Automating the Enforcement of Privacy Policies

Technology can enable the consistent enforcement of privacy policies, even across diverse organizations.  What is needed is a standard way of describing users, data resources, access rules, conditions, and obligations. 

Diana Graski
Principal Court Management Consultant, National Center for State Courts

Thomas M. Clarke
Vice President, Research Division, National Center for State Courts

Why a Technical Solution for Privacy Policy Enforcement Is Needed

Traditional methods of enforcing privacy policies include interagency agreements, memoranda of understanding, and employees’ signatures on nondisclosure agreements. Controlling access to information systems typically involves a unique user identification and password or token for each log-on screen. The definitions of the types of users who have access to certain types of records are usually hard-coded into each application.

These approaches to privacy-policy enforcement might have been sufficient for a tight-knit, stable group of trusted local partners, but state and local courts are more frequently encountering situations in which their potential information-sharing partners are geographically distant and increasingly diverse. Family, juvenile, and problem-solving courts are at the forefront of these changes, but all courts and case types will be affected. As quickly as the composition of information-sharing partnerships is evolving, so, too, is the pace of change in federal and state privacy protections. In this new normal, the traditional “user id and password” mechanism is too slow, too brittle, and too expensive to maintain.

The good news is that the technologies supporting the enforcement of privacy policies are quickly evolving to meet your court’s business needs. The Global Standards Council (GSC), with support from the federal Bureau of Justice Assistance, has adapted and tested these new technologies in the justice environment, and the judiciary’s partners in human services and health are adopting very similar standards. This article introduces you to Global’s Technical Privacy Framework and encourages you and your court’s data-exchange partners to pursue these solutions.

What Is the Technical Privacy Framework?

Three business capabilities are involved in enforcing privacy policies:

  • Authenticating the identity of the user who is requesting access to protected information
  • Determining whether the user’s request complies with the requirements of the privacy policy governing the protected information
  • Logging the request and the response for auditing purposes

The major components are described in more detail below.

Enforcement of Privacy Policy

1. Identity Providers: User Authentication

Real-world scenario: To support its paper-on-demand strategy, the court wants to provide electronic access to dependency-case files, but only caseworkers, parents’ attorneys, guardians ad litem, and CASA volunteers are approved users. How will the court ensure that the user “Jane Montoya” is really the Jane Montoya who is employed today as a foster-care caseworker by Washington County’s Department of Human Services, assigned to Baby Renee Z’s case?

Understandably, the court does not wish to manage and maintain an ever-changing list of approved users. The preferred option is to develop an “identity provider” service. The members of the information-sharing enterprise execute an agreement about the user-authentication methods that provide sufficient security for the target data and adopt a standard for describing their users’ identities, roles, organizational affiliations, certifications, contact information, and other characteristics. The governance structure and metadata standards create a trusted network that can add new members who agree to abide by the same terms.

In the scenario above, Washington County’s child welfare agency would agree to maintain an up-to-date directory of caseworkers and would pass Jane Montoya’s credentials to the court when Jane requested access to the case files. In return, the court would agree to trust Washington County’s assertion that Jane Montoya is the current caseworker assigned to the case she is requesting to view.

The technical requirement for federated identity is a standard for expressing attributes about users, such as roles. The Global Federated Identity and Privilege Management (GFIPM) team has completed all of the metadata attributes for the highest-priority criminal-justice data exchanges. Even though the values will be different for dependency and neglect cases, the GFIPM attributes can readily be adapted for family and juvenile cases. The Orange County Juvenile Information Content Exchange program (OC JUICE) provides an excellent example of how courts can collaborate with county agencies to implement a trusted network for user authentication (see sidebar).

2. Policy Decisions and Enforcement: Automated Access Control

Real-world scenario: Your court and child welfare agency agree to implement a Web service that automatically updates the court’s case management system with the name and contact information of a new caseworker when the agency reassigns a dependency case.

Coarse-grained access control refers to a system that authenticates and authorizes a user, and then permits the user to access any of the records. Fine-grained access control refers to a system that determines the specific records a user is entitled to access based upon the user’s credentials, the nature of the requested records, and other conditions. Those conditions are as varied as the privacy policies that organizations write, but some typical examples are the user’s asserted business purpose, the day and time of the request, the IP address of the computer from which the request originated, and whether the subject of the record has consented to the disclosure. As courts and their partners develop and implement privacy policies, they are discovering that the “all in or all out” logic of coarse-grained authorization does not fully reflect the desired or required privacy and access policies.

In our scenario, the data-exchange environment needs to evaluate several key characteristics:

  • the identity of the requester (is the request accompanied by the security certificate we granted our county’s child welfare information system?)
  • the type of information that is the target of the request (a child welfare case record, and specifically the data elements containing the caseworker’s name and contact information)
  • the privacy rule that governs “write” access to the court’s case management system for the target data
  • the condition provided in the content of the request that a supervisor with the child welfare agency has approved the new assignment

A national data-markup standard, XACML, can express all of these characteristics in a machine-readable format. Equally important, several commercial and open-source software components are now available that can evaluate and enforce XACML rules. The XACML standard is being adopted by the health-care and justice communities with which courts need to share information, so its use should become more common.

3. Audit Logging

Real-world scenario: A party involved in a past child abuse case successfully petitions your court to correct a factual error in the final judgment. The court wishes to notify anyone who has viewed the final judgment that they, too, should correct their records.

The concept of creating a log of system actions is not new, but the traditional approach is to embed audit logs inside each application, which has had the unintended consequence of making the appropriateness of access control practically impossible to analyze. In Global’s Technical Privacy Framework, the audit log is placed outside the individual applications, and it collects information about requests and responses for the entire information-sharing enterprise. Using standard markup and centrally collecting audit data offers the potential for exposing the enterprise’s logs for the purposes of generating automatic notifications, as in the scenario described above, and using business analytics software to monitor access control proactively.
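To make the fine-grained decision of section 2 and the enterprise-wide audit log of section 3 concrete, here is an added Python illustration (not code from the article, the Global Standards Council, or any XACML product) that evaluates the two scenarios above and then answers the correction-notice question from the audit log. The attribute names (idp_assertion_valid, assigned_cases, supervisor_approved, and so on) and the case id are constructed stand-ins, not GFIPM or XACML identifiers.

```python
from datetime import datetime

AUDIT_LOG = []  # enterprise-wide log, kept outside any single application (section 3)
APPROVED_READ_ROLES = {"caseworker", "parent_attorney", "guardian_ad_litem", "casa_volunteer"}

def decide(user, resource, action, context):
    """Policy decision point: simplified XACML-style rules, deny by default. The user
    attributes are constructed names standing in for an identity provider's assertion."""
    if not user.get("idp_assertion_valid"):
        return "Deny", "requester not vouched for by a trusted identity provider"
    if resource["type"] != "dependency_case":
        return "NotApplicable", "no rule governs this resource"
    if action == "read":  # who may view the file, and under what conditions
        if (user["role"] in APPROVED_READ_ROLES and resource["case_id"] in user["assigned_cases"]
                and context.get("purpose") == "case_management"):
            return "Permit", "approved role, assigned to this case, purpose stated"
        return "Deny", "reader not approved, not assigned, or purpose not stated"
    if action == "write" and resource["field"] in {"caseworker_name", "caseworker_contact"}:
        if user["org"] == "washington_county_dhs" and context.get("supervisor_approved") is True:
            return "Permit", "agency reassignment approved by a supervisor"
        return "Deny", "write needs the agency's identity and supervisor approval"
    return "Deny", "no rule permits this action"

def enforce(user, resource, action, context, now):
    """Policy enforcement point: obtain the decision, then log request and response."""
    decision, reason = decide(user, resource, action, context)
    AUDIT_LOG.append({"time": now.isoformat(), "user": user["id"], "org": user["org"],
                      "resource": dict(resource), "action": action, "decision": decision, "reason": reason})
    return decision

def viewers_of(resource):
    """Users permitted to read this record: the correction-notice scenario in section 3."""
    return sorted({e["user"] for e in AUDIT_LOG
                   if e["resource"] == resource and e["action"] == "read" and e["decision"] == "Permit"})

def demo():
    """Constructed scenario: Jane reads the judgment; the agency then reassigns the case."""
    jane = {"id": "jmontoya", "org": "washington_county_dhs", "role": "caseworker",
            "assigned_cases": {"JD-0042"}, "idp_assertion_valid": True}
    judgment = {"type": "dependency_case", "case_id": "JD-0042", "field": "final_judgment"}
    enforce(jane, judgment, "read", {"purpose": "case_management"}, datetime(2012, 6, 1, 9))
    agency = {"id": "dhs-cms", "org": "washington_county_dhs", "role": "system",
              "assigned_cases": set(), "idp_assertion_valid": True}
    contact = {"type": "dependency_case", "case_id": "JD-0042", "field": "caseworker_contact"}
    unapproved = enforce(agency, contact, "write", {}, datetime(2012, 6, 2, 10))
    approved = enforce(agency, contact, "write", {"supervisor_approved": True}, datetime(2012, 6, 2, 11))
    return unapproved, approved, viewers_of(judgment)

if __name__ == "__main__":
    print(demo())  # ('Deny', 'Permit', ['jmontoya'])
```

Because every request and response lands in one log regardless of which application served it, the "who viewed the judgment" question becomes a single query rather than a search through each partner's embedded logs.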

Next Steps: Training Resources

The Global Standards Council’s Federated Identity and Technical Privacy Work Group is charged with further developing the technologies that enable the automation of access control in justice-information-sharing enterprises. In parallel, federal and state health-and-human-services agencies are pursuing automated privacy-policy-enforcement capabilities, spurred primarily by their development of electronic health records and the privacy protections required by the Health Insurance Portability and Accountability Act (HIPAA). Family and juvenile courts have information-sharing partners in both the justice and HHS realms, so encouraging the adoption of a consistent standard will be important to achieving interoperability.

With the support of the Bureau of Justice Assistance, the National Center for State Courts has developed a complete technical privacy curriculum:

  • Executive Summary: a ten-minute video introducing the business need for technical privacy enforcement
  • Technical Privacy Primer: a series of seven 15-minute modules that present the technical privacy framework and its components
  • Readiness Assessment: an online tool designed to help your court determine its technological readiness to automate access control and to recommend practical next steps
  • Detailed Implementation Guide: a deep dive into the technologies that enable automated access control, including a test environment with a sample implementation

These training resources will be available online, on-demand by the end of 2012. During your next information-sharing governance meeting, you could propose a plan for working through these training materials together, using them as a launching pad for discussions of how to automate access control.