Tuesday, 15 December 2009

ISTPA Privacy Management Reference Model 2.0 released - for privacy management systems

The International Security, Trust & Privacy Alliance have just (December 2009) released their Privacy Management Reference Model 2.0 (formerly known as the Privacy Framework version 1.1, originally published in May 2002).

What's it about? Privacy laws and regulations still differ across the world, often significantly. It's not easy to comply with all of them - and in fact complying fully with one country's set of requirements may technically require breaching another's! IT systems and services could help in this regard, indeed without using technological means it would probably be impossible for a cross-border business of any size to check that it was properly compliant with data protection and privacy laws. (Although technology is of course not the be all and end all; people, processes and practices matter too.)

So the ITSPA Reference Model, as the paper puts it, is intended to be:

"A framework for resolving privacy policy requirements into operational privacy services and functions" from an information technology viewpoint

or, from the old ISTPA FAQs:

"to provide analytical starting point and basis for developing products and services that support current and evolving privacy regulations and business policies, both international and domestic… As legislative, regulatory and market requirements for privacy protection progress, it is essential that trusted and reliable solutions be developed and deployed that meet those requirements", and the Framework was intended as a "resource for constructing trusted and reliable solutions for privacy protection".

The original aims and their evolution are best summarised by quoting from the preface:

"privacy requirements (typically expressed as fair information practices or privacy principles) provide little insight into how to actually implement them, presenting frustrations for policymakers who expect business systems to manage privacy rules and design challenges for IT architects and solution developers who have few models to guide their work.

The ISTPA Privacy Management Reference Model was developed to aid in the design and implementation of operational privacy management systems. When we vetted the original Reference Model, we confirmed that its 10 privacy Services represented a robust set of operational functions capable of supporting any set of privacy requirements…

Today we see accelerated attention to systemic privacy risk and increased expectations of auditable privacy compliance, stemming not only from legislative and regulatory mandates, but also reflecting the business realities of our information-rich IT environment. Today, increased cross-border information flows, networked information processing, use of federated systems, application outsourcing, social networks, ubiquitous devices and cloud computing bring greater challenges and management complexity to privacy risk management.

To address these issues, the ISTPA has completed a series of studies and in-depth exercises aimed at producing an updated revision of the Reference Model. As a starting point and with the understanding that privacy requirements are expressed in different forms (practices, principles, legislation, regulations, and policies), the ISTPA undertook a research project in 2005-2007, analyzing representative global privacy requirements and testing the Reference Model against those requirements.

The results of this analysis were captured in the ISTPA “Analysis of Privacy Principles: An Operational Study,” published in 2007. Twelve representative international privacy instruments (law, regulations, major statements of privacy principles) were reviewed and core privacy requirements were derived from each instrument. We learned through this process that, while similar words are often used (e.g., notice, consent, etc.), there are significant and subtle differences in their intended meaning and application. Finally, these requirements were grouped together to create a composite set, (shown below in section “Operationally-Focused Privacy Requirements”)…

The findings of this Analysis were then applied to the revision process for the ISTPA Reference Model Services and underlying Functions. As a result of this assessment, we determined that the original Services do provide a robust and comprehensive set of privacy functions to support privacy requirements. Furthermore, this assessment provided a deeper visibility into each Service and its applicability to the nuances of international privacy legislation. This led us to make a number of changes and updates to the Reference Model document.

The ISTPA Privacy Management Reference Model v2.0 is the culmination of this work and has been versioned v2.0 to reflect the fact that the original “framework” has been re-formulated into a “Reference Model” for the implementation of privacy management systems."

The Analysis of Privacy Principles, for anyone who's not come across the report yet, looked at a broad spectrum of instruments and legislation from across the world including the OECD Privacy Guidelines, the EU Data Protection Directive, various US laws & regulations and the APEC Privacy Framework. Trying to comply with this patchwork of rules is of course a longstanding difficulty for multinational enterprises. Nevertheless ISTPA has managed to derive requirements from their study of the disparate instruments, tried to reconcile and distil them, and translated them into practical operational requirements - a commendable effort.

I gather from John Sabo of CA (and president of ITSPA), who kindly told me about the release of the new reference model, that the ITSPA site is being worked on currently, so the links to members of ITSPA, FAQs etc are not yet back up. But when it is, for anyone who's not read them yet, it's worth checking out the other documents on the site too.

Adoption of the Reference Model is another matter. It would be good to see it being increasingly used and built on, but that will take time - and, probably, more legislation. But that's the subject of a whole other blog post…

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.