Thursday, 30 April 2015

Automating Privacy Compliance

I was at the 2015 meeting of the UK Ontology Network in Leeds earlier this month where, amongst many, there was a presentation about a tool called Sparqlycode - which if you get the chance you must check out!

Anyway, Paul Worral of Interition Ltd wrote a very nice summary of my work:

Ian Oliver [Nokia Networks, Espoo, Finland] presented Ontologies for Privacy.  The whole idea behind Sparqlycode is to provide an information tier for software that enables it to be linked to knowledge about the business.  Ian's work is a perfect example of this. He demonstrates how high-level policies on Personally Identifiable Information should and can be directly related to the code responsible for adhering to them. Ian has authored a book on the subject, Privacy Engineering. I bought it and hope to have some examples of how it can be applied to Sparqlycode soon.

I look forward to seeing how this works out, but it certainly is in the direction of where I hoped. It'll be very interesting to see how this particular approach matches with a more data-flow based modelling approach.

At UKON2015 there was also an extremely interesting presentation about a tool called TawnyOWL for programmatically generating ontologies. Given that Clojure is my current language of choice this seems a perfect fit for the privacy ontologies themselves.

Tuesday, 28 April 2015

Modelling Privacy

Here's a teaser from the next book on privacy. ETA late 2015, December - just in time for Christmas - if I work really hard!

It will compliment the existing book Privacy Engineering and build upon more of the data flow modelling, use of taxonomies and techniques for analysing models such as those from safety critical engineering, eg: FMEA, RCA etc.

In the meantime, Privacy Engineering is available from,, CreateSpace as well as Barnes and Noble and even book stores such as here in Finland.

Monday, 27 April 2015

Privacy Awareness Training (more thoughts)

I had the pleasure of presenting at the IAPP's DPIntensive workshop in London this month. After my session I got to talk with many about how to move privacy forward beyond an insular group discussion properly towards the engineers whose job it is to build the systems that implement these privacy rules.

One thing that came up was the need for training and that privacy awareness training hasn't had the effect hoped for. Given that awareness training is exactly that, is it no surprise that once the, usually, one hour presentation on how we should all care about privacy is made nothing happens?

Primarily this is because awareness training is by its very nature very abstract at best and irrelevant at worst. Awareness training is also rarely followed up by more context relevant training, for example, for the software architects or programmers or marketers and so on.

There are various reasons for this, mainly, that to continue training in such a manner takes a great deal of effort to set up and comes with an interesting catch-22 problem: the privacy department/group/... probably doesn't have any engineers; which makes generating relevant training for engineers remarkably difficult.

Worse is that because of the current nature of privacy - it is primarily a legal discipline, albeit one trying to break through to engineering - very few engineers move towards or even into privacy.

One member of the audience at the DPIntensive workshop remarked on this stating that this was one of their biggest problems, especially as they had so much to learn from engineering.

The other major difficulty is that the structures that need to be put in place in order to translate between a legal discipline and an engineering one are undoubtedly complex. Consider a linguist trying to create a translation into an as yet not understood language: first one must understand the script, the syntactic structure and then the semantic ones - not to mention the whole problem of the pragmatic structures and idioms that exist before a degree of fluency is reached that makes translation or even basic conversation possible.

So, the problem with privacy awareness training is that it becomes almost impossible to follow up and continue beyond anything more than a broad, common denominator.

Such training however are fantastic for metrics ... make the training compulsory and you'll get 99% of the company taking the training - which normally lasts an hour, can be delivered by webcast or similar. Working with metrics and a delivery mechanism like that makes it an amazing vehicle for improving 'management' metrics. Which in this case are exactly the wrong metrics, at least from the point of view of the good of the company.

So next time you create a privacy awareness training consider :

  • whether that training is aimed at a particular audience, or it is broad and generic
  • how that training is to be followed up
  • what effects do you expect to see
  • measurement of must be made on what effects of the training actually went into practice
We can go further and ask what cultural changes happened due to the training, from the point of view of:
  • the programmers
  • the engineers
  • the overall R&D
  • the management
  • the marketing department
  • the legal department
  • the privacy group

Unless all of the above can be answered then the privacy awareness training will have no overall or lasting effect.

Monday, 6 April 2015

Quote of the Day about Truth

Emile Zola:

 “If you shut up truth and bury it under the ground, it will but grow, and gather to itself such explosive power that the day it bursts through it will blow up everything in its way.”

Saturday, 4 April 2015

2015 UK Election Leader TV Debate

Whether leadership debates are a good thing or not is itself a debate, however ITV's UK Leadership Debate with seven party leaders was held with the result that Miliband (Lab) "beat" Cameron (Con) by a small margin. YouGov made a survey of who do you think won the debate with the results as shown below (source: Guardian)

One thing however is not explained, and that is who was asked. Obviously if you'd polled in Ceredigion or Gwynedd then Wood (PC) would have won, if in Brighton then Bennet (Greens) and so on. However I assume that we could say that this was a representative sample from across the UK, but still it is going to be heavily weighted in favour of the national parties and then especially the two leading parties.

This got me thinking, as you can tell whatever you want with statistics - think of it as accountancy with more leeway - could the above figures be weighted according to the uk electorate, especially as two of the parties involved do not campaign outside of Wales or Scotland.

The electorate figures for England, Scotland and Wales for 2013 according to the Electoral Commission are 40,100,00, 4,100,00 and 2,300,00 (to nearest 100,000). Given this I think it is obvious that the above results are going to be skewed towards the established parties.

Furthermore the SNP are fairly well known and have a more 'national' or UK-wide agenda than Plaid Cymru who are much more focussed on Wales. Leanne Wood (PC) for example is standing as a member of the Welsh Parliament rather than Westminster. Welsh politics rarely feature outside of Wales, except for a strange incident back in 1997 (one, certainly for the conspiracy theorists). Ironically given the current constitutional issues since the Scottish independence vote, it has been Rhodri Morgan, leader of the Welsh Government who has been proposing ideas (even at EU level) of how the UK and Northern Ireland should be governed.

That given, the above figures on who "won" really should be taken much more in context of the audiences to which they are most relevant. The above is so much biased towards an English view - not that there's a problem with that - it does give a false impression to voters in Wales and Scotland. Furthermore, given the size of England and its electorate even the above figure does not truly represent England - how would it look in the context of Thanet versus Toxteth?

So getting back to how the leaders actually did in the debate, it would be best to take each individually, especially as each has very different leadership goals. Probably the best overview of each of the party leaders' performances was given by the Telegraph. Or as another put it, four out of touch public school boys taken to task by three women :-)