PET and adequate protection: what is this all about?

The first article of this series described the legal situation around the world and also introduced the different categories of privacy-related data elements that need special protection. Very often these data elements are called PII, which stands for Personally Identifiable Information. The exact meaning of PII is usually defined by local law and can (unsurprisingly) vary by country.

Privacy-related data should be protected by the strongest means possible, in the sense that it is protected according to its sensitivity. It is important to note that in most privacy legislation 'sensitive data' and 'personal data' have specific and different meanings. There is an obligation to protect personal data even when it is not sensitive personal data. Whenever the topic of protecting PII comes up, the term “adequate protection” gets used sooner or later. But what does this mean, and what is adequate?

Adequate protection is not a series of compliance check boxes that you can tick off easily and be done. To define “adequate”, a well-defined process is needed. What is adequate for one data element may not be adequate for another piece of PII. There are a couple of issues that go along with the process of defining adequate protection. NIST has prepared a special list for their agencies explaining the risks they see. This list is public and can be reached at http://csrc.nist.gov/pcig/document/Common-Risks-Impeding-Adequate-Protection-Govt-Info.pdf

However adequate protection is defined, in the end the goal is to show clearly how to protect sensitive information. Today the term PET is used for information technologies that allow the customer to reach this goal of protection. PET stands for Privacy Enhancing Technologies. There are a variety of definitions of PET, and I only want to mention a few of them.

  • ICO UK: …that exists to protect or enhance an individual's privacy, including facilitating individual's access to their rights under the Data Protection Act 1998
  • EU IC: …help to design systems in a way that minimizes the collection and use of personal data and facilitates compliance with data protection rules…
  • IPC Canada: …preventing the unnecessary or unlawful collection, use and disclosure of personal data, or by offering tools to enhance the individual control over her/his personal data…
  • OECD: …ranging from tools that provide anonymity to those that allow a user to choose if, when and under what circumstances personal information is disclosed…

In short, a PET should technically secure PII in such a way that a change in local legislation cannot undermine the original intentions for using and protecting the personal data. PET stands for a range of different technologies to protect personal data within information systems. They provide many functions, including:

  •   preventing unauthorized access to communications and stored files
  •   automating the retrieval of information about data collectors' privacy practices and automating users' decision making on the basis of these practices
  •   automating audits of data collectors' privacy practices; filtering unwanted messages
  •   preventing automated data capture through cookies, HTTP headers, web bugs, spyware, etc.
  •   preventing communications from being linked to a specific individual
  •   facilitating transactions that reveal minimal personal information

PETs can be anything from encryption to anonymization tools, cookie blockers, P3P technology for privacy policies, and so on. There is an entire PET symposium that runs every year. Much of this technology is reviewed by universities and privacy think tanks as well as government agencies.

Europe’s Information Society (Thematic Portal) offers a dedicated portal where you can keep track of what is going on in this space. You can reach the portal via:
http://ec.europa.eu/information_society/activities/privtech/index_en.htm

KPMG also produced, some time ago, a document for the Dutch parliament about their view of PET. This document is available online and can be found at: http://www.dutchdpa.nl/downloads_overig/PET_whitebook.pdf?refer=true

Even though PET has been out there for some time already, it is still far from being a clear and easy-to-understand standard. The PETs of the early years are all point solutions and are all very user-centric. There is no big service provider out there which I’m aware of offering PET services today. Academia and industry are still actively involved in research in this space.

Current PET architectural models are trying to combine the user-centric approach with a service provider solution. The future will classify, select and protect sensitive information and not necessarily anonymise it anymore. Growing technologies like “Cloud”-based services will support this trend. The whole PET approach is maturing, and approaches such as P3P (http://www.w3.org/P3P/) demonstrate the positive trend.

One question that is open for me at the moment, and about which I’m not really sure, concerns the financials. From all that I have seen so far, I’m not convinced that there is a real business case for PET technologies. It goes without saying that we need to do everything possible to protect our sensitive information, but without an incentive and in days of a tough economic climate I wouldn’t be surprised if …

As in many areas of security, the real issue of privacy is only partly a technology one. Most of the issues I have seen so far were about people, and there mostly about education and processes. The lack of universal standards and the absence of certifications sometimes make it even harder to do the right thing.

In the next article I will focus on the possible consequences when a breach occurs. I will then also talk about the new tendency to enforce penalties and the impact that may have on your job as a CISO. Stay tuned. As usual, feel free to send us feedback and comments, either directly on the blog or via mail at

-Andreas


Responses

Re: PET and adequate protection what is this all about?

Excellent write-up, Andreas. The point about technology only being a part of the problem is wonderful.
