by galeforcewinds 3130 days ago
Having technical knowledge and entering a room of less technical policy-makers, it can be particularly important to leverage existing industry messaging rather than winging it.

I would focus on the CIA triad + Accountability + Assurance. It's helpful to use standard terminology that is understood by existing privacy practitioners.

Personal information should be Confidential from unwanted disclosure.

Personal information should have Integrity with the creation, modification, and deletion of personal information only as authorized and intended.

Personal information should be readily accessible to authorized parties.

Personal information should have Accountability, with traceable ownership to a party responsible for Confidentiality, Integrity and Access.

Personal information should have Assurance, with appropriate audit of Confidentiality, Integrity, Access and Accountability; including the right to inspect.

Just as the Amendments to the Constitution form a latticework of protection for each other -- e.g. that freedom of press helps ensure other rights are not eroded -- the elements of CIA+A+A do the same.

Recommendations can then be framed for direct implementation:

* Confidentiality: Requirements for timely breach notice

* Access: The right of the consumer to be aware of and to have access to data about them

* Integrity: The right of the consumer to repudiate data about them and demand removal

* Accountability: Direct ownership and legal teeth (fines, jail, and barring of eligibility from data or business management roles, etc.) to compel the presence and adherence of an appropriate privacy management program

* Assurance: Standardized audit reporting, guaranteed consumer right to inspect, etc.

Folks noting "accountability" often mean the entire CIA Triad + A + A, not the technical term "Accountability". This is likely the gap to bridge -- turning a sentiment that businesses are not operating appropriate privacy management programs into an actionable path to compel existence, adherence, reporting and audit of such programs.