The Hitchhiker's Guide to Privacy by Design - Preview


THE HITCHHIKER’S GUIDE TO PRIVACY BY DESIGN

Barbara Peruskovic


ABOUT THE AUTHOR

Barbara Peruskovic has been working in the field of information architecture for over 30 years. At the age of 12 she learned the principles of programming (read – she did not have a computer, so she wrote her code on paper); at the age of 14 she wrote her first application (read – a high school assignment to track the ethnicity of her fellow students). As this last one was part of a bigger-scale ‘mistake’ (read – a massive war on a local scale somewhere in Europe), she counted her blessings and continued her education in Western Europe. Not used to peace and quiet, after rushing through high school and a freshman year at the Mathematics faculty, she decided to try her luck tackling Y2K problems in the corporate world (despite all the odds, this did not lead to any major galactic catastrophe). By total accident (read – IQ measurements by an inadequate recruitment agency) she ended up at the Information Management department of a great hidden software company. After learning the craft (read – being called a youngster for 10 years), she started her own consulting service, providing advisory services to help organisations form their own solutions, visions and teams while facing data challenges. With years of hands-on experience with different tools, techniques and organisation models, she learned to favour the approach of practical wisdom: one can learn the principles of action, but applying them in the real world, in situations one could not have foreseen, requires the experience of doing (read – she made many mistakes and can now warn others against making the same ones).

Being diagnosed as a philomath (read – officially addicted to learning), she followed courses in Applied Psychology, several technologies (read – you know, the big 4’s) and, by total accident, Ethics and Privacy. Combined with her love for mathematical models, data and engineering, this led to a true obsession. Nowadays she teaches Privacy by Design in the area of Data & Analytics and consults in Ethical Data Governance (read – she can finally choose her assignments and customers). All wisdom in her work and in this paper is to be credited to the great contributors from her professional network and the academic community. She is just the implementer of privacy and governance principles in an exciting but troubled world of data. (P.S. Her only truly unique accomplishment is a vertical catwalk down a public building in Amsterdam (read – climbing 60 m head down, attached to a small rope, which in some tiny, hidden part of the universe is considered to be a profession).)


FOREWORD
By Ann Cavoukian, Ph.D.

The Hitchhiker’s Guide to Privacy by Design is by far one of the most creative and delightful texts to read! I have always linked the importance of privacy to enabling innovation and creativity regarding the ways in which we can make technology work for us – Protegrity is showing us that effectively transferring this knowledge benefits greatly from taking a design approach. I applaud Barbara Peruskovic, the author of this guide, for her ingenuity and dedication to teaching in the areas of Privacy by Design, and data analytics. For anyone overwhelmed by the magnitude of the GDPR, this is indeed a ‘must read’. What could be a better stage on which to demystify this complex new approach to privacy rights than the entire universe – a space galaxy! The saying ‘a picture is worth a thousand words’ rings true with the Hitchhiker’s Guide to Privacy by Design – it uses colourful images that convey the meaning and essence of Privacy by Design, elements of the GDPR, and privacy ethics more effectively than a lengthy 10,000+ word description could ever achieve. Bravo Barbara, Protegrity and the entire team! Remember that privacy forms the foundation of our freedom – you cannot have free and democratic societies without privacy. By embedding it into the design of our operations, we can be assured that privacy will be preserved – now, and well into the future.

Ann Cavoukian, Ph.D., LL.D. (Hon.), M.S.M., is a distinguished Expert-in-Residence at the Privacy by Design Centre of Excellence, Ryerson University.

DON’T PANIC

THE HITCHHIKER’S GUIDE TO PRIVACY BY DESIGN | 3


contents

2 ABOUT THE HITCHHIKER’S GUIDE
3 FOREWORD
4 THE GREAT QUESTION
5 THE VALUE OF PERSONAL DATA
6 DATA ECONOMY IN THE REGULATORY EU UNIVERSE
11 DESIGNING THE PRINCIPLES OF TRUST
12 Engineering ethics into data
14 Privacy by Design (PbD)
16 Terminology of privacy
20 Privacy risk management framework
26 Privacy Enhancing Technologies (PETs)
30 FRAMEWORKS FOR IMPLEMENTING PRIVACY
38 VALUE INCREASING EFFECT OF PRIVACY
42 Conclusion
43 THE RESTAURANT AT THE END OF THE UNIVERSE
45 ABOUT PROTEGRITY


“In many of the more relaxed civilizations on the Outer Eastern Rim of the Galaxy, the HitchHiker’s Guide has already supplanted the great Encyclopaedia Galactica as the standard repository of all knowledge and wisdom, for though it has many omissions and contains much that is apocryphal, or at least wildly inaccurate, it scores over the older, more pedestrian work in two important respects. First, it is slightly cheaper; and secondly it has the words DON’T PANIC inscribed in large friendly letters on its cover.”
Douglas Adams, The Hitchhiker’s Guide to the Galaxy


THE GREAT QUESTION

“The Answer to the Great Question… Of Life, the Universe and Everything… Is… Forty-two,’ said Deep Thought, with infinite majesty and calm.”
Douglas Adams, The Hitchhiker’s Guide to the Galaxy

Privacy has always been context related, but our data-hungry society has added several extra dimensions to it. Today it is no longer only an ethical question; it also raises economic, legal and technical questions. And the main answer to all of them, required by society and by law, is Privacy by Design. Unfortunately, it is very hard to find out how to achieve it. The aim of this Guide is to provide a repository of the knowledge and wisdom of the many brave scientists, researchers and practitioners who have reached for it.



THE VALUE OF PERSONAL DATA

“The History of every major Galactic Civilisation tends to pass through three distinct and recognisable phases, those of Survival, Inquiry and Sophistication, otherwise known as the How, Why, and Where phases.”
Douglas Adams, The Restaurant at the End of the Universe

Technological development is not only increasing our ability to store and exploit data, but is also nudging us to share tremendous amounts of personal information. In an economy that classifies data as an asset, a commodity and even a currency, personal data has huge value potential. A study by BCG (ref 1) states that the value generated by applications built on personal data “can deliver a €330 billion annual economic benefit for organisations in Europe by 2020”. This growth is under pressure as consumers worry about violations of their privacy, caused by data breaches as well as by misuse of their personal data. The challenge is to establish an environment in which the fundamental human right to privacy and safety is also applied in the context of data (data privacy protection) while the economic value is maintained.


DATA ECONOMY IN THE REGULATORY EU UNIVERSE

“In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move.”
Douglas Adams, The Restaurant at the End of the Universe

Being primarily an economic union, the EU has acknowledged that the opportunities of a digital identity market are crucial for the region to compete globally in the data-driven economy. To do so, the EU must “make sure that the relevant legal framework and the policies, such as on interoperability, data protection, security and IPR are data-friendly, leading to more regulatory certainty for business and creating consumer trust in data technologies” (ref 2). As an early adopter of embedding economic considerations at the political level, the EU is setting up an extended data regulatory framework. With this small universe of directives and regulations, the EU is pioneering on the frontiers of technology-based legislation.



Conclusion

“There is a theory which states that if ever anyone discovers exactly what the Universe is for and why it is here, it will instantly disappear and be replaced by something even more bizarre and inexplicable. There is another theory which states that this has already happened.”
Douglas Adams, The Restaurant at the End of the Universe

Like every universe, privacy is constantly changing. Hopefully this Guide can navigate you safely through the Galaxy of Privacy by Design. To meet all those whose insights made this possible, go to The Restaurant at the End of the Universe.



THE RESTAURANT AT THE END OF THE UNIVERSE

1 Boston Consulting Group, November 2012, “The Value of Our Digital Identity”, http://www.libertyglobal.com/PDF/public-policy/The-Value-of-Our-Digital-Identity.pdf
2 EU 2014 Communication “Towards a thriving data-driven economy”, https://ec.europa.eu/digital-single-market/en/news/communicationdata-driven-economy
3 https://linc.cnil.fr/fr/reglement-europeen-protection-donnees/dataviz
4 Hadar, Irit; Hasson, Tomer; Ayalon, Oshrat; Toch, Eran; Birnhack, Michael; Sherman, Sofia; Balissa, Arod, “Privacy by Designers: Software Developers’ Privacy Mindset” (March 24, 2014), 23(1) Empirical Software Engineering 259-289 (2018). Available at SSRN: https://ssrn.com/abstract=2413498 or http://dx.doi.org/10.2139/ssrn.2413498
5 Michelle Finneran Dennedy, Jonathan Fox, Thomas R. Finneran, “The Privacy Engineer’s Manifesto: Getting from Policy to Code to QA to Value”, DOI https://doi.org/10.1007/978-1-4302-6356-2
6 Hildebrandt, Mireille, “Privacy As Protection of the Incomputable Self: From Agnostic to Agonistic Machine Learning” (December 3, 2017). Available at SSRN: https://ssrn.com/abstract=3081776 or http://dx.doi.org/10.2139/ssrn.3081776
7 Hildebrandt, M. & B.J. Koops (2010), ‘The Challenges of Ambient Law and Legal Protection in the Profiling Era’, 73 Modern Law Review, DOI: 10.1111/j.1468-2230.2010.00806.x
8 T.Z. Zarsky, “Thinking outside the box: considering transparency, anonymity, and pseudonymity as overall solutions to the problem in information privacy in the internet society”, University of Miami Law Review, 58 (2003) 1028-1032.
9 See ref 7.
10 Quote by Dr. Ann Cavoukian, transcript: https://blog.varonis.com/interview-privacy-expert-dr-ann-cavoukian/
11 Mattsson, Ulf T., “A New Scalable Approach to Data Tokenization” (June 19, 2010). Available at SSRN: https://ssrn.com/abstract=1627284 or http://dx.doi.org/10.2139/ssrn.1627284
12 Pete Warden, O’Reilly Media blog, “Why You Can’t Really Anonymize Your Data” (2011), https://www.oreilly.com/ideas/anonymize-data-limits
13 EU PIAF, A Privacy Impact Assessment Framework for data protection and privacy rights (2011), JLS/2009-2010/DAP/AG, www.vub.ac.be/LSTS/pub/Dehert/507.pdf
14 M. Ryan Calo, “The Boundaries of Privacy Harm”, 86 Ind. L.J. 1131, 1133 (2011)
15 H. Nissenbaum, Privacy in Context: Technology, Policy and the Integrity of Social Life (Palo Alto: Stanford University Press, 2010)
16 Solove, Daniel J., “A Taxonomy of Privacy”, University of Pennsylvania Law Review, Vol. 154, No. 3, p. 477, January 2006; GWU Law School Public Law Research Paper No. 129. Available at SSRN: https://ssrn.com/abstract=667622
17 NISTIR 8062, An Introduction to Privacy Engineering and Risk Management in Federal Systems, NIST (2017), https://csrc.nist.gov/publications/detail/nistir/8062/final
18 CNIL Methodology for Privacy Risk Management (2012), https://www.cnil.fr/sites/default/files/typo/document/CNILManagingPrivacyRisks-Methodology.pdf
19 LINDDUN Privacy threat modelling, https://linddun.org/
20 Fritsch, L. (2007), “State of the art of Privacy-enhancing Technology (PET)”, Norwegian Computing Center Report, No. 1013. Available at: http://publ.nr.no/4589
21 London Economics, Study on the economic benefits of privacy-enhancing technologies (PETs) (2010), https://londoneconomics.co.uk/blog/publication/study-on-the-economic-benefits-of-privacyenhancing-technologies-pets/
22 Koorn, R.; van Gils, H.; ter Hart, J.; Overbeek, P.; Tellegen, P.; Borking, J., Privacy Enhancing Technologies – Witboek voor beslissers (white paper for decision makers); Ministry of the Interior and Kingdom Relations; The Hague, 2004
23 Privacy Enhancing Technologies – A Review of Tools and Techniques, Technology Analysis Division of the Office of the Privacy Commissioner of Canada (2017), https://www.priv.gc.ca/en/opc-actionsand-decisions/research/explore-privacy-research/2017/pet_201711/
24 Stanford Cyberlaw PET wiki, https://cyberlaw.stanford.edu/wiki/index.php/PET
25 ENISA, “Privacy by Design in Big Data” (2015), https://www.enisa.europa.eu/publications/big-data-protection
26 ISO/IEC 29100:2011, https://www.iso.org/standard/45123.html
27 ISO/IEC 27550 Privacy engineering, https://www.iso.org/standard/72024.html
28 ISACA Privacy Principles and Program Management Guide, http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/ISACA-Privacy-Principles-and-Program-Management-Guide.aspx



29 IEEE P7002™ Data Privacy Process, https://standards.ieee.org/develop/project/7002.html
30 Dr. Ann Cavoukian (2012), “Operationalizing Privacy by Design”, http://www.cil.cnrs.fr/CIL/IMG/pdf/operationalizing-pbd-guide.pdf
31 Yong-Sang Cho, Tore Hoel, Weiqin Chen (2016), “Mapping a Privacy Framework to a Reference Model of Learning Analytics”, http://www.laceproject.eu/wp-content/uploads/2015/12/ep4la2016_paper_4.pdf
32 Prinsloo, P. and Slade, S. (2017), “Ethics and Learning Analytics: Charting the (Un)Charted”. In Lang, C., Siemens, G., Wise, A. F., and Gašević, D., editors, The Handbook of Learning Analytics, pages 49–57. Society for Learning Analytics Research (SoLAR), Alberta, Canada, 1st edition
33 OASIS Privacy Management Reference Model (PMRM) TC, https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=pmrm
34 OASIS Privacy by Design Documentation for Software Engineers (PbD-SE) TC, https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=pbd-se
35 MITRE Privacy Engineering Framework (2014), https://www.mitre.org/publications/technical-papers/privacy-engineering-framework
36 PRIPARE, Preparing Industry to Privacy-by-design by supporting its Application in Research, http://pripareproject.eu/
37 J.-H. Hoepman, “Privacy design strategies”, arXiv:1210.6621 (October 2012)
38 London Economics, “Analysis of the potential economic impact of GDPR – October 2017”, https://londoneconomics.co.uk/blog/publication/analysis-potential-economic-impact-gdpr-october-2017/
39 Campbell, James David; Goldfarb, Avi; Tucker, Catherine E., “Privacy Regulation and Market Structure” (August 15, 2013). Available at SSRN: https://ssrn.com/abstract=1729405 or http://dx.doi.org/10.2139/ssrn.1729405
40 Gómez, David & Rojas, Alfonso (2015), “An Empirical Overview of the No Free Lunch Theorem and Its Effect on Real-World Machine Learning Classification”, Neural Computation 28, 1-13, DOI 10.1162/NECO_a_00793
41 Dr. Anthony Scriffignano, Chief Data Scientist at Dun & Bradstreet, and Dr. David Bray, Executive Director at People-Centered Internet, CXOTalk episode 270, “Data, AI, and Algorithms: New Year’s Resolutions for 2018”, January 2018, https://www.cxotalk.com/episode/data-ai-algorithms-new-years-resolutions-2018
42 DOE/Lawrence Berkeley National Laboratory, “‘Minimalist machine learning’ algorithms analyze images from very little data: CAMERA researchers develop highly efficient neural networks for analysing experimental scientific images from limited training data”, ScienceDaily, 21 February 2018, www.sciencedaily.com/releases/2018/02/180221122909.htm
43 Yves-Alexandre de Montjoye, Ali Farzanehfar, Julien Hendrickx and Luc Rocher, “Solving Artificial Intelligence’s Privacy Problem”, Field Actions Science Reports [Online], Special Issue 17 | 2017, online since 31 December 2017, accessed 05 March 2018, http://journals.openedition.org/factsreports/4494
44 Open Algorithms (2017), OPAL, http://www.opalproject.org/
45 “Uniquely Generation Z: What brands should know about today’s youngest consumers”, IBM Institute for Business Value, January 2017, https://www-935.ibm.com/services/us/gbs/thoughtleadership/uniquelygenz/
46 “Gen Z brand relationships: Authenticity matters”, IBM Institute for Business Value, 2017, http://www-935.ibm.com/services/us/gbs/thoughtleadership/genzbrand/
47 The German Government’s Digital Summit, White Paper on Pseudonymisation, drafted by the Data Protection Focus Group, 2017, https://www.eprivacy.eu/fileadmin/Redakteur/News/2017_Data_Protection_Focus_Group-White_Paper_Pseudonymisation.pdf
48 Marco Tulio Ribeiro, Sameer Singh, Carlos Guestrin, “Introduction to Local Interpretable Model-Agnostic Explanations (LIME): A technique to explain the predictions of any machine learning classifier”, August 12, 2016, https://www.oreilly.com/learning/introduction-to-local-interpretable-model-agnostic-explanations-lime
49 https://www.darpa.mil/program/explainable-artificial-intelligence
50 Reuben Binns, Max Van Kleek, Michael Veale, Ulrik Lyngs, Jun Zhao and Nigel Shadbolt (2018), “‘It’s Reducing a Human Being to a Percentage’: Perceptions of Justice in Algorithmic Decisions”, ACM Conference on Human Factors in Computing Systems (CHI’18), April 21–26, Montreal, Canada, doi: 10.1145/3173574.317395
51 J. Indumathi (2012), “A Generic Scaffold Housing the Innovative Modus Operandi for Selection of the Superlative Anonymisation Technique for Optimized Privacy Preserving Data Mining”, in Data Mining Applications in Engineering and Medicine, Adem Karahoca (Ed.), InTech, DOI: 10.5772/49982. Available from: https://www.intechopen.com/books/data-mining-applications-inengineering-and-medicine/a-generic-scaffold-housing-the-innovativemodus-operandi-for-selection-of-the-superlative-anonymisat
52 Hintze, Mike and LaFever, Gary, “Meeting Upcoming GDPR Requirements While Maximizing the Full Value of Data Analytics” (January 2017). Available at SSRN: https://ssrn.com/abstract=2927540 or http://dx.doi.org/10.2139/ssrn.2927540


“What do I mean by who am I?” Douglas Adams, The Hitchhiker’s Guide to the Galaxy

PUBLISHED BY

Protegrity: Proven Experts in Data Security

Protegrity is the only enterprise data security software platform that combines machine learning, data discovery and classification tools, with scalable, data-centric encryption and pseudonymisation technologies, to help businesses secure sensitive information everywhere while maintaining its usability. Built for complex, heterogeneous business environments, Protegrity provides unprecedented levels of data security for applications, data warehouses, mainframes, big data and the cloud with the industry’s first all-in subscription solution. Companies trust Protegrity to help them identify, locate and protect sensitive data by design and by default, enterprise wide, to reduce risk, manage privacy, achieve compliance, enable business analytics and confidently adopt new platforms. For additional information visit www.protegrity.com



“Arthur blinked at the screens and felt he was missing something important. Suddenly he realised what it was.” Douglas Adams, The Hitchhiker’s Guide to the Galaxy

Like Arthur Dent in The Hitchhiker’s Guide to the Galaxy, organisations around the world are suddenly realising they have been missing something important: that people care about their privacy. As digital citizens we have no choice but to trust the educators, healthcare providers, government agencies, financial institutions, retailers, social media platforms, tech firms and communications companies we engage with daily via mobile apps, websites and connected devices. The reality is that those we entrust with our personal information are the only ones who can truly safeguard our privacy. In this context, the exponential growth in personal data and the analysis of it has led to increasingly rigorous legislation that has globally heightened a sense of organisational responsibility. Europeans have taken the lead here with their General Data Protection Regulation, but enterprises around the world are concerned about honouring their responsibilities as custodians of our personal information, so it is my very great pleasure to present “the answer to the great question”: The Hitchhiker’s Guide to Privacy by Design, by Barbara Peruskovic.

Suni Munshani, Protegrity CEO

Published by Protegrity 2018


