
Information Resource Management Association of Canada December 18, 2002


Presentation Transcript


  1. Information Resource Management Association of Canada December 18, 2002 An IRM Perspective on Privacy Compliance Karen Spector B.Sc., Ed.M. (Harvard), LL.B.

  2. Topics • Why IRMAC members need to know about privacy • An overview of relevant privacy legislation • Some “IRM” issues • Privacy compliance • Summary

  3. Why IRMAC members need to know about privacy

  4. Privacy legislation applies to organizations that collect, use, and disclose personal information and to the organizations with whom they enter into transactions or contracts.

  5. Personal Information Any information • recorded or not, • about, or relating to, an identifiable individual. • employee, patient, contract staff, associate, supplier, customer, subscriber, prospective client, consultant, and member of the public.

  6. Personal Information Examples of personal information • name • residential address and telephone number • date of birth and date of death • unique identifying numbers (SIN, OHIP) • income and salary • credit records and loan records • intentions (for example to acquire goods/services or change jobs) • opinions of others relating to the individual • biometrics • membership in a union • personal health information (blood type, medical records, DNA) • predictive genetic information

  7. Personal Information What’s “out” • Contact information in business, official, professional, or employment context (name, title, professional designation, address, telephone number, email address) • An individual’s professional or official responsibilities and the manner in which an individual carries out those responsibilities • De-identified, anonymized or aggregated information • Publicly-available information

  8. Why IRMAC Members Need to Know about Privacy Manage personal information for: • organizations that carry on commercial activities • federal works, undertakings, or businesses • the public sector • organizations that enter into contracts with any of the above • employers

  9. Overview of Relevant Privacy Legislation

  10. Relevant Privacy Legislation • 1988: Freedom of Information and Protection of Privacy Act applies to Ontario public sector • 1991: Municipal Freedom of Information and Protection of Privacy Act applies to municipal institutions in Ontario • 2001: Personal Information Protection and Electronic Documents Act (“PIPEDA”) applies to commercial activities in federal works, undertakings and businesses and to inter-provincial and international transfers for consideration

  11. Relevant Privacy Legislation • 2002: Protection of Personal Information Act, 2002 (“Draft PPIA”): Ontario’s Consultation Draft is issued in February • 2004: “Substantially similar” Ontario legislation will apply to organizations, or PIPEDA will apply to all private sector commercial activities within Ontario.

  12. Common Privacy Principles Basis for both PIPEDA (Federal) and the Draft PPIA (Ontario)

  13. Common Privacy Principles • Accountability • Identifying Purposes • Consent • Limiting Collection • Limiting Use, Disclosure and Retention • Accuracy • Safeguards • Openness • Individual Access • Challenging Compliance

  14. Common Privacy Principles Accountability • An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the privacy principles. Identifying Purposes • The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

  15. Common Privacy Principles Consent • The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Limiting Collection • The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

  16. Common Privacy Principles Limiting Use, Disclosure, and Retention • Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes. Accuracy • Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

  17. Common Privacy Principles Safeguards • Personal information shall be protected by security safeguards appropriate to the sensitivity of the information. Openness • An organization shall make available to individuals specific information about its policies and practices relating to the management of personal information.

  18. Common Privacy Principles Individual Access • Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. Challenging Compliance • An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.
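The principles on slides 14 to 18 are requirements an information management system can enforce directly rather than leave to policy documents. The following is an added example written for this transcript, not code from the presentation: a small personal-information store that rejects collection beyond what the identified purposes need, refuses use for a purpose the individual did not consent to, destroys records once the retention period for their purposes has elapsed, and answers an individual's access request with the data held and a log of its uses. The purpose names, field lists and retention periods are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple


class PrivacyViolation(Exception):
    """Raised when a request would breach one of the privacy principles."""


# Constructed sample: purposes this hypothetical organization identified before
# collecting anything, and the minimum fields each purpose needs
# (Identifying Purposes / Limiting Collection).
PURPOSE_FIELDS: Dict[str, Set[str]] = {
    "order_fulfilment": {"name", "address"},
    "newsletter": {"name", "email"},
}
# Constructed retention period per purpose (Limiting Retention).
PURPOSE_RETENTION: Dict[str, timedelta] = {
    "order_fulfilment": timedelta(days=90),
    "newsletter": timedelta(days=365),
}
# Constructed reference time used by the scenario below.
T0 = datetime(2002, 12, 18, tzinfo=timezone.utc)


@dataclass
class Record:
    subject_id: str
    data: Dict[str, str]
    purposes: Set[str]                  # purposes the individual consented to
    collected_at: datetime
    uses: List[Tuple[datetime, str]]    # audit trail, returned on access request


class PersonalInfoStore:
    def __init__(self) -> None:
        self._records: Dict[str, Record] = {}

    def collect(self, subject_id, data, purposes, consent_given, now):
        purposes = set(purposes)
        unknown = purposes - set(PURPOSE_FIELDS)
        if unknown:
            raise PrivacyViolation(f"purpose not identified before collection: {sorted(unknown)}")
        if not consent_given:
            raise PrivacyViolation("knowledge and consent of the individual are required")
        needed = set().union(*(PURPOSE_FIELDS[p] for p in purposes))
        excess = set(data) - needed
        if excess:
            # Limiting Collection: fields no stated purpose needs are refused, not stored.
            raise PrivacyViolation(f"collection not necessary for stated purposes: {sorted(excess)}")
        self._records[subject_id] = Record(subject_id, dict(data), purposes, now, [])

    def _retention_deadline(self, rec: Record) -> datetime:
        return rec.collected_at + max(PURPOSE_RETENTION[p] for p in rec.purposes)

    def use(self, subject_id, purpose, now):
        rec = self._records.get(subject_id)
        if rec is None:
            raise KeyError(subject_id)
        if now > self._retention_deadline(rec):
            del self._records[subject_id]   # destroy rather than serve expired data
            raise PrivacyViolation("retention period elapsed; record destroyed")
        if purpose not in rec.purposes:
            raise PrivacyViolation(f"no consent to use data for {purpose!r}")
        rec.uses.append((now, purpose))
        # Return only the fields this purpose needs, not the whole record.
        return {k: v for k, v in rec.data.items() if k in PURPOSE_FIELDS[purpose]}

    def access_request(self, subject_id):
        # Individual Access: existence, content and uses of the information.
        rec = self._records[subject_id]
        return {"data": dict(rec.data), "purposes": sorted(rec.purposes),
                "uses": [(t.isoformat(), p) for t, p in rec.uses]}

    def correct(self, subject_id, field, value):
        # Accuracy: the individual can have a held value amended.
        rec = self._records[subject_id]
        if field not in rec.data:
            raise KeyError(field)
        rec.data[field] = value

    def purge_expired(self, now):
        expired = [s for s, r in self._records.items() if now > self._retention_deadline(r)]
        for s in expired:
            del self._records[s]
        return expired

    def holds(self, subject_id) -> bool:
        return subject_id in self._records


def demo():
    """Constructed scenario: collect for one purpose, use it, then let it expire."""
    store = PersonalInfoStore()
    outcome = {}
    try:
        store.collect("subj1", {"name": "A. Example", "address": "1 Example St", "sin": "000"},
                      ["order_fulfilment"], True, T0)
    except PrivacyViolation:
        outcome["excess_rejected"] = True
    store.collect("subj1", {"name": "A. Example", "address": "1 Example St"},
                  ["order_fulfilment"], True, T0)
    outcome["fulfilment_view"] = store.use("subj1", "order_fulfilment", T0)
    try:
        store.use("subj1", "newsletter", T0)
    except PrivacyViolation:
        outcome["unconsented_use_rejected"] = True
    outcome["access"] = store.access_request("subj1")
    try:
        store.use("subj1", "order_fulfilment", T0 + timedelta(days=91))
    except PrivacyViolation:
        outcome["expired_destroyed"] = not store.holds("subj1")
    return outcome
```

Each refusal is raised before anything is stored or returned, so a caller cannot accumulate data "just in case" and decide on a purpose later; the retention check runs on every use, so a record that outlived its purposes is destroyed the next time anything touches it, not only when a scheduled purge happens to run.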

  19. Differences between PIPEDA and Draft PPIA • PIPEDA: applies only to commercial activities; oversight by the Privacy Commissioner of Canada, who can write reports; same rules for personal information and personal health information. • Draft PPIA: no commercial activities requirement; oversight by the Information and Privacy Commissioner/Ontario, who can issue orders; specific rules for personal health information in the custody or control of “health information custodians”.

  20. What the Ontario Government is saying . . . • In an August 2002 Consultation Update, the Ministry of Consumer and Business Services (“MCBS”) indicated that the draft legislation is expected to be introduced into the Legislative Assembly later this fall. • In the most recent version of its Business Plan, MCBS' key strategies and commitments for 2001-2002 included introducing privacy legislation. • At a meeting of the Board of Trade on October 31, 2002, Minister Clement (Ministry of Health and Long Term Care) stated that he was urging Minister Hudak (MCBS) to proceed with the legislation.

  21. Privacy Compliance

  22. Privacy Compliance: Deadline • Generally, organizations in the private sector that collect, use, or disclose personal information will need to comply with privacy legislation no later than January 1, 2004. • Compliance will involve making changes to information management systems, both human and technological. • Organizations that act now will minimize the burden of privacy compliance and also the potential risks of non-compliance.

  23. Impact of Privacy Compliance Depends on factors including: • Which legislation applies (federal or provincial) • Quantity and nature of personal information • Number of employees, members . . . • Third parties with whom information is shared • Whether transfers of personal information are intra-, inter-, or extra-provincial (and whether or not for consideration) • Current information management practices • Resources • Corporate culture

  24. Compliance Steps • Designate accountable individual(s) • Define the privacy framework • Assess information management practices • Develop privacy policies • Implement the privacy policies • Monitor and enforce • Update or amend

  25. “IRM” Issues • Electronic signatures • Mergers and acquisitions • Smart cards • Identity theft

  26. Electronic Signatures • Complaints to the Privacy Commissioner of Canada because a courier company demanded electronic signatures from parcel recipients upon delivery and then posted the signatures in the tracking section of the company website without consent. • Paper receipt not an option • Recipients’ name and address also posted with signature • Not possible to remove electronic signatures from online tracking system due to company policy

  27. Electronic Signatures Commissioner’s investigation: • Courier can use parcel identification number (PIN) to access customer’s personal information on the website • Courier can use PIN variants to access other customers’ personal information • Courier had not informed the complainants of its intention to use their electronic signatures for online tracking purposes or sought their consent • Courier’s staff believed electronic signatures to be mandatory • According to Courier’s policy, signatures could not be removed from the online tracking system.

  28. Electronic Signatures Courier’s position • Access to online tracking system is protected by a PIN • Variants only work 21 percent of the time • Integrity of electronic signatures is protected by computer-generated distortion • Company policy allows “alternate” electronic signatures and paper signatures • Changed policy: individuals can have signatures removed on request

  29. Electronic Signatures Complaints were well-founded: • A reasonable person would not have considered using electronic signatures in an online tracking system to be appropriate in any circumstances, especially given the potential for unauthorized disclosure of the signatures through simple manipulation of PINs. • The electronic signatures had not been required to fulfil explicitly specified and legitimate purposes and the Courier had therefore not been justified in demanding them as a condition of service.
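The courier case on slides 26 to 29 turns on two design decisions: the parcel identification number was the only thing needed to view a delivery record, and the record included the recipient's name, address and signature image. The following is an added example written for this transcript, not the courier's system or any code from the presentation, showing how a tracking service can keep the PIN as a plain reference while gating access on a random per-parcel token, serving a public tracking view that contains no personal information, releasing the signature only where one was captured with consent, honouring removal on request, and alerting after repeated failed lookups from one client. The class and method names, the token length and the alert threshold are constructed assumptions.

```python
import hmac
import secrets
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample signature image bytes (stands in for a real PNG).
SAMPLE_SIGNATURE = b"\x89PNG-constructed-sample"


@dataclass
class Parcel:
    pin: str                        # sequential number printed on the label; not a secret
    status: str
    recipient_name: str
    recipient_address: str
    signature_png: Optional[bytes]  # captured at the door, or None if a paper receipt was used
    signature_consent: bool         # recipient agreed to the signature being shown online
    access_token: str               # random secret given only to sender and recipient


class TrackingService:
    FAILURE_ALERT_THRESHOLD = 5     # constructed value

    def __init__(self) -> None:
        self._parcels: Dict[str, Parcel] = {}
        self._failures: Dict[str, int] = defaultdict(int)
        self.alerts: List[str] = []

    def register(self, pin, status, name, address, signature=None, signature_consent=False) -> str:
        # The token, not the guessable PIN, is what authorizes access to the record.
        token = secrets.token_urlsafe(16)
        self._parcels[pin] = Parcel(pin, status, name, address, signature, signature_consent, token)
        return token

    def _authorize(self, pin, token, client_id) -> Optional[Parcel]:
        parcel = self._parcels.get(pin)
        # Compare against a throwaway value when the PIN is unknown so that response
        # timing does not reveal which PINs exist; constant-time compare for the token.
        expected = parcel.access_token if parcel else secrets.token_urlsafe(16)
        if parcel is None or not hmac.compare_digest(expected.encode(), str(token).encode()):
            self._failures[client_id] += 1
            if self._failures[client_id] == self.FAILURE_ALERT_THRESHOLD:
                # Repeated failures from one client are the signal a defender wants to see.
                self.alerts.append(f"{client_id}: repeated failed tracking lookups")
            return None
        self._failures.pop(client_id, None)
        return parcel

    def public_status(self, pin, token, client_id) -> Optional[dict]:
        parcel = self._authorize(pin, token, client_id)
        if parcel is None:
            return None
        # Only what tracking needs: no name, address or signature image.
        return {"pin": parcel.pin, "status": parcel.status}

    def proof_of_delivery(self, pin, token, client_id) -> Optional[dict]:
        parcel = self._authorize(pin, token, client_id)
        if parcel is None:
            return None
        if parcel.signature_png is None or not parcel.signature_consent:
            return {"pin": pin, "status": parcel.status, "signature_png": None,
                    "note": "signature withheld"}
        return {"pin": pin, "status": parcel.status, "signature_png": parcel.signature_png,
                "note": None}

    def withdraw_signature(self, pin) -> bool:
        # Removal on request: the image is deleted, not merely hidden.
        parcel = self._parcels.get(pin)
        if parcel is None:
            return False
        parcel.signature_png = None
        parcel.signature_consent = False
        return True
```

The public view is deliberately the same shape whether or not a signature exists, so the tracking page cannot be used to learn which deliveries were signed for; the failure counter is keyed per client rather than per parcel, which is what distinguishes a customer mistyping a token from someone walking through neighbouring PINs.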

  30. Mergers & Acquisitions • In addition to liability, organizations that do not consider privacy-related issues are exposed to two risk areas: • reputation • integration

  31. Mergers & Acquisitions Reputation • Goodwill loss can undermine merger efficiencies. • Must assess the risk targetco has violated consumer privacy. • Analyze targetco’s privacy policy and security measures, as well as attitude of employees.

  32. Mergers & Acquisitions Integration • Pre-merger due diligence is necessary to assure a smooth transition and helps maintain customer relationships. • Need plan for integrating old data with new. • Some privacy obligations will survive the merger. • Need to assess targetco’s compliance with governing law. • Need plan for security and privacy architecture at combined entity.

  33. Mergers & Acquisitions Transition Planning • Buyers and sellers should be aware of the applicability of privacy laws and the targetco’s privacy policies to the sharing of data during the due diligence phase. • Employees’ personal (health) information • Customers’ personal information • Requirements re consent and notice • Transfers or disclosures to third parties

  34. Mergers & Acquisitions Sample Due Diligence Questions re Targetco • What are the applicable laws? regulations? codes? • Amount and type of personal information? medical? financial? • How and from whom is personal information collected? • How is personal information stored? retrieved? safeguarded? destroyed? • Did Targetco obtain consent? If so, to which uses and disclosures? • Does Targetco sell, trade, transfer, or barter personal information? • Privacy policies? • Privacy practices? • Privacy breaches? • Which privacy obligations survive the merger? • Has Targetco been investigated by the Commissioner? • Has Targetco been sued for privacy breaches?

  35. Smart Cards They are secure. • Although the microprocessor and memory are contained on the same chip, there is no means of directly accessing data stored on a smart card from the outside. • Data is segregated into separate silos, which are individually locked. • Readers have different levels of access.

  36. Smart Card Systems But, is the personal information protected? • Multi-use distinct identifiers may facilitate: • Data linkage through the storing of personal information in centralized databases or by linking unrelated databases • Data sharing, profiling, or transaction monitoring • Dataveillance (monitoring of activities or communications) • Systems designed for one purpose, such as expediting workers’ access to a job site, are extended over time to other purposes not originally intended, such as tracking attendance. (“Function creep”)

  37. Identity Theft More Often an Inside Job* • Threat more likely to come from insiders - employees with access to large financial databases who can loot personal accounts. • Shift by identity thieves from going after single individuals to going after a mass amount of information. • Half of all cases come from thefts of business databanks that aren’t properly safeguarded. • Employee sold personal information (credit card numbers and chequing account information) on 30,000 people to scam artists for $60 per name. (2.7 million in losses so far.) * Washington Post, December 3, 2002

  38. Identity Theft More Often an Inside Job • Privacy experts estimate that there are now one million cases of identity theft a year. (Security experts say half that.) • Los Angeles County Sheriff’s Department expects 6000 cases in 2002. • Federal Trade Commission received 70,000 complaints about identity theft during the first six months of 2002. • Businesses being created to respond to concerns about identity theft.

  39. Summary • IRMAC members need to know about privacy because their organizations collect, use, and disclose personal information. Some of these organizations are already regulated by public sector or federal privacy laws. • The privacy-compliance deadline is January 1, 2004. • The Commissioner is watching. • Law enforcement is watching. • The public is watching. • Your competitors are watching.
