Framework for Privacy Analysis of Programs, Technologies, and Applications

Framework for Privacy Analysis of Programs, Technologies, and Applications

The Framework for Privacy Analysis of Programs, Technologies, and Applications is a framework developed by the Department of Homeland Security Data Privacy and Integrity Advisory Committee and issued as report 2006-01 on March 7, 2006. [] It provides a multi-step analysis framework to be used for considering effects of a proposed program on privacy and other interests.

The Framework


The Scope is a description of the program and its purposes. According to the Framework, the Scope should answer the following questions:

* What is the program under review?
* What is its purpose?
* What is its history and origin?
* How has it come to be used or considered by the Department?
* Where is it used or being considered for use?

Legal Basis

The Legal Basis is an explanation of the laws relevant to the program. It should explain what the legal authority for the program is and what legal limits are placed on the program. Importantly, the Legal Basis includes consideration of any law that limits the program, including judicial rulings, other statutes, and constitutions.

According to the Framework, the Legal Basis should answer the following questions:

* What is the legal authority for the program under consideration?
* What are the pre-existing legal limits on the program under consideration?

Risk Management: Efficacy

The Risk Management assessment is an explanation of the precise purposes of the program and the problem it is trying to solve. It includes consideration of the proportionality of the response to the problem and possible additional problems created by that response. According to the Framework, the Risk Management assessment should answer the following questions:

* What are you trying to protect? The Framework notes that this should be as specific as possible, as opposed to general answers like "the American people."
* What are you trying to protect it from?
* What is the likelihood of each threat occurring and the consequence if it does?
* What kind of action does the program take in response to the threat? The Framework suggests that there are four different ways of responding to a threat: acceptance, prevention, interdiction, and mitigation.
* Does the response create new risks to the asset or others?

Effects on Privacy Interests

The Framework calls this step "the heart of the process." It notes that many programs will have some cost to privacy, and that these costs should be minimized. The Framework also suggests that different interests may be affected, including the following:


* How does the program affect individuals' ability to control how personal information about them is collected, used, or shared?
* Does the program include rules and practices that protect the confidentiality of personal information once it has been collected? ("Confidentiality")
* Does the program erode individuals' ability to control identifying information and to remain anonymous when they want to do so? ("Anonymity")
* Does the program use or foster surveillance? ("Seclusion") The Framework suggests minimizing collection of data to that needed for an explicit, limited purpose, minimizing use to only that purpose, and minimizing the length of time the data is retained.


* Does the program treat individuals fairly at every step?
* Does the program collect data directly from the subject of the information? If the program uses information from other sources, what is done to assure that the sources are reliable? How does the program ensure that it uses accurate, timely, and relevant data? Does the program allow individuals access and correction rights? Does it ensure that corrections are propagated throughout the system? ("Data Quality")
* Does the program provide adequate notice to individuals of its data collection, use, disclosure, and redress policies? ("Notice")
* Does the program provide due process through redress mechanisms wherever a person may suffer an adverse action or determination? ("Individual Participation and Accountability")
* Is the program open to public scrutiny, understanding, and participation? Is information about agreements and contracts with other government agencies, government contractors, and foreign governments available to the public? Are architectures, technologies, data flows, tests, testing criteria, and testing results published? ("Transparency")
* Is the program manager accountable for compliance with privacy laws and principles? Does the program contain appropriate control measures, such as privacy audits and review by the DHS Privacy Office or the Inspector General? ("Accountability")


* Does the program limit individual freedom in some dimension? For example, does it condition freedom of movement or action on the diminution of some privacy interest? Is interaction with the program mandatory or effectively mandatory?

Data Security

* How is personal information secured against threats to privacy and integrity? Does the program use reasonable and appropriate safeguards (including administrative, technical, and physical measures) to protect against unauthorized access, use, disclosure, modification, and destruction of data?


The final step in the Framework should answer two questions: Are there changes that could be made in the program that would reduce its privacy costs? Should the program proceed? In this step, the results of previous steps are considered and evaluated. Specifically, in determining whether the program should proceed the benefits described in step 3 should be weighed against the costs described in step 4. If the costs are not justified by the benefits, an attempt should be made to reduce the costs if possible.


Wikimedia Foundation. 2010.

Игры ⚽ Нужно решить контрольную?

Look at other dictionaries:

  • Framework Programmes for Research and Technological Development — The Framework Programmes for Research and Technological Development, also called Framework Programmes or abbreviated FP1 through FP8, are funding programmes created by the European Union in order to support and encourage research in the European… …   Wikipedia

  • Media and Publishing — ▪ 2007 Introduction The Frankfurt Book Fair enjoyed a record number of exhibitors, and the distribution of free newspapers surged. TV broadcasters experimented with ways of engaging their audience via the Internet; mobile TV grew; magazine… …   Universalium

  • Law, Crime, and Law Enforcement — ▪ 2006 Introduction Trials of former heads of state, U.S. Supreme Court rulings on eminent domain and the death penalty, and high profile cases against former executives of large corporations were leading legal and criminal issues in 2005.… …   Universalium

  • Internet privacy — involves the right or mandate of personal privacy concerning the storing, repurposing, providing to third parties, and displaying of information pertaining to oneself via the Internet. Privacy can entail both Personally Identifying Information… …   Wikipedia

  • Department of Defense Architecture Framework — DoD Architecture Framework.[1] The Department of Defense Architecture Framework (DoDAF) is an architecture framework for the United States Department of Defense, that provides structure for a specific stakeholder concern through viewpoints… …   Wikipedia

  • Firefox — For other uses, see Firefox (disambiguation). Phoenix (web browser) redirects here. For the Phoenix browser based on tkWWW, see tkWWW. Firefox …   Wikipedia

  • Biometrics — For the academic journal of statistics in biology, see Biometrics (journal). For the application of statistics to topics in biology, see Biostatistics. At Walt Disney World, biometric measurements are taken from the fingers of guests to ensure… …   Wikipedia

  • Health informatics — For the Journal, see Journal of Biomedical Informatics. . Electronic patient chart from a health information system Health informatics (also called health care informatics, healthcare informatics, medical informatics, nursing informatics,… …   Wikipedia

  • Web crawler — For the search engine of the same name, see WebCrawler. For the fictional robots called Skutters, see Red Dwarf characters#The Skutters. Not to be confused with offline reader. A Web crawler is a computer program that browses the World Wide Web… …   Wikipedia

  • Data mining — Not to be confused with analytics, information extraction, or data analysis. Data mining (the analysis step of the knowledge discovery in databases process,[1] or KDD), a relatively young and interdisciplinary field of computer science[2][3] is… …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”