PALANTIR GOTHAM: Upholding Data Protection Regulations in the European Union
100 Hamilton Avenue, Palo Alto, California

01 INTRODUCTION

As our flagship data analytics platform, we built Palantir Gotham from the ground up to safeguard privacy and civil liberties and ensure compliance with evolving regulations. Palantir Gotham is deployed across a wide range of regimes and jurisdictions with some of the most stringent data protection regulations in the world. By implementing highly tailored data security controls and enabling comprehensive oversight of user actions, Palantir Gotham can be configured to meet internal and external requirements amid a rapidly shifting landscape of privacy norms and regulations.

DATA PROTECTION

Personal data may only be processed for a legitimate purpose. As data is collected and analyzed, it is often subject to mission creep or used for purposes beyond the intended scope.

Palantir Gotham includes granular access controls to restrict data (including sub-components of records, such as sensitive personal information) to authorized users on a need-to-know basis, as determined by a system administrator or authorized data owner. If there is any indication of misuse or abuse, organizations can quickly revoke user access.

In addition to role-based access controls, Palantir Gotham facilitates justification-based access restrictions. Palantir Gotham can be configured to require an authorized justification or purpose before users are granted access to information. For example, before beginning an investigation or accessing a particular data source, analysts may be required to select from a list of authorized purposes, enter a case number, and/or submit a free-text justification. Using this functionality, each instance of processing is supported by a specific and lawful investigative purpose.

Palantir Gotham also includes a robust audit framework to identify misconduct. Organizations can leverage audit logs as effective oversight mechanisms, ensuring that all data processing is consistent with authorized and legitimate purposes. All user activity in Palantir Gotham can be recorded in tamper-evident audit logs, allowing organizations to quickly determine which users viewed, modified, and/or exported information and to identify any inappropriate behavior. Palantir Gotham can also provide tripwire notifications of pre-defined sensitive actions, such as accessing sensitive files or performing unusually large bulk exports.

Swiss Data Protection Act (Article 4.1 and 4.3); EU Data Protection Directive (Article 6.1b); UK Data Protection Act (Schedule 1, Part I, Section 2); OECD (FIPPS) Para. 9, Purpose Specification Principle

02 PROPORTIONALITY & MINIMIZATION

Data processing must be lawful, carried out in good faith, and proportionate. Certain categories of data, such as sensitive personal information, receive special protection.

Palantir Gotham supports proportionality by minimizing data processing that is outside the scope of the mission. We built Palantir Gotham based on the philosophy that intelligence augmentation (rather than artificial intelligence) is the key to solving many of our data-driven problems. This philosophy, ingrained in the basic architecture of Palantir Gotham, ensures that human analysts decide what information is processed and how, as well as how to limit the use of automated processing and pattern analysis to predetermined and clearly designated contexts.

One of the first steps in a Palantir deployment is customizing the data model (Dynamic Ontology) for the unique mission and function of each organization, determining how users interact with information. Our flexible approach to ontology construction ensures that proportionality concerns are addressed from the very beginning, minimizing user exposure to and processing of irrelevant data.

To help organizations maintain control and ownership over their data assets, our engineers have developed two main federated data solutions, Raptor and Phoenix, that allow users to search data that is not stored within Palantir Gotham. Users can retrieve data through on-demand queries from external sources, such as web services. Federated data remains linked to its original source and can be updated or removed as necessary.

Once data is integrated, Palantir Gotham can be configured to minimize browsing and protect anonymity. Palantir Gotham includes a full suite of visualization tools, such as Histogram, Heatmaps, and Object Explorer, that allow users to visualize patterns in data without opening individual records.

Palantir Gotham operates at a granular level, allowing organizations to tailor privacy protections to comply with virtually any data protection regime. Fine-grained access controls help organizations mitigate unnecessary processing by securing each piece of information in their enterprise individually, rather than applying blanket permissions across entire data sources. Depending on permissions and/or clearance levels, each analyst may see a different cut of the data. Palantir Gotham can also apply different measures of data protection to different classes of data. For instance, special access restrictions might apply to certain categories of data (e.g., personally identifiable information and health records) and to certain users. These comprehensive data controls help focus compliance audits on conduct that raises special regulatory or privacy concerns.

Swiss Data Protection Act (Article 4.2); OECD (FIPPS) Principle 4, Use Limitation Principle; UK Data Protection Act 1998 (Schedule 1, Part I, Section 2); EU Data Protection Directive (Articles 6, 8, and 15)

03 RIGHTS TO TRANSPARENCY, CORRECTION & ACCESS

Any individual may request information from the controller of a data file containing their personal data. Data processing must be reported to the relevant authorities under certain circumstances.

Palantir Gotham is designed to facilitate access to relevant data. As a result, Palantir Gotham substantially reduces the time to respond to a request for information under applicable statutes. Administrators can quickly identify all records related to a particular individual and, if necessary, disseminate corrections related to that information throughout the enterprise. Granular data handling allows users to easily separate out data that should not be provided under applicable legal exceptions.

Palantir Gotham leverages a pointer system to ensure that only a single canonical copy of the data exists. When an individual requests access to records containing his or her personal information, this information is easily identified and accessed without requiring administrators to check multiple databases and/or hard drives to ensure a complete response. This capability substantially reduces the possibility of multiple, inconsistent, and/or out-of-date personally identifiable information being scattered among an indeterminate number of case files.

Swiss Data Protection Act (Article 8); OECD (FIPPS) Para , Openness and Individual Participation; UK Data Protection Act 1998 (Part II, Section 7); EU Data Protection Directive (Articles 10 and 12)

ACCOUNTABILITY

Data controllers should be held accountable for complying with measures that affect the principles discussed above.

Palantir Gotham includes tamper-evident auditing capabilities to prevent and mitigate the misuse of data. These capabilities allow organizations to undertake periodic processing reviews to ensure analysts are working within authorized boundaries. Audit logs capture everything from login attempts to specific search queries to individual record views, and can be configured to capture more verbose information as necessary. For instance, audit logs can be used to retrace all investigations by a particular user on a specific date, or to isolate investigations in which that user accessed a specific piece of data. In the case of a data breach, Palantir Gotham tracks which user exported the data; any access revocation quickly propagates through Palantir Gotham.

OECD (FIPPS) Para. 14; Swiss Data Protection Act (Article 4); EU Data Protection Directive (Article 12); UK Data Protection Act 1998 (Part V, Section 41A)

04 DATA QUALITY & ACCURACY

Individuals processing personally identifiable information must make certain that it is accurate and take all reasonable measures to ensure that inaccurate and/or incomplete data is either corrected or removed from the system. Inaccurate data can lead to mistakes and misidentifications that may negatively impact privacy and civil liberties.

The Revisioning Database is a critical component of Palantir Gotham that maintains a rich set of metadata to help users and administrators ensure data quality and accuracy. The Revisioning Database records the pedigree and lineage of each piece of information in the enterprise, including all additions and modifications. Authorized users and administrators can access this metadata to discover when the information was integrated, accessed, and modified, and by whom. In addition to providing a valuable oversight tool, the Revisioning Database allows authorized users to reverse changes if inaccuracies are discovered. For instance, users can unmerge improperly merged records at a later date.

Palantir Gotham allows organizations to control how changes are published. Using a publish/update model, updates are quickly propagated throughout the system so analysts are always working with the most accurate and up-to-date information. Through the use of a pointer system, rather than the unnecessary and resource-consuming duplication of information, Palantir Gotham ensures that additions, modifications, and deletions of information are quickly reflected across the enterprise.

All information in Palantir Gotham is tethered to its original source, whether generated by an analyst or integrated from an external database. With tethered sourcing, Palantir Gotham enables analysts to quickly gain context and make informed judgments about data reliability. If inaccurate data is discovered, Palantir Gotham can quickly revoke user access to the data. When necessary, authorized users and administrators can purge the data from Palantir Gotham, consistent with applicable data protection standards.

Finally, Palantir Gotham uses a unified data model to standardize formatting and appearance for all integrated data. Each type of data is uniformly represented within the system, even if it is stored externally in different formats. For example, Palantir Gotham allows users to query dates in a format-agnostic manner, regardless of how they are structured in the source system.

Swiss Data Protection Act (Article 5); OECD (FIPPS) Para. 8, Data Quality Principle; UK Data Protection Act 1998 (Schedule 1, Part I, Section 4); EU Data Protection Directive (Article 6.1d)

05 DATA SECURITY

Personal information must be protected with adequate technical and organizational measures against unauthorized processing.

Palantir Gotham includes a centralized, fully monitored identity management and authentication capability to maintain data security. Every user is assigned a unique identity that allows Palantir Gotham to track their activity. Once authorized users are granted access to Palantir Gotham, data owners can impose additional restrictions on information by applying granular access controls.

All information communicated within Palantir Gotham is securely encrypted. Data is transmitted via HTTPS, which ensures the security of all data and transactions. Palantir Gotham limits data to its session in a monitored environment, preventing users from storing data on local machines. When Palantir Gotham is deployed in a private cloud infrastructure, a private/public encryption key management system ensures that data access remains in the control of the data owner.

Swiss Data Protection Act (Article 7); OECD (FIPPS) Para. 11, Security Safeguards Principle; UK Data Protection Act 1998 (Schedule 1, Part I, Section 7); EU Data Protection Directive (Article 16)

DATA RETENTION

Data must not be kept longer than is allowed by the law and organizational policies. Data retention is proportional to the legitimate purposes that justify collection.

Palantir Gotham allows organizations to implement granular data retention regimes that are consistent with regulation and policy. Organizations can make quick and granular decisions about data deletion and access; for example, authorized administrators can remove access on a data-point-by-data-point basis from a single user, a group of users, or all users. If necessary, data can also be deleted permanently from the entire system.

By formalizing data retention requirements, organizations can limit the number of people with deletion permissions and reduce the possibility of mistakes. Retention schedules can be configured as data is ingested or according to other institutionally defined workflows, ensuring compliance with data retention standards. Palantir Gotham can generate notifications about upcoming purges so that analysts can submit timely requests if data needs to be retained past the default period (e.g., if the information is pertinent to an ongoing investigation).

Swiss Data Protection Act (Article 21); UK Data Protection Act 1998 (Schedule 1, Part I, Section 7)

06 DATA TRANSFERS & THIRD PARTY ACCESS

Data transfers must be limited to jurisdictions with adequate privacy regulations. Data transfers that do not meet this threshold may be subject to additional requirements, including reporting and approval by data protection authorities.

Palantir Technologies is certified under the Swiss/United States and European Union/United States safe harbor agreements. If cloud hosting is requested, we will work with cloud services based in either the European Union or the United States to uphold local data privacy requirements.

Palantir Gotham includes public-private key management tools that can be deployed to prevent users or contractors from decrypting data without express authorization. Using this functionality, organizations can revoke encryption keys remotely and/or require periodic renewal of encryption keys.

Palantir Gotham also prevents unauthorized data disclosure by monitoring the export, sharing, and transfer of data through tamper-evident audit logs. All exports are monitored and recorded in the audit trail. In the event of a data breach, organizations can easily identify which user exported the data; revocation of access quickly propagates throughout Palantir Gotham, and ongoing investigations are updated to show only allowed information.

OECD (FIPPS) Para , Free Flow and Legitimate Restrictions; Swiss Data Protection Act (Article 6); UK Data Protection Act 1998 (Schedule 1, Part I, Section 8); EU Data Protection Directive (Article 25)

07 SUMMARY OF PRINCIPLES

Principle: Data protection
Sources: Swiss Data Protection Act (Article 4.1 and 4.3); EU Data Protection Directive (Article 6.1b); UK Data Protection Act (Schedule 1, Part I, Section 2); OECD (FIPPS) Para. 9, Purpose Specification Principle
Palantir Gotham includes granular access controls, justification-based access restrictions, and tamper-evident audit logs to protect data from unauthorized access.

Principle: Proportionality and minimization
Sources: Swiss Data Protection Act (Article 4.2); OECD (FIPPS) Principle 4, Use Limitation Principle; UK Data Protection Act 1998 (Schedule 1, Part I, Section 2); EU Data Protection Directive (Articles 6, 8, and 15)
Palantir Gotham supports proportionality through a flexible data model, fine-grained access controls, and federated search capabilities, which allow users to query on demand data that is stored externally.

Principle: Rights to transparency, correction, and access
Sources: Swiss Data Protection Act (Article 8); OECD (FIPPS) Para , Openness and Individual Participation; UK Data Protection Act 1998 (Part II, Section 7); EU Data Protection Directive (Articles 10 and 12)
By using a pointer system, Palantir Gotham ensures that only a single canonical copy of data exists, substantially reducing the time required to provide requested information under relevant legal statutes.

Principle: Accountability
Sources: OECD (FIPPS) Para. 14; Swiss Data Protection Act (Article 4); EU Data Protection Directive (Article 12); UK Data Protection Act 1998 (Part V, Section 41A)
Tamper-evident audit logs help organizations prevent and mitigate the misuse of data.

Principle: Data quality and accuracy
Sources: Swiss Data Protection Act (Article 5); OECD (FIPPS) Para. 8, Data Quality Principle; UK Data Protection Act 1998 (Schedule 1, Part I, Section 4); EU Data Protection Directive (Article 6.1d)
Palantir Gotham records the pedigree and lineage of each piece of information, which authorized administrators can access directly. If inaccuracies are discovered, administrators can revoke user access or purge the data (consistent with applicable data protection standards).

Principle: Data security
Sources: Swiss Data Protection Act (Article 7); OECD (FIPPS) Para. 11, Security Safeguards Principle; UK Data Protection Act 1998 (Schedule 1, Part I, Section 7); EU Data Protection Directive (Article 16)
Each user is assigned a unique identity to authenticate their login information, track their activity, and apply granular access controls. All information communicated in Palantir Gotham is securely encrypted.

Principle: Data retention
Sources: Swiss Data Protection Act (Article 21); UK Data Protection Act 1998 (Schedule 1, Part I, Section 7)
Palantir Gotham allows organizations to implement granular data retention regimes consistent with regulations and policies.

Principle: Data transfers and third-party access
Sources: OECD (FIPPS) Para , Free Flow and Legitimate Restrictions; Swiss Data Protection Act (Article 6); UK Data Protection Act 1998 (Schedule 1, Part I, Section 8); EU Data Protection Directive (Article 25)
Palantir Gotham includes public-private key management tools to prevent unauthorized users from decrypting data. Palantir Gotham also monitors the export, transfer, and sharing of data in tamper-evident audit logs.