What You Must Know About DRM

10 Step #4: Undertake a threat risk assessment by completing a Privacy Impact Assessment A Privacy Impact Assessment (PIA) provides an in-depth assessment of relevant privacy legislation, privacy implications of systems design, and consumer privacy expectations. Once privacy goals are determined and initial privacy vulnerabilities detected, the PIA should offer ongoing guidance each time a data collection process is created or modified. The Ontario government's Management Board Secretariat has created a PIA. 33 Other PIAs include the British Columbia government's Corporate PIA 34 and the Government of Canada's Treasury Board Secretariat PIA. 35 Step #5: Deploy methodology for privacy risk management at the systems level This step is crucial to the deployment of privacy-protective DRM technologies. Fair information practices must be built into the systems architecture. The methodology in Step #5 translates a company's privacy policy into technical practices. It does this by developing systems architecture rules and designing controls around the collection of personal information, linkability, access, use and accountability, as well as delineating business processes that use personal data. It is also important to ensure that the methodology rules are designed in consideration of the type of data being used (i.e., the level of sensitivity). One useful methodology for building privacy into systems architecture is Privacy Rights Management (PRM). In a paper entitled, Privacy Rights Management for Digital Rights Management, Steve Kenny and Larry Korba define PRM as "distributed management of personal information in accordance with EU data protection legislation." 36 In particular, they examine the architectural potential of DRM to manage the requirements of the EU Data Protection Directive. However, recognizing that it is difficult to integrate legal requirements into the development of new systems, they also put forward some simplified privacy principles that companies can use as a starting point for a detailed analysis of the privacy aspects of systems architecture. According to Kenny and Korba, content distribution companies must balance the need to protect digital content (i.e., fraud prevention) against potential liability that may arise if personal information has been misused. They argue that a PRM methodology can provide copy prevention for a company and protect the privacy rights of its customers through token schemes, for example.