IAM – Privacy Law

When we are talking about Identity Management we are talking about information an organization collects that falls under privacy legislation.  Names, addresses, e-mail address, gender, height/weight, etc.

There are four main laws an Albertan should be aware of:

  1. PIPEDA – The Federal statute concerning how private companies must deal with your personal information.  It also has a section providing the law on electronic signatures.
  2. The Privacy Act – The federal statute on how federal organizations must deal with your personal information.
  3. PIPA – The Albertan equivalent to PIPEDA
  4. FOIP – The Albertan equivalent to the Privacy Act.

PIPEDA and PIPA are fairly new laws, introduced within the last 10 years.  There is other privacy legislation too.  In general, more specific legislation overrides the acts above.  However, these acts also set the minimum privacy controls that can be enacted.

So let’s look at the private personal information an organization may collect from you and store in the identity management solution.

  1. Information used for identity proofing – names, witness statements, criminal record checks, other credentials and scans and numbers from other ID.  Highly personal!  The amount and detail of this information may depend on the level of identity proofing required.
  2. Information used for registration and enrollment – often similar to the above.  The nature of this data will depend on what the credentials will be used for.  For a web e-mail account it will be minimal.  For a health records system it will be substantial.
  3. Personal information created through the IAM system – most notably your credentials.
  4. Personal information created through your relationship with the organization – your account number maybe.  Or if it is a credit card company your credit card number.  Etc.  This information may in turn be used in other IAM systems for registration, enrollment or identity proofing.
  5. Other personal information that may be stored in the IAM directory – While not strictly necessary for Identity management, the directory is a good place to store this information.  Billing information, emergency contact information, etc.

Depending on the nature of the organization, a breach of your personal information in an IAM system could be sufficient to steal your identity.  So the privacy of the information you provide is of paramount importance to both you and the organization.

So you should know your rights, and any designer/maintainer of an IAM system should know what their responsibilities are.  Your rights and their responsibilities may drive several design and support decisions for an IAM solution.

This is not legal advice!  Consult with the actual acts and/or a lawyer on privacy matters.  🙂

Let’s use PIPEDA as our example.  Here are your rights:

  1. An organization must ask for your consent before collecting personal information from you. There are two big exceptions.  If the personal information is obtained from a public source (like the phone book) there is no need for consent or to inform you.  Secondly if you are an employee of an organization some of your personal information belongs to the organization not you.  They can do with it as they please.   Namely your work phone number, work e-mail*, and title (and similar pieces of information).
  2. The organization must tell you why they need the information and exactly how it will be used before you give consent.  They must inform you and re-obtain consent if those purposes should ever change.  This includes if the organization should ever disclose your information to another organization.**
  3. The organization should not collect information it doesn’t need.  If it no longer needs that information it should be destroyed or anonymized.
  4. You can always ask to see the personal information the organization has on you.  You can ask for corrections.  The organization must comply in a reasonable time (30 days with 30 days extension) or provide justification for not doing so.
  5. The organization must take appropriate means to secure your personal information from unauthorized disclosure.
  6. You can complain to the feds if you think an organization is not adhering to the act.

*Work e-mail is currently personal information, not business personal information.  But there is a proposed amendment to change that this parliamentary session.

**The big exceptions here are disclosure because you are under legal investigation, disclosure for the purposes of debt collection and if informing you of the disclosure would put you at risk of harm.

PIPA is very similar.  The biggest gap at the moment is that an organization does not need to inform you of an accidental or malicious disclosure of your information.  This is also in the amendments proposed for this session.

For someone designing an IAM solution, meeting many of these requirements may seem like common sense.  But you should be aware of them nonetheless, and some might be less obvious.  What will your process be to correct information on request?  Or to provide information on request?  How will you audit to determine if information is no longer needed?  Should you delete it then or anonymize it?

You also need to know how it is being used.  If a new application starts to make use of your directory, you may first need to obtain consent from all the users in the directory for the new purpose!  You are the custodian of the information so you need to make sure the consent is obtained.

And storing it securely.  Most directories are designed so that it is easy to extract information from them.  That is their purpose!  If information is of a highly confidential, personal nature, then a database other than your IAM directory might be the appropriate place to store it, despite how easy (and cost-effective) it would be to have it in your IAM directory.
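As an added illustration (not code from the original post), here is how the design questions above can be enforced in the directory itself: a new application is only released the attributes its purpose needs and the user has consented to, and a retention audit flags stale records for anonymization. The directory, consent registry, purpose map and sample entries are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample data: a tiny IAM directory entry with a per-user consent
# registry. Hypothetical structure, not any real directory product.
@dataclass
class Entry:
    uid: str
    attrs: dict
    consents: set = field(default_factory=set)   # purposes the user agreed to
    last_used: date = date(2000, 1, 1)            # last authentication/activity

DIRECTORY = {
    "alice": Entry("alice", {"cn": "Alice Example", "mail": "alice@example.test",
                             "emergencyContact": "+1-555-0100"},
                   {"authentication", "billing"}, date(2024, 5, 1)),
    "bob": Entry("bob", {"cn": "Bob Example", "mail": "bob@example.test"},
                 {"authentication"}, date(2019, 2, 1)),
}

# Attributes each stated purpose is allowed to read (collect/use only what is needed).
PURPOSE_ATTRS = {
    "authentication": {"cn", "mail"},
    "billing": {"cn", "mail", "emergencyContact"},
    "marketing": {"mail"},
}

def read_for_purpose(uid: str, purpose: str) -> dict:
    """Release only attributes the user consented to for this purpose and that it needs."""
    entry = DIRECTORY[uid]
    if purpose not in entry.consents:
        # A new application with a new purpose is refused until consent is re-obtained.
        raise PermissionError(f"{uid}: no consent on record for '{purpose}'")
    return {k: v for k, v in entry.attrs.items() if k in PURPOSE_ATTRS.get(purpose, set())}

RETENTION = timedelta(days=3 * 365)                 # assumed retention period
DIRECT_IDENTIFIERS = {"cn", "mail", "emergencyContact"}

def retention_audit(today: date) -> list:
    """Return uids whose record has not been used within the retention period."""
    return [uid for uid, e in DIRECTORY.items() if today - e.last_used > RETENTION]

def anonymize(uid: str) -> dict:
    """Strip direct identifiers but keep the record shell for audit history."""
    e = DIRECTORY[uid]
    e.attrs = {k: ("[redacted]" if k in DIRECT_IDENTIFIERS else v) for k, v in e.attrs.items()}
    e.consents.clear()                               # no purpose may read it any more
    return e.attrs
```

Running the audit first and anonymizing what it flags keeps the directory within the "collect only what you need, destroy or anonymize it when you don't" rule without losing the account's audit trail.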

Finally, these laws are new and under constant scrutiny.  They are also still changing (as all laws are).  There is also significant controversy as to whether they are strong enough, too strong and have the appropriate safeguards.  This note may become obsolete as soon as I hit Publish!

Take some time and learn the laws in addition to your technology.  Get expert advice on your IAM system from your organization’s legal team.
