Thinking small about big data: Privacy considerations for the public sector Shaun Brown Partner, nnovation LLP

Similar documents
A Q&A with the Commissioner: Big Data and Privacy Health Research: Big Data, Health Research Yes! Personal Data No!

Big Data, Not Big Brother: Best Practices for Data Analytics Peter Leonard Gilbert + Tobin Lawyers

HIPAA and Big Data Twenty Third National HIPAA Summit. March 17, 2015 Mitchell W. Granberg, Optum Chief Privacy Officer

Big Data Analytics. Prof. Dr. Lars Schmidt-Thieme

MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY

How To Respond To The Nti'S Request For Comment On Big Data And Privacy

PRIVACY POLICY. comply with the Australian Privacy Principles ("APPs"); ensure that we manage your personal information openly and transparently;

MEMORANDUM. I. Accurate Framing of Communications Privacy Policy Should Acknowledge Full Range of Threats to Consumer Privacy

The CPS incorporates RCPO. CPS Data Protection Policy

Westpac Privacy Policy. Our privacy commitment to you

RAMS Privacy Policy. When you trust us with your personal information, you expect us to protect it and keep it safe.

Privacy & Big Data: Enable Big Data Analytics with Privacy by Design. Datenschutz-Vereinigung von Luxemburg Ronald Koorn DRAFT VERSION 8 March 2014

Policies & Procedures

PRIVACY AND CREDIT REPORTING POLICY

Big Data and Complex Networks Analytics. Timos Sellis, CSIT Kathy Horadam, MGS

Program Overview. CDP is a registered certification designed and administered by Identity Management Institute (IMI).

2016 OCR AUDIT E-BOOK

Clouds on the Horizon Cloud Security in Today s DoD Environment. Bill Musson Security Analyst

DATA PROTECTION POLICY

Credit Reporting Privacy Policy of Baybrick Pty Ltd

ICG PRIVACY POLICY. Developed in compliance with applicable privacy legislation in each relevant ICG operational jurisdiction

Re: Big Data Request for Information

Annex B. The Proposed Amendments AMENDMENTS TO NATIONAL INSTRUMENT MARKETPLACE OPERATION

Report of the Information & Privacy Commissioner/Ontario. Review of the Canadian Institute for Health Information:

Analytics, Big Data, & Threat Intelligence: How Security is Transforming

The De-identification of Personally Identifiable Information

Best Practices for Protecting Individual Privacy in Conducting Survey Research

Legal Insight. Big Data Analytics Under HIPAA. Kevin Coy and Neil W. Hoffman, Ph.D. Applicability of HIPAA

The Top Challenges in Big Data and Analytics

Ann Cavoukian, Ph.D.

DESTINATION MELBOURNE PRIVACY POLICY

Big Data & Analytics. A boon under certain conditions. Dr. Christian Keller General Manager IBM Switzerland IBM Corporation

Industrial Cyber Security Risk Manager. Proactively Monitor, Measure and Manage Industrial Cyber Security Risk

Data Compliance. And. Your Obligations

BITKOM& NIK - Big Data Wo liegen die Chancen für den Mittelstand?

Policy Brief: Protecting Privacy in Cloud-Based Genomic Research

QUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN better health cover shouldn t hurt

Digital Evidence meets the Charter: Peer-to-Peer (P2P) File-Sharing Networks

Predictive Analytics

Personal Information Protection and Electronic Documents Act

Loyalty program assessment: flybuys

FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES

International Journal of Advanced Engineering Research and Applications (IJAERA) ISSN: Vol. 1, Issue 6, October Big Data and Hadoop

Mr President, Ladies and Gentlemen Members of the Court, Mr Advocate. Thank you for inviting the European Data Protection Supervisor today.

YOUTH RECORDS - WHAT ARE THEY - WHO CAN GET THEM - FOR HOW LONG

COMMENTARY Scope & Purpose Definitions I. Education. II. Transparency III. Consumer Control

Privacy Policy Statement

Information Privacy Policy

Buckinghamshire County Council Transport for Buckinghamshire ANPR Code of Practice

Demystifying Big Data Government Agencies & The Big Data Phenomenon

DEMYSTIFYING BIG DATA. What it is, what it isn t, and what it can do for you.

Privacy and Cloud Computing for Australian Government Agencies

When HHS Calls, Will Your Plan Be HIPAA Compliant?

Risk management systems of responsible entities

Privacy Impact Assessment

Transforming Insurance Risk Assessment with Big Data: Choosing the Best Path

Ausgrid Privacy Policy

PRIVACY POLICY. I. Introduction. II. Information We Collect

A New Era Of Analytic

Real-Time Analytics on Large Datasets: Predictive Models for Online Targeted Advertising

Hit ratios are still very low for Security & Privacy coverage: What are companies waiting for?

SURVEILLANCE AND PRIVACY

Commonwealth of Pennsylvania Department of Banking and Securities Bureau of Securities Division of Licensing, Compliance and Examinations

Opportunities with Predictive Analytics. Greg Leflar, Vice President

RSA Adaptive Authentication For ecommerce

SecTor 2009 October 6, Tracy Ann Kosa

WHITE PAPER SPLUNK SOFTWARE AS A SIEM

Industry insight into FCRA-compliance and its benefits to healthcare organizations.

Data Protection Act. Conducting privacy impact assessments code of practice

Align Technology. Data Protection Binding Corporate Rules Controller Policy Align Technology, Inc. All rights reserved.

Generally Accepted Recordkeeping Principles How Does Your Program Measure Up?

Verified Volunteers. A division of SterlingBackcheck. Privacy Policy. Last Updated: November 5, 2014

technical factsheet 176

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:

Transcription:

Thinking small about big data: Privacy considerations for the public sector Shaun Brown Partner, nnovation LLP March 30, 2016

Thinking small about big data: objectives Consider big data as a concept Focus on predictive analytics Emphasize practical over policy Understand the legal landscape (Privacy Act) Key takeaways: Three step analytical framework Practical considerations when using predictive analytics 2

What is big data? The three Vs : High-Volume High-Velocity High-Variety About linking datasets and identifying patterns Fueled by ICTs, cheap storage, applications that create digital exhaust 3

What is big data? A problem to be solved: a term for data sets that are so large or complex that traditional data processing applications are inadequate. Challenges include analysis, capture, data curation, search, sharing, storage, transfer, visualization, querying and information privacy (Wikipedia) 4

What is big data? (Business) Opportunity: information assets that demand cost-effective, innovative forms of information processing that enable enhanced insight, decision making, and process automation. (Gartner) 5

What is big data? Our worst nightmare? Systematic discrimination Loss of autonomy Rise of the machines Difficult policy issues about regulation of technology 6

Predictive Analytics Predictive Analytics: thinking a bit smaller statistical techniques from predictive modeling, machine learning, and data mining that analyze current and historical facts to make predictions about future or otherwise unknown events (Wikipedia) 7

Predictive Analytics It is already everywhere: Credit scoring Online behavioural advertising (OBA) Recommendation engines (e.g., Amazon, Netflix) Human resources: employability and retention Crime prevention and anti-terrorism: predict when and where crime is likely to happen. 8

Legal landscape: Privacy Act Applies to the collection, use and disclosure of Personal Information (PI) by federal government institutions (departments, ministries, parent Crown Corporations) PI very broadly defined: Information about an identifiable individual in any form Information will be about an identifiable individual where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other available information. (Gordon v. Canada, Federal Court) Includes things such as internet protocol address 9

Legal landscape: Privacy Act Authority: Can only collect PI if it relates directly to an operating program or activity Contrast to private sector which relies on consent & reasonableness Identify Purposes: individuals must be informed of purpose for collection (some exceptions) 10

Legal landscape: Privacy Act Additional requirements where PI used for an Administrative Purpose : Decision making process that directly affects an individual Direct Collection: PI collected for administrative purpose must be collected directly from individual (some exceptions) Retention: PI used for administrative purpose must be retained long enough for individual to access (minimum 2 years) Accuracy: Must take reasonable steps to ensure PI used for administrative purpose is as accurate and up-to-date as possible 11

Legal landscape: Privacy Act PI can only be used for the purpose for which it was collected or a consistent purpose (some exceptions) PI can only be disclosed with consent (some exceptions) Access Requirements: PI and non-pi is subject to access under Privacy Act and Access to Information Act, respectively 12

Understanding PA: three step framework 1. Collect Data 13 3. Apply Models to Individuals 2. Analyze and Develop Models Highly simplified understanding of most common applications Applies to public sector orgs. looking to apply predictive analytics to a database of individuals Case study: Beware Threat Rating System used by Law Enforcement Agencies (LEAs)

Step 1: Data Collection What is feeding the machine? Remember the three Vs (volume, velocity and variety) Are predictive models based on data collected in the past (or from other sources)? e.g., credit scoring systems Is your data feeding the machine? If so: Who has access to data? Is it being used by the vendor? Other customers of the vendor? Remember restrictions on disclosure of PI Data should be rendered so it is not PI (e.g., de-identified) whenever possible 14

Step 1: Data Collection Beware Crawls billions of records in commercial and public databases Social media and other internet chatter Court documents (for records of criminal convictions)? Data provided by LEAs? 15

Step 2: Analyze Data and Develop Models Have models already been created? Is your PI being used to develop models? If so: Are the research questions and goals clearly defined? Openended exploratory research involving PI should be avoided Is research for or consistent with purpose for which PI was originally collected? 16

Step 2: Analyze Data and Develop Models Beware: Threat rating system uses proprietary algorithm to predict threat based on available information Threat rating formula not publicly disclosed Presumably cross-references incidents of criminal behaviour with various other information about an individual Feedback from LEAs would be helpful in validating and improving models 17

Step 3: Apply Predictive Models Individuals are scored, rated, categorized and treated accordingly Involves collection and use of PI about an individual Need PI to feed the model The score is new PI that is created 18

Step 3: Apply Predictive Models Beware: LEA enters name, address and/or cell no. of individual into app (on computer or mobile device) Beware analyzes all available data about that individual Applies model to give a threat rating Do ratings already exist? Created in real-time? 19

Step 3: Impact on individuals Does it result in or contribute to an administrative decision? If so, how can we verify accuracy? Is information retained long enough (2 years)? Does the outcome become part of a permanent record? Who might see this in the future? Does it discriminate, either directly or indirectly? Is the final decision made by a human (e.g., model is merely for filtering purposes)? 20

Summary and Practical Considerations The Privacy Act imposes few restrictions on which applications can be used Predictive Analytics require information about real people: is your data being used? De-identification is crucial Predictive Analytics is much more than a data collection issue: can result in uses, disclosures, and administrative decisions 21

Summary and Practical Considerations Predictive Analytics can be complex: you need to understand what is happening and the privacy impacts Do not be afraid to push back on vendors for more information How will the public be informed? Privacy Impact Assessments are essential: Identify and mitigate privacy-related risks Documenting business processes data flows About more than just privacy: Must consider human rights issues (s. 15 of the Charter right to equal treatment without discrimination) Sometimes it can be just plain creepy (Target) 22

Resources Tene, Polonetsky, Judged by the Tin Man: Individual Rights in the Age of Big Data, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2311040 TBS Standard on Privacy and Web Analytics: http://www.tbssct.gc.ca/pol/doc-eng.aspx?id=26761 Privacy Commissioner Policy Position on OBA: https://www.priv.gc.ca/information/guide/2012/bg_ba_1206_e.asp Cavoukian & El Emam, De-identification Protocols: Essential for Protecting Privacy, Jun. 25, 2014: https://www.ipc.on.ca/images/resources/pbd-deidentifcation_essential.pdf Beware: https://www.west.com/safety-services/publicsafety/powerdata/beware/# 23

About nnovation LLP Ottawa-based, boutique firm that specializes in regulatory matters, including privacy, access to information, advertising, and competition law Our clients include many government institutions at the federal and provincial levels, in addition to private sector companies, not-for-profit entities and industry associations We regularly provide a variety of services to public sector clients, either as consultants or legal counsel, including: Privacy Impact Assessments (over 150 completed) Privacy Management Frameworks Legal opinions Draft outsourcing agreements Advise on and assist with specific privacy and access to information-related matters on an as-needed basis 24

Shaun Brown sbrown@nnovation.com 613-656-1297

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information