An Introduction to Privacy Engineering and Risk Management in Federal Systems published by the National Institute of Standards and Technology (NIST 8062) provides the basis for the establishment of a common vocabulary to facilitate better understanding of and communication about privacy risks and the effective implementation of privacy principles in information systems.
Privacy engineering objectives
PREDICTABILITY
Enabling of reliable assumptions by individuals, owners, and operators about personal information and its processing by an information system
MANAGEABILITY
Providing the capability for granular administration of personal information including alteration, deletion, and selective disclosure
DISASSOCIABILITY
Enabling the processing of personal information or events without association to individuals or devices beyond the operational requirements of the system
Problematic Data Actions and Problems for Individuals
An earlier draft of the publication (NISTIR 8062) also included an appendix of Problematic Data Actions which was not included in the final version of the report.
Problematic data actions
APPROPRIATION
Personal information is used in ways that exceed an individual’s expectation or authorization. Appropriation occurs when personal information is used in ways that an individual would object to or would have expected additional value for, absent an information asymmetry or other marketplace failure. Privacy harms that Appropriation can lead to include loss of trust, economic loss or power imbalance.
DISTORTION
The use or dissemination of inaccurate or misleadingly incomplete personal information. Distortion can present users in an inaccurate, unflattering or disparaging manner, opening the door for discrimination harms or loss of liberty.
INDUCED DISCLOSURE
Pressure to divulge personal information. Induced disclosure can occur when users feel compelled to provide information disproportionate to the purpose or outcome of the transaction. Induced disclosure can include leveraging access or privilege to an essential (or perceived essential) service. It can lead to harms such as power imbalance or loss of autonomy.
INSECURITY
Lapses in data security. Lapses in data security can result in a loss of trust, as well as exposing individuals to economic loss, and stigmatization.
SURVEILLANCE
Tracking or monitoring of personal information that is disproportionate to the purpose or outcome of the service. The difference between the data action of monitoring and the problematic data action of surveillance can be very narrow. Tracking user behavior, transactions or personal information may be conducted for operational purposes such as protection from cyber threats or to provide better services, but it becomes surveillance when it leads to harms such as power imbalance, loss of trust or loss of autonomy or liberty.
UNANTICIPATED REVELATION
Non-contextual use of data reveals or exposes an individual or facets of an individual in unexpected ways. Unanticipated revelation can arise from aggregation and analysis of large and/or diverse data sets. Unanticipated revelation can give rise to stigmatization, power imbalance and loss of trust and autonomy.
UNWARRANTED RESTRICTION
Unwarranted restriction to personal information includes not only blocking tangible access to personal information, but also limiting awareness of the existence of the information within the system or the uses of such information. Such restriction of access to systems or personal information stored within that system can result in harms such as exclusion, economic loss and loss of trust.
Problems for Individuals
LOSS OF SELF DETERMINATION
- Loss of autonomy: Loss of autonomy includes needless changes in behavior, including self-imposed restrictions on freedom of expression or assembly.
- Exclusion: Exclusion is the lack of knowledge about or access to personal information. When individuals do not know what information an entity collects or can make use of, or they do not have the opportunity to participate in such decision-making, it diminishes accountability as to whether the information is appropriate for the entity to possess or the information will be used in a fair or equitable manner.
- Loss of Liberty: Improper exposure to arrest or detainment. Even in democratic societies, incomplete or inaccurate information can lead to arrest, or improper exposure or use of information can contribute to instances of abuse of governmental power. More life-threatening situations can arise in non-democratic societies.
- Physical Harm: Actual physical harm to a person.
DISCRIMINATION
- Stigmatization: Personal information is linked to an actual identity in such a way as to create a stigma that can cause embarrassment, emotional distress or discrimination. For example, sensitive information such as health data or criminal records or merely accessing certain services such as food stamps or unemployment benefits may attach to individuals creating inferences about them.
- Power Imbalance: Acquisition of personal information that creates an inappropriate power imbalance, or takes unfair advantage of or abuses a power imbalance between acquirer and the individual. For example, collection of attributes or analysis of behavior or transactions about individuals can lead to various forms of discrimination or disparate impact, including differential pricing or redlining.
LOSS OF TRUST
Loss of trust is the breach of implicit or explicit expectations or agreements about the handling of personal information. For example, the disclosure of personal or other sensitive data to an entity is accompanied by a number of expectations for how that data is used, secured, transmitted, shared, etc. Breaches can leave individuals leave individuals reluctant to engage in further transactions.
ECONOMIC LOSS
Economic loss can include direct financial losses as the result of identity theft to the failure to receive fair value in a transaction involving personal information.