420 likes | 552 Vues
2013 Criminal Justice Information Forum on Data Exchange and Information Sharing Standards and Models. Privacy for Practitioners—Real Case Studies Illustrating Privacy Policy Development and Impact Assessment February 5, 2013. Cabell Cropper Christina M. Abernathy
E N D
2013 Criminal Justice Information Forum on Data Exchange and Information Sharing Standards and Models Privacy for Practitioners—Real Case Studies Illustrating Privacy Policy Development and Impact AssessmentFebruary 5, 2013 Cabell Cropper Christina M. Abernathy National Criminal Justice Association Institute for Intergovernmental Research Diana GraskiBecki Goggins National Center for State Courts State of Alabama
Topics • Privacy overview • Global privacy resources • Illinois privacy resources • Global success stories • Keys to success • Technical privacy case studies and success stories
Privacy Overview What is privacy? • Privacy refers to individuals’ interests in preventing the inappropriate collection, storage, use, and release of personally identifiable information • Privacy, as it relates to information sharing, concerns information whose confidentiality is enforceable by law or social norms
Privacy Overview What Is a Privacy Policy? What Is the Purpose of a Privacy Policy?
Privacy Overview What Is the Difference Between a Privacy Policy and a Security Policy?
Privacy Overview Why do you need a privacy policy? • “the public’s acceptance of an integrated justice information system is related to its confidence that the government is taking measures to protect individual’s privacy interests” • There is “a need to educate the public as to what information about citizens is available in the justice system and what is available to the public” • “Privacy issues are raised when the government collects information about individuals for investigatory purposes absent any suspicion of criminal wrongdoing . . . mere collection of personally identifiable victim and witness information raises genuine privacy concerns . . . factors should be identified to balance the amount of data collected to address privacy concerns while still meeting legitimate law enforcement needs” • “A sound privacy policy should clearly identify appropriate uses of the information contained in the information system” ‒ IIJIS’ Privacy Issues Confronting the Sharing of Justice Information in an Integrated Justice Environment
Privacy Overview Reasons for Having a Privacy Policy It’s the Right Thing to Do!
What Can Happen Without a Privacy Policy? • Effects of Improper Practices • Tarnish an individual’s reputation • Personal or financial injury to individuals • Loss of ability to share information • Lawsuits and paying settlements or judgments • Loss of public support and confidence • Loss of funding and resources • Getting shut down • Decline in morale
From Privacy to Information Quality • The collection and sharing of poor quality information raises serious privacy concerns because the two concepts are inherently linked • Quality information plays an extremely important role in the protection of the privacy rights of individuals • Through cross-collaboration among local, state, tribal, and federal justice entities, information is shared to form the records that underlie justice decision-making • As cross-collaboration increases, it is imperative that justice entities address the quality of the information shared
From Privacy to Information Quality How Can You Develop and Implement Privacy and Information Quality Policies and Procedures?
Global Justice Information Sharing Initiative—or “Global” • Federal advisory body to nation’s chief law enforcement officer, the U.S. Attorney General (AG) • Supported by the Bureau of Justice Assistance (BJA) and the Office of Justice Programs (OJP), U.S. Department of Justice (DOJ) • Representatives from across the justice landscape, affecting the work of more than 1.2 million justice professionals • Global’s Advisory Committee (GAC) working groups, councils, and task teams are formed around timely justice issues: • Intelligence • Infrastructure, standards, security • Business solutions • Privacy and information quality
Global Privacy Resources Booklet • A road map to help justice entities navigate the diverse privacy resources available today • Structured to help determine which products to use when and for what purpose • Products are grouped according to their use at each step of a Privacy Program Cycle • All Global Privacy Resources are available online at www.it.ojp.gov/privacy
Global Privacy Resources • Step 1. Educate and Raise Awareness • Executive Summary for Justice Decision Makers: Privacy, Civil Rights, and Civil Liberties Program Development • 7 Steps to a Privacy, Civil Rights, and Civil Liberties Policy
Global Privacy Resources • Step 2. Assess Agency Privacy Risks • Guide to Conducting Privacy Impact Assessments for State, Local, and Tribal Justice Entities (or “PIA Guide”)
Global Privacy Resources • Step 3. Develop the Privacy Policy • Privacy, Civil Rights, and Civil Liberties Policy Development Guide for State, Local, and Tribal Justice Entities (Global Privacy Guide) • Privacy, Civil Rights, and Civil Liberties Policy Development Template for State, Local, and Tribal Justice Entities (SLT Policy Development Template)
Global Privacy Resources • Step 4. Perform a Policy Evaluation • Privacy, Civil Rights, and Civil Liberties Policy Development Template for State, Local, and Tribal Justice Entities: Policy Review Checklist
Global Privacy Resources • Step 5. Implement and Train • Coming Soon! Establishing a Privacy Officer Function Within a Justice or Public Safety Entity: Recommended Responsibilities and Training • The Importance of Privacy, Civil Rights, and Civil Liberties Protections in American Law Enforcement and Public Safety DVD—or “Line Officer Video”
Global Privacy Resources • Step 5. Implement and Train • Implementing Privacy Policy in Justice Information Sharing: A Technical Framework • Privacy, Civil Rights, and Civil Liberties Compliance Verification for the Intelligence Enterprise • Recommendations for First Amendment-Protected Events for State and Local Law Enforcement Agencies (and reference card) • Criminal Intelligence Systems Operating Policies (28 CFR Part 23) Online Training
Global Privacy Resources • Step 6. Conduct an Annual Review • Privacy, Civil Rights, and Civil Liberties Policy Development Template for State, Local, and Tribal Justice Entities:Policy Review Checklist
Global’s Information Quality (IQ) Series • Information Quality: The Foundation for Justice Decision Making • 9 Elements of an Information Quality Program • Information Quality Self-Assessment Tool • Information Quality Program Guide • Available online at www.it.ojp.gov/IQ_Resources
Illinois Privacy Resources • Where do I look for existing privacy policies? • Employee handbooks • Concept of operations manuals • Standard operating procedures • Security manuals • Memoranda of understanding • User agreements • State and federal statutes
Illinois Privacy Resources • Local examples of privacy standards and recommendations: • IIJIS’ Privacy Policy Guidance, www.icjia.state.il.us/iijis/ • Illinois State Police Academy curriculum
Illinois Privacy Resources IIJIS Privacy Policy Subcommittee’s charge: “Developing policies to ensure that the enhanced sharing of justice information made possible through advancing information technologies is carried outin accordance with Illinois law and its citizens’ reasonable expectation of privacy”
Illinois Privacy Resources Excerpt from IIJIS’ Mission: “Through integrated justice information sharing we will enhance the safety, security, and quality of life in Illinois; improve the quality of justice, the effectiveness of programs, and the efficiency of operations; and ensure informed decision-making, while protecting privacy and confidentiality of information” Strategic Issue 3: Serve justice, public safety, and homeland security needs while protecting privacy, preventing unauthorized disclosures of information, and allowing appropriate public access
Illinois Privacy Resources • July 27, 2010—Illinois Statewide Terrorism Intelligence Center, Illinois State Police, successfully finalized its comprehensive privacy policy, fully meeting all ISE Privacy Guidelines and DHS standards
Illinois Privacy Resources • March 11, 2011—Chicago Crime Prevention and Information Center, Chicago Police Department, finalized a comprehensive privacy policy that fully met the Information Sharing Environment (ISE) Privacy Guidelines and federal standards set by the U.S. Department of Homeland Security (DHS)
Global Success Stories Connect South Dakota—NGA Privacy TA Effort “Using Global Resources, such as the SLT Policy Development Template, we were able to ‘Connect South Dakota’ (Connect SD) law enforcement in a statewide data exchange project, while ensuring the privacy rights and civil liberties of the citizens we serve. Upon completion of the Connect SD privacy policy, it was important to ensure our officers were trained on privacy protections. To accomplish this goal, we utilized Global’sline officer training video and First Amendment-protected event resources” —Bryan Gortmaker, Director South Dakota Division of Criminal Investigation
Global Success Stories CONNECT Consortium—NGA Privacy TA Effort “For several years, the Alabama Criminal Justice Information Center (ACJIC) has been involved in a multi-state initiative—called CONNECT—which has served as a proof-of-concept for sharing rich criminal justice information across state lines. Since its inception, the CONNECT leadership has recognized the importance of adopting a strong privacy and civil liberties policy to govern usage of CONNECT. Thanks to the Global SLT Policy Development Template and the Global Privacy Impact Assessment Guide, CONNECT was able to craft a model policy to meet the needs of the member states (Alabama, Kansas, Nebraska and Wyoming). Despite the fact that each state has its own set of governing laws and policies concerning the sharing of criminal justice information, the Global templates were robust enough to allow for the creation of a single policy to govern CONNECT usage” —Maury Mitchell, Director, Alabama Criminal Justice Information Center
Global Success Stories • Hawaii Integrated Justice Information Sharing (HIJIS) Program—NGA Privacy TA Effort • Indiana Data Exchange (IDEx) • 77 DHS Designated Fusion Centers and 15 Regional Nodes
Global Success Stories Alabama Fusion Center “DOJ’s OJP Web site pertaining to Global Privacy Resources, www.it.ojp.gov/privacy, is an amazing resource and I highly recommend it to anyone that wants to learn more about privacy, civil rights, and civil liberties. The site is designed to help with all aspects of the Privacy Program Cycle, including providing all the materials necessary to develop a comprehensive privacy policy or to evaluate an existing policy. As a relatively new Fusion Center Director, privacy was one of the first areas that I focused on and this site provided all the materials necessary to help create our program. Thanks to the DOJ subject matter experts who developed this site!” —Joe B. Davis, Ph.D., Director, Alabama Fusion Center
Keys to Success • Executive sponsorship • Input from stakeholders • Designation of privacy officer • Ongoing training and review
Technical Privacy: Resources and Success Stories • Business drivers for technical privacy enforcement: • From user’s perspective, too many user IDs and rules to manage • From technologist’s perspective, too many users and rule changes to manage • From enterprise’s perspective, policy experts cannot manage policy’s implementation in applications and cannot reasonably audit for compliance • Solution: Global’s Privacy Policy Technical Framework
Benefits of External Authentication • From a user’s perspective, single sign-on • From a technologist’s perspective, application no longer contains user sign-on logic, and user tables are managed elsewhere • From the enterprise’s perspective, trusted, shared standards for identity proofing and provisioning and deprovisioning users
Benefits of External Authentication • From a user’s perspective, not much impact • From a technologist’s perspective, application no longer contains authorization logic • From the enterprise’s perspective, policy experts now manage access-control policies, revised policies are implemented immediately across the suite of applications, and compliance tools can be implemented on audit data
Learn More: TechnicalPrivacyTraining.org • Executive briefing video • Interactive primer (seven 15-minute modules) • Readiness assessment (with case studies, surveys, and tailored recommendations for next steps) • Implementation Guide (for your developers, with XACML lessons and a virtual machine) • Resources • Request for technical assistance