TERRA INCOGNITA
Privacy Horizons

29th International Conference of
Data Protection and Privacy Commissioners

Workshop
"Law Meets Technology"
Standards

September 26
13h30 - 16h00

Terra Incognita, workbook series # 5

Table of contents

Biographies

  • Mr. John Borking – Chair
  • Dr. Colin Bennett
  • Mr. John P. Hopkinson
  • Mr. John Sabo

Saying what you do and Doing what you say: Arguments and Prospects for an International Privacy Standard (C. Bennett and R. Bayley)

  • Introduction
  • What can management standards contribute to data protection?
  • The rationale for a privacy management standard
  • The history of privacy management standardization
  • Conclusion: Implications for data protection authorities
  • Endnotes

Advancing the Privacy Agenda in Canada: Developing a Canadian Standardization Strategy – Workshop held February 22, 2007 – Ottawa

Security Initiatives in the International Telecommunication Union (M. Harrop)

Canadian Privacy Standards Strategy Workshop – ISO/IEC JTC 1 Briefing – February 2, 2007


Biographies

Mr. John Borking
A former Privacy Commissioner for the Netherlands (1994 – 2006), John Borking is Director of Borking Consultancy, a one man consultancy firm on privacy protection and e-ADR (alternative dispute resolution). Mr. Borking currently participates in a number of privacy-related research initiatives including PRIME (Privacy and Identity management for Europe), EUROPRISE (privacy seals), the Dutch research group PAW (Privacy in an Ambient World) and the Norwegian research group PETWEB (PET for web applications). These initiatives cover topics as diverse as RFIDs, software agents, and trying to create an e-immunity environment around a person for protecting privacy and enhance security in the ambient world. He is general secretary of The Wroclaw Foundation dealing with standardization of privacy and PET technologies. He is and has been (co-) author of many books and articles about privacy and privacy enhancing technologies, software protection, computer law, e-gaming, alternative dispute resolution and e-mediation.

Dr. Colin Bennett
Colin Bennett received his Bachelor's and Master's degrees from the University of Wales, and his Ph.D from the University of Illinois at Urbana-Champaign. Since 1986 he has taught in the Department of Political Science at the University of Victoria, where he is now Professor. From 1999-2000, he was a fellow at Harvard’s Kennedy School of Government. In 2007 he was a Visiting Fellow at the Center for the Study of Law and Society at University of California, Berkeley. His research has focused on the comparative analysis of surveillance technologies and privacy protection policies at the domestic and international levels. In addition to numerous scholarly and newspaper articles, he has published three books: Regulating Privacy: Data Protection and Public Policy in Europe and the United States (Cornell University Press, 1992); Visions of Privacy: Policy Choices for the Digital Age (University of Toronto Press, 1999, with Rebecca Grant); The Governance of Privacy: Policy Instruments in the Digital Age (Ashgate Press, 2003; MIT Press, 2006 with Charles Raab).

Mr. John P. Hopkinson
John P. Hopkinson is Security Strategist, EWA Information & Infrastructure Technologies Inc., an EWA Company and President, ISSEA (International Systems Security Engineering Association). Mr. Hopkinson joined /IIT in May 2001 and is responsible for Standards and Consortia activities and liaison. He develops strategies and action plans to fulfill those strategies. John Hopkinson has over 35 years of experience in the security field in the military and commercial sectors. He has conducted research in many areas related to information technology security. Mr. Hopkinson was a key contributor to the development of the SSE-CMM, ISO/IEC 21827. He is the Chairman of the Technical Committee on Information Technology, Head of the Canadian Delegation for ISO/IEC JTC 1, a Member of the Academic Board of the International Systems Security Professional Certification Scheme, a Member of ISO/IEC JTC 1/SC 27 and a Member of the Canadian National Committee on ISO. He has received the Award of Merit from the Canadian Standards Association and the Leadership Award from the Standards Council of Canada.

Mr. John Sabo
John Sabo, CISSP, is Director, Global Government Relations for CA, Inc., providing expertise in the use of CA technologies in trusted infrastructures and leading internal and external security and privacy initiatives. Mr. Sabo is a member of the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee and serves in a number of industry leadership positions: President, International Security, Trust, and Privacy Alliance (ISTPA); President, Information Technology-Information Sharing and Analysis Center (IT-ISAC); Chair, ISAC Council; member, IT Sector Coordinating Council; and member, OASIS IDtrust Member Section Steering Committee. Prior to his work in the private sector, Mr. Sabo was Director of the Social Security Administration’s Electronic Services Staff, where he addressed online security and privacy policy and operational issues. Mr. Sabo holds degrees from King’s College (Pennsylvania) and the University of Notre Dame, and is a Certified Information Systems Security Professional (CISSP).

Saying what you do and Doing what you say: Arguments and Prospects for an International Privacy Standard
by: Colin J. Bennett and Robin Bayley


Paper commissioned by the Office of the Privacy Commissioner of Canada. The views and opinions contained in this document are those of the authors and do not necessarily reflect the views and opinions of the Office of the Privacy Commissioner of Canada nor of the Government of Canada.

I. Introduction

A network and a discourse have grown up over the last 30 years surrounding the concepts of privacy and data protection. Policies have generally emerged out of a profound and widespread concern about the erosion of a fundamental human right in the face of some powerful bureaucratic and technological forces. At the same time, there has been a similarly expanded network and growing discourse in the standards community surrounding the notion of "quality assurance." For the most part, these worlds have not intersected. Each has its own assumptions, institutions, practices and language. The purpose of this paper is to trace the history of the attempts to bring these worlds together, and to suggest ways in which the institutions and skills of the standards community might contribute to the implementation of privacy rights and responsibilities in complex public and private organizations.

In the 1970s and 1980s, it was commonly presumed in many areas of the world, that the only instrument necessary for the protection of personal information was an information privacy (data protection) law, overseen by an independent data protection authority.1 In the 1990s, those assumptions changed. Legislation was then seen as a necessary but not sufficient condition for resolving the myriad personal information problems encountered in a globally connected and networked environment. Other self-regulatory and technological instruments also had to be part of the solution: codes of practice, privacy seal programs, privacy-enhancing technologies and privacy impact assessments. This is the context in which the idea of a management standard devoted to the protection of personal information arose.2

This paper first outlines the rationale for general management standards and how they intersect with the requirements for responsible privacy and data protection. It then outlines the rationale for a separate management standard devoted solely to protecting privacy, and traces the various attempts to develop such a privacy standard through the Canadian Standards Association (CSA) and subsequently through the International Organization for Standardization (ISO), the European Committee for Standardization/Information Society Standardization System (CEN/ISSS) and the International Security, Trust, and Privacy Alliance (ISTPA). The paper concludes that the rationale for an international privacy management standard is powerful but that much activity has yielded few real achievements. It suggests the reasons and provides some ways forward for the community of data protection authorities.

II. What can management standards contribute to data protection?

Two sets of preliminary questions have to be answered in order to address the contribution of management standards to data protection. Firstly, to what extent can existing quality assurance systems3 promote the principles of data protection and thereby assist the compliance work of data protection authorities? Secondly, is there a separate case for a stand-alone management standard which could, for some organizations, be "bridged"4 to the registration of an existing quality assurance standard, like ISO 9001?

For many years the privacy and data protection community–regulators, academics, consultants and advocates–have insisted on the importance of building a "culture of privacy" within organizations.5 This normally means that privacy and data protection principles cannot be imposed from without; they have to be seen internally as the ‘right thing to do’. There must be a public commitment to the information privacy principles, as well as to the organization’s processes and values to ensure that they are carried out.

In the words of standards bodies, organizations should "say what they do and do what they say". The ISO 9000 family of quality assurance standards essentially embodies a series of documents that require organizations to:

  • Document what they do
  • Perform to that documentation
  • Ensure the process is effective
  • Record the results of the work 6

The ISO 9000 series was first produced in 1987, updated in 1994 and further revised in 2000, when the generic standard (ISO 9001) consolidated the requirements of a number of older standards in the series. The 2000 version placed a stronger emphasis on ‘process management’ and monitoring of internal tasks and activities, rather than just inspecting the final product. "Generic" means that the same standards can be applied to any organization, regardless of size, activity or product. These standards apply to the entire management system and bear a number of essential features which any organization has to implement if it wants the registration and the cachet of "total quality management". The same principles apply to the equivalent system of environmental process standards within the ISO 14000 series.

More and more organizations, in both public and private sectors, are recognizing the benefits of quality management registration.7 A survey in 2004 demonstrated that by the end of that year, the worldwide total of ISO 9000 certificates was at 670,399, an increase of 172,480 over the previous year. The number of countries in which ISO 9000 certificates have been issued is now 154.8 It is also commonly assumed that quality assurance systems apply solely to the private sector. But an increasing number of public sector agencies are also seeing the benefits of ISO 9001 registration–for instance, many organizations in the health care sector. Independent studies have demonstrated an improvement of patient care without leading to excessive bureaucracy.9 Universities, schools and local governments have also seen the benefits.

Quality assurance methods are, therefore, global in character, applicable in all sectors and seemingly on the increase.

The following is a brief explanation of the ISO quality assurance process. According to one report, ISO 9000 quality assurance:

  • Provides the means for staff to perform their tasks at the right time;
  • Provides the means for identifying the right tasks and specifying them in a way that will yield the right results;
  • Provides the means for documenting the company’s experience in a structured manner and thus establishing a basis for educating and training staff and the systematic improvement of performance;
  • Provides objective evidence that can be used to demonstrate the quality of the company’s products and services, and that its operations are under control to assessors, customers’ representatives, etc.;
  • Reduces "fire fighting" and thus frees managers from having to intervene constantly in business operations;
  • Helps maintain consistency in the quality of products or services;
  • Brings clarity and transparency to duties and responsibilities;
  • Improves traceability (material can be traced at any stage from procurement to every stage of processing and final delivery to customer).10

Of course, no one quality assurance system is like another; the organization is obliged to tailor the standard to its own processes and functions. The general requirements set out in ISO 9001 (a relatively brief 12 pages), need to be interpreted and set out in a quality manual for each organization. Each organization indicates how it will implement the requirements and outlines this in a manual which guides the development of a set of prescriptive procedures for each unit of the organization. It is this documentation which forms the basis of quality planning and review, and internal audit. Organizations are then generally registered by a professionally accredited third party (a registrar)11 whose auditors determine whether the quality system criteria have been successfully met. Registrars can be special units in large accounting/consultancy firms, stand-alone specialized firms, or a body within a national standards organization, such as the Quality Management Institute in Canada.

Once registered, each organization (or system within an organization) is subject to periodic audits of sections of its operation, and usually a full-scale re-audit every three years, or a rolling audit of a third of its operations every year. Thus the quality assurance process is dynamic and organizations are expected to review their systems continually and make appropriate adjustments to the registration if there is a dramatic change in operations.12

Therefore, it is plausible to contend that those organizations that have gone through ISO 9001 quality assurance are less likely to experience breaches of personal data and other privacy scandals, for a number of reasons, including:

  • The organization will have undergone thorough internal and external audits and should therefore be aware of its various operating systems and what personal data they hold.
  • The organization is less likely to suffer from the "left hand not knowing what the right hand is doing" problem, so often encountered when organizations are exposed for flouting privacy standards. Total quality management should at least give top management a comprehensive overview of operations and a regular process for fixing problems.
  • Staff will have undergone training.
  • While documenting their processes for registration, organizations are required to examine and address any regulatory requirements.
  • Outside expertise is brought in during auditing to obtain registration, and auditors have the opportunity to alert the organization to areas where there is room to improve their practices.

There are indeed more explicit parallels between the existing ISO 9001 framework and privacy and data protection principles, especially for those personal data intensive organizations whose purpose is the delivery to clients of accurate personal data. For companies in the data brokerage, credit-reporting, and direct-marketing industries, their "product" is personal data. Total quality management can assure suppliers and clients that these data are accurate, up-to-date and complete; that appropriate security safeguards are in place; and that there are appropriate retention schedules, among others. In short, quality assurance can help establish that the organization is accountable and responsible for the personal data in its custody–the principal assumption behind most data protection regimes.

Contemporary privacy auditors and consultants essentially think in very similar and holistic "quality assurance" terms, even if they are not explicit, or even cognizant of this approach. The Ponemon Institute in the United States, for instance, extols "Responsible Information Management" – "a process for ensuring trust and confidence in how a company’s leaders conduct business. Specifically, it has to do with the alignment of the privacy preferences of key stakeholders–such as consumers, employees and the general public–with business, data and technology."13

Quality assurance can test whether procedures are in place for interacting with consumers, as well as business clients. For example, the receipt, processing and response to customer complaints are central components of a quality assurance system for many companies. There are "quality" ways to set up a complaints resolution process, and there are "less quality" ways. There are established quality procedures for linkage between a system of individual complaint resolution and the analysis of larger systemic problems. There is nothing inherently different between effective complaints resolution for faulty widgets, and complaints resolution concerning the mistreatment of personal information.

Of course, quality assurance standards cannot serve as a substitute for law which is crucial in establishing the general lines which organizations cannot cross. However, once legal rules for privacy protection are established, (as indeed they are in the vast majority of advanced industrial states), then the critical task is to ensure that declared data protection or privacy policies are implemented throughout an organization. A standards registration process whereby organizations say what they do, and have their practices verified to determine if they do what they say, could potentially become one of the various "policy instruments" within the toolbox of data protection officials.

III. The Rationale for a Privacy Management Standard

Much of contemporary data protection implementation is about transparency – internally to management and staff, and externally to data subjects and regulators. In the 1990s, a number of privacy and data protection experts began to realize that using an international quality assurance standard could contribute to resolving the perennial problem of trying to determine what actually happens to personal data within complex organizations. The experts also recognized that although privacy is a fundamental human right, it is also one that entails implementation in complex organizations.

Thus in the terms of fair information principles14, management standards can:

  • Promote transparency of organizational policy and purposes
  • Improve and verify the procedures for interacting with data subjects
    (complaint resolution, access requests, and consent provisions)
  • Improve and verify internal procedures for personal data management
    (data security, data quality, and data retention)

Several factors motivated this community to begin thinking about the possibility of using standards as one of the instruments in the privacy toolkit.

First, there was a broad recognition that consumer concerns about privacy and security had to be properly satisfied during the development and integration of global electronic commerce in the mid-to late 1990s. This recognition raised the problem of determining the comparability of privacy standards internationally and whether such instruments were indeed being properly implemented. Much of this analysis occurred as a result of the "adequacy" test under the 1995 EU Data Protection Directive. It is reasonably straightforward to compare the "black letter of the law" to determine whether legal provisions were indeed equivalent. It is also possible to compare the roles and responsibilities of supervisory authorities to determine the extent of independent oversight. Obviously, it was far more difficult to measure and compare actual compliance and thus give consumers real assurances that personal data transferred internationally were being afforded adequate levels of protection. Global electronic commerce increased the urgency of grappling seriously and internationally with the fundamental question: how were data protection authorities going to evaluate whether data protection rules were indeed being followed within other jurisdictions, especially when many of them lacked serious audit powers and methodologies?15

Second, the early attempts to address this concern did not inspire much confidence. There are, in fact, a variety of poorly defined and understood self regulatory instruments: privacy commitments about how an organization believes it treats personal information; privacy codes of practice which embody a codified set of rules for employees; privacy standards which imply not only a common yardstick for measurement, but also a process through which conformity to these norms might be assessed; and privacy seals – the ‘good housekeeping’ stamps of approval which give the organization that mark, symbol or cachet of privacy compliance. Ideally, the self regulatory process should be cumulative. An organization should declare its commitment to personal privacy protection, codify its policy, seek external certification for its practices, and then receive the seal of approval. 16

In reality, the process of adopting these instruments is rarely a linear one. More often than not, public claims are made – especially on websites – without systematic internal analysis. Often "privacy policies" are not carefully codified. Frequently, privacy seals have been awarded without the kind of systematic and rigorous investigation and auditing characteristic of quality assurance programs.

Many companies were very keen to demonstrate their privacy-friendliness when the Internet became a powerful and widespread tool for electronic commerce. This enthusiasm resulted in a mad rush to develop and implement privacy seal programs which generally did not satisfy international regulators.17 Further, there has been a proliferation of private sector privacy auditors, consultants, etc., who are not necessarily investigating and auditing to the same rigorous standards.

A third motivator for using a privacy management standard as part of the privacy policy toolkit was a trend towards government outsourcing of personal data. This practice was creating situations where contractors were not being held to the same privacy standards as government agencies. Outsourcing has been a trend in many countries, especially in North America, although the contracted organizations have been all over the world. On other continents, contracts refer to standards and thus relieve government agencies of having to perform direct oversight of a contractor’s operations. A condition of doing business with the government in some locations, therefore, is an ongoing registration to a particular standards program.18 Even though there will be concerns that registration to a standard should not reduce government’s regulatory responsibilities, nor relax privacy standards, there is an obvious potential for data protection authorities to use the standards registration process to ensure compliance when personal data is transmitted to an entity not otherwise covered by privacy protection law.

Any international privacy management standard should therefore entail:

  • translating the existing fair information principles for processing personal data into standards language and format;
  • separate guidance on how the principles should be implemented in organizations;
  • conformity assessment tools, appropriate to the size of business and the sensitivity of the personal data processed;
  • an audit guide; and
  • a system for the accreditation of privacy auditors.

Hypothetically, there might be a number of ways in which a management standard for privacy might circulate around the global information economy.

Use of Educational and Regulatory Powers of Data Protection Authorities

Data protection authorities could use their discretion and influence in a number of ways in order to increase the practice of organizations registering to a privacy standard (either a future international standard or, in Canada, the existing CSA standard), including:

  • Publicly urging companies or sectors "at risk" to register. This could be particularly effective if timed to follow a public breach which, although perpetrated by one organization, has damaged the reputation of the entire sector;
  • Obtaining the organization’s agreement to seek registration during the mediation process, as a way for the organization to avoid the matter proceeding to an Inquiry;
  • Using their authority to order an organization to register, should there be sufficient justification in their formal finding and the seriousness and breadth of noncompliance; and
  • In the final instance, court-ordered registration in lieu of, or in addition to, a fine or other criminal penalties.19

Privacy Standards for Competitive Advantage

The greater the disparity between registered and unregistered organizations, the greater the perceived competitive advantage of being registered to a standard. Therefore, registered organizations are likely to publicize the fact in order to distinguish themselves, and will wear that registration as a badge of honour. This could take the form of organizations highlighting their registration in advertising, in corporate information and on websites, as they do with other such socially-responsible activities as recycling, adhering to fair trade practices and giving to the local community. When the "good privacy players" are seen to have registered, the value of the standard increases.

An organization’s desire to distance itself from other players in a sector that has experienced a privacy breach could serve as a powerful incentive to register, and to publicize this fact. The closer an organization is to meeting the standards and regulations of its home jurisdiction, or those where it does business, the more likely it is to seek registration. In other words, those with good privacy practices are more likely to become registered in order to demonstrate that they are good privacy corporate players.

For organizations doing business internationally, particularly with jurisdictions whose level of privacy regulation is more stringent than its home jurisdiction, the organization could seek to distinguish itself from local competition by registering to a privacy standard. The benefits of this would be best felt if the standard were international.

Referencing the Standard in Contracts

Contracts can require the contractor to demonstrate registration to a recognized standard as a way to avoid stipulating certain practices or quality in detail. While both public and private sector organizations have often referenced standards in procurement documents, the onus is on the contract manager to audit to ensure adherence to standards. However, when an organization is registered to the standard, there is independent corroboration20, and risks are decreased for the contracting party.

Referencing an international standard further decreases the risk when contracts are made between or among organizations with different jurisdictional bases which may have different national norms (the case with privacy). European organizations would be able to demonstrate due diligence in contracting out processes involving personal information when requiring the contractor to be registered to an international privacy standard that incorporated the EU rules. This takes the guesswork out of the business of determining adequate protection.

As with governments and businesses seeking to contract within or outside of their countries, research-funding organizations may require applicants to register to a standard. In Canada, organizations such as the Medical Research Council, the Social Sciences and Humanities Research Council and the Natural Sciences and Engineering Councils could require universities or other research institutions to register to the CSA privacy standard as a condition for receiving funding. In this way, the councils could ensure that the organization using their funds adhered to the same ethical standards for the treatment of personal information, without having to conduct checks on each organization or wade through documentation to determine if their standards were met.

IV. The History of Privacy Management Standardization

Four main standards bodies have been involved over the last 10 to 15 years in attempts to develop an information privacy protection standard: the Canadian Standards Association (CSA), the International Organization for Standardization (ISO), the European Committee for Standardization/Information Society Standardization System (CEN/ISSS) and the International Security, Trust and Privacy Alliance (ISTPA).

The Canadian Standards Association

Many national standards associations have embarked on standards initiatives with close connections to, and implications for, privacy and data protection. 21 Only one, however, has constructed a general management standard embracing the entire set of information privacy principles, and applying to all organizations. Work on a "privacy code" within a Technical Committee of the CSA began in 1993. Negotiations were time-consuming, but on September 20th, 1995, the Model Code for the Protection of Personal Information (Model Code) was passed. It was subsequently approved as a national standard of Canada (Q830) by the Standards Council of Canada in March 1996.

CSA’s Model Code is constructed around 10 principles, each of which is accompanied by an interpretive commentary. Organizations and trade associations were expected to incorporate all principles in their entirety in their codes of practice and apply them to specific sectoral conditions. The Model Code was accompanied by a Workbook giving more practical advice and interpretation. At the time, some envisaged that the CSA Model Code would spread throughout the Canadian economy as a result of market pressures, moral suasion, contractual obligations and a general sense within Canadian business that this was a necessary way to avoid government regulation.

Although the Model Code uses certain prescriptive language such as "shall" and "must", it was designed as a voluntary instrument in the sense that organizations were not compelled to adopt it. Once adopted by an organization, however, the Model Code was designed to operate like any other standard. Claims of adoption would carry obligations: organizations would have to say what they do and do what they say. Accordingly, in 1996, the Quality Management Institute (QMI) announced a recognition program designed to allow businesses to register to the Model Code and thus demonstrate their compliance. This recognition program was sensitive to the fact that the privacy obligations of a large bank, insurance company and direct marketing firm were different from those of smaller or local enterprises. 22 Thus, unlike other self-regulatory instruments such as the OECD guidelines23, QMI clearly specified what it meant to "adopt" the Model Code. Businesses would have to develop an internal code of practice consistent with the Code, produce a set of guidelines for its internal implementation, and then apply to an accredited registrar to achieve a registration. Like other standards, the CSA’s Model Code was intended for registration, and to motivate some consistency in the marketplace and a higher level of consumer confidence.

The implementation of this Model Code was never fully realized because the Canadian government decided to develop private sector privacy legislation in 1999. The Personal Information Protection and Electronic Documents Act (PIPEDA) began its phased application in 2001. The central purpose of the legislation was to require organizations engaged in commercial activity in Canada to comply with the Model Code, reproduced verbatim in its Schedule 1. Thus, what had begun as an innovative self-regulatory measure was overtaken by political and legislative pressures. Transforming the code from a standard to law increased the breadth of its application but made compliance reactive rather than proactive, as it would have been for companies registering to the standard.

There were explicit reasons why the drafters of PIPEDA decided to legislate by reference to CSA’s Model Code. First, they believed that, since the private sector had already negotiated this standard, the legislation would do nothing more than force companies to "live up to their own rules". Secondly – and this point has been lost – the CSA Model Code in itself was seen as a crucial mechanism for ensuring compliance which could augment the federal Privacy Commissioner’s modest compliance resources. If an organization were registered, the Model Code would cease to be a "voluntary" mechanism. That organization would have to produce a code and a related set of operational guidelines and be subjected to regular and independent auditing of its practices by an accredited registrar. A Commissioner, in sanctioning an organization for a well-founded complaint, could not only assess a fine, but also require the organization to change its practices – and to demonstrate that it had – by registration to the privacy standard. Conversely, the demonstration that a code of practice is indeed complied with throughout the organization should have powerful evidentiary force. This should not exempt the organization from the provisions of PIPEDA, but it should carry weight in any investigations by, or proceedings before, the Commissioner or the courts.

Furthermore, registration to the CSA Model Code would assist in the interpretation and enforcement of Principle 4.1.3 which requires organizations to "use contractual or other means to provide a comparable level of protection while the information is being processed by a third party". It could also assist with the tricky question of how to assure comparable levels of protection when a Canadian company outsources personal data processing to an overseas organization. Contracts could reference the standard; registration to the standard would be a condition for continual processing of Canadian personal data.

Has the need to become certified been made redundant by the code’s inclusion in PIPEDA? Why would organizations go to the time and expense of demonstrating compliance through registration when they are already required by law to comply?

According to the Commissioner’s 2006 Annual Report on PIPEDA, of 424 complaints, only 21 per cent were "not well founded", an indication that organizations’ compliance with the legislation is underwhelming.24

Further studies have found that many organizations are unaware of their obligations, and that stated privacy policies are misleading and incomplete.25 Many organizations that are aware of the law simply wait for a complaint to be made, knowing that they can demonstrate willingness during investigation and mediation and escape without penalties. Other companies may not consciously see themselves taking a business risk but merely hold off making any changes in their personal information practices, waiting to see what individuals object to. It appears that the pro-active CSA Standard, in becoming law, has become a more reactive instrument.

The International Organization for Standardization (ISO)

By the late 1990s, observers were calling for Canada’s national standard, the CSA Model Code, to become internationalized, and there was pressure on ISO to take up the issue. Privacy protection laws were proliferating around the world and regulations were "trading up" as countries and regions were trying to establish competitive advantages in electronic commerce. Companies were also looking for ways to simplify and improve confidence in their sub-contracting and contracting out processes concerning the treatment of personal information.

Many felt that a separate ISO privacy standard would be in the interests of all nations and stakeholders. It would carry far greater weight and credibility worldwide, therefore benefiting more people and organizations. It would attract attention and international registration efforts from different national standards bodies, and would create a market for more specialized compliance tools. And it would give businesses in countries which have not been deemed "adequate" under European data protection law a more reliable and consistent method of demonstrating their conformity to international data protection standards.26

In May 1994, ISO’s consumer policy committee (COPOLCO) established a working group to determine whether the then-draft standard of the Canadian Standards Association could form the basis of an international standard for protecting personal data. The Group recommended to COPOLCO in April 1996 that ISO develop an international standard. ISO’s General Council accepted this recommendation in September 1996 and resolved that rapid advances in technology and the growth of electronic communication and databases demanded global rules for the protection of personal information. It noted that, while regulations differ throughout the world, consensus-based standards could help provide a global base of protection. The ISO General Council also asked the Secretary-General to refer the COPOLCO recommendation to the Technical Management Board (TMB) for appropriate action, together with the comments made during the meeting. In determining how work would begin on this standardization effort, ISO’s twelve-member TMB decided to refer the issue to an ad hoc advisory group (AHAG) in January 1997. The AHAG was supposed to produce a positive TMB resolution in 1998. However, reservations about this initiative from representatives of the American National Standards Institute (ANSI) had already been circulated, and the expected resolution did not materialize.

The AHAG continued to study the issue for another year but was disbanded in June 1999. A meeting in Hong Kong later that year concluded that some other useful standardization instruments, short of a full-fledged privacy standard, could be negotiated, but that a general management standard should be laid "dormant". It recognized that the work was being taken up by the European Committee for Standardization (CEN) and was prepared to take up the issue again if requested.

Privacy protection does, however, intersect with standards development in other sectors. A few examples include: Financial Services (TC 68); Road Transport Informatics (TC 204); Geographic Information and Geomatics (TC 211); and Health Informatics (TC 215). Also, there is now a family of standards on IT security within the ISO 27000 series.27 ISO 27002 is the generic code of practice for IT security, itself based on the original British standard, BS 7799. Most notably, privacy-related work has been independently pursued by Joint Technical Committee 1 (JTC 1) of ISO and the International Electrotechnical Commission (IEC). This joint committee has been building various base standards in the field of information and communications technology, some of which have key privacy components.28

There are a number of subcommittees within JTC 1, of which Subcommittee 27 (SC 27) is the lead on IT security. SC 27 has the task of standardizing "generic IT security services and techniques". This includes identifying generic requirements (including requirements methodology) for IT system security services; developing security techniques and mechanisms (including registration procedures and relationships of security components); developing security guidelines (e.g., interpretative documents, risk analysis); developing management support documentation and standards (e.g. terminology and security evaluation criteria); and standardizing cryptographic algorithms for integrity, authentication and non-repudiation services.29 Within SC 27 there are five working groups, the most recent of which is Working Group 5, responsible for Identity Management (IdM) and Privacy Technologies. Its remit includes developing and maintaining standards and guidelines to address security aspects of identity management, biometrics and the protection of personal data.30

The following initiatives are currently being undertaken:

  • A Framework for Identity Management (ISO/IEC 24760)
  • A Privacy Framework (ISO/IEC 29100)
  • A Privacy Reference Architecture (ISO/IEC 29101)
  • An Authentication Context for Biometrics (ISO/IEC 24761)
  • Biometric Template Protection (ISO/IEC 24745)

The first two seem to be the most advanced. The Framework for Identity Management is designed to provide a framework for the secure and reliable management of identities online with appropriate definitions, concepts and models. It describes the basic components of IdM and the life cycle of identities as they are established, modified, suspended and archived. This standard is designed to form the basis of future ISO identity standards and is currently at the level of a working draft.

ISO/IEC 29100 provides a more general privacy framework. It provides common privacy terminology and defines the basic privacy principles. It is also designed to relate privacy requirements to existing security standards and guidelines, particularly those within the ISO 27000 series. On the face of it, ISO/IEC 29100 appears to be intended as a general privacy standard of similar breadth and applicability to that contemplated in the late 1990s. But it is also obvious that the principal motivation is the need to address online privacy risks. This proposed standard is accompanied by ISO/IEC 29101, designed to standardize best practices for the consistent technical implementation of personal information privacy requirements, the assumption being that the privacy framework should be established before the architecture.

It is premature to conclude which of these initiatives will materialize into full ISO standards. What is apparent is that distinctions between technical and management standards tend to be breaking down, that privacy protection principles are embedded in the work of ISO at many different levels and in many different projects, and that the community of international privacy and data protection agencies needs to be more adequately informed about, and involved in, the ISO standards development process.

The European Committee for Standardization/Information Society Standardization System (CEN/ISSS)

CEN, the European Committee for Standardization, was founded in 1961 by the national standards bodies in the European Economic Community and the European Free Trade Area countries.31 CEN is now "contributing to the objectives of the European Union and European Economic Area with voluntary technical standards which promote free trade, the safety of workers and consumers, interoperability of networks, environmental protection, exploitation of research and development programmes, and public procurement".

CEN’s involvement with privacy began through a multi-stakeholder group entitled the Initiative for Privacy Standardization in Europe (IPSE), which reported in 2002.32 IPSE recommended that CEN/ISSS should: identify a common European set of voluntary best practices for data protection; develop a generic set of contract clauses reflecting the requirements of Article 17 of the European Directive; prepare an inventory of data protection auditing practices; conduct a survey of web seal programs as a basis for considering further standardization; develop a coherent approach for assessing the impact of ongoing technological developments; and compile and deliver a targeted range of educational and guidance material on privacy-related standardization issues. IPSE did not, however, recommend a management standard at the European level, arguing that "there is no evident immediate industry demand at the European level for a management type standard for privacy". IPSE also suggested that "any work on a European management standard is premature at this time, and that individual European privacy interests have an avenue to pursue these objectives through the ISO route, building on the COPOLCO resolutions, if desired".33

CEN’s work has proceeded through a series of workshops of its Information Society Standardization System (ISSS), including the Data Protection and Privacy Workshop (CEN/ISSS/WS/DPP). The Workshop’s aim is to "help organizations to comply with the Data Protection Directive and relevant national legislation by facilitating harmonization of practice, developing the understanding and predictability of detailed or sector practices, contributing to resolving ICT technical compliance issues, and encouraging consistency of assessment and oversight".34

The Workshop has already completed several reports in 2005 and 2006, including:

  • an inventory of Data Protection Auditing Practices;
  • an analysis of Privacy Protection Technologies, Privacy-Enhancing Technologies (PET), Privacy Management Systems (PMS) and Identity Management systems (IMS), the Drivers thereof and the need for standardization;
  • a standard form contract to assist compliance with obligations imposed by article 17 of the Data Protection Directive 95/46/EC (and implementation guide);
  • Personal Data Protection Audit Framework (EU Directive EC 95/46): Part I: Baseline Framework – The protection of Personal Data in the EU; and
  • Personal Data Protection Audit Framework (EU Directive EC 95/46) Part II: Checklists, questionnaires and templates for users of the framework – The protection of Personal Data in the EU.35

In addition, the workshop participants have identified further work areas to be developed, with a focus on small and medium enterprises, on self-assessment and on a much closer dialogue between firms and regulators.

These further work areas are:

  • a Common European set of voluntary best practices for data protection management to help businesses and data managers comply with the Directive and, where possible and appropriate, the diverse European national laws and additional requirements;
  • EU privacy audit tools: towards a practical approach of audit tools for data managers, enabling them to perform self assessment; and
  • a Voluntary Technology Dialogue System: ensuring that new products, technologies and services comply with the relevant data protection and privacy laws, as transposed in all EU member states, can be a challenging task for industry.

In addition, regulators find themselves somewhat unaware of potential new technologies likely to reach the market in the near future.

The International Security, Trust and Privacy Alliance (ISTPA)

"ISTPA" is the International Security, Trust, and Privacy Alliance, founded in 1999. It is a "global alliance of companies, institutions and technology providers". Its self-proclaimed mission is to "clarify and resolve existing and evolving issues related to security, trust, and privacy". Further, it states that its "focus is on the protection of personal information".36

Its goals are to:

  • Develop a Framework for the protection of personal and organizational data, which defines security, privacy, and trust services and their relationship.
  • Develop an understanding of the usability, manageability and cost implications of technologies supporting data protection.
  • Conduct research, demonstrations and inter-operability projects which address critical privacy, security, and trust issues.
  • Provide guidance to member companies.
  • Provide international forums for discussion of issues and solutions.
  • Serve as a voice and resource for industry on privacy technology issues.
  • Promote the ISTPA's work and its mission.

ISTPA’s Privacy Framework 1.1 was intended primarily for an audience of privacy officers or those responsible for privacy within their organizations, but also for legislators and government officials seeking to regulate.37 ISTPA had developed the Framework as "a comprehensive and valuable aid for those implementing privacy policies in information systems containing personally identifiable information".38 It was also intended to help organizations deal with technical issues when grappling with privacy across jurisdictions. The Framework was subsequently submitted by the International System Security Engineering Association (ISSEA) as a candidate for an ISO Publicly Available Specification (PAS),39 and was also brought forward to the international data protection commissioners at their conference in Wroclaw, Poland in 2004.

Historically, data protection authorities have not been heavily involved with standards-related activities. However, the Article 29 Working Party did issue an opinion on May 29, 1997, expressing its support for such initiatives as "significantly contributing to the protection of fundamental rights and privacy on a world-wide basis".40 In Wroclaw, the commissioners passed a resolution that "a global privacy standard(s) and specifically a privacy technology standard be developed by ISO that would support the implementation of legal rules on privacy and data protection where they exist and the formulation of such rules where they are still lacking". In doing so, the commissioners also expressed their concern that initiatives in ISTPA and JTC 1 were producing privacy management frameworks which would be inconsistent with extant European data protection law. They went on to resolve that "developing an international privacy standard must be based on the fair information practices as well as the concepts of data scarcity, minimization and anonymity".41 ISTPA is re-writing the ISTPA Privacy Framework document to address the concerns raised by the International Conference, with the eventual goal of re-introducing the document for consideration as an ISO standard.

IV. Conclusion: Implications for Data Protection Authorities

At the end of 2007, the landscape for privacy standardization features:

  • A national privacy standard for Canada which has been rendered almost redundant by the passage of PIPEDA;
  • Significant activity within ISO/IEC JTC 1 towards negotiating base technical standards, some of which have key privacy components and implications; and
  • A considerable amount of work within CEN/ISSS on data protection audit and contracting processes, as well as on privacy-enhancing technologies. However, it is not yet clear how this work is being integrated into the day- to-day work of the data protection authorities, and less still into the practical data protection compliance of European companies.

The idea of a general management standard – an international version of the CSA Model Code – has been difficult to realize. This can be explained by:

  • a certain reluctance by standards bodies to enter an area traditionally conceived in terms of human rights;
  • a skepticism on the part of privacy advocates and regulators about the appropriateness of another set of international institutions becoming involved with this issue;
  • a fear among advocates and regulators that a general management standard would undermine existing data protection law;
  • in some areas, stiff opposition to the idea of a general management standard from certain private sector interests; and
  • the proliferation of seal and certification schemes on the Internet, which have allowed companies to provide an illusion of privacy compliance without having to undertake a rigorous standards registration process.

One wonders then if a management standard for privacy protection is an idea whose time has passed. Yet, in contemporary circumstances, where data breaches are commonplace, the vision for a fully functioning standards system for privacy protection which can support existing law remains as valid as ever.

The process of attaining and maintaining registration to a privacy standard can relieve pressure on data protection agencies as the sole oversight authorities. In an environment of global personal data processing, the scrutiny of laws and contracts provides no assurance to data protection authorities that the receiving jurisdiction complies with data protection rules. Registration to a standard, which would oblige independent and regular auditing, would provide greater certainty that the receiving organization practices "adequate" data protection, wherever it is located and whatever its business. Registration can also provide more meaningful guarantees for consumers looking to conduct business with privacy-friendly organizations – "meaningful" because an organization’s adherence to good privacy practices has been independently verified, and also because, as a product of standards authorities, its requirements are rigorous and harmonized.

Given that a stand-alone international privacy management standard is desirable but is unlikely to materialize in the near future (for the reasons outlined), there are still ways in which existing management standards can be used to promote good data protection or privacy management internationally.

  1. Organizations anywhere in the world that are otherwise registered to ISO 9000 series standards may incorporate privacy management into their existing registration. Data protection authorities need to be aware of existing, and contemplated, registrations in order to encourage organizations to include personal information management as part of their "quality management systems".
  2. Any organization that wishes a separate registration for privacy can always take the existing CSA Model Code and adapt it to its legal environment and organizational conditions and processes.
  3. Any organization can "bridge" the existing CSA standard (Q830) to an existing or planned ISO 9000 registration.
  4. Data protection agencies (as well as courts) can use their existing regulatory powers to encourage, or in some instances, require registration to a privacy standard when there are obvious privacy failures.

No privacy standard, and no standard registration, can substitute for properly enforced data protection legislation which applies to all organizations (public and private) within a given jurisdiction. Conversely, no law can be truly effective without appropriate mechanisms to allow organizations to truly say what they do, and do what they say.

Endnotes

  1. In this paper, we use the generic term "data protection authority" to refer to the family of independent bodies responsible for the oversight of national data protection or privacy statutes.
  2. See Colin J. Bennett and Charles D. Raab, The Governance of Privacy: Policy Instruments in Global Perspective (Cambridge: MIT Press, 2006).
  3. "Quality assurance" refers to all the planned and systematic activities implemented within a quality system and demonstrated through internal and external quality audit.
  4. "Bridging" refers to the process whereby organizations declare their adherence to two complementary standards, and thereby save resources by engaging in only one conformity assessment process.
  5. Only this March, for example, the current chair of the U.S. Federal Trade Commission gave a speech about the importance of instilling a culture of privacy and security within the organization. Deborah Platt Majoras, "Building a Culture of Privacy and Security – Together," Speech to the IAPP Privacy Summit.
  6. James W. Kolka, ISO 9000: A Legal Perspective (Montclair: International Forum for Management Systems, 1998), p. 13.
  7. In this paper, the term "registration" is used for the process of independent verification and recognition by a national or international official standards agency. "Certification" is used for other systems of attestation that an organization complies with some other standard.
  8. http://www.simplyquality.org/howmany.htm
  9. Jaap van den Heuvel, Lida Koning, Ad J.J.C. Bogers, Marc Berg, Monique E.M. van Dijen, "An ISO 9001 quality management system in a hospital: Bureaucracy or just benefits?" International Journal of Health Care Quality Assurance 2005 Vol. 18, No. 5: 361 – 369
  10. International Trade Centre, Applying ISO 9000 Quality Management Systems (Geneva: ITC, 1998), pp. 13-14.
  11. ISO, as the publisher of standards, does not issue certificates of conformity to any standard. Certificates of conformity to specified standards are issued by certification/registration bodies which are independent of ISO and of the businesses they certify. There are over 740 certification or registration bodies worldwide. Source: International Accreditation Forum
  12. James W. Kolka, ISO 9000: A Legal Perspective (Montclair: International Forum for Management Systems, 1998), pp. 17-18.
  13. "The Michigan-based Ponemon Institute© is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries." At http://www.ponemon.org/. See http://www.ponemon.org/rim.html for more information regarding Responsible Information Management.
  14. The codification of the Fair Information Practices varies. They essentially boil down to the following. An organization (public or private):
    • must be accountable for all the personal information in its possession
    • should identify the purposes for which the information is processed at or before the time of collection
    • should only collect personal information with the knowledge and consent of the individual (except under specified circumstances)
    • should limit the collection of personal information to that which is necessary for pursuing the identified purposes
    • should not use or disclose personal information for purposes other than those identified, except with the consent of the individual (the finality principle)
    • should retain information only as long as necessary
    • should ensure that personal information is kept accurate, complete and up-to-date
    • should protect personal information with appropriate security safeguards
    • should be open about its policies and practices and maintain no secret information system
    • should allow data subjects access to their personal information, with an ability to amend it if it is inaccurate, incomplete or obsolete. From Bennett and Raab, p. 12.
  15. David H. Flaherty, Protecting Privacy in Surveillance Societies (Chapel Hill: University of North Carolina Press, 1989).
  16. Bennett and Raab, Ch. 6.
  17. For example, under the most popular program (TRUSTe), there is no requirement for an on-site examination of a website’s privacy practices as a precondition for receiving the TRUSTe mark. Comprehensive examinations of an organization are only initiated "for cause" and when there is a privacy violation. Other programs, that of WebTrust, for instance, have more comprehensive auditing requirements. See: "Web Seals: A Review of Online Privacy Programs", a joint project of the Office of the Information and Privacy Commissioner/Ontario and the Office of the Federal Privacy Commissioner of Australia.
  18. Increasingly, for example in the area of environmental sustainability, registration to one of the ISO 14000 standards is seen as a prerequisite for doing business with government in many areas. See, Michael McKloskey, ISO 14000: An Environmentalist’s Perspective
  19. There have been examples of court-ordered registration to ISO 14000 as penalties for environmental pollution.
  20. The ISO/IEC Guides and the IAF Guidance to them are designed to ensure that certification/registration bodies are both competent to carry out the work involved and are operated independently of businesses that are certified. Source, International Accreditation Forum (IAF), Inc.
  21. The American National Standards Institute (ANSI) for example has issued standards on privacy impact assessments, the privacy of communication in electronic funds transfers, standards for electronic health records, telecommunications security in ISDN and so on. See:
    http://webstore.ansi.org/ansidocstore/find.asp?
  22. CSA, PLUS 8830 – Implementing Privacy Codes of Practice, Colin J. Bennett, 22 August 1995.
  23. Organisation for Economic Co-operation and Development (OECD) (1981), Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, (Paris: OECD).
  24. [LINK]
  25. See e.g., John Lawford, Consumer Privacy under PIPEDA: How are we Doing? (Public Interest Advocacy Centre: November 2004); Rajen Akalu et al. Implementing PIPEDA: A Review of Internet Privacy Statements and Online Practices (May 2005)
  26. See the arguments in: Colin J. Bennett, Prospects for an International Standard for the Protection of Personal Information: A Report to the Standards Council of Canada (August 1997)
  27. www.27000.org
  28. 2006 privacy-related publications include: Information technology - Security techniques - Selection, deployment and operations of intrusion detection systems, and Multimedia security - Guideline for privacy protection of equipment and systems in and out of use, with work in progress on Multimedia Security - Guideline for privacy protection of equipment and systems in use and disused - Part 2: Software method for privacy protection (TC 100). [LINK]
  29. http://www.ni.din.de/sc27
  30. [LINK]
  31. From the CEN website, at: http://www.cen.eu/cenorm/aboutus/index.asp Its complex hierarchy and relationships are well-depicted graphically online.
  32. Initiative for Privacy Standardization in Europe: Final Report
  33. Ibid, p. 51.
  34. CEN website
  35. CEN website
    The CWAs are available for download online
  36. From http://www.istpa.org/about/index.htm Members and affiliates include AMD, BITS, The Technology Group for the Financial Services Roundtable, Carnegie Mellon University, Computer Associates International, CYVA Research Corporation, DiscoverTek, EWA Information and Infrastructure Technologies, Inc., Gemplus, Government of Alberta, Office of the CIO, GSR Strategic Consulting, Harry Lewis, Esq., HiSoftware Company, IBM, International Systems Security Engineering Association, Jonathan Moore, Johns Hopkins University, Kendall Scott, KLS Consulting, LLP, Motorola, NCR, OneName Corporation, Potter Group, Seagate Technology, TVC UK Ltd, TRUSTe, Vanguard Integrity Professionals, Wave Systems Corporation
  37. http://www.istpa.org/faqs/framework.htm
  38. Borking, John J., Privacy Standards for Trust, October, 2005, p. 5
  39. A PAS is "a normative document representing the consensus within a working group", so less than a full-fledged standard: [LINK]
  40. [LINK]
  41. Resolution on a Draft ISO Privacy Framework Standard, ISO/IEC JTC1 SC36# N1231, 2006-02-15, available online. The subsequent organization (the Wroclaw Foundation), which was formed to address procedural issues and facilitate their formal recognition in the standard’s development, did not realize its goal.

Advancing the Privacy Agenda in Canada: Developing a Canadian
Standardization Strategy

Workshop held February 22, 2007 – Ottawa


Executive Summary

On Feb.22, 2007, the Office of the Privacy Commissioner of Canada and partners in the National Standards System, including: the Canadian Standards Association, the Canadian General Standards Board, and the Standards Council of Canada, sponsored a workshop on the topic of privacy and standardization in Canada. Attended by 62 invited stakeholders representing business, privacy practitioners, government, consumer and public organizations, academia and standards development, the workshop was the first step in the establishment of a Canadian standardization strategy and roadmap for advancing privacy in Canada.

During the workshop lessons learned were discussed and key success factors to the development and implementation of a national standardization strategy were captured. Key success factors included the need for a clear business case, stakeholder engagement, long-term objectives, practical tools, scalable solutions, realistic goals, transparency, and resources.

The following key workshop themes were identified:

  • Standardization bridges gaps – Reference voluntary standards in legislation and position standardization as complementary to legislation.
  • Baseline standards are useful – Baseline requirements with a common set of "principles" with additional sector-specific applications of standards.
  • Focus on special needs – Address special needs with supplementary requirements (e.g., health researchers, outsourcing, trans-border sharing of information, SMEs).
  • Demonstrating conformance – Importance of ability to demonstrate conformance through self-assessment or third party in order to measure effectiveness.
  • Sharing best practices – An inclusive process is needed including all stakeholder groups.
  • Timing is critical – Must start now to see benefits in the future.
  • Engaging stakeholders – Start with clear and transparent approach to gain commitment and build a business case for the business community.

Background

On Feb. 22, 2007, the Office of the Privacy Commissioner of Canada and partners in the National Standards System, including the Canadian Standards Association, the Canadian General Standards Board, and the Standards Council of Canada, sponsored a workshop on the topic of privacy and standardization in Canada. Attended by 62 invited stakeholders representing business, privacy practitioners, government, consumer and public organizations, academia and standards development, the workshop was the first step in the establishment of a Canadian standardization strategy and roadmap for advancing privacy in Canada.

The Workshop objectives were to:

  • Enhance participants’ understanding of the current landscape of privacy protection in Canada;
  • Explore current privacy issues where standardization could provide tools and solutions for Canada and beyond;
  • Provide a forum to bring together Canadian expert stakeholders to explore and build consensus on a ‘Way Forward’ for privacy standardization in Canada, and
  • Explore technical and non-technical standardization solutions for Privacy.

Format of Workshop

The workshop was designed to stimulate dialogue and to obtain feedback from participants to help create a roadmap covering the current landscape for privacy standardization activities, needs, issues and potential opportunities. The format included presentations from keynote speakers followed by breakout sessions on 4 streams in the morning and 4 different streams in the afternoon. This report highlights the key themes identified by keynote speakers as well as a summary of the outcomes from the 8 breakout sessions.

The Role for Privacy Standards in Canada

  • To address harmonization issues not captured in legislation;
  • To address specific practices;
  • To address new technology concerns (e.g. RFIDs, biometrics, genetic information, location tracking, data mining and profiling, video surveillance, etc.);
  • To address baseline issues such as limiting collection, data retention, safeguards, etc.;
  • To address emerging public and policy issues such as transborder flows and identity theft; and
  • For Privacy Impact Assessments, Threat/Risk Assessments and Audits.

Lessons Learned related to Key Success Factors

  • Need to present a clear business case for standardization
  • Focus on long term objectives
  • Make standards offerings relevant and realistic by providing practical tools and realistic goals
  • Provide an inclusive process with the engagement of all stakeholders
  • Ensure transparency of the standardization process
  • Need for resources to support exercise
  • Solutions must be scalable – the needs of small and medium-sized organizations must be considered in the development of solutions
  • Focus on standards products that bridge current gaps in the privacy landscape
  • Stakeholders need to agree on the agenda and the process

Questions to be Addressed in Developing a Standardization Strategy

  • Do we need new standards in Canada?
  • Should we be looking at global standards?
  • Who takes the lead role?
  • How do they integrate with legislation?
  • How do organizations adopt them and certify to them?
  • What is the value add for organizations?
  • What is the value add for the public?

Key Workshop Themes

Standardization Bridges Gaps

  • Assist with implementation of privacy legislation and requirements
  • Referencing of voluntary standards in legislation
  • Standardization is complementary and supplementary to legislation

Baseline Standards

  • Baseline requirements at National level
  • Common set of "principles" (National and International)
  • Sector-specific applications of standards

Focus on Special Needs

  • Special needs addressed by supplementary requirements (e.g., health researchers)
  • Outsourcing
  • Trans-border sharing of information (global issue)
  • Small and medium sized organizations (scalability)
  • Others to be identified

Demonstrating Conformance

  • Audit tools (ability to demonstrate conformance through self-assessment or third party)
  • Measure effectiveness
  • Management System Standards

Sharing Best Practices

  • Need for inclusive process, including all stakeholder groups
  • Need for information sharing resource

Timing is Critical

  • Must start now to see benefits in the future

Engaging Stakeholders

  • Start with clear and transparent approach to gain commitment
  • Business case for the business community
  • Funding

Breakout Session 1: Standardization Needs

STREAM 1: Legal and Regulatory

The objective of this session was to identify the existing and needed standards and initiatives required to establish a Canadian Standardization Strategy to Support Privacy from a legal and regulatory perspective.

PIPEDA is perceived to be a good and reasonable law setting out what needs to occur in the private sector. What is needed in support of PIPEDA (and similar provincial requirements) is:

  • Guidance on application, especially to small and medium enterprise;
  • Clarity on sanctions for non-compliance;
  • Clear requirements for breach notification;
  • Consistency in application of laws/regulations across Canada;
  • Best practices for different sectors and industries; and
  • Details on limits of outsourcing to firms beyond Canada’s laws.

Most of these identified gaps can be addressed through the standardization process with additional resources required to engage those delivering services where privacy needs to be respected. Some of the gaps will need additional regulation to be filled.

The federal law on privacy was recognized as being in need of revision in light of the rapidly increasing ease of acquiring personal information from individuals and the ease with which information can be shared and aggregated – with unintended consequences affecting the integrity of the data and the privacy of the individual.

The increasing number of IT offerings to assist government in their obligations was noted, along with the lack of clarity over whether the emphasis is on data security or the privacy rights of the individual.

The standards system was perceived of potential use to government provided there was a desire to have all affected parties involved in the discussions to revise the ATIP.

STREAM 2: Commercial and Product Vendors

A need was felt for standards to both support conformance to legislation as well as to provide suites of best practices for different industries and commercial exchanges.

A variety of complementary ideas were indicated:

  • Privacy Impact Assessment as an important factor in any Risk Management/Assessment activity
  • A common data collection policy is needed that addresses a variety of risk levels
  • The control of transfer of data needs to be in the hands of the party whose information is being transferred/shared
  • The intrusiveness of data collected needs to match the need for the data
  • Clear rules are required for what data may be collected, the use of that data, the disclosure/sharing/sale of that data, the protection of that data (security), the transfer of that data – in particular to jurisdictions outside where the data was collected, and the disposal of the data

This needs to be accomplished while taking into account the limited capacity/resources of SMEs to understand what is needed and to implement appropriate policies and protocols.

STREAM 3: Services and Product Users

The objective of this session was to identify the existing and needed standards and initiatives required to establish a Canadian Standardization Strategy to Support Privacy from a services and product user perspective.

Service and product users include a wide range of stakeholders from private citizens to the Canadian government. Any solution must be scalable so that it can be implemented by small, medium and large enterprises. This is particularly important as governments and large organizations look more to outsourcing services, including data collection and management services. It was discussed that the focus was on the protection of personal information of individuals and not on company-related information. The key element for the federal government was the outsourcing to the private sector of data management that may involve personal information.

From the federal government perspective, the requirement was how to communicate the policies to the contractors and provide the ability to enforce these policies. This should be done in a way that is clear and explicit for the contractors. Standards would be very useful in this area, as they have been in the IT and security areas. The ability to quote the standards to vendors in a contract was invaluable.

Another area of concern was where there was a stream of data; there may be policy implications beyond just privacy, such as encompassing security and IT. There was a sense that participants would rather see a more general or comprehensive standard that encompassed these requirements rather than a myriad of standards covering specific requirements. The discussion led to the notion that standards could help explain goals, uses and requirements. Privacy cannot be dealt with in isolation. It was identified that one set of standards need to be developed rather than disjointed standards for each area.

Liability was raised as an issue. It was pointed out that liability ultimately comes back to the individual who is wronged. However, through such practices as ID theft or data mining, the individual may be financially or morally ruined and must seek compensation or restitution independently. Also, the question of the obligation of an organization to report the discovery of the problem was discussed. The need for safeguards and for the requirement that data stores such as logs be verifiable (using standardized date formats, for example) was identified. This issue can be addressed contractually, through certification or other legal means. However, this requires a commonly-understood "language" between and among the various players.

The problems associated with the collection of data by medical researchers, especially where the collection involves more detail than the commonly-accepted "basic" information, were identified. Researchers are faced with a myriad of policies, legislations, and regulations across Canada that are not harmonized. The need for a "roadmap" to navigate these policies and this plethora of legislation was identified.

Improving awareness in the area of privacy is also critical. The harmonization of provincial and federal regulations is required so that users can develop products based on one set of regulations. The unique needs of various groups need to be identified.

STREAM 4: Consumer and Public Interest

The objective of this session was to identify the existing and needed standards and initiatives required to establish a Canadian Standardization Strategy to Support Privacy from a consumer and public interest perspective.

While the breakout group was made up of individuals from a range of stakeholder interests, there was strong agreement that any standards strategy development and standards work in the area of privacy needed to take a very inclusive approach, where the interests of all stakeholders were represented. In particular, it was noted that resources may need to be identified to ensure that consumer voice is represented and to build the capacity of the consumer constituency in Canada on this subject.

In terms of existing standards and legislation, there was general agreement that PIPEDA and provincial laws, based on the CSA Model Code, provide the essential principles for privacy protection in Canada. It was noted that while many consumers feel that their privacy is eroding, they may be willing to give up personal information as long as they are assured that their information will be protected and that there will be consequences for non-compliance. A recent study by the University of Ottawa has shown that there is widespread non-compliance with PIPEDA.

Industry codes such as the Canadian Marketing Association Privacy Code are useful in providing consumer assurance, but it is important to have direct consumer involvement in the development of these codes and public review of the draft codes. Other initiatives that should be reviewed include: OECD’s initiative to harmonize security and privacy principles, Generally Accepted Privacy Principles (GAPP from the Accounting Sector), Short Notice as outlined in the Berlin Memorandum, and CEN audit standards and best practice guidelines.

Gaps in standards and legislation should be identified through risk assessment – what are the risks to consumers? While standards have been developed to cover security of information, the other 9 principles in PIPEDA (based on the CSA Code) have not been well developed, and there is a need to develop more specific, clear implementation guidelines and best practices for the other principles, which would assist organizations with implementation. For example, it is difficult to make disclosure meaningful to consumers – more guidance is needed in this area. The issue of breach notification was also raised as a current gap in legislation. Any work on best practices needs to be supported with legal commentary.

Overall, the group was in support of a national standards strategy for privacy in Canada, building on existing standards, codes and legislation. A holistic approach was recommended, utilizing partnerships and engagement of all stakeholders.

Breakout Session 2: Standardization Solutions

STREAM 1: Role of Standards within Government Policy

The objective of this session was to identify solutions related to government policy for the needs identified in each of the following categories: 1) Legal and Regulatory, 2) Commercial and Product Vendors, 3) Services and Product Users, and 4) Consumer and Public Interest.

It was generally agreed that PIPEDA is good principle-based legislation and what is missing is likely a number of guidelines about its interpretation. However, it was noted that these guidelines should offer a certain level of flexibility for businesses.

A number of issues were raised with regards to Information Management laws. As an example, it was noted that the concept of identity theft may have different interpretations. A number of issues were raised with regards to the disclosure of personal information when a breach has occurred. It was felt that while a breach notification is a good idea, it should probably be handled differently depending on the nature of the personal information disclosed (i.e. medical versus financial).

The issue of data encryption was raised but it was not clear whether encrypted information is still considered personal information and apparently the government policy on this type of information is not well known.

It was generally agreed that having clear privacy legislation in a country helps in commercial transactions. It was also noted that Canadian legislation has a global impact on commerce.

STREAM 2: Technical Standards, Tools, and Best Practices

The objective of this session was to identify potential solutions related to technical standards, tools, and best practice for the needs identified in each of the following categories: 1) Legal and Regulatory, 2) Commercial and Product Vendors, 3) Services and Product Users, and 4) Consumer and Public Interest.

It was estimated that 60-70% of the requirements needed to satisfy privacy already exist in other standards. However, there are some very different requirements that are not yet addressed in other standards (e.g. consent, usage permission). It was recommended to look at the existing public standards as a starting point and determine if they are adequate. Participants suggested standardizing the general privacy principles first, then developing a family of standards under each.

The desire to focus on the national level first was identified while taking into consideration what technical standards already exist at the international level. The development of a subcommittee to feed into the international process and work was recommended.

STREAM 3: Security Support for Privacy

The overarching need identified was the need to undertake a holistic approach to the blend of technology, policy and process addressing the full information life cycle from initial collection, use, disclosure, sharing, transfer, and disposal.

The results must be useful to SMEs – through targeted messages employing the information dissemination vectors normally used by SMEs, as well as inspections provided on a social basis, along the lines of fire hazard inspections.

There needs to be a clear and succinct description of the relation amongst privacy, accessibility and security.

To date there has been much focus on security needs to protect technology from criminal elements; there are also other types of security needs that need to be addressed, such as ignorance and human error in person-to-person transactions, especially discussion of private details in a public space.

The inability of individuals to be aware of who accesses private data and for what reason is a major concern. There was support for the idea that individuals be alerted of every access to files containing private data.

An informational initiative to promote "Fair Information Practices" was seen as beneficial to both consumers and providers of services/goods to consumers.

STREAM 4: Verification, Audit and Conformity Assessment

The objective of this session was to identify potential solutions related to verification, audit and conformity assessment in each of the following categories: 1) Legal and Regulatory, 2) Commercial and Product Vendors, 3) Services and Product Users, and 4) Consumer and Public Interest.

In this breakout session there was general agreement that there was a need to evolve the area of verification and audits for privacy in Canada. There were a variety of opinions on the tools that are needed and the range of alternatives that should exist. Some members felt that any standards strategy for privacy needed to be based on nationally recognized consensus standards supported by accredited 3rd party conformity assessment programs. However, others in the group felt that verification could be achieved through self-certification or through industry association programs for verification. Clearly, it would appear that there is a need for a continuum of options for verification and auditing, depending on the sector and the needs of stakeholders. For example, it would be helpful to develop self-assessment and internal audit checklists for small and medium enterprises. Some of these tools are being developed by Privacy Commissioners and by trade associations. It was also noted that 3rd party registrars are starting to offer audit services for the new ISO standard on Security Management, and this experience should be evaluated/monitored to assess the value of this verification.

There was general concern that existing terms of reference for audits are poorly framed and in some cases not very robust. Every stakeholder has a different perspective on what is required. CEN has well developed audit tools and these should be considered for international or national application. Furthermore, trust marks or seals are not the total solution – they do not necessarily provide the consumer with required confidence or trust that their privacy has been protected. In light of recent breaches, consumers are looking for more assurance of compliance.

It was noted that in addition to audits and verification of privacy policies and procedures, there may be a need for personnel certification in this field. For example, the certification of privacy auditors or of engineers developing security systems may be appropriate. In the area of software applications, there are many providers but it is difficult at this stage to know if they meet privacy requirements. Verification and auditing would appear to have an increasing role to play as our data systems and information management structures become more complex, to ensure that privacy rights are assured.

The group had a lively discussion on the use of privacy impact assessments and the need for standardization of these tools. There were some who felt that these were not robust enough and some general standardized requirements may be required in this field. However, experience in Europe has shown that it may be better to simply have solid risk assessment practices, not to develop specific requirements for privacy. Guidance on the requirements for privacy impact assessments must come from Data Protection Commissioners, but could be provided through a voluntary standards solution.

Security Initiatives in the International Telecommunications Unions
by: Michael Harrop


Michael Harrop
Rapporteur, ITU-T Study Group 17 Question 4: Communications Security Project

Introduction

In a world that increasingly relies on electronic communications and electronically-stored data, effective security is of critical importance in protecting the functioning of systems and the data they process and hold. Without effective security, all electronically-processed data is at risk. One of the primary objectives of the ITU-T work is to provide a sound basis for the development and implementation of secure products and services by ensuring the needed security standards are available. Effective security also depends on users following safe computing practices and adhering to the requirements of local security policy. In support of this, the standards community is playing an increasing role in promoting security awareness and good practices.

Although the terms security and privacy are often confused and, not infrequently, used interchangeably, security and privacy are really quite different attributes and it is important to recognize the differences. For example, security mechanisms can address the technical measures needed to support privacy (e.g. by protecting against unauthorized disclosure, modification or destruction of sensitive information), but privacy extends to legal and sociological considerations that are beyond the scope of the security work. To illustrate this point further, it is entirely possible for personal information to be held quite securely by an organization, but if that organization should not have collected that information in the first place, the privacy of the person or persons who are the subject of that information has been violated. Nevertheless, although security and privacy are different attributes, there is an important intersection between them in that security services and mechanisms can be used to support privacy.

As the leading international telecommunications standards body, the International Telecommunications Union (ITU) has established a number of initiatives to address communications security issues pro-actively within its own Study Groups and in collaboration with other standardization bodies.

This paper provides a brief overview of the ITU security-related standards work and highlights some of the work of particular relevance to privacy protection. More detail is available via the web links provided for each of the topics.

Role of the ITU-T

The International Telecommunication Union (ITU) is one of the specialized agencies within the United Nations system. The Telecommunication Standardization Sector (ITU-T) acts as a forum where governments and the private sector develop standards for global telecommunications networks and services.

A guide to the ITU-T and how it operates is available at itu.int/ITU-T/promotion

The ITU-T works on a four-year cycle (called a Study Period) during which Recommendations (i.e. ITU standards) are developed and published. The work is grouped by topic and assigned to Study Groups (SGs). Within each SG the work is subdivided into projects known as Questions.

Table 1 identifies the 12 Study Groups of the ITU-T that have been identified as having security-related activities during the 2004-2008 Study Period. Each of these SGs has appointed a specific contact for security liaison. More detailed information about the activities of each SG is available at:

http://www.itu.int/ITU-T/studygroups/com17/security-questions.doc

SG 17, Security, Languages and Telecommunications Software, has been designated the Lead Study Group for telecommunications security issues and has responsibility for security coordination across all Study Groups.

Table 1: ITU-T Study Groups with security responsibilities

  • Study Group 2: Operational aspects of service provision, networks and performance (Lead Study Group for service definition, numbering and routing; Lead Study Group for Disaster Relief/Early Warning)
  • Study Group 4: Telecommunication management
  • Study Group 5: Protection against electromagnetic environment effects
  • Study Group 6: Outside plant and related indoor installations
  • Study Group 9: Integrated broadband cable networks and television and sound transmission
  • Study Group 11: Signalling requirements and protocols (Lead Study Group on Signalling and Protocols and Intelligent Networks)
  • Study Group 12: Performance and quality of service
  • Study Group 13: Next Generation Networks (Lead Study Group for NGN and satellite matters)
  • Study Group 15: Optical and other transport networks
  • Study Group 16: Multimedia services, systems and terminals (Lead Study Group on multimedia terminals, systems and applications, and on ubiquitous applications such as e-health and e-business)
  • Study Group 17: Security, languages and telecommunication software (Lead Study Group on telecommunication security)
  • Study Group 19: Mobile Telecommunications Networks

Study Group 17 Program of Work

SG 17 has established a number of security-related Questions (i.e. projects) in the current Study Period. These are illustrated in Figure 1. Most of the Questions will result in one or more Recommendations (i.e. standards). In addition, SG17 has a number of Focus Groups examining security-related issues. (Focus Groups have greater flexibility than SGs in terms of participation and working methods. They are established to give rapid consideration to evolving standardization needs.) These initiatives are reviewed in greater detail below.

Figure 1: SG 17 Security Questions (2004-2008)

A Closer look at some of the SG 17 Security Initiatives

As the Lead Study Group for security, SG 17 is engaged in a number of initiatives to coordinate security efforts across the ITU-T and to raise awareness about our security activities.

Telecommunications Security Guide

Our publication Security in Telecommunications and Information Technology provides an overview of issues and the deployment of existing ITU Recommendations for secure telecommunications. The manual includes a brief summary of each security-related recommendation and is available online as well as in hard copy format. The online version is available at:

http://www.itu.int/itudoc/itu-t/86435.html

Security Compendium

A three-part Security Compendium has been developed comprising: a catalogue of approved ITU-T Recommendations related to Telecommunication Security; approved ITU-T security definitions; and a listing of ITU-T security-related Questions. The Compendium is on-line as follows:

Security Roadmap

Although a great deal of work is in progress and many security standards have been developed by international organizations, it is not easy for standards users (or even developers) to determine precisely what security standards already exist. Even within standards development organizations, security standards tend to be listed along with other IT standards, rather than being classified in terms of the particular aspects of security being addressed. To try to address this problem, SG 17 has developed a Roadmap of existing security standards.

The Roadmap, which is a work-in-progress, identifies existing completed security standards, standards in development, and areas where a need for standards has been identified but where work has not yet been initiated. Standards are listed under the particular aspect of security that they address (e.g. general security guidance, biometrics, security policy etc). The Roadmap includes not only ITU-T Recommendations but also the standards and work of other formal and informal regional and international standards development organizations. It is hoped that the Roadmap will contribute to the coordination of security standardization activities by providing an up-to-date summary of work that has been completed and work that is in progress, as well as identifying the major organizations participating in this work. By knowing what has been done already, and what work is in progress, it will be possible to avoid duplication of effort and also to identify gaps that need attention. A new part has recently been added to the Roadmap to cover recognized good practices.

The current version of this Roadmap covers the security standards of ITU-T, ISO/IEC JTC 1, IETF, IEEE, ATIS, ETSI and OASIS.

The Roadmap is available online.

Focus Group on Identity Management (FG IdM)

In December 2006 ITU-T SG 17 and the European Union IST Daidalos Project held a workshop entitled Digital Identity for Next Generation Networks. Workshop objectives were to investigate different approaches to digital identity, analyze gaps in today’s standards, identify future challenges and find common goals which will provide direction to the work currently being undertaken in the different projects and standards development organizations.

Details on the workshop and the results are documented online.

The workshop was considered timely and useful, and resulted in a follow-up meeting to answer some of the questions raised. A coordination mechanism was also seen as necessary. Discussions continued after the workshop and resulted in the establishment of an SG 17 Focus Group on Identity Management.

The overall objective of the Focus Group is to facilitate the development of a generic Identity Management framework, by fostering participation of all telecommunications and ICT experts on Identity Management.

The objectives include:

  1. Establishing a living list of standards bodies, fora, and consortia dealing with Identity Management, including information concerning their activities and documents in the context of an IdM framework;
  2. Conducting a global analysis on IdM requirements and capabilities;
  3. Developing a set of IdM telecommunications/ICT use cases that can be used to derive requirements; and
  4. Identifying new standards work that ITU-T SGs and other SDOs should undertake.

The Focus Group is attracting wide participation and interest and membership is open to ITU Member States, Sector Members and Associates as well as any individual from an ITU member country willing to contribute to the work. See the latest results and more information.

Security-related Recommendations

Approximately 50 security-related Recommendations are currently under development. A summary of these Recommendations may be found online.

Further information

This paper presents only a brief overview of the ITU-T security work. A considerably more detailed presentation is available online.

Summary

Effective security is vital to protect the confidentiality, integrity and authenticity of information, all of which are of concern in the context of privacy. The ITU-T is pursuing an ambitious program of work directed towards all facets of telecommunications security. Much of this work will contribute to the protection of individual and organizational privacy.


Canadian Privacy Standards Strategy Workshop – ISO/IEC JTC 1 Briefing
February 2, 2007


ISO/IEC JTC 1 is tasked with developing "Base Standards" in the field of Information and Communications Technology (ICT). The term "Base Standards" means standards that other standards developers, both inside and outside ISO and IEC, can use to develop domain- and application-specific standards. This makes JTC 1 unique within the standards world, inasmuch as 30% of its customers are other standards developers. This is one of the reasons why JTC 1 standards are so important.

As a consequence of the above, JTC 1 and its Sub-Committees (SCs) must always consider the worst-case scenario when developing their standards, in order to ensure that those standards will be applicable and usable in any environment. As an example, ISO/IEC JTC 1/SC 27, which develops standards for security, must always develop those standards to work in a "hostile" environment. Some other Technical Committees and SCs within ISO and IEC do not have to work under such strict constraints, and committees developing standards for a specific business domain may select less stringent requirements more appropriate to their domain. They can thus take a JTC 1 standard and "soften" its requirements, making it more applicable to their domain, always bearing in mind that in so doing their standard may no longer be applicable to the generalized domain.

JTC 1 currently has six Sub-Committees (SCs) developing standards related to Privacy. The SCs are:

  • ISO/IEC JTC 1/SC 17 – Cards and Personal Identification,
  • ISO/IEC JTC 1/SC 27 – IT Security Techniques,
  • ISO/IEC JTC 1/SC 31 – Automatic Identification and Data Capture Techniques (RFID),
  • ISO/IEC JTC 1/SC 32 – Data Management and Interchange,
  • ISO/IEC JTC 1/SC 36 – Information Technology for Learning, Education & Training, and
  • ISO/IEC JTC 1/SC 37 – Biometrics.

Brief details of their relevant published standards, work currently under development and planned work are provided in separate briefs for each SC; see the annexes to this document.

Currently, JTC 1 has a resolution directing all future work on privacy-related standards that does not fall within the existing programs of work of the other five SCs to SC 27. Canada has supported, and continues actively to support, the work on Privacy Protection standards being performed by SC 27. Canada has maintained, however, and still maintains, that it is inappropriate for SC 27 to be responsible for developing other privacy-related standards, for example database standards or operating system standards. It is currently estimated that Privacy Protection standards amount to less than 20% of the total standards needed for privacy. It is also estimated that the work currently being performed by the other JTC 1 SCs represents a further 10% of the total needed. Assigning the remaining 70% of the standards work needed, which is not related to Privacy Protection, to SC 27 has long been anathema to Canada.

For the last five years Canada has been urging JTC 1 to establish an SC specifically focused on Privacy Technology. Thus far, Canada has not met with success in this regard. The major impediment seems to be a lack of funding to support the secretariat for such an SC. While sufficient National Bodies express an interest and a willingness to participate in such an SC, none is willing to fund the Secretariat.

Apart from the lack of a Privacy Technology SC within JTC 1 to coordinate the activities of the six JTC 1 SCs, ensure that their products work together, and develop privacy-related technology standards, two other major impediments are hampering the work. The first and most important is the lack of an internationally agreed set of harmonized privacy principles. While this is not a problem from a strictly Canadian perspective, it is for JTC 1, because JTC 1 cannot develop nation-specific standards. Without an agreed set of harmonized privacy principles it is very hard to develop standards that will respect every nation's different set of privacy principles. The development of such a set cannot be done by JTC 1, as it is outside its purview, although JTC 1 could perhaps find a way to publish such a set from another source.

The second major impediment is the disconnect between the Privacy Community (the privacy advocates and the privacy management and policy people) and the technical standards community. Nobody expects the Privacy Community to write the technical standards, but the technical standards community desperately needs the input of the Privacy Community. Legislation and policy are primarily reactive: they address what is to happen when privacy is lost. Technical standards are primarily proactive: they address how the technology and communications are to work so that privacy will not be lost.

While there are many other things that need to be done, most of them will have little impact if these three impediments are not addressed. Finding a way forward on each of them would provide a significant boost to society and a significant step forward. JTC 1 is not the only place where things need to be done, but it is one of the most important. If we are not to end up with disparate approaches that will not work together, JTC 1 standards are essential. A lack of standards in a specific domain can be compensated for by the generalized standards of JTC 1.

In summary, there is a lack of coordinated leadership for privacy within ISO/IEC JTC 1, and the Canadian JTC 1 group, CAC-JTC1, needs the help of the Privacy Community in order to take a leadership position to correct this situation and to develop privacy-related technical standards.

Annex A
Privacy Related Standards Activities of ISO/IEC JTC 1/SC 17

ISO/IEC JTC 1/SC 17 develops standards in the area of Cards and Personal Identification. SC 17 is concerned with privacy related to card technology applications. This includes data on smart and optical cards and throughout the entire related system, starting with the original capture of the data through to its final secure destruction.

SC 17 is not currently reviewing published privacy standards; however, the chairman has authored two Privacy Impact Assessment procedures for advanced card technologies in partnership with the Information & Privacy Commissioner of Ontario, and is in the final stages of a third, designed for contactless card applications.

Annex B
Privacy Related Standards Activities of ISO/IEC JTC 1/SC 27

ISO/IEC JTC 1/SC 27 develops standards in the area of Security. By virtue of a decision at the JTC 1 level in 2004 (Berlin), SC 27 was given the responsibility of establishing study periods in the fields of "Privacy" and "Identity Management", since these fields were considered both to need and to provide safeguards and/or protection; hence the responsibility of SC 27. The reports of the study periods were to be presented to JTC 1 at the November 2006 meeting in Kruger Park, South Africa, for recommendations and attribution to one or more SCs, if so deemed.

In November 2005 (KL), the two study groups (Privacy and Identity Management) within SC 27 presented favourable reports to SC 27 management, and the recommendations were for SC 27 to adopt and establish standards for Privacy and Identity Management. These recommendations were adopted, and calls for the creation of a new WG and for NWIs were made within SC 27. This was done without the official endorsement of JTC 1, though it seemed officious on SC 27's behalf (as per SC 27 management). It was explained that SC 27 had a reputation for delivering product to the marketplace in a timely fashion, and that security was closely related to privacy and identity management.

In response to the call for the creation of a WG following KL, Canada strongly objected to the creation of WG 5 and the associated NWIs, and recommended instead the creation of an SC on Privacy, probably including Identity Management.

The title and scope for the new WG are "Identity management and privacy technologies", and the scope of SC27/WG 5 covers the development and maintenance of standards and guidelines addressing security aspects of identity management, biometrics and the protection of personal data.

Three current SC 27 projects from other WGs were transferred to WG 5:

  • Framework for Identity Management (ISO/IEC 24760)
  • Biometric template protection (ISO/IEC 24745)
  • Authentication context for biometrics (ISO/IEC 24761)

Other topics requested as NWIs in the area of privacy include:

  • A Privacy Framework
  • A Privacy Reference Architecture
  • Privacy infrastructures
  • Anonymity and credentials
  • Specific Privacy Enhancing Technologies (PETs)
  • Privacy Engineering

Requests for other NWIs in Identity Management and Biometrics were also made (details available on request).

Because no overall foundation on privacy exists within ISO, some responses to the privacy NWIs expand beyond the scope of security techniques; to date this applies specifically to the Privacy Framework and the Privacy Reference Architecture. Examples of these proposals include determining globally the requirements for "Personally Identifiable Information" and a set of "common privacy terminologies" for any information and communication system in any jurisdiction. It may be important to note that many responses to these privacy NWIs are presented by consortia that hold related patented technologies.

Canada officially requested of SC 27 that an SC on Privacy be created to address issues and requirements outside the scope of SC 27, such as those described above, so that SC 27 deals only with relevant and pertinent subjects related to information security techniques. The above NWIs have specifications beyond the scope and competency of SC 27.

An NWI proposal for Authentication Assurance is currently submitted for review. It seeks to define the acceptable criteria and levels for authenticating an "entity" and establishing an "authentication assurance" or "Quality of Authentication" (QoA) scheme, and it also seeks to enhance trust and confidence in authentication. It references the E-Authentication documentation used by the Government of the USA. There is also a strong willingness for this NWI to establish metrics in order to quantify risk for identity management. It does not, however, establish or define "identity" itself; that is beyond the scope of SC 27, and is not under the purview of any one ISO SC in particular.

At the JTC1 level, Canada has proposed a Workshop on privacy to list and establish responsibilities and scope for the various standards, projects and NWI so that proof can be brought forward to demonstrate the need to have one SC on privacy with liaisons to pertinently scoped SCs and groups.

Annex C
Privacy Related Standards Activities of ISO/IEC JTC 1/SC 31

ISO/IEC JTC 1/SC 31 develops standards in the area of RFID. ISO standards activities for RFID for item management are focused on technology, compliance of technology, data content, data communication and implementation. According to committee members, none of the technologies currently uses data encryption over the air interface. The Kill function was recently added to the ISO/IEC 18000-6 air interface standard, and memory blocks include password protection.

Standard | Status | Title | Privacy Functions
ISO/IEC 15961 | IS/TR | Radio frequency identification (RFID) for item management -- Data protocol -- Part 1: Application interface (Revision of ISO/IEC 15961:2004) | Not included
ISO/IEC 24791-1 | WD | Radio frequency identification (RFID) for item management -- Software system infrastructure -- Part 1: Architecture | Under review
ISO/IEC 24791-2 | WD | Radio frequency identification (RFID) for item management -- Software system infrastructure -- Part 2: Data management | Not available
ISO/IEC 24791-3 | WD | Radio frequency identification (RFID) for item management -- Software system infrastructure -- Part 3: Application management | Not available
ISO/IEC 24791-4 | WD | Radio frequency identification (RFID) for item management -- Software system infrastructure -- Part 4: Application interface | Not available
ISO/IEC 24791-5 | WD | Radio frequency identification (RFID) for item management -- Software system infrastructure -- Part 5: Device interface | Not available
ISO/IEC 24791-6 | WD | Radio frequency identification (RFID) for item management -- Software system infrastructure -- Part 6: Security | Not available
ISO/IEC 24730-1 | IS/TR | Automatic identification and data capture techniques -- Real Time Locating Systems (RTLS) -- Part 1: Application programming interface (API) | Under review
ISO/IEC 24730-4 | NWIP | Automatic identification and data capture techniques -- Real Time Locating Systems (RTLS) -- Part 4: Global Locating Systems (GLS) | Under review

Annex D
Privacy Related Standards Activities of ISO/IEC JTC 1/SC 32

ISO/IEC JTC 1/SC 32 develops standards in the area of Data Management and Interchange. The mandate of ISO/IEC JTC 1/SC 32 is to develop ICT-based standards in the field of data management and interchange (including e-commerce). Here, SC 32/WG 1 "e-Business" has a prominent role, because e-Business pertains to any electronic data interchange (EDI) that involves the making of any kind of commitment among Persons (natural or legal). This includes recognition of the "individual" as a particular sub-type of Person having rights that e-Business standards must be able to support. Further, from the outset, legal and regulatory requirements that apply to the making of commitments among participating parties, i.e. as a type of "external constraint", have formed part of the Open-edi Reference Model (ISO/IEC 14662) and are addressed and supported in ISO/IEC 15944 in its Business Transaction Model (BTM).

From a CAC JTC1/SC32 perspective, the vast majority of the legal (and regulatory) requirements of "privacy" are of a data management and interchange nature. SC 32 has identified the following relationships between its activities and Privacy:

  1. WG1 "e-Business" standards are of definite importance in supporting privacy requirements.
  2. WG2 "Metadata" standards do not as such support privacy requirements, but its metadata model and data element attributes likely do contain constructs which may be useful with respect to the management and interchange of "personal information".
  3. WG3 "Database Languages" standards, which focus on Structured Query Language (SQL), do contain a number of features which support some of the privacy requirements.
  4. WG4 "SQL Multimedia and Application Packages" standards work on ISO/IEC 13249-6 re: "Data Mining" and ISO/IEC 13249-7 re: "History" may contain relevant features.

It is noted that, in the development of the multipart ISO/IEC 15944 "e-business" standard, the need to be able to support legal requirements of a privacy/data protection nature has already been fully incorporated (along with public policy requirements of a similar nature pertaining to an "individual" (as a human right) such as consumer protection, individual accessibility, etc). This is because such public policy requirements must be supported in data management and interchange standards which address and support the making and exchange of "commitments" among Persons in their role as individuals, organizations and/or public administrations.

In conclusion, once "privacy" requirements have been identified, CAC JTC1/SC32 will be able to determine (1) which of these are of a "data management and interchange" nature; (2) of these, whether or not its existing standards or standards development work already supports them; and (3) if not, whether or not it should launch a new standards development project in support of these requirements, either as a new standard or as a project division of an existing multipart standard.

Specific activities of SC 32 WG related to Privacy include:

  • Working Group 1 - "e-Business"
    • ISO/IEC 15944-1:2002 Information technology – Business operational view – Part 1: Operational aspects of Open-edi for implementation
    • ISO/IEC FDIS 15944-5:2006 Information technology- Business Operational View- Part 5: Identification and referencing of requirements of jurisdictional domains as sources of external constraints.
    • A JTC1/SC32/WG1 resolution (31 October - 4 November 2006) calls for an analysis by Canada and the UK of the need for a project split in 15944 to create a new Part n: Identification and referencing of Privacy Protection requirements as a source of external constraints (provisional title). This analysis is based on the assumption that 65% or more of this work is already done, i.e. embedded in existing SC32/WG1 standards, that the remaining data management aspects cover another 10-20%, leaving 15-25% of additional work to fill existing gaps from a data interchange perspective.
  • Working Group 2 – Metadata
    • ISO/IEC 11179 (multipart) – Information technology - Metadata registries (MDR)
    • ISO/IEC CD/FCD 19763 (multipart) - Information technology -- Framework for metamodel interoperability
    • ISO/IEC CD/FCD 20944 (multipart) - Information technology -- Metadata Registries Interoperability and Bindings (MDRIB)
  • Working Group 3 - Database Languages
    • ISO/IEC 9075-2:2003 (2nd edition) Information technology -- Database languages -- SQL -- Part 2: Foundation (SQL/Foundation)
  • JTC1/SC32 Study Period "Information SQL Security".

Annex E
Privacy Related Standards Activities of ISO/IEC JTC 1/SC 36

ISO/IEC JTC 1/SC 36 develops ICT standards in the area of Learning, Education & Training. JTC1/SC36 wishes to ensure that its ICT standards are structured so as to support the legal requirements of the jurisdictional domains in which they are to be implemented and used. This is particularly so where such standards are utilized to capture and manage recorded information used in decision-making about individuals. Common legal and regulatory requirements of this nature include those pertaining to individual accessibility, privacy protection, consumer protection, human rights, etc.

Here, in support of "individual accessibility" requirements, JTC1/SC36 is developing a multipart standard, ISO/IEC 24751, titled "Individualized Adaptability and Accessibility in e-Learning, Education and Training / Adaptabilité et accessibilité en e-apprentissage, éducation et formation". The first three parts, which are reaching the FDIS stage, are:

  • Part 1: Framework and reference Model
  • Part 2: "Access for All" Personal needs and Preference for Digital Delivery
  • Part 3: "Access for All" Digital resources.

These three standards, as well as future parts, support privacy/data protection requirements as they apply in this context. Canada fully supports the development of the multipart "Access for All" standard, has resourced the French version of Part 1, is ensuring the development of English/French equivalent terms and definitions for Parts 2 and 3, and will do so for future parts.

Because JTC1/SC36 wishes to ensure that its standards are structured so as to support the legal requirements of the jurisdictional domains in which they are to be implemented and used, it is also investigating the legal requirements of its P-members with respect to the ability to support privacy/data protection requirements. This is because the application and use of the majority of JTC1/SC36 standards involve the role of an individual as "learner". The result is that any recorded information on or about an identifiable individual as a "learner" is subject to applicable privacy/data protection requirements.

Given the importance of ensuring that its standards development projects also support privacy/data protection requirements, where applicable, JTC1/SC36 decided at its September, 2006, Wuhan, China Plenary Meeting to establish an "Ad-Hoc Group on Privacy" and mandate this Ad-Hoc to undertake a Survey on Privacy/Data Protection requirements for Education, Learning and training (LET), a.k.a. "e-Learning" (see document JTC1/SC36 N1436 which is being made available to the Privacy Workshop).

In Canada, the eLearning Standards Advisory Council of Canada (eLSACC), whose major stakeholders are the Ministries of Education, is implementing this JTC1/SC36 Survey on Privacy/Data Protection on behalf of CAC JTC1/SC36. The first phase focused on obtaining responses from Alberta, British Columbia, Ontario and Québec; its results will be made available to the SCC Privacy Workshop. The second phase widens the respondents to include all the members of the Council of Ministers of Education, Canada (CMEC), as well as those federal and provincial ministries with responsibility in the areas of learning and training. This is being coordinated via eLSACC.

Annex F
Privacy Related Standards Activities of ISO/IEC JTC 1/SC 37

ISO/IEC JTC 1/SC 37 develops standards in the area of Biometrics. Privacy related activities are concentrated within Working Group 6. Current activities include:

Project 24714: Technical Reports on "Cross-Jurisdictional and Societal Aspects of Implementation of Biometric Technologies"

Part 1: "Guide to the Accessibility, Privacy and Health and Safety Issues in the deployment of Biometric Systems for Commercial Application"
Development stage: PDTR

The purpose of the TR is to offer guidance on the design and development of systems using biometrics with regards to

  • societal norms and legal requirements in the use of biometric data between different jurisdictions, in particular as regards privacy and personal data protection,
  • usability of biometrics by the widest population of individuals, and health and safety.

Section 4.2.2 of the current draft addresses privacy issues in the context of the jurisdictional requirements arising from the location and nature of biometric deployments. Biometrics are described both in terms of potential privacy risks and as a potential privacy enhancing technology. The privacy risks associated with biometrics include enhanced forms of (possibly covert) identification, possibilities for data linking, activity tracking, application function creep, and the possibility of "spoofing" identities.

A set of privacy principles for biometric deployments is offered in Section 4.2.3. These principles are modeled after the OECD guidelines and include such areas as consent, data limitation, retention policies, and security practices.

The importance of privacy protection for the acceptance of biometric systems is described in Section 4.7.2. Biometric system adopters are encouraged to be as transparent as possible about their biometric systems, including the reasons for use, the personal data that is collected, how it is stored and shared, and any associated risks.

In general, the discussion of privacy in the current draft is limited to the introduction of concepts and issues. Little specific guidance is offered and only limited deployment contexts are considered. Canada submitted comments in April 2006 suggesting specific enhancements, including better references to existing standards documents and terminology, suggestions for specific privacy guidelines based on work done by the Ontario Privacy Commissioner, and a discussion of the trade-offs people are often willing to make between privacy and convenience.

Part 2: "Practical application to specific contexts"
Development Stage: WD

This TR goes beyond the general issues discussed in Part 1 to address specific biometric technologies (e.g., fingerprint, iris, face recognition) and specific deployment contexts (e.g., workplaces).

This document is still in a very early form with many parts containing section titles only. Privacy is not addressed in a specific section of the document, although it is mentioned in some places. For example, with fingerprint technologies, privacy risks can be reduced if the fingerprints (or their templates) are stored in a token belonging to the user (e.g., a smart card). Also, when discussing workplace deployments, privacy requirements and regulations are discussed, including Canada's PIPEDA laws. Again, some privacy principles are offered for workplace usage, including proportionality, use limitation, and necessity.

Canada has submitted two sets of comments related to this activity, and is continuing to work to develop and improve the document.

 


Date modified: 2007-09-14