By Design: Integrating Privacy into Information Systems
October 2011
Topics: Information Privacy, Information Security Risk Management, Computer Security
In June 2006, the Denver Election Commission revealed that in the course of moving to new offices they lost track of a 500-pound cabinet containing microfilmed voter registration files. A month later, authorities in Hampton, Va., discovered that users of a public computer in a city government building could access taxpayers' Social Security numbers. A month after that, a botched software upgrade exposed the names, birthdates, SSNs, addresses, and phone numbers of 21,000 students on the U.S. Department of Education's student-loan website.
Incidents such as these, by exposing personally identifiable information, can lead to a loss of privacy and even identity theft. So MITRE is using a concept called "Privacy by Design" to help our sponsors design information systems to better avoid privacy incidents.
Right from the Start
For Julie McEwen, one of the founders and leaders of MITRE's privacy community of practice, privacy is more than a matter of designing effective policies and practices. The key is to integrate those policies and practices into information collection systems right from the start, rather than tack on privacy safeguards at the end of the design process.
"We want to make sure our sponsors integrate privacy into their entire systems development process," says McEwen. System designers at MITRE help assess their customer's privacy needs from the very beginning of IT-related programs. "We ask them to determine if the sponsor is collecting or using personally identifiable information and, if so, to sit down with us, the privacy experts, to discuss possible privacy issues."
Privacy experts such as McEwen and her colleagues learned this lesson from the evolution of information security. "Privacy right now is where security was maybe ten, 15 years ago," says McEwen, who began her career as a security professional. "When I first started out, system designers were just starting to pay attention to the need to protect systems from intrusion. At first that need for security was an afterthought. But now it's integral to the design process."
Many people might assume that information security and privacy protection are two ways of saying the same thing: keeping data out of the hands of those who would exploit it. But McEwen explains that there is more to privacy protection than keeping personally identifiable information secure.
"Security is focused on protecting data once you've collected it," she says. "In the privacy world, we're concerned about the collection itself. We want to make sure that agencies only collect the information they need. If you need somebody's name and address, you shouldn't also collect their Social Security number, their income, and their phone number. The more information you collect about individuals, the more risk there is that something could happen to that information.
"We also worry about limiting the use of information to the reason it was collected in the first place. An agency may collect personally identifiable information for a specific use, but then later say, 'You know, we could use this data for something else.' Agencies should not implement new uses of personally identifiable information without first providing notice to the public.
"A third concern is limiting how long data is retained, so agencies don't keep information about individuals longer than they're authorized to. Agencies sometimes assume that they should simply keep information about people for their entire lifetime. But the longer the information hangs around, the more temptation there is to use it in unauthorized ways.
"We want to help sponsors understand what personally identifiable information collections they absolutely need, collect only what they absolutely have to, and retain it for only as long as they absolutely need to. We encourage them to think long and hard about what makes sense for their mission."
Privacy Is a Priority
MITRE's sponsors are eager to take advantage of the expertise of McEwen and other members of MITRE's privacy team. Privacy issues are an especially pressing concern for the Department of Defense, as many DoD systems store personally identifiable information about military personnel and their dependents.
"Because military personnel are often overseas," McEwen says, "if their identity gets stolen, there's no easy way for them to address the problem. It's a distraction for them at a time when it's vital they be focused on their duties."
Privacy is also an obvious concern for MITRE's healthcare sponsors. Medical identity theft is rising along with healthcare costs. "When someone steals a person's identity to get access to health services, the medical information of the thief and the victim can get comingled, causing confusion and medical risk."
Passing the Test
Once a new system is up and running, agencies will conduct security testing to make sure the system meets all the sponsor's security requirements. MITRE is helping sponsors also incorporate privacy testing into their system review process.
McEwen offers some examples of privacy tests. "Say a system is only authorized to collect certain types of personally identifiable information. We would conduct a privacy test that would go in and determine exactly what information is on the system. Then we would look at that and compare it to the list of what the system is supposed to collect."
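The comparison described above, as an added example rather than MITRE's own tooling: it inventories the PII actually present in a SQLite database by content, so an SSN typed into a free-text field is still found, and reports anything outside the authorized list. The table, column names, sample rows and the three US-format detectors are assumptions constructed for illustration.

```python
import re
import sqlite3

# Content detectors for a few PII types (US formats, assumed for this example).
DETECTORS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

def inventory_pii(conn):
    """Return {(table, column): {pii_type, ...}} for PII actually present in the data."""
    found = {}
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for column in columns:
            for (value,) in conn.execute(f'SELECT "{column}" FROM "{table}"'):
                if not isinstance(value, str):
                    continue  # NULLs and numeric values are skipped
                for pii_type, pattern in DETECTORS.items():
                    if pattern.search(value):
                        found.setdefault((table, column), set()).add(pii_type)
    return found

def unauthorized_pii(found, authorized):
    """Compare the inventory with the list of what the system may collect."""
    return {loc: types - authorized
            for loc, types in found.items() if types - authorized}

def build_sample_db():
    """Constructed sample data: a system authorized to collect email only."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE registrants (name TEXT, email TEXT, phone TEXT, notes TEXT)")
    conn.executemany("INSERT INTO registrants VALUES (?, ?, ?, ?)", [
        ("Ana Ruiz", "ana@example.org", "555-867-5309", "called to confirm"),
        ("Bo Chen", "bo@example.org", None, "gave SSN 123-45-6789 by phone"),
    ])
    return conn

if __name__ == "__main__":
    db = build_sample_db()
    findings = unauthorized_pii(inventory_pii(db), authorized={"email"})
    for (table, column), types in sorted(findings.items()):
        print(f"{table}.{column}: unauthorized {sorted(types)}")
```

Pattern matching of this kind finds only well-formatted values; names, addresses and income figures need other checks, such as reviewing the column inventory against the system's documented data elements.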
A Broad View
At any given time, MITRE has around 30 people working full- or part-time on privacy issues. These privacy professionals by necessity have broad career backgrounds.
"Besides having security and systems engineering knowledge," says McEwen, "it's useful to have knowledge of such things as organizational change management. Because much of what we do is to help our sponsors make changes to their culture and their organization to address some of these privacy issues. Strategic planning knowledge is also useful, as we spend a lot of time helping our sponsors consider how privacy issues will affect their interagency relationships and how different systems work together."
McEwen's own job has evolved over the past decade. "At first, we spent our time helping sponsors design and implement their privacy programs. When our sponsors had their programs in place, the focus of our work shifted to using our systems engineering background to help them integrate their privacy policies into their system architectures.
"Now we find ourselves tackling broader policy and strategy issues, helping sponsors think not just about how privacy policies affect their systems, but looking ahead at how they want their systems to shape the privacy policies to come."
by Christopher Lockheardt