguards: Functionality that ensures the confidentiality, availability and integrity of
        Personal Information collected, used, communicated, maintained, and stored; and that ensures
        specified Personal Information will be de-identified and/or destroyed as required.
   5.9. Information Quality: Functionality that ensures that information collected and used is adequate
        for purpose, relevant for purpose, not excessive in relation to the purposes for which it is
        collected and/or further processed, accurate at time of use, and, where specified, kept up to
        date, corrected or destroyed.
   5.10.        Enforcement: Functionality ensuring compliance with privacy policies, agreements and
        legal requirements and to give individuals a means of filing complaints of compliance violations
        and having them addressed, including recourse for violations of law, agreements and policies.
   5.11.        Openness: Functionality making availability to individuals the information collector's or
        information user's policies and practices relating to their management of Personal Information
        and for establishing the existence of, nature and purpose of use of Personal Information held
        about the individuals.
   5.12.        Anonymity: Functionality which renders personal information anonymous so that an
        individual is no longer identifiable.
   5.13.        Information Flow: Functionality enabling the communication of personal information
        across geo-political jurisdictions by private or public entities involved in governmental, economic,
        social or other social activities.
   5.14.        Sensitivity: Functionality that provides special handling, processing, security treatment
        or other treatment of specified information, as defined by law, regulation or policy
6.   Conformance
7.   Use Cases
8.   Acknowledgments
9.   Other Considerations

Shared By: