Ministry of the Interior and Kingdom Relations, the Netherlands Privacy-Enhancing Technologies White Paper for Decision-Makers December 2004 White Paper Privacy-Enhancing Technologies Privacy-Enhancing Technologies White Paper for Decision-Makers Written for the Dutch Ministry of the Interior and Kingdom Relations Directorate of Public Sector Innovation and Information Policy (DIIOS) Authors: KPMG Information Risk Management · drs. ing. Ronald Koorn RE (editor) · Drs. Herman van Gils RE RA · Drs. Joris ter Hart · Dr. ir. Paul Overbeek · Drs. Raśl Tellegen In collaboration with John Borking White Paper Privacy-Enhancing Technologies Contents Table of Contents 1 Management summary 1 2 Why PET? 5 2.1 PET as a means for data processing that would otherwise be impossible 5 2.2 Technical realisation of legal requirements 6 2.3 Privacy-Enhancing Technologies 8 2.4 What do I get from PET? 10 2.5 Why now? 12 3 Application in information systems 15 3.1 Decision factors when selecting a PET option 15 3.2 Information system classification 17 4 PET options 21 4.1 General PET controls 21 4.2 Separation of data 25 4.3 Privacy management systems 29 4.4 Anonymisation 31 4.5 The PET staircase 33 4.6 Connection of PET options to the information system structure 34 4.7 Points of attention 35 5 The business case for PET 38 5.1 Desirability of PET 38 5.2 Business case elements 39 5.3 How do I arrive at a positive business case? 44 6 Organisational and legal aspects 46 6.1 Management awareness and commitment 46 6.2 PET as part of the management cycle 46 6.3 The wicked triangle 48 6.4 PET strategies 48 6.5 The normative face of PET 50 6.6 Review and supervision 51 7 PET plan 52 7.1 PET as design choice 52 7.2 PET in existing systems 53 7.3 The phases 55 8 Actions 63 White Paper Privacy-Enhancing Technologies A Bibliography 65 A.1 PET in general 65 A.2 PET case studies 65 A.3 PET in depth 65 A.4 Websites 65 B PET technologies 66 C List of definitions 67 D Case Studies included with PET application 71 1 White Paper Privacy-Enhancing Technologies 1 Management summary This White Paper on Privacy-Enhancing Technologies (PET) is written as a stimulus to apply PET for the secure processing of personal data. PET is the common name for a range of different technologies to protect sensitive personal data within information systems. PET offers the following advantages: PET enables processes that would otherwise be impossible; Privacy controls incorporated in information systems can be more effective and efficient than organisational procedures and manual actions. Processes can therefore be optimised by the application of PET; Utilisation of PET signals trustworthiness, and creates public confidence in the processing of their personal data in government information systems; The costs associated with the application of PET technology in information systems can be minimised when privacy aspects are already taken into account during the design phase of the system. Both the quantitative and the qualitative benefits of PET are considerable, for the organisations involved, for the public and for society in general. Is PET suitable for all types of public service information systems? Provision of public services is unthinkable without far-reaching computerisation, both within and between organisations (information supply chain). Clearly, more and more key registers are connected via back-office systems ­ whether or not accessible via a single front-office ­ to enhance customer-centric services, to reduce fraud and to improve the quality of personal data. PET is a suitable tool for achieving advanced types of information exchange within privacy constraints. There appear to be PET solutions for all types of information systems. The different PET types discussed in this White Paper are: centralised database, connected back-offices, clearinghouse, information supply chains and local databases. We note that not all PET options are suitable for all types of systems. PET can be applied within all types of information systems. Which PET options can be applied? Encryption and logical access security controls are two familiar and widely used basic PET options. In the context of logical access controls, adequate management of uniquely identifying personal data and the corresponding authorisation data are particularly important. 2 White Paper Privacy-Enhancing Technologies An important PET technique concerns the separation of data in several domains. One domain contains the identifying personal data and another the other personal data. As a result, for example financial, legal or medical information is then contained in one or more domains ­ separate from the domain containing information on the person's identity. The data contained in each separate domain is not sensitive as it cannot be attributed to a single natural person. In this PET option, software is used to ensure that only authorised system users are able to link data from the different information domains. A different form of data separation is the introduction of a system function that only verifies the information detail that is stored in the database, but does not release the information. For example, the function only responds positively or negatively to a prompt. A higher degree of integration of data and software is achieved by a PET option in which the personal data can only be accessed via specific software ­ the so-called privacy management system. This software enforces the privacy regulations which apply to the information system. An immediate check is performed on each data element and every system function to ensure whether a specific action complies with the privacy regulations. The ultimate PET option concerns the anonymisation of personal data. This involves software that does not register the identifying personal data at all, or destroys it as soon as the data is no longer required ­ preferably immediately after collection and verification. Ideally, personal data is not stored at all. This is the maximum form of personal data protection, thus instantly complying with legal data protection requirements. Of course, it is not always possible to apply anonymisation; in situations where registration of personal data is essential, one of the aforementioned PET options would be better suited. The figure below illustrates the PET "staircase" indicating that the effectiveness of the protection of personal data depends on the type of PET applied. The suitability of the different PET options primarily depends on the characteristics of the information system, the required level of protection and the sensitivity of the personal data concerned. Figure 1: PET staircase All PET options have successfully been applied in operational systems. 3 White Paper Privacy-Enhancing Technologies What are the costs and benefits of PET? Three important aspects need to be considered in order to ascertain whether there is a positive business case in your organisation for applying PET: the one-off and on-going costs associated with the use of PET; cost reduction and quality improvement; the contribution to the business and system objectives. In most projects, the costs of the PET application represent only a minor percentage of the overall budget and can therefore be recovered rapidly. How can PET be applied? An important lesson learnt from earlier PET projects is that already in the initial project stages one should consider the necessity for storing personal data, the method of data protection and the corresponding costs and benefits. This ensures that data protection is taken into account as one of the system requirements and thus naturally included in the development and implementation process. Different privacy considerations can be addressed, of which the three most important ones are: prevention against identification; protection against unlawful processing of personal data; the application of specific technologies to enhance privacy. The later addition of PET to an information system is certainly possible, given some experiences in practice, but sometimes it can have further-reaching consequences for the information system. As a rule, this particularly applies to the advanced PET options and controls. PET requirements should ideally be included at the start of a project or, in case of a major system modification, in the specification and design phase. Privacy by design is an important basis for the successful application of PET. Are there any organisational implications? With PET the safeguards for data protection are embedded in the system design, and therefore the requirements for organisational safeguards and accountability are easier to fulfil. PET has to claim its place in the product lifecycle management of information systems. This implies that, in addition to the design and implementation, attention should also be focused on privacy-related aspects, such as privacy governance, risk analysis, testing and maintaining PET controls. 4 White Paper Privacy-Enhancing Technologies An essential prerequisite for successfully implementing PET in an information system and in an organisation is that process owners, policy advisors, Privacy Officers and project managers will take PET into account as early as the initiation phase of each project. To summarise: PET is more than simply a means of protecting personal data: PET is attractive! PET enhances the quality of information. The dependence on proper compliance of processes and procedures is reduced by the automatic enforcement of privacy regulations. The application of PET can offer the public better insight into and control over their personal data. PET is imperative! PET simplifies compliance with data protection legislation. PET provides the conditions for public confidence. PET enables working with sensitive personal data in new ways. PET is possible! PET has been successfully implemented on numerous occasions, which is illustrated in this White Paper. PET has only a limited effect on the cost of developing new information systems, since the technologies are available and only need to be applied. The `cost' mainly involves thinking and designing. Implementing PET in your information architecture enables the efficient application of PET in different information systems. Figure 2: Reasons for using PET 5 White Paper Privacy-Enhancing Technologies 2 Why PET? This section focuses on the reasons for applying PET right away, and is divided into the following paragraphs: PET as an opportunity for data processing which would otherwise be impossible (§ 2.1); Technical realisation of legal requirements (§ 2.2); Privacy-Enhancing Technologies (§ 2.3); What do I get from PET? (§ 2.4); Why now? (§ 2.5). 2.1 PET as a means for data processing that would otherwise be impossible Everything points in the irreversible direction of more, more efficient and user-friendly public service provision. Examples include the `one-to-one' approach in marketing and the `collect once, use many times' approach practiced in government organisations, agencies and independent governing bodies. Various proposals have so far been formulated in different policy documents and programmes, such as Streamlining Key Data, Citizen and Business Service Numbers, Government Transaction Port, National Public Key Infrastructure for digital signatures and Electronic Government for Municipalities. Soon, it will no longer be possible to continue along the old lines of data processing without streamlining, integration and coordination with other government departments. Efficiency improvement and cost control will soon become important driving forces for renewal. The government has to be prepared for this. Since maintaining a high level of public confidence in the government is the key to the success of new initiatives, such as chain computerisation and e-government, a number of essential precautionary controls are essential. After all, confidence enables communication and cooperation with one another. In our tangible world, we have gradually learned, which signals inspire confidence. Often, it is a question of non-verbal body language. There are no tangible signals in the virtual world. Protecting the public's personal data is an absolutely vital cornerstone of the policy aimed at achieving and maintaining public confidence in the government. Without that confidence, resistance to efficient and individually tailored services will grow and services will be approached with suspicion. Frequently Asked Question (FAQ) 1: Does data protection have a stifling effect? Organisations often experience data protection as something stifling. The reason for this is that the practical implications of personal data protection are only taken into consideration at a late stage. It then appears extremely inconvenient and inefficient to still implement PET controls at that point or even afterwards. If data protection is considered early on in a project and is included as part of the system design, it goes hand-in-hand with the functionality of the information system without any one aspect having to make concessions to another. 6 White Paper Privacy-Enhancing Technologies The ever-increasing technological possibilities mean that more and more data will be collected and stored, including detailed personal data. In most cases, data registration has a direct link with the primary process that has to be performed; however, sometimes it has a different or no clear objective at all. For instance, the amount of information people are required to fill in on the Internet if they simply want to download a document. Sometimes, name and address have to be provided, as well as additional information, such as profession or employer. Yet, this information is not required for downloading the document, but is used to create a profile of the website visitor. The government also frequently registers personal data; indeed, not with the aim of developing commercial marketing activities, but of providing a better service to the public, or simply out of habit. Especially with the rise of e- government and the reduction of the administrative burden, there is an increasing tendency to collect data electronically, whereby it is possible to obtain a particular profile of people. Studies into the protection of personal data reveal that there are potentially many unintentional risks of privacy being infringed. The easiest way around this is to compile and process only the data that are strictly necessary for the purpose for which they have to be processed; no more, and no less. Personal data protection, therefore, is in our own interest. Domestic and international directives and legislation have been enacted in order to protect personal data, of which the European Directive on Data Protection (95/46/EU) is the most important in the context of data protection. This Directive took effect across the entire EU on 24 October 1998. It means that virtually every organisation has to satisfy the relevant statutory privacy requirements1 . Experience shows that full compliance is no simple task as it affects large parts of most organisations. 2.2 Technical realisation of legal requirements At present, data protection is very much centred around the legal and administrative areas, with management having to spend a lot of time on the (policy) development and monitoring. Under a lot of pressure already, management can better devote this time to other activities. Suppose that the protection of personal data could be automated more than has been the case so far: this would free-up time for the primary processes for which you are responsible. Plus, it would better enforce personal data protection. Is it possible? During the passage of the Personal Data Protection Act through the Dutch Parliament, it became clear that Information and communication Technology (IT) could play a significant role in guaranteeing the protection of personal data of citizens. Besides organisational controls such as separation of duties and data handling procedures, technology can also be deployed to protect personal data. The term `Privacy-Enhancing Technologies' (PET) is used to define all the technical controls that can be used to protect personal data (see list of definitions in Appendix C for a definition of the PET concept). This concept also includes the design of the information systems architecture. PET increases the public's confidence, and makes it possible for the government to apply new technology to expand and improve public services. 1 To be absolutely clear: the Data Protection Directive defines personal data as `every fact concerning an identified or identifiable natural person.' 7 White Paper Privacy-Enhancing Technologies FAQ 2: Is PET a topic for the IT organisation? No. First of all, PET requires a policy on personal data protection; after the appropriate PET option has been selected, it is a question of correct implementation. The PET option is usually supplemented with organisational and procedural controls, such that the privacy risks are properly covered. IT staff can provide an indication of the available technical possibilities and can further design, develop and implement these after a business decision has been made. It is not essential to aim for a 100% PET solution; the crux of the matter is to protect personal data effectively and efficiently. The Personal Data Protection Act defines the rights and duties of all the relevant organisations and people with respect to the processing of personal data. `Processing' includes the entire lifecycle from collection and storage through to destruction. The Personal Data Protection Act also defines a number of basic privacy principles. The relevant principles are described in Figure 3. Figure 3: The essential principles of privacy The principles of privacy listed in the figure above provide the necessary guarantees for protecting personal data. Everyone processing personal data has to bear these principles in mind and comply with the Personal Data Protection Act. However, it is not the only reason for respecting the privacy of people's personal information. Society also expects that personal data will be protected. In this context, the government has an exemplary role in complying with the legislation it has introduced itself. 1. Transparency Prior to the first registration of data, the person concerned must be informed about the organisation's identity and the reason for processing the data in order to consent to that processing. 2. Justification The collected personal data are only processed if the purpose for which they were collected can be justified and if the data will not be further processed in any manner incompatible with that purpose. 3. Legitimate ground The Personal Data Protection Act restricts the instances in which personal data may be processed. The processing of sensitive data (religion, race, health, sex life, trade union membership, etc.) is unlawful unless specific conditions have been satisfied. 4. Quality For the purpose for which they are intended, personal data should be relevant, not excessive but proportional to the processing purposes, adequate, accurate and not kept longer than necessary. 5. Rights of the individual The individual concerned (data subject) has the right of access, rectification, erasure, blocking and objection to processing of his or her personal data. 6. Security The responsible party must take the necessary technical and organisational precautions to safeguard personal data from loss or against any form of unlawful processing. 7. Transfer to non-EU countries The transfer of personal data to countries outside the EU is not permitted unless similar, `adequate' privacy rules apply. 8 White Paper Privacy-Enhancing Technologies 2.3 Privacy-Enhancing Technologies From a functional perspective, it is not difficult to implement PET. With the aid of PET, it is possible to protect information about a person, such as identity and personal details. PET comprises all the technological controls for guaranteeing privacy. For instance, PET can be used to detach identification details from the other data stored about the person. The link between the identification details and the other personal details can only be restored with the use of specific tooling. Another option offered by PET is to prevent the registration of personal details altogether, for instance, once the identity has been verified. Software can also be used to enforce the condition that personal data are always disclosed to third parties in compliance with the prevailing privacy policies. The different PET options are further elaborated in section 4. The following case study describes an example of a type of PET applied in the Higher Educations sector2 . Case study 1: Higher Education Clearinghouse The Higher Education Virtual Clearinghouse (named StudieLink) will service the data exchange within the higher education sector. The higher education and research partnership organisation, SURF, developed StudieLink, with the student number and another sector number being used as a unique identifier for students. The aim of StudieLink is to bring about a simple IT infrastructure, shared data definitions and streamlining of the data exchange. Thus, it is possible to realise improved and faster data exchange and ease the administrative burden. This means that administrative data can be efficiently exchanged between educational institutes, the student grants organisation, the Dutch Statistics Bureau, the Ministry of Education, Culture and Science and others. PET application restrict the use of the student number that, in most cases, is identical to the tax and social security number, to the legally prescribed exchange between StudieLink (on behalf of the relevant institute) and the student grants organisation. As soon as a student enters higher education, StudieLink assigns a new sector identification number. The sector number is further used within the institute and by StudieLink. It is therefore not possible to use the student number in all kinds of administrative processes. The connection between the student number and the sector identification number is stored in a secure table; directly verify entered data via a secure connection with the local authorities administration system to ensure reliable data registration; 2 This White Paper includes several case studies to illustrate the possible applications of PET. In view of the fact that the first applications of PET were in the healthcare sector, there are more case studies from this sector than from other sectors. However, the case studies from the healthcare sector illustrate PET applications that can also be used, or already have been used, in other sectors. 9 White Paper Privacy-Enhancing Technologies apply standard and formal agreements concerning personal data processing and the protection of identifying numbers within educational institutes; use authentication on the basis of knowledge (personal data, student number) and ownership (code forwarded by mail), supplemented with other means, if applicable (e.g. bank card); divide data into three domains: student data, institutional data and grants administrative data. These domains also determine the ownership and the protection of the data (role- based access control); let students access and change their own personal data online. Benefits Such a clearinghouse can hardly function reliably and securely without the use of PET. The PET controls increase transparency and the quality of the data, and combat fraud with diplomas and study results. In addition to the deployment of PET, it is also essential that everyone involved in data processing recognise the importance of data protection. The organisation must realise that having more personal data is not necessarily always better. Before applying PET, it is recommended to first analyse which personal data are essential for providing the service. Data minimisation is an important principle. The advantage of this principle is that personal data that are not collected and stored logically eliminate the need to be protected. Prevention is better than cure. Another advantage is that personal data that are not stored do not need to be managed. This reduces the management and maintenance effort. The organisation's awareness of data protection and the appropriate technological controls precedes the development and implementation of PET. Taking the time to properly consider PET improves the application of PET. PET is an aspect of dealing with personal data protection in a more effective and efficient manner. Even if PET is not strictly required from a legal perspective, the organisation can benefit from it. The introduction of PET requires critical thinking about personal data and its protection. This approach already enhances the integrity and confidentiality of the data. PET is therefore also a tool for ensuring the `hygiene' of your information system and improving the quality of the information. The use of PET enhances the hygiene of your information systems. 10 White Paper Privacy-Enhancing Technologies 2.4 What do I get from PET? In the previous paragraph, we demonstrated that you can use PET to guarantee the protection of people's personal data. The use of PET can also enable your organisation to better prevent and manage the risks of personal data security being breached. Of course, there are also `ordinary' privacy solutions, but they are often highly dependent on organisational and procedural controls. This means that personal data protection is only as strong as the weakest link. Numerous security and privacy audits have revealed that people often forget to apply and continue to apply the prevailing security controls consistently, or are negligent in doing so. General information security controls do not always function, leading to privacy risks. People erect thick and expensive walls around data; however, they do not prevent personal data from leaking without organisational compliance with policies and procedures. It does not exclude the risk of unauthorised access to personal data, with all the ensuing consequences. PET can help an organisation to implement technological controls at the source, for instance a key register, and to limit the identification details to an absolute minimum. Where it is not required, identification information is not stored or it is detached from the other personal data. Case study 2: National Central Medication Registration The National Central Medication Registration (LCMR system) run by Prismant and IVZ is an information system that supports healthcare workers in supplying the correct dose of prescription medication to people with a drug addiction (for example, methadone). The secondary objectives of the commissioning authorities, the Dutch Ministry of Public Health, Welfare & Sport and the Ministry of Justice, include preventing theft and incorrect use of addictive substances, as well as making policy-supporting information available. The central LCMR system is fed with information about the patients, their medication and healthcare provided from the different local registration systems. PET application The following PET controls have been implemented in the LCMR system: minimise data stored centrally; limiting it to a centrally maintained reference index; restrict access to personal and medical information to authorised healthcare workers by means of biometrically protected smart cards and a sophisticated and granular authorisation structure. The preferred biometric type is the use of fingerprints, with four finger scans being made of each person. Thanks to the technique chosen, it is no longer possible to make a visual fingerprint of the finger scans; 11 White Paper Privacy-Enhancing Technologies register prescriptions on the patient's smart card, thus enabling them to obtain their medication at their chosen chemist; anonymise the data for research purposes and for the adjustment of medicinal prescriptions. Benefits Through the use of the PET application, the LCMR system offers solid guarantees concerning the identity of the patient receiving the medication and of the healthcare worker using sensitive personal data. Moreover, up-to-date information can be obtained at any given time instead of only during the opening hours of the healthcare institution. Furthermore, the smart card enables patient mobility. The biggest advantages of a structural application of PET in information systems include: Thanks to PET, certain types of personal data processing are allowed that would have been impossible or unlawful without PET. Without the use of PET, the personal data protection would have been inadequate, and the processing would breach the Personal Data Protection Act. The use of PET creates a positive image, as a result of which both your staff and your clients can be confident that your organisation treats personal data with due care. Privacy certification can further enhance that confidence. And the advantage is that the government can perform its duties and tasks with the greatest efficiency and effectiveness. The application of PET, together with the data minimisation principle, raises the quality of the information. This is because fewer data are processed than normal, and users only have access to information they require. In turn, it reduces the chances of personal data becoming corrupted in your organisation. Generally, the management and maintenance effort also diminishes as personal data are not processed or are processed with more care. You can spend less effort thinking about the protection of personal data. At the moment you stop collecting personal data, you no longer need to ask yourself continually whether you comply with the Personal Data Protection Act3 . The advantage is that you are not required to implement various procedural controls and do not run the risk of fines or sanctions by the Personal Data Protection Authority. In instances where you have to process personal data, the process can be made `privacy-proof'. PET not only ensures the protection of personal data, it also provides the tools that are required if a person wishes to gain better insight into the data kept on him or her. This in turn, improves the quality of the stored data. It is an important privacy principle and is in keeping with the desired transparency. 3 This depends on the location of the PET solution in the information system. This will be discussed in more detail in section 4. 12 White Paper Privacy-Enhancing Technologies FAQ 3: Is PET too expensive for my organisation? No. There are different types of PET that can be used, each with its own cost level. It is important to ensure whether the costs associated with the solution are in proportion to the risks. Even simple, but effective PET controls can substantially improve the data protection at limited costs. In section 5, we describe how you can prepare a business case for a specific PET option, looking at both qualitative and quantitative aspects. 2.5 Why now? In times of cutbacks and in the context of the reduction of the administrative burden, the government is looking for ways to provide services as efficiently as possible. This is reflected, for instance, in the `collect once, use many times' concept around key registers, such as the registers of natural persons, benefit claimants or students. The government is also digitising its services to a considerable extent, and more and more electronic registers are being deployed. Figure 4 contains an excerpt from the 2003 Dutch Queen's speech at the opening of the parliamentary year, showing that key registers and electronic government are strongly on the rise. It is the government's aim that approximately half the existing publicly available information will also be available on the Internet in 2004, thus making the government more accessible. In addition, the public will no longer be required in the future to provide personal data to the government time and time again, but only once. Figure 4: Excerpt from the Dutch Queen's Speech in 2003 As a result of this increasing digitisation and centrally key data storage, the government processes more and more personal data electronically, and databases are connected, making personal data more accessible. This may be at odds with the aforementioned privacy principles. It is therefore important to strike a good balance between personal data protection and efficient and effective data processing. Providing guarantees for personal data protection should not form an obstacle to efficient and effective public services. PET can guarantee personal data protection without making excessive demands on the processing of the data. By applying PET and streamlining personal data processing, the authorities can continue to meet the high public expectations with respect to services and dealing with personal data. With PET, you are prepared for new types of processing data. 13 White Paper Privacy-Enhancing Technologies Case study 3: RINIS Clearinghouse RINIS facilitates the exchange of data between government organisations and the social security sector via a closed EDI network. This exchange avoids the need to inform all the individual parties of changes in personal data and organisations. Organisations such as the employee insurance administrator, the Social Insurance Bank, tax authorities, various government ministries (Justice, Interior, Finance), healthcare insurance companies, the student grants administrator and other benefit agencies exchange structured (bulk) data exchange between back-office systems, for example, informing the Social Insurance Bank of new job-seeker registrations. RINIS provides the connection between numerous sectors, with the `sector access points' being supplied with an onsite RINIS server. PET application Personal data are exchanged via a closed network, with the connected parties being non- repudiatable with the use of digital certificates. The following PET controls have been applied in RINIS: minimisation of personal data through the exclusive exchange of tax and social security numbers and message codes only; high degree of security through encryption of the exchanged messages, which are authorised at message level prior to dispatch and digitally signed. Unauthorised people or IT administrators do not have access to the content of the message. The encryption keys are issued and managed by a Trusted Third Party (the so-called Certification Service Provider); improvement of the data quality by validating the messages on the central server, thus ensuring that only authorised codes are processed. Moreover, the messages are stored for a few minutes only ­ to be available for resending in the event of disruptions; logging at message level and not of the message content, so that retrospective verification remains possible. Benefits The PET application in RINIS has ensured the safe exchange of messages between parties that are certain about each other's identities and about the reliability of the personal data processing. The minimisation of personal data and the central role of RINIS increase the success of the RINIS solution. 14 White Paper Privacy-Enhancing Technologies It is clear from this section that PET offers several advantages. To avoid any misunderstanding: PET is not a separate, ready-to-use component from an information system that can be added at any time (as a `Plug & Play' solution), and it cannot always be implemented in a jiffy. To guarantee the best results, PET should be included as an integral part of both the development and the information system itself. It is therefore recommended to include the implementation of PET as part of the regular system development. The following sections explain how PET can be applied in your organisation, list the most widely used PET options, and offer a framework for preparing a business case. This is followed by a phased plan for the actual implementation of PET. 15 White Paper Privacy-Enhancing Technologies 3 Application in information systems This section sets out how to choose a suitable PET option, and distinguishes between the different types of information systems. It is divided into the following paragraphs: Decision factors when selecting a PET option (§ 3.1); Information system classification (§ 3.2). 3.1 Decision factors when selecting a PET option First of all, when you are going to implement a new information system, functional requirements need to be specified. These requirements or specifications naturally also include the requirements for the level of personal data protection. The specifications ultimately lead to a choice for a particular architecture or structure of the information system, for example, a centrally managed database or using databases of other organisations. An important aspect in this respect is ascertaining whether the processing of personal data: is essential: `identity-rich'; is essential to a limited extent: `identity-low'; is avoidable (anonymous service): `identity-free'. The structure of the information system and the personal data processing requirements make functional demands on the application of PET. Using these functional demands as a basis, a PET option can be selected that best fulfils the requirements and expectations of both the authorities and the public. The procedural and organisational controls required can also be determined in this phase. Section 4 describes the PET options, and section 6 focuses on the balance between PET and organisational and procedural controls. Figure 5 illustrates the aforementioned process in a diagram. It concerns a critical part of the system development process. A number of steps still have to be taken before coming to the functional specifications. A number of subsequent steps are then required in order to proceed from the choice for the PET option to the implementation and becoming operational of the information system. In section 7, the phased plan focuses in more detail on selecting, designing and implementing the different PET options. 16 White Paper Privacy-Enhancing Technologies Figure 5: Decision factors when selecting a PET type To support you in selecting the suitable PET option, the next paragraph, first of all, gives a brief description of the information system classification used in this White Paper. Subsequently, section 4 describes the different PET options, and makes the link between the PET options described and the different structures of information systems. To ensure the success of PET, the development and implementation of PET must form an integral part of the system development process and must be included in the project right from the start. 17 White Paper Privacy-Enhancing Technologies 3.2 Information system classification The following information system structures are used for the purpose of this white paper: 3.2.1 Central database In a `central database' system, a single database is used for data processing. The centralised database is accessible to different people from different locations and potentially different organisations. Examples of central databases are the key registers of natural persons, companies/proprietors of the Association of Chambers of Commerce, healthcare professionals of the Ministry of Health, Welfare and Sport, student grants, benefit claimants, etc. No data are stored or processed locally, other than directly in the central database. The processing done in the central database is initiated from one or more locations. Figure 6 illustrates the structure of the central database. Figure 6: Central database The case studies in this White Paper that use a central database are the LCMR system (case study 2), the LADIS system (case study 9), the X/Mcare system (case study 12) and the digital medical history file (case study 14). 3.2.2 Connected back-offices In the structure of connected back-offices, the databases of a number of back-offices are accessed through a single front-office. A person uses a single portal to access data from different organisations. The back-offices are also connected to one another to enable access to data in numerous databases. An example is the connection between the key registers of student grants and of natural persons at a municipal level. Using this connection, the student grants organisation can validate if students are indeed registered in the place of residence they reported in order to determine whether they are eligible to receive a grant for a student living on his own or with his parents. 18 White Paper Privacy-Enhancing Technologies The connections between the back-offices can be temporary. For example, a central database can be connected to a back-office of another organisation temporarily. In addition, one of the back-offices can also serve as key register. Figure 7 illustrates the structure of the connected back-offices. Figure 7: Connected back-offices The case studies in this White Paper that refer to back-offices are the NTIS system (case study 4), the Suwinet (case study 5) and the Alberta system (case study 11). 3.2.3 Clearinghouse A clearinghouse or routing organisation is the central point in the communication between and with the connected organisations. The information exchange between the connected organisations also takes place via the clearinghouse. Other institutions can only exchange information with the connected organisations via the clearinghouse. The public generally has no direct contact with the clearinghouse, but only with the other agencies connected to it. The clearinghouse usually does not store any critical information on a permanent basis; it merely serves as an intermediary. In order to ensure effective and efficient information exchange, reference indices in the databases of the connected organisations are used for a cross-reference or routing database. Another possibility is to work with central or sector reference indices or identification numbers, such as the Citizen Service Number and and Business Service Number. Figure 8 illustrates the structure of a clearinghouse. Figure 8: Clearinghouse 19 White Paper Privacy-Enhancing Technologies The case studies in this White Paper that use a clearinghouse are the Higher Education Clearinghouse (case study 1), the RINIS system (case study 3) and Suwinet system (case study 5). 3.2.4 Information supply chain In a `public service chain', information are exchanged or forwarded between a minimum of two organisations. One feature of a chain is that the supply chain organisations have their own databases for storing data. An example is the motor vehicle registration chain. Here, the connected organisations in the chain (often garage owners or motor vehicle testing centres) communicate with the Motor Vehicle agency via a communication provider. The providers collect part of the information, which the connected organisations send via them to this agency. Other examples of chains with a high level of information exchange can be found in the healthcare sector, the transport sector (e.g. data exchange in Rotterdam port) and in the (criminal) investigation process within the Police ­ Justice relationship (e.g. electronic reporting, charges and files). Figure 9 represents a simplified structure of the chain. Figure 9: Chain The case study in this White Paper that involve a system chain is the NTIS system, in combination with the information systems to be connected in the future (case study 4). 3.2.5 Local databases In this structure, the information are spread across different decentralised databases, with the possibility of the central front-office/back-office having its own database. The local databases do not contain the same information, and the front-office/back-office does not contain the same data as the local databases. The local databases only contain the same type of information; databases from different organisations are not connected. Another example of local databases is the use of electronic smart cards, with individuals managing their own information. Examples of local databases include the key register of natural persons at municipal level, the public transport smart card, the digital tachograph (with each lorry being fitted with a local register for tracking driving and resting times; see also § 4.4), and the solution for road pricing (kilometre charge; see also § 4.4). Figure 10 illustrates the structure of a system with local databases. 20 White Paper Privacy-Enhancing Technologies Figure 10: Local databases The case studies in this White Paper that use local databases are the digital tachograph (case study 7), the AgeKey (case study 8), electronic voting (case study 10) and the public transport smart card (case study 13). 21 White Paper Privacy-Enhancing Technologies 4 PET options The paragraphs below describe the functioning of the different possibilities offered by PET4 , which concern the following four main types: general PET controls (§ 4.1); separation of data (§ 4.2); privacy management systems (§ 4.3); anonymisation (§ 4.4). We then look at how an organisation can use logging and control to confirm that the implemented PET controls function properly. In addition, this section includes a PET staircase, in which the different PET options are compared to one another from the perspective of effectiveness. Finally, a link is made between the PET options described and the information system structures discussed in section 3. 4.1 General PET controls Advantages: General PET controls are relatively simple to implement. The correct combination of general PET controls can achieve an effective basic level of personal data protection. Many organisations apply general security controls, such as encryption and logical access security. When correctly applied, these general security controls also have a privacy- enhancing function. An example is a user gaining access to a specific data set on the basis of his/her job or tasks in the organisation. It is not necessary for every user to see the entire database. For instance, someone processing address changes does not have to see the rest of the personal data. Based on his/her tasks, the person in question is only authorised to process the address information. The task is therefore linked to the type of actions the person is authorised to perform. 4 The reading list in Appendix A includes documentation with additional information about the different PET options. 22 White Paper Privacy-Enhancing Technologies Data minimisation In addition, there are a number of techniques that can be used to transform data such that the identity cannot be derived. When a user does require personal data, but not necessarily the identifying details, some of these details can be removed. Another option is to remove part of the data from a database field, for example, the last three digits from the postal code, leaving the unique address unidentified, but with the receiver still having an indication of the geographical area. When, however, the entire collection of data is required, but not the exact value of a database field, it will suffice to categorise the data. For instance, if a user needs to know whether someone has attained the age of majority, the application does not reveal the age or the date of birth, but merely responds with yes or no. The user's question is thus answered, but the system user does not know the exact age of the person in question. If the user does not need to know the exact value of a field, the bandwidth of the recorded data can be expanded. For example, a random figure can be added to the age. In a chain structure, data minimisation can also be used in the form of data filtering, with successive parties in the chain receiving less and less personal data, or with different degrees of filtering being applied to the different types of parties. In this way, only one party, or no party at all, can compile a complete profile of a person. A practical application is described in the public transport smart card case study (nr. 13). The combination of a number of these data minimisation techniques appears to achieve fully anonymous data processing; however, this is not the case. Full anonymisation is dealt with in § 4.5. Case study 4 concerns an example of the PET application used by the National Trauma Information System (NTIS). In addition to the general PET controls, NTIS also separates the data within the organisation. This second type of PET is dealt with in § 4.4. Case study 4: National Trauma Information System (NTIS) NTIS is an electronic register for emergency patients with critical injuries who are treated in the accident and emergency department. Doctors, nurses and assistants have access to this system. Electronic registration and exchange of medical information can offer the patient more efficient and effective cure and care. Highly sensitive medical information and treatment methods are also analysed anonymously so that treatment methods can be improved, the patients can be treated better and the chances of survival can be improved. PET application strong security by means of a sophisticated authorisation structure, with the role of the user determining which part of the system and database the user has access to. Authorised healthcare workers use digital certificates stored on smart cards (for the most sensitive functions containing biometric information as their unique identification). Other users use software certificates, which do not provide access to the medical information; 23 White Paper Privacy-Enhancing Technologies data separation, with the medical information and the name and address details being stored in different database tables. The name and address details are encrypted, so that unauthorised users (such as system administrators) cannot reduce the medical information to an individual natural person. The database is stored at a so-called Trusted Third Party (TTP), with stringent physical and logical access security controls. These security controls are audited on a periodic basis; minimisation of information that are exchanged with other information systems. Information from NTIS is transferred to a system, from which the regional medical officer can see who in his/her district has been involved in a disaster. Only a classification code is supplied in addition to the name and address details. The classification code provides information about the nature of the injury, but the regional medical officer does not gain insight into the medical information. This system has a temporary database, and the name and address details are not stored permanently in the system. However, in the current version the officer can export the data to his/her personal computer. Benefits The application of PET has finally made it possible to develop this system, without which the quality of the treatment offered by the accident and emergency centres will be less. Following its regional success, NTIS is currently being rolled out throughout the Netherlands and forms the basis for the nation-wide key register of trauma patients. Authentication and authorisation A prerequisite for most of the different PET options is that the authentication and authorisation procedures function reliably. The different PET options rely strongly on authentication and authorisation management (a.k.a. Identity Management). If due care is not taken when granting and issuing authentication means (e.g. password, token, digital certificate), unauthorised users can gain unlawful access to personal data. This would completely counteract the advantages offered by PET. Quality-Enhancing Technology Part of PET is a similar concept, Quality-Enhancing Technology (QET). With the aid of QET, it is possible to monitor and improve the quality (complete, accurate and up-to-date) of the data registered. The quality of the personal data strongly affects the quality of the services the government provides. What's more, it also serves the privacy principle concerning quality (see section 2), because correct decisions can be taken when the personal data is reliable. These techniques can also be applied to remove redundant information from databases and to improve the quality of the data. 24 White Paper Privacy-Enhancing Technologies Case study 5: Suwinet Suwinet was set-up to improve cooperation in the work and income domain of social security. For this cooperation, the social security partners, the employee insurance administrator, the Social Insurance Bank, the Centres for Work and Income and the municipal social services departments must have access to their respective data. At present, more than 18,000 employees of these agencies are connected to Suwinet. By using the information already available at these agencies, it is not necessary to ask the public or the organisations to provide information anew. Strong security and privacy conditions apply to the information exchange among the parties connected. This is specifically laid down in the relevant legislation. Suwinet is usually used in the front-office (e.g. service desk), in contrast to RINIS (case study 3), which is used in the back-office. PET application In addition to general security controls, such as the use of a closed, virtual private network, the following privacy safeguards were added: minimisation of the set of personal data exchanged for the relevant purpose. When information is required about the status of a passport, the only information that is fed back is whether the passport is (in)valid, and not the reasons for it (e.g. theft). There is also no central data storage or processing, so that administrators have no insight; detailed authorisation of users through the application of organisational roles even a direct connection between the type of question and the personal data to be requested (and the order of showing). The parties have no additional authorisations on the back-office systems of the other parties, and the connected parties can apply further filtering and restricting requests for sensitive personal data. Free search options are not allowed; improvement of the information quality by means of online enquiries and by `confronting' the public at the service desk with information from other institutions in order to remove inconsistencies and maintain reliable information. This information quality is further guaranteed by the user surveys and the IT and privacy audits carried out on an annual basis both centrally and at the connected agencies; the requested data are logged for each staff member by tax and social security number, and not the content of the messages. This log is only accessible to authorised IT or forensic auditors. Advance statistics are also kept for each role and profile with the use of heuristic technology in order to reveal any irregularities in the data processing. Benefits The on-line exchange of personal data was subject to stringent privacy rules in the design of the Suwinet, where it is clear that restrictions apply to the exchange of someone's personal data between government organisations. One-off registration, structured information exchange and the individual right to check this information all improve the quality of the personal data. 25 White Paper Privacy-Enhancing Technologies General PET controls remarks: Personal data are still processed. General PET controls mainly concern identification, authentication, authorisation and encryption. General PET controls are very suitable for use in combination with specific PET controls. 4.2 Separation of data Advantages: Identifying data are detached from the other personal data. The effect does not depend on general security controls. It is possible to exchange personal data between organisations with due consideration for data protection. Separation of data means that personal data are processed, but that identifying personal data are detached from the other personal data. At least two domains are created: one identity domain in which, for example, the name and address details are processed, and one or more pseudo-identity domains in which other information, such as membership or other sensitive data, is processed. The separation between the two domains is achieved and managed by an identity protector. In practice, an identity protector is a software component that can be placed on the server. A smart card can also serve as identity protector, but this is not essential. The identity protector converts the real identity into a pseudo-identity, usually by applying identification codes that cannot be reduced. The connection between the two identities can only be re-established with the aid of the identity protector. People with authorisation to use the identity protector can gain access to both domains and see the relationship between them. People who do not require access to all the personal data to perform their tasks only have access to the pseudo- identity domains to which they are entitled. To summarise, the identity protector has the following functions: · generating a pseudo-identity on the basis of a real identity; · connecting the pseudo-identity with the real identity. The two domains can be connected if the processing requires it; · converting one pseudo-identity into another pseudo-identity. Through frequent use of one and the same identity, it is possible to discover the real identity. When different pseudo-identities are used, it is impossible to identify a pattern in the activities performed on the basis of the pseudo-identity 26 White Paper Privacy-Enhancing Technologies Given the important functions of the identity protector, it is absolutely essential that it be used with due care. Therefore, the authentication and authorisation of people is a critical process for guaranteeing the functioning of the identity protector. Authentication, for instance, can be based on a digital certificate. In many instances, different types of users use an information system, and every user is only allowed to access a limited amount of personal data. In such a case, different pseudo-identity domains can be created, with part of the information about a person being processed in each domain. Figure 11 illustrates the above-mentioned identity protector in a simple diagram. Figure 11: Separation of data Case study 6: Identity protector in a hospital information system To guarantee patient privacy, the patient data can be divided into two domains. The personal data, including the patient number, are stored in the identity domain. The diagnostic and treatment details are stored in the pseudo-identity domain, in which a patient number is used. The patient numbers in the two domains are not allowed to be identical, as everyone could then make the connection. To resolve this problem, the patient number from the identity domain is encrypted. The encrypted number is used as patient number in the pseudo-identity domain. The encrypted patient number can be decrypted with the aid of the identity protector and the connection can be made with the identity domain. This means that only people who are authorised to use the identity protector can make the connection between the two domains. If an organisation wishes to conduct a statistical investigation, there is usually no need to register the identity of the individual citizens, even though the organisation wants to use data related to individual citizens. In that case, it will suffice to process the data from the pseudo- identity domain. Individuals personally control the identity protector and, thus, the connection between the two domains. This form of data separation can be used if the government requires certainty about someone's identity, but does not wish or is not allowed to record the data. This is the case, for instance, with electronic voting (see case study 10). If people wish to vote electronically, the government has to ascertain that the person in question is entitled to vote and votes only once; however, it is absolutely essential that the identity of the voter in relation to the vote is not registered in order to safeguard the required anonymity of the vote. 27 White Paper Privacy-Enhancing Technologies This PET application can also be used the other way round. The government only registers the identity domain and only the individual has access to the pseudo-domain. In this instance, too, the individual in question decides whether the government can and is allowed to make the connection between the two domains. It should be noted, though, that for instance, a smart card has limited storage capacity and cannot store an entire collection of data (besides other risks of local storage). In many instances, the smart card will include a reference to the location where the collection of data is stored or the organisation that has stored the data. An example of this is that an individual does not personally carry an electronic patient record, but the name of the GP is stored on the smart card. In the event of an accident, the doctor in charge can contact the GP to obtain information on a person's medical history. As a rule, the successful PET implementation usually depends on a reliable authentication and authorisation process. It is clear, for instance, that the identity protector can only function properly if the required authentication tool (e.g. a smart card) is issued to the relevant users with due care. Furthermore, correct authentication and authorisation management also offers the organisation advantages in the field of general information security and efficiency, and helps the organisation to be in control of data processing. Personal data under personal control Maximum data protection is achieved if the person whose data are registered controls the identity protector. That person alone determines when and to whom his/her real identity is revealed. The situation where the individual concerned controls the identity protector is known as `personal data under personal control' and is, in fact, a specific form of separation of data. Examples include a personal smart card and an online data safe. In the aforementioned case study, the doctor in the hospital can ask for the patient's smart card to gain access to the patient's electronic medical file. It offers a high level of security, but is impractical in its implementation, because the doctor in question can only consult a patient's medical records in the presence of the ­ conscious ­ patient. The doctor, therefore, will also need to have a smart card to gain access to the medical file. Ideally, the smart card is not issued by the hospital itself; it is not specialised to do so, and there is a risk that an unauthorised person does get hold of a smart card. It is therefore advisable that a trusted third party issues the smart cards. This party is specialised to do so and identifies the system user in accordance with the prevailing authentication requirements. Case study 7: Road Pricing & Digital Tachograph When road pricing is used, the government registers personal data to charge for road use. The government does not need to know where and when the road user drove; it only wants to know how much to charge the user. To this end, the user has a smart card in his/her vehicle that automatically keeps a detailed register of the journeys travelled. When the road user passes a read-out post, the cumulative information on the card is registered. The authorities now know how much to charge, but only the road user has access to the details of the journeys. 28 White Paper Privacy-Enhancing Technologies A similar PET application ­ soon to be used on an EU-wide scale ­ is found in the digital tachograph, with the driving and resting times in a lorry being registered on a smart card. Additional options have been created so that the driver can have the database on the smart card signed electronically, and to offer supervisory bodies special access possibilities. FAQ 4: What is the difference between data protection by means of logical access security and the identify protector? Although logical access security is an important tool to prevent unauthorised access to personal data, its use does have restrictions. A disadvantage of regular logical access security is that the data are still identifiable and are stored together, usually in a single database. Other limitations are that the data can also be accessed by circumventing the application, and the fact that, often, insufficient user profiles are defined in the applications. The latter means that people often have extensive access privileges. With the identity protector, the personal data are detached from the remaining data. Only the identity protector can make the connection between the different domains. The big difference is that the data are not processed and stored in a form that is immediately identifiable. The advantage is that if the general controls are breached and someone gains access to the different domains, it is not possible to make the connection between the personal and the remaining data. The identity protector, therefore, offers better privacy protection than the general logical access security controls. A common difference between information security and the application of PET lies in the different points of departure. Information security primarily focuses on the increasing protection of an ever-increasing collection of data. PET, on the other hand, focuses specifically on collecting fewer data, thus requiring fewer impenetrable walls to protect the data. An application such as electronic voting, for instance, is not possible using general information security, whereas it is possible with the application of PET. Points of attention: Security of the identity protector is vitally important. The separation of data in an existing information system often requires a thorough review of the data model. 29 White Paper Privacy-Enhancing Technologies 4.3 Privacy management systems Advantages: Transparency is increased for the public. Compliance with the privacy regulations is technically enforced. Privacy management systems that ensure automated enforcement of the privacy policy represent a special form of PET. It concerns software that, in fact, forms a shell around the personal data and that automatically tests all transactions involving these data against the privacy regulations. This test is based on electronic privacy policies derived from the privacy regulations for the database or information system. The privacy policies are entered in the PET software by means of a privacy code or privacy language. An operational example is the Platform for Privacy Preferences Project (P3P), designed by the World Wide Web Consortium (W3C). P3P5 is a tool for communicating the privacy preferences of the Internet user in a simple and standardised way and in a format that the information system can read. P3P contains the following information: who collects, processes and stores the data; what data are collected and the reason for their processing; whether there are opt-in and opt-out alternatives; whom the data are supplied to; which data the responsible person has access to; the default storage period for the relevant personal data; how conflicts about the privacy policies of the processing organisation are resolved or settled; where the privacy policy can be found on the website. 5 See http://www.w3.org/P3P/ en P3P and Privacy ­ Centre for Democracy & Technology / IPC Ontario ­ see http://www.cdt.org/privacy/pet/p3pprivacy.shtml. 30 White Paper Privacy-Enhancing Technologies This significantly increases the transparency of data processing for the user. The Internet user completes an online questionnaire, indicating his/her preferences concerning data protection. With every subsequent visit to the website, the user can automatically ascertain whether the organisation's privacy regulations respect his/her preferences and decide, on the basis of this knowledge, whether or not to visit the website. Incidentally, a similar application can be used for applications that do not run via the Internet, but that use Internet technology6 . Practical tools are now available for defining electronic privacy language (or `privacy ontologies'), such as the Enterprise Privacy Authorisation Language (EPAL). Various suppliers have now also developed privacy management systems or are in the process of doing so. These systems enforce compliance with the defined privacy policies during processing. First of all, the organisation's agreed privacy policies are entered in the privacy management system; then, they are integrated into the processes. When a new process and data are entered, an automatic analysis takes place to ascertain whether the process is covered by an agreed standard or rule derived from the privacy policies. An assessment is also made to ascertain whether the processes of the different organisational units are consistent. The functionalities can also be expanded to include the external processors7 , opt- in management and automated compliance. Experience abroad (see also case study 11 from Canada) shows that privacy management systems substantially increase public confidence, as well as management's insight into the processing and controlling of data processing. Automated compliance in particular is a major plus and avoids costly privacy audits on organisational compliance. Privacy management system remarks: The applicable technologies are recent developments and are not yet widely applied. One can also implement similar PET controls oneself at database level by using current products. 6 For example, the use of the Internet TCP/IP protocol within the organisation or via virtual private networks between organisations. 7 A third party to whom the data processing or part thereof is outsourced by the organisation responsible for the personal data registration. 31 White Paper Privacy-Enhancing Technologies 4.4 Anonymisation Advantages: After full anonymisation, personal data are no longer processed and no security controls are required any longer for privacy reasons. Less data are registered and need to be managed and maintained. Anonymisation can be applied in two phases of data processing. In the first instance, the need for governmental agencies to register personal data of the public can be prevented, in which case no personal data are processed at all. This solution is only possible if the processing of personal data is not required for the purpose of the public service provided. Secondly, if personal data are required temporarily, the data can first be processed and then destroyed or detached from the other data. The destruction and/or detachment of the data must be irreversible. If that does not happen, the personal and the other data can be linked again, which means that full anonymity has not been achieved. If the data have also been stripped of indirect identification features, no personal data are left whatsoever. The advantage of anonymisation is that data that are not stored do not require management and protection. This reduces the management and maintenance effort. Furthermore, the Data Protection Act no longer applies because no personal data are being processed. Destruction and/or detachment is an option if, for example, statistical analyses have to be performed where identification data are not required or are not allowed to be processed. An anonymiser is a technical tool, for example a software program that is used to filter away the personal information of someone using IT services. Case study 8: Anonymous services: AgeKey The government wants to discourage smoking and has prohibited the sale of tobacco to young people under the age of sixteen. However, enforcing this prohibition proved to be a problem, for which the AgeKey was developed. The AgeKey can be stored on a bank card or smart card. Cigarette vending machines only operate if someone has such an AgeKey. To get hold of an AgeKey, a person has to go to the post office and prove that he/she is over sixteen years of age. The AgeKey is then activated on the card, and the person can buy cigarettes from the vending machine. All the vending machine does is to check whether the card contains the AgeKey; the purchase transaction is totally anonymous. No register is kept of activated Age Keys, No one knows who has an activated AgeKey or how the AgeKey is used. See www.agekey.nl for additional information. 32 White Paper Privacy-Enhancing Technologies Case study 9: National Alcohol and Drugs Information system The National Alcohol and Drugs Information System (LADIS) is a register which keeps track of the scale and content of support provided to people with an addiction throughout the Netherlands. All the organisations in the Netherlands that provide care to people with addictions forward information to the LADIS system via a diskette or secure e-mail, on the basis of which policy information is prepared and epidemiological research conducted. Since 1994, 150,000 individuals have been registered anonymously in LADIS. There are countless users of the LADIS data; in addition to the institutions themselves, the users vary from government agencies to pharmaceutical companies, media companies, manufacturers of gambling machines, casinos and embassies. PET application use of unique codes based on the personal data, with the name, gender and date of birth, among other things, being encrypted. The software used by the providing organisation produces the code, and is certified to do so. After the data transfer, the unique code is converted into a second anonymous code (by means of so-called hashing), with the original data no longer being reducible; safe delivery of the data through the use of encryption and password security; immediate destruction of the data provided by the institution. Benefits As a result of the over 10 years of application, LADIS has created an anonymous client tracing system. Because of the privacy controls that have been implemented, LADIS is, in fact, no longer a personal data register, making it possible to provide data to a broad target group for policy and research purposes. Despite a certain error margin (client code more than 90% unique) caused by the unsophisticated structure of the privacy-enhancing technology developed in 1994, the data can still be used for research by means of an automated correction function. It is actually possible to correct the unsophisticated structure. Anonymisation remark: Anonymisation can only be applied in identity-low and identity-free processes. 33 White Paper Privacy-Enhancing Technologies 4.5 The PET staircase The description of the four PET options shows that each has specific functions related to data protection. The one option offers better protection than the other. In figure 12, the different PET options are positioned in relation to the effectiveness of the data protection. The diagram also shows the most important features of the different PET options. The PET staircase is not a growth model and does not have to be followed to the top. Once an organisation has applied general PET controls, it does not mean that it has to go on to `higher' levels of PET. The suitability of the different PET options depends on the specific situation. Figure 12: PET staircase: the effectiveness of the different PET options 34 White Paper Privacy-Enhancing Technologies 4.6 Connection of PET options to the information system structure Figure 13 illustrates which PET controls can be used in which structure. It also focuses on the features of each combination at a high level. The description of the different PET options in this section and the features listed in the table provide sufficient insight into how the different PET options can be applied in the different structures. The application of the general PET controls and the privacy management systems are not dealt with in this table, because these options can be generically applied to the different information system structures. Subsequently, the `Personal data under personal control' sub- category is discussed separately. Anonymisation Separation of data Central database Anonymisation before data are registered in database if no personal data are required; or Register data temporarily and anonymise data after processing in database. Both the identity domain and the pseudo- identity domain in the central database; Authorised user gains access to personal data through authentication to identity protector in central database. Connected back-offices Anonymisation to front-office if connected back-office requires no personal data; or Anonymisation after processing in back-office if some back-offices temporarily require personal data. Connected organisations are responsible for anonymisation. Both the identity domain and the pseudo- identity domain(s) in each back-office; Authorised user gains access to personal data through authentication to identity protector in back-office database. Clearing- house Anonymisation by routing organisation if connected organisations require no personal data; or Anonymisation after processing by connected organisations if the latter temporarily require personal data. Connected organisations are responsible for anonymisation. Both the identity domain and the pseudo- identity domain(s) at every connected organisation; Authorised user gains access to personal data through authentication to routing organisation. Information Supply Chain Anonymisation by first organisation in the chain if other organisations in the supply chain do not require personal data; or Anonymisation after processing by one of the chain organisations if this and following organisations do not require personal data. The supply chain organisations are responsible for anonymisation. Both the identity domain and the pseudo- identity domain(s) at every supply chain organisation; Identity domain at one organisation and pseudo-identity domains at other supply chain organisations; Authorised user gains access to personal data through authentication to identity protector in the database of each supply chain organisation to which access is required. Local databases Not applicable since individuals personally control the data. Already achieved in the central database since the individual personally controls the data. Figure 13: Connection of PET options with the information system structure 35 White Paper Privacy-Enhancing Technologies The `Personal data under personal control' PET option is a sub-category of `Separation of data' and has therefore not been included in the table separately. However, there are a number of differences in the applicability of both options. These are: The `Personal data under personal control' option is not easily applicable in connected back-offices, clearinghouses and supply chains. Due to the nature of the data processing, it is currently not yet possible, for example, to give the public control over their personal data in the entire services chain. This would actually require a software solution that protects the personal data against unauthorised processing in several registration locations at the same time and thus, in fact, travels along with the personal data. To this end, all the systems in the relevant chain have to deal in exactly the same way with the personal data controlled by the individual personally. In the central database, the identity domain is controlled by the individual in question, and the pseudo-identity domain is located in the central database (or vice versa). An authorised user gains access through authentication to the identity protector of the individual. In the local databases, the individual controls the identity domain and the pseudo-identity domain. An authorised user gains access through authentication to the identity protector of the individual. FAQ 5: Is PET only suitable for processes in which no identity is used? No. It is a misunderstanding that PET can only be applied in identity-low processes. It would severely hamper the applicability of PET. An identity protector, for instance, can be located at the data entry and processing end of the information system. If it is essential for the identity to be known at the start and the end of the process, it is often not the case for the intermediate internal processes. PET can be used to protect the data in these intermediate processes. 4.7 Points of attention 4.7.1 Logging and monitoring With the aid of logging and monitoring, it is possible to confirm retrospectively that the PET controls have functioned properly. To this end, it is important to log and verify every action or every set of actions with respect to personal data that take place under the responsibility of the competent person. One example is to log at individual level the organisations to which data have been provided (including why, what and when). This creates an audit-trail (who did what and when), which means that it is possible to verify the actions and ascertain whether the PET controls function properly. 36 White Paper Privacy-Enhancing Technologies Since logging and monitoring is a means for checking whether data protection controls are complied with, it is always applied in combination with one of the other PET options. The analysis of the log files could lead to `leaks' in the PET option being discovered and remedied. Thus, logging and monitoring also contributes to preventing unlawful processing of personal data. A further advantage of logging and monitoring is that the rights of the individual registered can be met. An individual is entitled to ask an organisation to provide the information that is registered about him/her and to whom this information has been disclosed. With the aid of the log files, the organisation can demonstrate that the information has not been passed on at all, or that the information has only been transferred to authorised agencies or individuals. Obviously, it is essential that the log files cannot be manipulated, thus enabling unauthorised users to delete evidence. In addition, the security officer or the data protection officer, for instance, has to review the log files on a regular basis, and regularly has to prepare reports for management (see also § 6.2). An important point for attention with respect to logging and monitoring is that the log files obviously also have to be PET-proof. One should be careful that the log files do not contain personal data, the processing of which is exactly what one tries to prevent with the use of PET. Case study 10: Electronic voting Politically, it has been decided that it should be possible to vote remotely and electronically. This makes it possible for Dutch citizens to cast their vote at a random polling station in the Netherlands or even abroad. Electronic voting concerns voting by telephone or via the Internet, with the public having the flexibility to make that choice at the last minute. PET application The law makes stringent demands on electronic voting; in response, the following PET controls have been taken: detach the possibility to vote from the actual voting. To this end, a separation was made between voter registration (at the municipality), enabling voting by means of the polling card (at the electronic voting organisation) and the cast vote (at the voting service of a trusted third party). A division was also made in the printing process between the production of the list of candidates and that of the personalised access codes; strict security of the access and voting codes used. With the aid of one-way encryption, the voter's access code is converted into a non-reducible code (`hash') that can be used to ensure that someone votes only once. The cast vote is not stored on the voter's computer. In addition, the database of the `electronic ballot box' is encrypted with cryptographic technology such that only officials authorised by the mayor can decrypt it. A large number of candidate codes are linked to a single candidate to prevent a vote from becoming known through monitoring or tapping the connection; 37 White Paper Privacy-Enhancing Technologies guarantee the integrity of the data. Here, transaction mechanisms are applied that ensure that a voting action can only be carried out as an entire action; during the voting process, actions and events are logged to enable the supervisor to monitor the voting progress retrospectively; destruction of voting codes and cast votes some days after the voting (once the election result becomes irrevocable); in-depth audits of the entire process, printers, electoral service and the software code of the electoral service prior to and around the election day/period. Benefits With the application of the PET controls, a cast vote is completely anonymous and cannot be reduced to the individual voter. Moreover, the voter is unambiguously and uniquely identified before casting his/her vote. The voting process is also transparent to the public, the polling station and the organisation in charge, without too many concessions having to be made to the security and the reliability of the process. FAQ 6: Is it still possible to detect fraud after PET has been applied? It remains possible to detect fraud after the application of PET. As shown by the description of the different PET options, there is only one option in which the data processing is completely anonymous. In that case, it is more difficult to detect fraud. When applying general PET controls and electronically enforcing compliance with the privacy policies, a person's identity is processed and relatively simple to retrieve. The basic principle in separating data is that the identity is detached from the other data. Fraud detection, therefore, is basically not possible. When fraud is suspected, the identity protector can be used to retrieve someone's real identity. The use of the identity protector in fraud investigations, however, must happen under strict conditions and supervision, otherwise data protection is jeopardised and public confidence will rapidly decline. 38 White Paper Privacy-Enhancing Technologies 5 The business case for PET Insight into the costs and the quantitative and qualitative benefits is essential for the decision-making process concerning the application of PET. This section focuses on: Desirability of PET (§ 5.1); Business case elements (§ 5.2); How do I arrive at a positive business case? (§ 5.3). 5.1 Desirability of PET The sections above presented an operational qualification of the different PET options. A number of possibilities for the application of PET in an organisation were also presented on the basis of the different information system structures. Three key questions have to be answered to determine whether there is a positive business case for applying PET in your organisation. These questions are: 1. Does PET make an essential contribution to the objectives of the organisation? 2. What quantitative and qualitative benefits can PET achieve in our organisation? 3. Which investment and structural costs does PET involve? If the responses to these questions lead to the conclusion that the application of PET in your organisation is desirable and rational from a cost-benefit perspective, then the business case for applying PET is positive. The positive business case serves as the commercial justification for applying PET. The term `business case' also refers to its elaboration in a decision-making document, which will serve as the primary justification and reason for including PET activities in the overall project. During the implementation, the business case will also serve as a communication means concerning the reasons for the project and as confirmation of the agreement about the net benefits to stakeholders. In this context, it is also important to describe the assumptions in reasonable detail. Developing the business case is not an on-off task; it has to be monitored during the implementation phase (`benefits realisation management'). During the course of the project, more insight will be gained into the benefits to be realised and the costs to be incurred. The business case has to be assessed periodically to see whether it is still positive and to adjust the project where needed. This section offers support for preparing the business case for PET and provides building blocks for further elaboration during the execution of the project. 39 White Paper Privacy-Enhancing Technologies 5.2 Business case elements 5.2.1 Policy The most important consideration when preparing the business case is the extent to which a contribution will be made to the organisation's policy objectives. In practice, this consideration will often be decisive and, as such, forms the cornerstone of the business case. The most important advantages described in section 2 can serve as the starting point for determining whether PET contributes towards the organisation's policy objectives. If such a contribution is identified, the cost-benefit analysis can proceed. The key question is whether these contributions offset the costs involved. If no real contribution is made, the preparation of the business case can be stopped. If the protection of personal data is absolutely essential ­ for example, electronic voting in parliamentary elections ­ excessive costs can even ruin the entire project. 5.2.2 Benefits The benefits offered by PET can be quantitative or qualitative. If the application of PET leads to a reduction in costs, then the benefits can be controlled and, therefore, are quantitative. Qualitative benefits are tricky to control and ­ by definition ­ hard to express in monetary terms; however, they can surpass the quantitative benefits. One example is the positive image resulting from the application of PET. Another qualitative benefit is that PET enables collaboration and data exchange between different organisations that would otherwise not be possible without the use of PET. This increases the quality of the public service, which is very difficult to express in monetary terms. Figure 14 presents a summary of the potential benefits. Qualitative benefits Quantitative benefits PET enables applications that would otherwise be impossible; Creates a positive image as perceived by the public. As a result, public confidence in the government and its electronic services is increased, which is essential for the success of this service channel; Complies with the Data Protection Act; Increases personal control over personal data; Improves the quality of the information; Strengthens the innovative image of the organisation that uses PET; PET and the associated privacy management system ensure that risks of privacy breaches remain manageable. Increases client satisfaction; PET makes it possible to connect databases, streamline the data processing and guarantee privacy. Public services and the corresponding data processing therefore become more efficient and the administrative burden can be reduced; Requires fewer personal data to be entered, corrected and processed; The use of PET means less reliance upon procedural/organisational controls. This reduces the burden on the organisation and provides more certainty on data protection; Makes it possible that the Internet can be used for communication purposes instead of more costly fixed connections (leased lines) and networks; Reduces audit, supervisory and management costs and possible fines by Data Protection Authorities and other supervisory bodies; Reduces the costs for providing information to individuals registered. Figure 14: The benefits of PET 40 White Paper Privacy-Enhancing Technologies Not being able to quantify the benefits should not stand in the way of a positive business case. The qualitative benefits can, in fact, be very important for the success of the services and, thus, be decisive. Business case for the National Trauma Information System The present trauma system would not have been possible without the implementation of PET. In order to keep the costs low and manageable, the Internet had to be used. The use of the Internet automatically means that stringent data protection controls had to be applied. 5.2.3 Costs This paragraph contains a summary of the cost items that can be used when preparing the business case. Firstly, figure 15 presents an overview of the percentage PET costs in relation to the total project costs of developing a system. Interviews with people who have been involved in the development of a PET-enabled system reveal that PET costs represent between 1 and 10% of the total project costs. Figure 15: Percentage PET costs in relation to total project costs The fluctuation is caused by the fact that the costs depend on the selected PET option. The accent in data anonymisation lies on the one-off investments and less on the structural costs. For example, there is no need for rolling out costly authentication tools, and the costs of the general security controls are also reduced. Personal data are no longer processed, which means that the data protection requirements can be less stringent8 . 8 From the perspective of availability, for instance, it could very well be necessary to maintain a higher level of security. Minimum % PET costs of total project costs 100% 1% 10% Maximum % PET costs of total project costs PET costs Total project costs 41 White Paper Privacy-Enhancing Technologies When data are separated, different domains are created, the data model usually has to be modified, and there is more often a need for customisation to implement the PET option. When data are anonymised, the data model and the implementation are simpler, precisely because no personal data are processed. There are also more standard solutions available for anonymisation. The costs of the general PET controls vary because of the wide range of possible controls. Encryption, for instance, is less expensive than the application of PKI-based smart cards protected with biometrics. To get a picture of the breakdown of the specific PET costs, the costs are divided into the categories of development, rollout and management & maintenance. Development and rollout are one-off categories, and management & maintenance is a structural category. Figure 16 illustrates an estimate of the relationship between the three categories. Together, the three categories represent the total PET costs, where it should be noted that the precise ratios can differ for the different PET options and application. Figure16: Breakdown of the total PET costs Figure 17 gives an indication of the cost items comprised by the aforementioned categories. This overview does not include general costs for each IT project, such as a feasibility study and functional design of the information system; it only shows PET-specific costs. In addition, a scale of low/medium/high is used to indicate the weight of each cost item in relation to the overall PET-specific costs. 42 White Paper Privacy-Enhancing Technologies Cost category Weight in total PET costs9 Development Assessment personal data processing need Medium Design data model High Functional design PET option Medium Technical design PET option Medium Possible modifications to (technical) infrastructure Low Development PET option or purchase of PET product10 Low ­ High Development or purchase of logging & monitoring tool Low Rollout Training users / administrators Low Rollout of authentication tools (if applicable) Low ­ Medium One-off Communication11 Low ­ Medium Management & maintenance Management any authentication tools (if applicable) Low Structural Maintenance specific PET option Low ­ Medium Figure 17: Overview of the specific PET costs 9 It is not possible to provide an exact estimate of the different cost items on the basis of the interviews and our limited research. 10 The PET option can vary from simple to complex; e.g. the application of tokens or biometrics involve relatively high costs compared to a solution at the database level or with role-based access controls. 11 In this instance, communication is seen as PET-specific as PET may change the precise way of working for the system users. It is therefore also vital to create sufficient support within the user community. 43 White Paper Privacy-Enhancing Technologies When using this overview, please bear in mind that it is a generic overview that needs to be adapted to the specific features of your organisation and the structure of the information system (see section 3). Professor Boasson (University of Amsterdam, Road Pricing): `The most time and investment are taken up by the design of the data model. It is one of the most important steps in the entire development process.' Suwinet Director Kinkhorst: `To achieve safe information exchange in the social welfare sector, we used a closed network and a sophisticated role-based access control structure. Based on the current size of the user group, the costs for this application amount to some 10% of the total costs'. Van Blarkom, the system architect in charge of the development of one of the first-ever PET applications (for a psychiatric hospital): `The cost of a new PET-proof hospital information system with electronic patient files only adds a small percentage to the total costs, provided proper attention is paid to PET when the system is built.' The fact whether PET is applied to existing systems or systems in development also affects the costs. When PET is implemented in existing systems, the costs are higher than they would be in new systems. The reason is that most PET cost items are one-off costs, and the one-off activities form part of the overall system development project. When the PET- specific activities are carried out afterwards, the existing system may have to be modified. As a result, certain activities have to be repeated, which leads to an increase in the PET implementation costs. Section 7 focuses in greater detail on PET applications in existing systems. Stor, Director of RINIS: `During the development of RINIS, the PET costs mainly concerned the brainwork that went into the architecture. The costs of the different PET controls applied came to some 2 to 3% of the total development costs.' Taal, Project manager at NTIS: `The costs of the PET-specific parts for NTIS come to some 8 to 10% of the total costs, mainly because of the use of stringent authentication based on digital certificates that are protected with a pin code or with biometrically protected smart cards.' The interviews with people in organisations where PET is used reveal that it is always possible to give a high-level estimate of the additional costs of PET. An accurate estimate is more problematic as the PET-related activities form a central part of the entire system development project from the design phase. 44 White Paper Privacy-Enhancing Technologies 5.3 How do I arrive at a positive business case? The knowledge required for preparing a business case can often be found within your organisation, albeit scattered, probably also with different visions being held of the costs and benefits. External information can often be useful too, for example from suppliers and government organisations using similar information systems and with longer experience with using PET. It may therefore be useful to organise a workshop around determining the business case. This is also desirable from the project management perspective because, in this way, a shared vision can be developed of the nature of the challenges, the precise objectives of the project, the anticipated costs and benefits and the positioning in relation to the organisation's objectives. To ensure the effectiveness of the workshop, in advance should be identified which questions need to be answered, what kind of information and documentation is available in the own organisation and which PET options need to be evaluated. This inventory should be distributed to the participants in order to prepare for the workshop. Aspects to be dealt with in the workshop include: the need for data protection controls for achieving the organisation's policy objectives and targets; the target group of the public service developed; the potential benefits and the potential quantifying of the benefits; the possible PET options that can be applied and the corresponding one-off investment costs and structural costs (maintenance, management, licences) for each alternative; the application of existing resources; the impact on the processes and the working methods of the staff involved; the creation of support within the organisation for the application of PET; the presence and availability of the required knowledge and expertise; the agreement about the desirability of PET and the follow-up actions to be taken. Based on the outcomes of the workshop, the final business case can then be prepared and the `go / no go' decision taken concerning the application of PET in the information system involved. 45 White Paper Privacy-Enhancing Technologies Figure 18 shows an example of the costs and benefits of the implementation of a privacy management system (PMS). Figure 18: Return on Investment from a Privacy Management System (PMS) Suppose an organisation decides to implement a PMS. A sample business case could be substantiated as follows: If PMS were not implemented, the minimum annual costs for an organisation employing 1,000 staff to comply with privacy policies are estimated as follows: Annual costs Salary costs Privacy Officer (100% time allocation) 100,000 Management and secretarial salary costs 40,000 Costs privacy audit 30,000 Security costs with respect to privacy compliance (excluding generic information security required) 20,000 Report maintenance, regulations, settling registered people's rights, information, image and other damage, etc. 20,000 TOTAL 210,000 When using PMS: Development & implementation Annual costs Acquisition of PMS 150,000 Consultancy for PMS implementation (60 days) 80,000 Start-up costs after implementation 20,000 PMS operational costs 30,000 Maintenance 15% of acquisition cost per annum 22,000 Costs privacy audit 10,000 Salary costs Privacy Officer (50% time allocation) 50,000 50,000 TOTAL 300,000 112,000 This table shows that the extra development costs for PET are already fully recovered after three years. 46 White Paper Privacy-Enhancing Technologies 6 Organisational and legal aspects PET concerns technology for the compliance with legislation; however, it relies upon legal and, in particular, organisational prerequisites for its proper application. This section focuses on: Management awareness and commitment (§ 6.1); PET as part of the management cycle (§ 6.2); The wicked triangle (§ 6.3); PET strategies (§ 6.4); The normative face of PET (§ 6.5); Verification and supervision (§ 6.6). 6.1 Management awareness and commitment The PET application requires a effective implementation and an awareness-raising process with respect to data protection and PET itself. The system of controls and procedures implemented for the management, processing and security of personal data have to be tested against the objectives of implementing PET and, if required, be revised. The implementation of PET is not only a question of technology, but especially one of organisation and, as such, is also a primary responsibility of the organisation's management. Besides, it is important that the implementation of PET is not a separate component or a separate project, but that it is integrated as part of the system development and maintenance projects. Director Kok (Trans Link Systems/public transport smart card): "We thought about the privacy requirements from the moment we invited tenders for the system design. We also chose the option of anonymous cards for the highest possible level of acceptance." The implementation of PET is not something that happens overnight. An organisation needs time to get the awareness-raising process going. There is actually a difference between becoming aware of and thinking about data protection and the development and implementation of PET. It is advisable that the management responsible for the implementation of PET appoint one or more contact persons whose responsibilities include the coordination of the PET implementation and the evaluation thereof. Apart from the IT manager and the project manager, there is an important role for the Privacy Officer and the Security Officer. 6.2 PET as part of the management cycle The implementation of PET puts demands on the processing of personal data and has consequences for the procedures and controls deployed by an organisation to properly manage and protect its data processing (reliable, efficient, effective, exclusive, accurate, continuously available and verifiable). An important precondition for the implementation of PET is an adequate system of general processing and IT controls, taking into account the specific safeguards required for the processing of personal data. 47 White Paper Privacy-Enhancing Technologies PET needs a prominent place in the management cycle if one wishes to implement and maintain a well-balanced policy for the processing of personal data, with PET forming a cornerstone of that policy. Using the management cycle to achieve the business objectives and targets usually involves the following three phases: the organisation of the processes (including the policy-making), the processes themselves, and the evaluation and adjustment of the processes. It is important, in this context, to identify the administrative organisation insofar as it has not yet been done. PET is part of the management cycle; therefore, a review should take place once a year to verify whether the PET solution(s) achieve the desired effect. This review can be performed as part of a privacy audit, which is carried out to see if the organisation has observed its privacy policies. The privacy audit is essential to examine whether PET achieves the desired effect and to provide feedback to the designers of PET-enabled systems. The need for a risk analysis The basic principle is to analyse and evaluate the processing of personal data from the privacy policy perspective, and then to set out how a PET implementation satisfies the requirements of the Data Protection Act. A risk analysis in advance is essential and useful for taking the correct controls, based on the relevant privacy threats and vulnerabilities. Several risk analysis methods can be used for this purpose, for example CRAMM, COBRA or SPRINT. PET can only be successfully implemented after a thorough risk analysis that highlights the threats posed to the processing of personal data. The strengths and weaknesses of the data processing are also identified in this context. Specifically, this means that it must be clear, which personal data an organisation collects and processes, who has access to the data, who is responsible for the processing and whether the organisation has implemented sufficient controls to monitor compliance with the privacy policies. Based on the privacy policies defined, the relevant risks, together with the strengths and weaknesses of the processing organisation and a cost-benefit analysis, lead to a well- considered choice for the required organisational and technical provisions. The management should then see to it that the chosen PET provisions are properly implemented. Using a system of logging and monitoring (see § 4.8.1), the management should assess the extent to which the controls taken achieve the objectives of the prevailing privacy policies. The management should make clear in what way and with what frequency it wishes to receive information about the handling of personal data ­ based on the logging and monitoring. The results of the logging and monitoring activities form the basis for any corrective actions, adjustment of the technical controls and procedures or even amendment of the prevailing policies. 48 White Paper Privacy-Enhancing Technologies 6.3 The wicked triangle One particular problem in the development of information systems with sensitive data is the different perspectives the parties involved have on privacy. When sensitive information is processed, the Privacy Officer will specify requirements with respect to the protection of personal data. The Privacy Officer often has a legal background, and is less familiar with technological solutions. That is why the project needs IT staff that usually have little knowledge about legal issues in general, and privacy protection in particular. The Privacy Officer, in fact, will be primarily skilled in `PET thinking', and far less in PET as technology or IT solution. And exactly the opposite applies with respect to IT staff. It therefore boils down to the fact that policy staff or process owners, for instance, have to fulfil a bridging role between `PET thinking' and PET technology to enable both types of staff involved to make an effective and efficient contribution to the project. Without this bridging role, there can be a lot of misunderstandings and missed PET opportunities. Hopefully, this White Paper offers policy staff and process owners sufficient support to fulfil this bridging role for both disciplines with success. 6.4 PET strategies Once the risk analysis has been carried out and the privacy threats identified, the management should make a choice between the different PET strategies to deploy PET for data protection. The following strategies can be chosen: The organisation focuses on preventing or reducing a person becoming identifiable. The organisation aims to prevent the unlawful processing of personal data. The organisation uses specific technologies that support data protection. Of course, a combination of these strategies is also possible. The following paragraphs elaborate these three strategies in more detail. The PET strategies are allocated a place in the phased plan discussed in section 7. 6.4.1 The first PET strategy: the prevention of identification It is important for the first strategy to determine whether there are identifiable data. A natural person can be identified directly or indirectly. A person is directly identifiable on the basis of a name and address, an identity number, a pseudo-identity that is widely known or a biometric characteristic (such as a fingerprint). Someone can be indirectly identified on the basis of other unique characteristics or attributes or a combination of both of these, from which sufficient information can be derived for identification. With the aid of PET, the direct identification data in an information system can be anonymised. If the data have also been stripped of indirect identification features, no personal data are left whatsoever. In that case, the Personal Data Protection Act no longer applies as no personal data need to be protected. 49 White Paper Privacy-Enhancing Technologies 6.4.2 The second PET strategy: to guarantee against unlawful processing of personal data PET can be used to protect personal data against different forms of unlawful processing. It prevents personal data from being unnecessarily and unlawfully collected, registered, stored, distributed or consolidated internally or externally and linked (connected) to each other. It is a basic privacy principle that no more data be collected and processed than strictly necessary for the agreed purpose. Should an analysis show that fewer data can be used with PET, and that this principle can thus be satisfied, PET will actually have to be implemented. Moreover, PET contributes to observing the legitimacy of the purpose for which data are collected, because the technology can also block data if someone wants to use the data for a different purpose. PET is also ideally suited for use in the context of information security and not only vice versa. 6.4.3 The third PET strategy: the application of specific technologies to enhance privacy Because the PET strategies discussed above cannot be applied in every situation, other technologies can be used to contribute to realising better privacy protection. For example, the use of privacy management systems provided by a range of IT suppliers. In these systems, the agreed privacy policy is consistently applied to all data processing. An example of such a privacy rule could be:[Organisation] [may] [pass on] [client address] [by telephone] to [external contact] for [purpose] if [the client has given permission] In the processing request, a specific name or condition is filled in every time between the square brackets on the basis of which the privacy management system decides whether the request is granted or not. The Privacy Officer fills in the possible conditions in advance; the privacy management systems provides practical support to specify these conditions. Together, a sandwich of technologies can achieve privacy-safe data processing. 50 White Paper Privacy-Enhancing Technologies Privacy-enhancing technologies Below are some examples of the use of technologies to boost privacy: Transparency is increased by the use of P3P (a technology for testing the privacy policies of websites). A statistical or linguistic analysis to verify the name or address inside an address files can improve the quality of the data. The rights of the individual (data subject) can be monitored more effectively through feedback and verification. These design principles ensure that information systems can at any moment provide feedback to an individual about the personal data the individual concerned has provided to the information system, with the option to consult, supplement, correct or erasure of personal data. The automatic deletion of data can also be used. Storage periods can be set in the software, and when that period expires, the specific personal data are automatically deleted. As far as manual processing and data transfer outside the EU are concerned, it is also possible to take technical controls to counteract actions in the meaning of the Data Protection Act. For example, by scanning IP addresses on the validity of the destination address. If the destination is outside the EU, the privacy management system blocks the dispatch. The system then asks permission from the management, and the dispatch is obviously logged if it goes ahead. Figure 19: PET technologies 6.5 The normative face of PET Section 13 of the Dutch Data Protection Act forms the legal basis for the use of PET. It stipulates that the person responsible for processing personal data take appropriate technical controls to protect personal data against loss and any form of unlawful processing. In addition, the controls must also prevent the unnecessary collection and unnecessary further processing of personal data. These controls are weighted on the basis of the following criteria: the status of the technology; the costs; the risks of both the processing and nature and scope of the data. The requirement to apply PET is enforced in Section 11 of the Data Protection Act, which stipulates that no more, but also no less personal data may be collected and processed than are essential for the purpose. The responsible person is also responsible for taking the necessary controls to ensure that the data in question are collected and processed correctly and accurately as intended for the purpose. 51 White Paper Privacy-Enhancing Technologies The use of the slogan `PET INSIDE' with information systems can have a positive effect on the awareness about PET. PET is about the translation of `soft' legal standards into `hard' system specifications. This means that the installation of PET in systems is not only a technical exercise, but also a normative one. Before `PET INSIDE'12 is incorporated in information systems, it must be clear what the requirements of the Data Protection Act for an information system are. Technologists and lawyers will have to translate the standards into technical system requirements. 6.6 Review and supervision The Data Protection Authority (DPA) can call the responsible person or the third party processor to account for the organisation's privacy policy, the protection and the processing of personal data and the way in which the system of controls taken is implemented and complied with. The DPA is authorised, by virtue of its office or at the request of an interested legal entity or natural person, to examine the way in which the Data Protection Act is complied with. The auditors of the DPA will then perform a privacy audit on the design, the implementation and the effective operations of the procedures and controls to guarantee the data protection in accordance with the legal requirements. The implementation of PET prevents the organisation from being confronted with unexpected and unpleasant surprises and creates the necessary public confidence in the authorities. Apart from the audit by the DPA or other external parties, internal reviews and audits can also be carried out. This can be used to identify any further improvement of the prevailing privacy controls that may be desirable or even essential in order to comply with legal and internal requirements. Standard approaches and checklists are available for this purpose (see Appendix A.1). 12 Phrase is borrowed from the `INTEL INSIDE' advertising campaign. 52 White Paper Privacy-Enhancing Technologies 7 PET plan This section includes a phased plan for the implementation of PET. It focuses on both new and existing information systems, and deals with the following issues: PET as design choice (§ 7.1); PET in existing systems (§ 7.2); The phases (§ 7.3). 7.1 PET as design choice The step-by-step PET plan only deals with aspects that are specific to PET and not with the general steps concerning the development and implementation of information systems. Before executing the phased plan, the organisation must recognise the importance of data protection. During discussions with project leaders involved in major projects where the application of PET was considered and/or implemented, the following rule was always prominent: `Privacy by design' Data protection, including PET, should be part of the architecture of the information system, right from the start. Before discussing the PET plan, § 7.2 first explains why it is important to include the implementation of PET as an integral part of the system development. Case study 11: `Privacy by design' in Canada: IT not only causes privacy problems, it also resolves them! A survey conducted by the Alberta authorities revealed that some 57% of the content of their databanks consisted of directly or indirectly identifiable personal data. As a result, the design of a privacy structure within the Central Government of the Alberta Province in Canada was seen as a logical development. It would be an extension of the existing IT infrastructure and the Government of Alberta Enterprise Architecture (GAEA). The government of Alberta could use this privacy architecture to achieve its privacy policies with the aid of IT and ensure that the use of advance technologies comply with the legal privacy requirements. The detailed requirements for the privacy architecture were agreed in October 2002 in a series of workshops organised across the authority with the relevant policy officials, the officials responsible for the IT infrastructure and representatives from the business community. These workshops resulted in a list of twelve requirements that were elaborated in detail in the GAEA Privacy Architecture Requirements policy document. Not only was an agreement reached about the shared privacy terminology, the essential user interfaces and the use of technology to enforce compliance, but also about an identity system based on meaningless but unique numbers (MBUNs)13 . These numbers serve as reference to 13 The MBUNs are not based on existing identification numbers. 53 White Paper Privacy-Enhancing Technologies deliberately fragmented and, as such, only partially accessible personal data domains. The concept of identification reference numbers is based on the use of identity protectors and layered identity domains. Following the specification of the requirements for the privacy architecture, a test model was developed, which was subsequently discussed and commented upon in the same working groups. Finally, the information obtained was used to set up the privacy management system, which received the HP Privacy Innovation Award in 2003. 7.2 PET in existing systems PET is not a black box that one can buy and simply add to an existing system afterwards. In practice, the implementation of PET in existing systems is usually a tricky exercise. If, for example, a change is made to recording data across different domains, the data model must be modified to meet the requirements of the domains and the new data flow. Both the application software and the database architecture of an existing information system have to be adapted accordingly. It may involve a substantial system modification, and therefore may become relatively costly. The user will actually notice very little as it mainly concerns technical modifications to the system. Case study 12: Meerkanten Psychiatric Hospital An in-depth privacy audit revealed that a psychiatric hospital complied with the prevailing privacy legislation on almost all fronts, except that the logical access security offered too many access and update opportunities. To guarantee proper protection of the information about people's mental health, the hospital in question wanted to enforce access controls automatically for the care relationship between healthcare workers and patients. However, a hospital information system and a data model were already in use (X/Mcare system). PET application separate identification data and medical information by using pseudo-identities. Thus only authorised people are able to combine certain data groups; other people can only access the identification data or the anonymous medical information. The medical information, in turn, is also registered in different domains to allow specific access for each type of healthcare worker. This PET application is known as the Privacy- Incorporated Database. As the data is anonymous, useful detailed information is available for scientific research; differentiated security for system access by staff. IT administrators do not have access to patients' medical information. Access by external staff is controlled by stringent access controls with a mobile telephone and through encryption of the data traffic; registration of personal data provided to third parties for each patient concerned. 54 White Paper Privacy-Enhancing Technologies Benefits The use of PET in the information system offers better possibilities to protect personal data. This not only complies with the Data Protection Act, but also with other healthcare-specific legislation with detailed privacy requirements. The users do not notice the existence of PET, unless they make an unauthorised attempt to access certain personal data. The PET application means the system can be connected to a future countrywide client tracking system; to this end, a trusted third party will have to be in charge of user authentication. Conversely, anonymisation is easier to use in existing systems. In some cases, anonymisation tools can be added to the information system as `accessory'. This can be done relatively easily with front-end systems, such as the organisation's website. The fact that anonymised data are now used does have consequences for the information system and the processes to be carried out. The processes will probably have to adapted since one no longer works with personal data. It is also quite possible to add a data warehouse to an existing information system for queries, selections, reports and other processes. This data warehouse will then periodically receive a selection of data from the production database, and thus contains anonymised data for statistical purposes. It is expected that the introduction of a privacy management system that enforces privacy policies will require some investment, a significant part of which concerns the acquisition of supporting software. The software packages currently available do, however, contain functionalities to identify and reveal files and processes, which will make the implementation of privacy policies easier. There is limited practical experience in Europe yet, so little can be said about efforts in practice and the expected costs involved in existing information systems. General PET controls can mostly be implemented effectively and efficiently after an information system has become operational. This then concerns, for example, the introduction of stricter authentication means, such as the use of smart cards, biometrical technology or digital certificates to gain access to a system. The further sophistication of the authorisation structure based on roles or the restricted access to particular data can be added to a system at a later stage because these aspects mainly affect the system perimeter. However, the effort required strongly depends on the way in which the functionality is included in the existing information system. Dynamic responsibilities and access control for a particular file (`rule-based'), as used in the healthcare sector and by the police and judiciary, can also be implemented as an element in an existing system with some effort. 55 White Paper Privacy-Enhancing Technologies PET controls that modify the system internally are possible, provided the control can be implemented in relative isolation. For instance, encrypting data in the database. This is technically possible without affecting the application system. Selective encryption, as referred to in the NTIS case study, requires more effort because it requires functional changes. Ter Avest, Financial Director and Supervisor at Meerkanten Hospital: `The success of the PET application is that you do not notice the PET technology in practice as a user until you attempt to access personal data that do not fall within your area of authority. As such, PET does exactly what we want it to do.' The table in figure 20 illustrates whether it is possible to add the specific PET option to an information system afterwards. Before Afterwards General PET controls Easily possible Strongly depend on control and situation Privacy management system Possible Possible Anonymisation Possible Relatively easily Separation of data Easily possible Tricky/expensive to do Figure 20: Applicability of PET in existing systems 7.3 The phases 7.3.1 Justification & need analysis The detailed elaboration of the privacy controls in the software and technical infrastructure is particularly prominent in the functional and technical design phases14 . In practice, however, it is preceded by an essential phase in which the need and the intensity of the data protection have to be analysed. First of all, it must be ascertained, which personal data are essential to provide the service. When determining the need for processing personal data, you should apply the principle `the less personal data we process, the better'. All things considered, data that are not collected cannot be misused, and less effort is required for the management and protection of the personal data. Numerous projects have revealed that, after a proper analysis, a significant amount of personal data did not have to be processed centrally or otherwise. 14 Also known as: conceptual and system (architecture) design. 56 White Paper Privacy-Enhancing Technologies During this phase, you should bear in mind that several organisations and organisational units may be involved in the data processing. Every interested unit will want a say in determining, which personal data must be collected. This phase produces a listing of personal data elements to be collected and the reasons for doing so. Professor Boasson (University of Amsterdam): `This analysis often requires determination; there is still a lot of resistance against not collecting or storing certain personal data, with the argument that you may as well have the data in case it is useful in the future.' 7.3.2 Data analysis & classification: is PET useful? Before an information system is actually designed, there is first a broad identification and specification of the essential features of the desired information system. The degree to which protection of personal data is required is one such feature. Based on this step, the organisation can carry out an analysis to identify the threats and risks relevant for the data processing. The level of protection of the personal data for processing can be determined on the basis of the results from the risk analysis and data classification available in the organisation. The Data Protection Authority's classification of risk categories can be used as a guideline. Case study 13: Public transport smart card It was decided in the Netherlands to replace the use of the national bus and tram card with the public transport smart card for several reasons: users: it increases user-friendliness and safety (no need to use cash); transport companies: it improves efficiency, it makes available reliable and up-to-date management information, it reduces the percentage of fare dodgers and increases staff safety. This electronic payment system will be set up and managed by the Dutch organisation Trans Link Systems, and comprises the complete back-office settlement for its shareholders, the public transport companies. Where possible, the train, bus and metro stations will also be equipped with entrance gates for the public transport smart card. The smart card is suitable for all types of public transport and can be extended to associated (commercial) services in the future. Name and address details of the public transport users are required for the financial settlement of the use of personalised cards ­ by means of a direct debit or charging the card in advance via a specially designed machine. In the other option, travelling with anonymous cards, the only possibility is to charge the card using such a special machine. 57 White Paper Privacy-Enhancing Technologies The system in the Netherlands is based on that in Hong Kong where so far more than nine million public transport smart cards have been issued, involving a few million transactions a day. The privacy legislation in Hong Kong is similar to that in the Netherlands since both are derived from the European Directive, and the system has proved successful in practice. Here, the same as in the Netherlands, one organisation is responsible for clearly formulating the privacy and security policies and for monitoring implementation and compliance. PET application designing a layered architecture of the entire information system (smart card, entry gates, local processing, transport company processing and a central clearinghouse), with a distinction being made between the personal data that have to be registered at the different levels. On many levels, only the smart card and journey information are registered and no further personal data. Through the use of a data filter, only limited personal data are stored; encryption of sensitive personal data, such as journey and financial information. In addition, a closed network is used where possible; the use of anonymous smart cards that are charged manually with a cash value as travel credit; application of fraud and error detection functions on all the aforementioned levels. For tracing purposes, all a person's journey and transaction data from the different transport companies have to be combined; regular privacy audit in order to demonstrate that all the privacy requirements in the policy and the contract are continuously complied with. On the basis of the outcomes of the privacy audits, numerous improvements have been made to the security and privacy controls. Benefits Thanks to the use of PET, no single party can construct a complete profile of an individual person, and the system offers a basis for third parties to offer commercial services with sufficient guarantees for privacy (through a so-called opt-in scheme). All in all, the use of PET controls increases the confidence of public transport users, politicians, supervisory bodies, the media and other stakeholders. The lack of confidence in one of these groups would substantially lower the chance of success of such a complex project. Moreover, there have been no substantiated complaints about the protection of personal data in Hong Kong. 58 White Paper Privacy-Enhancing Technologies Now that a decision has been made about the desired level of data protection, it can be determined, partly on the basis of the privacy and security controls already taken, whether the application of PET is desired and how PET can contribute towards the data protection. A balance must be achieved between the organisational and procedural controls on the one hand and, the application of PET on the other. To this end, you can refer to the PET staircase in § 4.6 to determine which PET controls are required in view of the risk profile of the data processing, and to determine the level of ambition with respect to the application of PET. Here a distinction can be made between: identity-rich: identifying personal data required; identity-low: identification required once, but a single characteristic suffices, such as age or profession; identity-free: no identity required) processes. With respect to identity-rich processes, general PET controls and privacy management systems in particular are applicable. For identity-low processes, the separation of data into domains, general PET controls and privacy management systems are well-suited. For identity-free processes, separation of data and anonymisation are the ideal PET options. The business case must also be elaborated in this phase (see section 5). In addition, the objectives of the application of PET must be clearly defined and communicated within the project and the user organisation. 7.3.3 Functional design In this phase, the system is described in functional terms and the process model is developed. The process model references to the data flows in the information system, including connections/exchanges with other organisations. The data model for every data flow in the process from compilation, registration, storage through to destruction must also be reproduced. The most important aspects involved in the creation of the process and data model for the processing of personal data are: the origin of the personal data (the use of authentic registers and connections with other databases, where applicable); the type of personal data (special information, if applicable); the type of processes (electronic decision-making, if applicable); users and user groups to whom the data is supplied (external recipients and recipients outside the EU, if applicable); the required level of self-determination by the individual, and duties to inform the public; the party in control of and responsible for the data (outsourcing, if applicable); storage period (mandatory destruction, if applicable); parties involved in the data processing (representatives and administrators, if applicable). It will be clear that the chosen PET option will have a significant effect on these aspects. For instance, the separation of domains, one of the PET options, will have direct consequences for the data model and connections between the domains and any other information systems that derive information from the data in the relevant application. Anonymisation will influence both the data model (fewer data to register) and the processes. The application of a 59 White Paper Privacy-Enhancing Technologies range of separate PET controls will also have to take place at this stage in order to avoid system modifications at a later stage. And the application of privacy management systems may well have little influence on the data model or the functional processes, the influence on the technical architecture of the information system will be greater (see next phase). 7.3.4 Technical design In this phase, the functional design is further elaborated and detailed in a more technical sense. An important aspect is that the technical design of the PET option must be integrated in the complete technical design of the information system. The PET option is, after all, not a separate component that can be added; therefore, the technical design of PET cannot be separated from the technical architecture of the entire information system. Appendix B contains a list of PET techniques to be used in the different PET options. A combination of PET options and techniques is also possible, as well as the use of individual PET controls, such as encryption or role-based access controls. 7.3.5 Development It should be decided during the development phase whether the organisation will design the selected PET options and the corresponding techniques itself, or whether a standard software package will be bought. There is already a fair amount of standard solutions on the market for anonymisation and for logging and monitoring. If the `separation of data' option is used and different domains are created, it is likely that quite a bit of component customisation will have to be performed. Some standard software is available on the market for applying privacy management systems. Account should be taken, however, of the effort required to translate privacy policies into specific privacy rules that, in turn, have to be programmed into the chosen privacy management system. Besides the list of PET options and techniques, Appendix B also lists the techniques that are already available and those that have to be developed by the organisation. 60 White Paper Privacy-Enhancing Technologies 7.3.6 Testing Once the information system has been developed, an assessment must be made to ascertain whether the system operates properly and whether the users accept the new system. The tests should also include the PET functionality and its user-friendliness. In view of the maturity of PET, it is advisable to start off with a small-scale pilot project. Based on the results of the pilot project, the PET-proof information system can then be adapted, if applicable, and rolled out in the entire organisation. During the tests, account should also be taken of the degree that the system lends itself to scaling. For instance, a particular implementation project revealed that the system did not function entirely correctly in a large-scale implementation, whereas it did in an environment with small-scale use. When the chosen solution is one with a privacy management system, the test will certainly have to focus attention on the privacy rules installed in this system. Little experience has been gained with using the particular syntax (often resembling XML), and the Privacy Officer will most probably have prepared the syntax, also with little experience with it. 7.3.7 Implementation In this phase, the information system, together with the PET option, will be implemented and the organisation will start using the PET-proof system. Over and above the normal implementation activities, it is essential to ascertain what needs to be done for PET to work. For example, in the case of data being separated, authentication tools have to be issued for users to use the identity protector. The issuance and, in particular, the granting of authentication tools must not be underestimated. It forms the basis for the proper functioning of the PET option. Of course, communication regarding the new system and the implementation of PET play an important part during the implementation process ­ at least when PET has any effect on the usability of the system. Part of the communication includes the training of the users and the administrators in the use of PET. When preparing for the implementation, it is advisable to find out whether the chosen PET tools, for example a smart card, can be provided to all users within the agreed timeframe. 7.3.8 Management & maintenance In addition to the standard management and maintenance tasks involved in an information system, and thus also in the PET option, there are also PET-specific management and maintenance tasks. For example, authentication tools and access controls also have to be managed. People may lose the smart card or token, forget the relevant PIN code, change position, etc. A management process should therefore be set up around the authentication tool and the authorisation of people. 61 White Paper Privacy-Enhancing Technologies 7.3.9 Evaluation The project must be evaluated, to which end an evaluation plan and evaluation criteria can be drawn up. The effectiveness of the PET controls can be assessed on the basis of this post- implementation evaluation, among other things. Where needed, adjustments can be made to the information system and the PET option on the basis of this evaluation. A privacy audit can provide the necessary support if it also addresses technical aspects and the PET options. An organisation can also decide to have its information system or its business process handling personal data certified in the context of the Data Protection Act. Case study 14: Online medical history file Together with the Dutch Applied Scientific Research organisation (TNO) and a trusted third party (Diginotar), the Dutch Council for Chronically Ill and Disabled People (CG Council) developed an online medical history file. This so-called `digital experience file' enables all members of 140 organisations affiliated to the CR Council to keep their medical information up-to-date. PET application independent issuance of authentication tool by the trusted third party. It offers the choice of authentication by means of user-ID and password, mobile telephone or a bankcard, depending on the requirements of the Internet application. An ownership feature (such as mobile telephone or bankcard) is the minimum requirement for access to the online medical history file. use of pseudo-identities for anonymous access to the digital history file. The same trusted third party is responsible for managing the pseudo-identities. The CG Council and TNO are unable to make a connection between the real identity and the pseudo- identity. No identification data are required for many service applications, such and healthcare and prevention sites of insurance companies; certification of the reliability of the third party and the Internet applications that process the medical information. Certification is achieved with the aid of the QMIC system; users indicate which medically-related historical data they wish to make available to third parties and in which research projects they wish to take part. Benefits Chronically ill and disabled people can use this system to keep their own medical history up- to-date in a safe and flexible way. They are also ensured that their medical history and their personal data will be properly looked after by the research organisation and trusted third party respectively. Moreover, their personal medical history file is connected exclusively to QMIC-certified information services. 62 White Paper Privacy-Enhancing Technologies Of course, the users' experiences are also relevant and should form part of the evaluation. It is also vital to use the evaluation to identify learning opportunities for the development project, for example, in the field of efficiency, project approach and the integration of PET therein. These learning opportunities are useful for the organisation itself, but can also support other organisations wishing to implement PET. During the evaluation, the costs incurred and benefits realised (the added value of PET) can also be compared to the prepared budget and business case. 7.3.10 Product categories Figure 21 includes a table showing which product categories with specific PET elements should be prepared in which phase. Project phase Project categories with PET-specific elements Justification & need analysis Summary of which data are processed and why. Data analysis & classification Data classification; Risk analysis concerning data protection; Report of the definition study, including the business case for PET. Functional design System design in which PET is integrated; Data and process model. Technical design Detailed design of the system architecture. Development Decision regarding the purchase of a preferred solution (which package to buy) or custom development. Testing Test plan for specific PET aspects. This plan must form part of standard test plan. Implementation Communication and training plan; Rollout plan for authentication tools if applicable. Management & maintenance Manual for the management and maintenance of specific PET components. Incorporate manual and activities in standard manual and activities. Evaluation Evaluation and/or auditor's report. Figure 21: PET-specific product categories to be implemented in each phase 63 White Paper Privacy-Enhancing Technologies 8 Actions You intend to seriously evaluate the possibilities for the use of PET in the information systems falling under your responsibility. What can you do in the short term to ensure the successful application of PET in your organisation? The summary below briefly presents the success factors based on our experience in these projects and suggestions offered by the people interviewed from their practical experiences. Identify the most important running or forthcoming projects concerning information systems processing personal data. Organise a PET awareness-raising session for the responsible process owners, policy staff, programme and project leaders and privacy and security officers, and promptly clear any misunderstandings concerning data protection and the required PET controls. Supplement this with awareness-raising materials for all the stakeholders involved, consisting of this White Paper, a flyer and information about best practices. Make sure that `PET thinking' is embedded in the organisation, with PET being a serious option for all new and existing information systems that process personal data. Argue from the perspective of the organisation strategy and the management model when it comes to data protection and the application of PET. Strike a good balance between the anonymity of the person concerned on the one hand and, on the other, knowing the client, enabling tracking and combating fraud. In some instances, there is no need to know someone's identity, simply the fact that it concerns one unique person, and sometimes there is a need to know the client. Using a number as protection against using the name is an option in this respect. To find the right balance, the processes can be divided into identity-rich, identity-low and identity-free processes. Determine and properly substantiate in advance the minimum set of data required in a specific situation, and what additional information may be required. Make a proper distinction between the demands and wishes concerning data protection and the corresponding PET controls. At the same time, improve the quality of the personal data (the so-called 11-test on tax and social security numbers is a good example). Reliable data form a solid basis for the acceptance of authentic registers and data protecting controls and the countering of duplicate administration. To achieve optimum effectiveness of the PET controls, it is essential to refine the organisation's authorisation structure step-by-step. For example, defining the functions and the roles and introducing role-based access controls. Use the results of privacy audits and the pattern of any privacy-related complaints to substantiate the need for PET. Perform a regular privacy audit or evaluation to further improve the PET controls. In the case of inter-organisational connections and data exchange, discuss the need and desirability of a possible PET application with partners in the chain. Also agree upon clear guidelines with all the parties involved to strengthen the effectiveness of the PET application. Maintain the flexibility of other organisations with which data are exchanged. Choose a basic central model for retaining local autonomy and responsibilities. There should be no or only very limited central interference with the chosen method of data exchange and very restricted or no central access into the message content. 64 White Paper Privacy-Enhancing Technologies Select a suitable information system for a pilot project involving application of PET, and choose a phased approach that is not too ambitious or too rigid in interpreting privacy right from the start. Pay particular attention to including the transparency principle right from the start in the design of the PET application. Position PET solutions as an infrastructural `utility' that benefits numerous projects and not merely a drain on the budget of the pilot project. After the pilot project, incorporate the PET application method in the system development method and incorporate PET components in the information and system architecture. Ensure that the users experience little hindrance and mainly benefits from the PET application. Concentrate on and explore possible financial support from subsidy schemes. Finally: To summarise PET is more than simply a means of protecting personal data: PET is attractive! PET enhances the quality of information. The dependence on proper compliance of processes and procedures is reduced by the automatic enforcement of privacy regulations. The application of PET can offer the public better insight into and control over their personal data. PET is imperative! With PET, it is easier to comply with the Data Protection Act. PET provides the conditions for public confidence. PET enables working with sensitive personal data. PET is possible! PET has been successfully implemented on numerous occasions, which is evident in this White Paper PET has only a limited effect on the costs of developing a new information system, since the technologies are available and it mainly concerns the application. The `cost' mainly involves thinking and designing. Implementing PET in your information architecture offers the basis for efficiently applying PET in different information systems efficiently. Figure 22: Reasons for using PET 65 White Paper Privacy-Enhancing Technologies A Bibliography The terms added in square brackets refer to a number of references concern the PET techniques mentioned in Appendix B. A.1 PET in general Borking, J.J., Raab, C., Laws, PETS and other technologies for privacy protection, Journal of Information, Law and Technology, no. 1, February 2001. Dutch Data Protection Authority, Studies and Investigations 11: Privacy Enhancing Technologies: the path to anonymity, September 1998. [Blind elektronic signatures, Privacy Incorporated Database, Biometrics] A.2 PET case studies Campbell, A., Privacy architecture, Government of Alberta, November 2003. [Privacy Incorporated Database, EPAL, Privacy policy management, Cryptography-based IDs] IBM Global Services, Privacy architecture overview of the government of Alberta, May 2003. [Privacy Incorporated Database, EPAL, Privacy policy management] A.3 PET in depth Borking, J.J., The status of privacy enhancing technologies, Certification and security in E-services: From e-government to e-business, ISBN 1-4020-7493-X, Kluwer Acadamic Publishers group, 2003. [P3P, PISA] Borking, J.J., Kenny, S., The value of privacy engineering, Journal of Information, Law and Technology, no. 1, March 2003. Borking, J.J., Privacy rules for intelligent software agents, Tilt, no. 15, 2003. [PISA] Escudero-Pascual, A., To be or not to be in the next generation Internet, Tilt, no. 15, 2003. [Cryptography-based IDs] Karjoth, G., Schunter, M., Waidner, M., Privacy-enabled services for enterprises, Tilt, no. 15, 2003. [EPAL] Kenny, S., Korba, L., Applying digital rights management systems to privacy rights management, Computers & Security, no. 7, 2002. [Privacy rights management] PISA consortium, Handbook of Privacy and Privacy-Enhancing Technologies: the case of Intelligent Software Agents, 2003. [PISA] A.4 Websites www.cbpweb.nl/en www.pet-pisa.nl [PISA] www.w3.org/P3P/ [P3P] www.cdt.org/privacy/pet/p3pprivacy.shtml [P3P] 66 White Paper Privacy-Enhancing Technologies B PET technologies This appendix includes a summary of possible technologies that can be used to apply the PET options dealt with in this White Paper. A distinction has been made between standard solutions, custom-built solutions and future solutions. A further explanation and information about the technologies described in the table can be found in literature listed in Appendix A. The technologies discussed in the relevant document/website are also listed at a number of articles in Appendix A. Available Custom-made The future General Encryption (storage & communication) Logical access controls (authentication and authorisation) Biometrics Quality-Enhancing Technologies Cryptography-based IDs Government access facility (e.g. portals) Separation of data Profile management Privacy incorporated database Blind electronic signature Personal data safe Anonymisation MIX routers Onion routers Cookie management tools File management tools Smart cards Biometrics Privacy management systems P3P (Platform for Privacy Preference Project) Privacy Rights Management (based on Digital Rights Management) Automatic data destruction (retention management) PISA (Privacy- Incorporated Software Agent) Privacy ontologies EPAL (Enterprise Privacy Authorisation Language) Privacy policy management software Figure 23: PET technologies 67 White Paper Privacy-Enhancing Technologies C List of definitions Authentication tool An authentication tool is a means used to confirm that a person in fact is who he/she claims to be. This could, for example, be a digital certificate, but also a token or username/password combination is a form of authentication. Citizen Service Number The Citizen Service Number is a user number that the Dutch central government will issue to all citizens. With the implementation of the citizen service number, persons can utilize a single number for all contacts with the authorities. Authorities, in turn, can perform their tasks more effectively with the use of the citizen service number because it enables faster, more efficient and more reliable data exchange. The use of personal numbers serves three purposes: it improves the service to clients, combats identity fraud and increases the government's transparency with the aim of improving privacy. Special categories of personal data Pursuant to the Dutch Personal Data Protection Act, it is prohibited to process personal data concerning someone's religion or philosophy of life, race, political persuasion, health, sexual life, as well as personal data concerning membership of a professional association, criminal record and personal details about unlawful or objectionable behaviour with respect to a sanction imposed because of that behaviour. This prohibition can only be lifted if certain stringent conditions are satisfied. Digital signature A signature consisting of electronic data that are attached to or logically associated with other electronic data and that are used as means of authentication. An electronic signature based on a qualified certificate satisfies the legal requirements in the same manner as a handwritten signature. The national digital signature legislation is based on the European Directive 1999/93/EC, further elaborated in the technical standard ETSI 101 456. EPAL Enterprise Privacy Authorisation Language (developed by IBM and ZeroKnowledge) is a language for describing the relationship between objects (see privacy ontology) for use in privacy management systems in order to automatically realise the processing of personal data within the legal frameworks. 68 White Paper Privacy-Enhancing Technologies Identity protector An element in an information system that protects the identity of the user, the citizen and the consumer, and that controls the exchange of the identity between the various other elements in the information system. The identity protector converts the identity of the individual concerned into one or more pseudo-identities. The use of an identity protector creates a minimum of two types of domains; these are domains in which the identity is known or accessible and domains in which this is not the case (see also PID). Personal fact Every fact concerning an identified or identifiable natural person (also referred to as `personally identifiable information'). Personal Data Protection Act The Dutch Data Protection Act took effect on 1 September 2001, and it represents the implementation of European Directive for the protection of personal data (95/46/EC) and replaces the old Personal Data Registration Protection Act. The Directive took effect on 24 October 1998. PET Privacy Enhancing Technologies (PET) is a collection of information and communication technologies that strengthens the protection of individuals' private life in an information system by preventing unnecessary or unlawful processing of personal data or by offering tools and controls to enhance the individual's control over his/her personal data (Source: TNO). PID The data in a Privacy Incorporated Database are separated in an identity domain and a pseudo-identity domain. The so-called identity protector creates the connection between the different domains. If a person has no access to the identity protector, he/she cannot make the link between the data in the different domains (see also Identity protector). PISA The Privacy Incorporated Software Agent project is a research project subsidised by the EU in which software agents (digital agents) are built to protect the privacy of users of personal digital assistants on the internet. See further: www.pet-pisa.nl. 69 White Paper Privacy-Enhancing Technologies PKI A Public Key Infrastructure uses public key cryptography to make a reliable connection between the identity and other attributes of the holder of the private key and certificate. A PKI uses digital certificates issued by a Certification Service Provider (CSP). Privacy An internationally recognised basic human right: Respect for and protection of privacy, including the lawful processing of personal data, and, in the Netherlands, laid down in the Constitution, the Data Protection Act and numerous other laws. Privacy ontology Ontology is a formal machine language understood by an information system and that describes certain knowledge elements and their mutual relationships in a particular knowledge field. Privacy ontology describes the knowledge about the data protection knowledge domain in a standard, unambiguous manner with the aim of converting privacy legislation into a language that is understood by an information system so that the system in question automatically applies the prevailing privacy legislation to the processing of personal data, thus preventing unlawful processing. Privacy Rights Management Privacy Rights Management concerns the protection of personal data by means of a method based on digital technology to protect copyrights registered on data carriers (Digital Right Management). The aim is to provide personal data with an inextricable digital label containing the privacy preferences. P3P The Privacy Preferences Protocol is a tool that enables easy communication about the privacy preferences of internet users in standardised form that can be read by the information system. Quality Enhancing Technologies Quality-Enhancing Technologies is a collective name given to technologies that improve the quality of data processing and data itself. These technologies form a subset of PET. Smart card A digital data carrier fitted with a microprocessor with the capacity of a small computer, which can be used for numerous purposes, including a debit card, identification and authentication (see authentication tool), access control, reference index for medical information, loyalty card, etc. 70 White Paper Privacy-Enhancing Technologies TTP A Trusted Third Party that delivers reliable and confidential services, such as reliable hosting services or the issuing of digital certificates (at present, the party issuing digital certificates is indicated with the term CSP). W3C The World Wide Web Consortium is a consortium concerned with the development of interoperable technologies (standards, software and tools) for the internet. Among other things, W3C developed and improved P3P (see P3P). The JRC (Joint Research Centre of the EU situated in Ispra, Italy) developed a version of P3P in accordance with the EU Directive. 71 White Paper Privacy-Enhancing Technologies D Case Studies included with PET application Case Study 1 Higher Education Clearinghouse 8 Case Study 2 National Central Medication Registration 10 Case Study 3 RINIS Clearinghouse 12 Case Study 4 National Trauma Information System (NTIS) 22 Case Study 5 Suwinet 23 Case Study 6 Identity Protector in a hospital information system 26 Case Study 7 Road Pricing & Digital Tachograph 27 Case Study 8 Anonymous services (Agekey) 31 Case Study 9 National Alcohol and Drugs Information system 31 Case Study 10 Electronic Voting 35 Case Study 11 "Privacy by Design" in Canada; IT not only causes privacy problems, it also resolves them! 52 Case Study 12 Meerkanten Psychiatric Hospital 53 Case Study 13 Public transport smart card 56 Case Study 14 Online medical History file 61