A structure for privacy

Considerations and best practices for implementing a privacy policy in your organization.

by Adriaan Veldhuisen

In Privacy and Freedom (1967), Alan Westin formulated the classic early definition of privacy: "Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how and to what extent information about them is communicated to others."

This definition evolved into The Privacy Act of 1974 (U.S.) in response to concerns about how the creation and use of computerized government databases might affect individuals' privacy rights. From that point, privacy has become a set of "privacy principles and practices," often containing some or all of the following composite requirements:
Notice and awareness
Choice and consent
Access by the subject of the personal information
Information quality and integrity
Update and correction
Enforcement and recourse

Influence of law on privacy
The recently completed "Analysis of Privacy Principles: An Operational Study" published by the International Security, Trust and Privacy Alliance (ISTPA) reviews most of the privacy regulations worldwide. Based on this review, ISTPA derived a set of operationally focused working definitions, taking a practical approach to huge variations in language and the differing placement of many principles/practices in each regulation.

There is value in developing what the ISTPA calls "composite operational definitions" for fair information practice (FIP) principles. The composites incorporate primary operational characteristics of each FIP and can be useful in a number of ways. Foremost, they can provide you with a basis for mapping privacy requirements. The composites do so by establishing categories of requirements for your business processes and systems into which more granular requirements can be placed. Such composites can also be used to clearly link requirements that may fall into more than one category. For example, data quality includes data destruction, which also implicates security and safeguards.

To develop a basis for implementing FIP principles, ISTPA accepted 11 restructured privacy requirements.

Composite requirement: restructured requirement(s)
Notice and Awareness: Openness; Disclosure; Notice
Choice and Consent: Collection Limitations; Use Limitations; Consent; Accountability
Access (by the Subject): Access (and Correction)
Information Quality: Data Quality; Security/Safeguards
Update and Correction: Correction (and Access)
Enforcement and Recourse: Enforcement

11 Restructured privacy requirements
Openness: Availability to individuals of the data collector's or data user's policies and practices relating to its management of personal information, and the means for establishing the existence, nature and purpose of use of personal information held about them.

Disclosure: The release, transfer, provision of access to, use for new purposes, or divulging in any other manner, of information by the entity holding the information only with notice to and consent of the data subject; the data collector's policies must be made known to and observed by third parties receiving the information, and disclosures of sensitive health information must be managed.

Notice: Information regarding an entity's privacy policies and practices including: a definition of the personal information collected, its use (purpose specification), its disclosure to parties within or external to the entity, the practices associated with the maintenance and protection of the information, the options available to the data subject regarding the collector's privacy practices, the changes made to policies or practices, and information provided to the data subject at designated times and under designated circumstances.

Collection limitation: Constraints exercised by the data collector and data user to limit the information collected to the minimum amount necessary to achieve a stated purpose and, when required, demonstrably collected by fair and lawful means.

Use limitation: Controls exercised by the data collector or data user to ensure that personal information will not be used for purposes other than those specified and accepted by the data subject or provided by law, and not maintained longer than necessary for the stated purposes.

ISTPA
Teradata is a founding member of the International Security, Trust and Privacy Alliance (ISTPA). The ISTPA is a non-profit alliance of companies and organizations that designed a Privacy Framework as a proactive tool that is able to support businesses in developing and managing their own privacy policies. For more information on the ISTPA and its recent study, visit www.istpa.org.

Consent: The capability, including support for Sensitive Information, Informed Consent, Change of Use Consent, and Consequences of Consent Denial, provided to data subjects to allow the collection and/or specific uses of some or all of their personal data either through an affirmative process (opt-in) or through an implied process (not choosing to opt-out when this option is provided).

Accountability: Reporting made by the business process and technical systems that implement privacy policies to the individual or entity accountable for ensuring compliance with those policies, with optional linkages to sanctions.

Access and correction: Capability allowing individuals having adequate proof of identity to find out from an entity, or find out and/or to correct, their personal information, at reasonable cost, within reasonable time constraints, and with notice of denial of access and options for challenging denial.

Data quality: Ensures that information collected and used is adequate for purpose, relevant for purpose, not excessive in relation to the purposes for which it is collected and/or further processed, accurate at time of use, and, where necessary, kept up to date, rectified or destroyed.

Security/safeguards: Policies, practices and controls that ensure the confidentiality, availability and integrity of personal information collected, used, maintained, and destroyed; and ensure that personal information will be destroyed or de-identified as required.

Enforcement: Mechanisms to ensure compliance with privacy policies, agreements and legal requirements and to give data subjects a means of filing complaints of compliance violations and having them addressed, including recourse for violations of law, agreements and policies.

Figure 1: ISTPA Privacy Framework
Through a logical configuration of the services in the ISTPA Privacy Framework, with an agent service representing both the data subject and the data requestor, security services are available to all the privacy services.

ISTPA Privacy Framework
Without a common framework for analyzing the privacy issues and options, the policy debate over specific and emotionally charged privacy issues is difficult. The ISTPA Privacy Framework was developed to be a clearly defined and standardized set of operational privacy controls.

Figure 1 shows an example set of the privacy framework services and how they support data subject and data requestor interactions. In this example, the agent service represents a data subject and a data requestor; each representative agent draws upon a set of assurance services (validation, certification, audit and enforcement) to protect agent interactions.

These assurance services provide additional functionality in managing personal information exchanges and processing. Each service works with the other services as needed in support of privacy requirements, independent of underlying platform and technology, giving implementers a reusable set of services to better manage and address privacy legal requirements that are complex and often difficult to interpret.

As an operational set of privacy services, this framework represents a comprehensive translation of legal and regulatory requirements into a set of interoperable services that assists architects, business process engineers and compliance professionals as a foundation to address and manage privacy as it evolves. The FIPs can be overlaid onto this example demonstrating how the legal principles are supported by the privacy services.

Almost every industry uses a data warehouse for sensitive information about consumers or personnel, and such information always falls under regulatory governance. Although FIP principles are often viewed as simple concepts, implementing them is not simple at all: the FIP principles vary widely within and across regulations. To enable more systematic automation of privacy policies, at a minimum, the major requirements of each FIP should be abstracted for use in examining your policies and implementing practices.
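One way to abstract the consent, use-limitation and accountability requirements defined above into an enforceable check is sketched below. This is an added illustration, not code from the article or from the ISTPA framework; the purposes, retention periods and consent modes are constructed sample policy, and the function names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample policy. Use limitation: each stated purpose has a maximum
# retention period. Consent: "opt-in" purposes need an affirmative choice,
# "opt-out" purposes are implied unless the subject declined.
RETENTION = {"marketing": timedelta(days=365), "billing": timedelta(days=7 * 365)}
CONSENT_MODE = {"marketing": "opt-in", "billing": "opt-out"}

@dataclass
class SubjectRecord:
    subject_id: str
    purposes_opted_in: set = field(default_factory=set)
    purposes_opted_out: set = field(default_factory=set)
    collected_on: date = date(2007, 6, 1)  # constructed collection date

@dataclass
class Decision:
    allowed: bool
    reason: str

# Accountability: every decision is reported, not only the refusals.
AUDIT_LOG = []

def consent_given(rec, purpose):
    mode = CONSENT_MODE.get(purpose)
    if mode == "opt-in":
        return purpose in rec.purposes_opted_in
    if mode == "opt-out":
        return purpose not in rec.purposes_opted_out
    return False  # purpose has no consent rule, so no basis for use

def evaluate_use(rec, purpose, on_date):
    """Decide whether rec may be used for purpose on on_date, and log it."""
    if purpose not in RETENTION:
        d = Decision(False, "purpose not specified in policy")
    elif not consent_given(rec, purpose):
        d = Decision(False, "no consent for purpose")
    elif on_date - rec.collected_on > RETENTION[purpose]:
        d = Decision(False, "retention period exceeded")
    else:
        d = Decision(True, "ok")
    AUDIT_LOG.append((rec.subject_id, purpose, on_date.isoformat(), d.allowed, d.reason))
    return d
```

In a warehouse, the same decision would typically be evaluated at the view or access-control layer rather than in application code, but the ordering of the checks (stated purpose, then consent, then retention) carries over unchanged.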

Privacy implementation and best practices

Drivers for implementing privacy controls are compliance, data protection and meeting business objectives. Implementation of controls requires forethought and careful consideration. However, it also requires flexibility to adapt plans and best practices into a customized approach for the data warehouse to be continuously improved for ongoing success. Basic elements of consideration include:

I. Discover the privacy requirements:
  1. Choose and adapt regulatory privacy principles that most apply to your business.
  2. Develop and agree on a comprehensive privacy strategy for your business or division.
  3. Develop a privacy program with clear responsibilities and obtain buy-in from your executives.
II. Develop a privacy program:
  1. Translate your privacy program into published and actionable procedures for stakeholders.
  2. Develop an information classification scheme that will be governed by the privacy program.
  3. Particularly include the online environment in your information classification.
  4. Develop user and operator classification of sensitive information (roles) including partners.
III. Deploy privacy implementation:
  1. Protect your sensitive information with physical, technical and procedural safeguards.
  2. Plan actions and communication before privacy incidents happen, ready to execute.
IV. Audit and maintain for compliance:
  1. Audit internally and prepare for any external audits to which you will be subjected.
  2. Institute control feedback and continuous improvement of your privacy implementation.

Adriaan Veldhuisen is a board member of ISTPA and holds three patents on privacy. He is a Teradata Certified Master and member of Teradata R&D, Product Management Team. He is responsible for setting the development requirements for Privacy and Security in Teradata releases.

Teradata Magazine-June 2007
