Best Practices – Page 3 – Privacy Design®

The Five Safes is a framework for helping make decisions about making effective use of data which is confidential or sensitive. – The Five Safes proposes that data management decisions be considered as solving problems in five ‘dimensions’:

projects (Is this use of the data appropriate?),
people (Can the users be trusted to use it in an appropriate manner?),
settings (Does the access facility limit unauthorised use?),
data (Is there a disclosure risk in the data itself?) and
outputs (Are the statistical results non-disclosive?).

The combination of the controls leads to ‘safe use’.

June 29, 2020

Datenschutz Niedersachsen (LfD): Prozess zur Auswahl angemessener Sicherungsmaßnahmen (ZAWAS)

Process for the selection of Technical and Organisational Measures (TOM)
https://lfd.niedersachsen.de/startseite/technik_und_organisation/orientierungshilfen_und_handlungsempfehlungen/zawas/praxisnahe-hilfe-zum-technisch-organisatorischen-datenschutz-173395.html

June 25, 2020

LDA Bavaria – Cybersicherheit für medizinische Einrichtungen Best-Practice-Prüfkriterien Art. 32 DS-GVO

Security Best Practices in Hospital and Lab environment
https://www.lda.bayern.de/media/best_practice_cybersicherheit_medizin_baylda.pdf

June 23, 2020June 24, 2020

Germany: DSK position paper on email encryption

The DSK is the coordination body of the German Data Protection Authorities.
(published 13-March-2020, in German)

normal risk -> mandatory transport encryption (with specific requirements)
high risk -> qualified transport encryption and end-to-end (S/MIME, OpenPGP) – with specific requirements

https://www.datenschutzkonferenz-online.de/media/oh/20200526_orientierungshilfe_e_mail_verschluesselung.pdf

June 23, 2020June 23, 2020

Are cookie banners indeed compliant with the law? Deciphering EU legal requirements on consent and technical means to verify compliance of cookie banners

https://hal.inria.fr/hal-02875447/document
by Cristiana Santos, Nataliia Bielova and Célestin Matte

includes 22 legal and technical requirements for valid cookie banners!

(e.g. see page 15)

June 18, 2020

GDPRhub – a free and open wiki on GDPR insights across Europe

From their Welcome page:
“In the decisions section we collect summaries of decisions by national DPAs and courts in English. The summaries can be searched by relevant GDPR article, issuing DPA or deciding court. Every day we monitor more than 50 webpages in each Member State. This page currently contains 300+ decisions and the goal is to reach 500+ by the end of 2020. We believe a good overview of national decisions is a key to a pan-European debate on the interpretation of contentious GDPR issues. Get all new decisions delivered right to your mailbox and subscribe to the GDPRtoday newsletter!

In the knowledge section we collect commentaries on GDPR articles, DPA profiles, and 32 GDPR jurisdictions (EU + EEA). In this database you can find anything from the phone number of the Icelandic DPA to a deep dive into each article of the GDPR.”

https://gdprhub.eu/index.php?title=Welcome_to_GDPRhub

May 6, 2020June 17, 2020

Data deletion concepts (Datenlöschkonzepte) – in German

Corresponding SDM-Baustein (in German):
https://www.datenschutz-mv.de/static/DS/Dateien/Datenschutzmodell/Bausteine/SDM-V1.1_60_L%C3%B6schen_V1.0_uagsdmbs_final.pdf

Context on DIN 66398
https://www.datenschutzbeauftragter-info.de/din-norm-66398-die-entwicklung-eines-loeschkonzepts/

Web site on the related German DIN 66398 standard
https://www.din-66398.de/inhalt/index.html

Link to the free preview version
https://www.secorvo.de/publikationen/din-leitlinie-loeschkonzept-hammer-schuler-2012.pdf

Article by the editor
https://www.secorvo.de/publikationen/din-66398-hammer-2016.pdf

Presentation
https://www.dfn-cert.de/dokumente/ds_workshops/Datenschutzkonferenz2017/Folien_Hammer.pdf

Example Vorlage Löschkonzept (googled..)
https://www.sage.com/de-de/-/media/files/sagedotcom/germany/documents/pdf/support-und-service/dsgvo/vorlagen/loeschkonzept_dsgvo.pdf?la=de-de&hash=7F44CEC682912EEBD950F276BA510CFD

December 7, 2019

Spain (AEPD): Cookie guidelines by the DPA in English.

The Spanish guidance is much more relaxed than the ones from UK, France, and Germany – adding to the somewhat different expectations across the EU member states.

https://www.aepd.es/media/guias/guia-cookies-en.pdf

December 7, 2019July 1, 2020

A Day in the Life of an AI project (privacy design and AI phases)

Great presentation that breaks down what needs to be considered from a privacy point of view in the different phases of an AI project.

My hope is to turn these into a “checklist” for new AI experiments that are run on pre-assessed AI platforms. (I’m very interested in comments).

Full slides from DPC19 :

https://iapp.my.salesforce.com/sfc/p/#1a000000HSGV/a/1P000000XeTO/7xOqxD1UampJRpDFr37qKWaLBKb9Ge2ZHgUUFBoiP6g

Phases of an AI project

Scoping
- Problem identification
- Impact of the AI?
- Purpose limitation
- Planning of solution & resources
Identify Data Sources
- Getting access, data transfer
- Compliance requirements for the data
- Data minimization & pseudonymization
Data Pre-Processing
- Exploratory Data Analysis
- Feature selection (data minimization)
- Feature engineering
- Anonymization/pseudonymization
Modeling
- Training, validation, testing
- Does the model generalize well? (Test for bias/variance)
- Support explanation
Deployment
- Re-identification risk: Will the analysis or model be published?
- Explanation to domain experts and/or data subjects
- Incremental learning
- Human-in-the-loop
Request of data subjects
- Rights to get an explanation
- Right to be forgotten

November 18, 2019November 19, 2019

Paper: SAP HANA goes private – From Privacy Research to Privacy Aware Enterprise Analytics

http://www.vldb.org/pvldb/vol12/p1998-kessler.pdf

Category: Best Practices

Five Safes Framework