What I love about privacy work is that I constantly get asked “what if?” questions that require me to rethink things that I’ve always taken for granted. The other day’s question was: “Is a person’s signature biometric information?”

Apparently, part of the documents inadvertently sent to the wrong person were signed forms. This person asking me was in the process of determining whether the inadvertent disclosure is covered by the National Privacy Commission’s (NPC) requirement for mandatory breach notice.

The first question in making the determination is: “Is the personal data involved sensitive personal information (SPI) or other information that may enable identity fraud?”

So I thought to myself, “is a signature biometric information?” Because if it is, then a signature is SPI. And this case hurdles the first requirement for breach reporting.

A quick Google search told me that a signature is not considered SPI. However, the manner in which a person signs is biometric data and, ergo, SPI.

Why is this little nugget of information important? Well, the use of signature pads has become commonplace these days. If the signature pad used by your company records not only the signature of the customer but also the manner in which the signature is made (i.e., how a person signs, such as the stroke dynamics), then your company will be subject to the more stringent requirements of the 2012 Data Privacy Act for collecting and processing sensitive personal information. More importantly, if such biometric information is part of the personal data that is the subject of a data breach, then you will be required to comply with the data breach notice requirements of the NPC.

Back when I was still doing consulting, I did a lot of thinking about how to help my clients become more effective in thinking about privacy. At that time, I was reading a lot of books not only about privacy but about business and entrepreneurship.

The Business Model Canvas was quite popular online at that time and I became interested in coming up with a similar mental framework for privacy. Sure, I could have adapted the Business Model Canvas for privacy, but I didn't really see much benefit in doing that because I didn't think it was that useful as a construct for privacy. I wanted to come up with something that would be useful more often and for more organizations.

So I came up with a framework I called the Data Lifecycle Mapping Canvas.

A blank canvas

How do you use the canvas? I had it printed on a big tarp. The tarp can lie on a tabletop or be hung on a wall. The important thing is that everybody participating in the data lifecycle mapping can see it and that the canvas is within reach of at least one of the participants.

At the start of the session, I hand out post-it notes on which the participants write the steps of the data lifecycle as data travels across the organization. Note that only one step should be written on each post-it note. This is so the steps can be easily rearranged based on the inputs and comments of the participants during the discussion.

Here is an example of a completed canvas:

(This is only for the purpose of demonstration and the steps depicted may not actually correspond to the processing activities of the Department of Foreign Affairs.)

You may have noticed that each step in the processing corresponds to one of four quadrants designated as COLLECT, USE, STORE/DISPOSE, and DISCLOSE/TRANSFER. Thus, if the activity is part of the data collection process (e.g., the applicant's photo is taken), the post-it note is attached to the COLLECT quadrant; and if the activity pertains to processing (e.g., DFA staff encode the data into the passport system), then the note is attached to the USE quadrant.

Why do I ask participants to do this? Take a look at Sections 19 and 20 of the Data Privacy Act Implementing Rules and Regulations (DPA-IRR). These sections lay out the general principles for each of the data processing activities: collection, processing, retention, and sharing, and these activities correspond to the quadrants in the canvas. By overlaying these principles on each quadrant, you come up with a shorthand reminder of the general principles you need to comply with for each processing activity.

Here is how the canvas looks with the applicable general principles:

At a glance, you now have a view of what you need.

Pretty neat, yes?

(This framework is a work in progress. Let me know how I can make it better via the comments below or via email.)

digital security bingo

Today, while trawling the internet, as one does on a non-working holiday, I came across this digital security bingo from AccessNow (follow them on Twitter @accessnow).

You can use it as an ice-breaker for a privacy learning session or other related activity at your organization. It's also a useful graphic you can use as a reminder (post it at your workstation for yourself, or as a poster for the office) of what you should be doing to protect yourself online.


#dataprivacy #digitalsecurity #studentprivacy #game

Post Categories