Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Tuesday, October 28, 2008

Top 5 Mistakes of Privacy Awareness Programs?

Jay Cline, in an interesting article called “Opinion: Top 5 Mistakes of Privacy Awareness Programs”, lists the top five shortcuts that many large corporations take when dealing with privacy awareness programs:
  • Doing separate training for privacy, security, records management and code of ethics
  • Equating "campaign" with "program"
  • Equating "awareness" with "training"
  • Using one or two communications channels
  • No measurement

Have a look.

--- NOTE: my original HP blog can be found here ---

Monday, October 27, 2008

Part II: TSB EnCoRe Project – Ensuring Consent and Revocation

In a previous post of mine, I announced the UK TSB EnCoRe project, focusing on research on Consent and Revocation.

A new version of the EnCoRe web site is now available online.

I would be interested in getting your views and input on two aspects:

  • Prior art and work in the space of consent and revocation. In a first analysis, very little work is available in terms of automation of revocation of consent, in a wide sense. Any known work/solution in this space?
  • Your (user) requirements in the space of consent and revocation


Wednesday, October 22, 2008

PrivacyOS: Thematic Network for Privacy Protection

PrivacyOS (Privacy Open Space) is “a thematic network for privacy protection infrastructure within the current European Commission's ICT Policy Support Programme. The Project has started at the beginning of June 2008 and brings together industry, SMEs, Government, Academia and Civil Society to foster development and deployment of privacy infrastructures for Europe.”

More details can be found here.

Last week I attended the first PrivacyOS Conference (Strasbourg, 13-15 October 2008). It was very interesting and stimulating, considering the heterogeneous background of the audience, their presentations and the subsequent discussions. I would encourage the members of this community to attend in the future (the next conference is going to happen in April 2009).

In this context, I gave a presentation on "Enabling Privacy-aware Information Lifecycle Management in Enterprises", describing work done at HP Labs and in the EU PRIME project (Framework VI), in the space of “Management of Parametric Privacy Obligation Policies”.

Tuesday, October 21, 2008

Online Dialog on Health Information Technology and Privacy

As highlighted by this article, called “OMB sponsors online discussion of privacy issues”:

“The Office of Management and Budget has asked the National Academy of Public Administration to hold a public discussion this month of health care privacy issues through an interactive Web site.”

This online dialog will take place the week of October 27 at: http://www.thenationaldialogue.org/.

Thursday, October 2, 2008

Identity Management in the Cloud

This article, called “ID Management In the World of Cloud Services” (and a related podcast), is quite interesting, as it is thought-provoking.

The advent of cloud services and services on demand is indeed likely to change the identity management landscape: most current identity management solutions are focused on the enterprise and/or a very controlled, static environment. User-centric identity management solutions (such as various federated identity management approaches) also make some assumptions about the involved parties (e.g. SP, IdP parties) and their related services.

In a world where services are offered on demand, in the cloud, and can continuously evolve, some of these models are going to be challenged, for example in terms of trust assumptions, privacy implications and operational aspects of authentication and authorization.

Is anybody aware of studies in this space? What is your view?
