Privacy Risk Models and Frameworks

• Nissenbaum’s Contextual Integrity

• Calo’s Harmful Dimensions

• Legal Compliance

• FIPPs

• NIST/NICE framework

• FAIR (Factors Analysis in Information Risk)

Privacy by Design Foundational Principles

• Full Life Cycle Protection

• Embedded into Design

• Full Functionality

• Visibility and Transparency

• Proactive not Reactive

• Privacy by Default

• Respect for Users

Value Sensitive Design

• How Design Affects Users

• Strategies for Skillful Practice

The Data Life Cycle

• Collection

• Use

• Disclosure

• Retention

• Destruction

Fundamentals of privacy-related IT

• Organization privacy notice

• Organization internal privacy policies

• Organization security policies, including data classification policies and schema, data retention and data deletion

• Other commitments made by the organization (contracts, agreements)

• Common IT Frameworks (COBIT, ITIL, etc.)

• Data inventories, classification and records of processing

• Enterprise architecture and data flows, including cross-border transfers

• Data Protection and Privacy impact assessments (DPIA/PIAs)

Information Security

• Transactions which collect confidential data for use in later processing activities

• Breach/disclosure incident investigations and responses—security and privacy perspectives

• Security and privacy in the systems development life cycle (SDLC) process

• Privacy and security regulations with specific IT requirements

The privacy responsibilities of the IT professional

• Consultation on internal and external policies

• Consultation on contractual and regulatory requirements

• Understanding how IT supports information governance in an organization

During Data Collection

• Asking people to reveal personal information

• Surveillance

During Use

• Insecurity

• Identification

• Aggregation

• Secondary Use

• Exclusion

During Dissemination

• Disclosure

• Distortion

• Exposure

• Breach of Confidentiality

• Increased accessibility

• Blackmail

• Appropriation

Intrusion, Decisional Interference and Self Representation

• Behavioral advertising

• Cyberbullying

• Social engineering

Software Security

• Vulnerability management

• Intrusion reports

• Patches

• Upgrades

• Open-source vs Closed-source

Data Oriented Strategies

• Separate

• Minimize

• Abstract

• Hide

Techniques

• Aggregation

• De-identification

• Encryption

• Identity and access management

• Authentication

Process Oriented Strategies

• Informing the Individual

• User Control

• Policy and Process Enforcement

• Demonstrate Compliance

During Data Collection

• Asking people to reveal personal information

• Surveillance

During Use

• Insecurity

• Identification

• Aggregation

• Secondary Use

• Exclusion

During Dissemination

• Disclosure

• Distortion

• Exposure

• Breach of Confidentiality

• Increased accessibility

• Blackmail

• Appropriation

Intrusion, Decisional Interference and Self Representation

• Behavioral advertising

• Cyberbullying

• Social engineering

Software Security

• Vulnerability management

• Intrusion reports

• Patches

• Upgrades

• Open-source vs Closed-source

Data Oriented Strategies

• Separate

• Minimize

• Abstract

• Hide

Techniques

• Aggregation

• De-identification

• Encryption

• Identity and access management

• Authentication

Process Oriented Strategies

• Informing the Individual

• User Control

• Policy and Process Enforcement

• Demonstrate Compliance