Re: [pmrm] Privacy engineer PRIPARE references

[John Sabo <john.annapolis@comcast.net>]

Nico,

Thank you.  The summary you provided is very helpful, and I will incorporate this language into the PMRM revision.  Once the PRIPARE methodology has been published, please let the PMRM TC know.

Best regards,

John 

John Sabo, CISSP
Chair, OASIS PMRM TC

Chair, IDTrust Member Section

On Nov 11, 2015, at 4:03 AM, Notario McDonnell, Nicolas <nicolas.notario@atos.net> wrote:

Dear all

 

I’m very sorry that at this time I cannot provide you with links to the final version of the methodology where privacy engineers are referenced. I’m still finding the appropriate way to publish the methodology before the final results of the project are formally accepted by the European Commission.

 

Anyhow, I will try to summarize the references/definition related to privacy engineers:

 

Within the methodology

Privacy & security engineer role definition (as part of the Privacy and Security Management Office: “these engineers are IT experts in the design of systems, aware of privacy methodological practices and available PETs and techniques that lead to the development of privacy enhanced systems. Such engineers should have the knowledge and abilities to understand the legal framework in which the system will be deployed and to link this legal framework with the systems’ features, privacy controls and existing risks.”

 

Within the methodology, we expect this engineer to collaborate with other stakeholders in order to, i.e. build the privacy requirement catalogue, develop the privacy enhanced system architecture, identify relevant privacy strategies, techniques or PET’s that could fulfil the functional requirements while still accomplishing the privacy ones, select and provide tailoring instructions regarding specific mechanisms.

 

As part of a gap analysis

We provide a recommendation to the Industry:

·         Include privacy experts/privacy engineers in the employee base to design privacy-preserving products, the same way as big data analysts are hired when big data systems need to be developed.

·         Include privacy and privacy-engineering training as part of the organization’s training catalogue.

We provide a recommendation for Research projects and programmes:

·         Programmes should foster the development of a privacy engineering discipline that trains ICT professionals to integrate risk and design, and to use privacy-preserving tools that currently seem disjoint.

I mentioned to the PRIAPRE consortium the plans of PMRM regarding privacy engineers and one of the members of the PRIPARE consortium answered me: “we’ve submitted a paper to a top journal in the domain on the role of privacy engineers and the different topics that are included within the scope of the privacy engineering field. The paper is under review, and for confidentiality reasons I cannot distribute it, but the review period is about to finish. If it is accepted I will send it to you in case it is useful for the ongoing discussions within PMRM”.

 

Hope this helps

 

Best regards

<image001.gif>

Nicolás Notario McDonnell

Research Engineer

Identity & Privacy Laboratory

Atos

Research & Innovation

T +34 91 456 98 95

nicolas.notario@atos.net

www.atos.net

<image002.gif>

 

This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it.
As its integrity cannot be secured on the Internet, the Atos group liability cannot be triggered for the message content. Although the sender endeavors to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.

Este mensaje y los ficheros adjuntos pueden contener información confidencial destinada solamente a la(s) persona(s) mencionadas anteriormente y pueden estar protegidos por secreto profesional.
Si usted recibe este correo electrónico por error, gracias por informar inmediatamente al remitente y destruir el mensaje.
Al no estar asegurada la integridad de este mensaje sobre la red, Atos no se hace responsable por su contenido. Su contenido no constituye ningún compromiso para el grupo Atos, salvo ratificación escrita por ambas partes.
Aunque se esfuerza al máximo por mantener su red libre de virus, el emisor no puede garantizar nada al respecto y no será responsable de cualesquiera daños que puedan resultar de una transmisión de virus.