This session provides an overview of privacy laws and corporate compliance strategies in Canada, focusing on the Personal Information Protection and Electronic Documents Act. Learn how to protect personal information and navigate privacy regulations.
Information Resource Management Association of Canada
Privacy and Commerce
March 2001
Session Overview
• A sense of Privacy
• Privacy Law Framework
• Canada's Personal Information Protection and Electronic Documents Act
• Corporate Compliance Strategies
A Sense of Privacy
• What is it?
• Personal information is any information about an identifiable individual, e.g.: information about physical or mental health, health services provided, donation of body parts or substance, social insurance number, name, address, telephone number, employment, criminal or educational history, travel or entertainment information, financial information, internet browsing stream data, location, family, fingerprints, blood type, opinions, DNA …
• What is a record?
• Any correspondence, memorandum, book, plan, map, drawing, diagram, pictorial or graphic work, photograph, film, microform, sound recording, videotape, machine-readable record and any other documentary material, regardless of physical form …
A Sense of Privacy
• “The right of individuals to determine for themselves when, how and to what extent information about them is communicated to others.” – Dr. Westin
• “Privacy is an emotional reaction to an action.” – Scott Crosby
• “It’s about self-possession, autonomy and integrity. As we move into the computerized world of the twenty-first century, privacy will be one of our most important civil rights.” – Simson Garfinkel
A Sense of Privacy
We have reached a point where we know less about ourselves than do the government, marketers, financial institutions, health care providers and entertainment and hospitality providers.
A Sense of Privacy
Taken to an extreme, which is where we seem to be going anyway, we will soon accept the word “surveillance” the way we do “pollution”, as if intrusions into our private lives are just a normal and acceptable part of modern living.
A Sense of Privacy
• “Privacy is perhaps the biggest social issue of the Internet age, and today’s practices don’t just suck, they’re downright unconstitutional.”
• “There’s five billion dollars sitting on the table for the company that figures out how to give people control back over their information.”
– Fred Davis, founder and CEO, Lumeria – Atlantic Monthly, March 2001
A Sense of Privacy
• Marissa Gluck, an analyst at Jupiter Research: “Privacy is the most over-hyped issue I’ve seen. It’s a way for politicians and gadflies to grandstand on an issue that the press love to hype. It gets everyone ink.” – Business 2.0, January 9, 2001
A Sense of Privacy
November 1999: Personalized Marketing and Privacy on the Net: What Consumers Want – Privacy & American Business
Key Messages of the Survey
• A majority of Internet users (61%) say they would be positive toward receiving banner ads tailored to their personal interests rather than receiving random ads. This represents about 56 million adult users interested in such personalization.
• More than two-thirds of Internet users (68%) say they would provide personal information in order to receive tailored banner ads, if notice and opt out are provided. This represents about 63 million adult users.
A Sense of Privacy
Privacy is not a component of Security; Security is one means of achieving Privacy.
Privacy Law Framework
Based on Fair Information Practices. These govern the:
• Collection
• Use
• Disclosure
• Retention
Privacy Law Framework
• Two national laws in Canada
• Provincial laws
• US laws; 14 at national level and more coming
• OECD Guidelines: Privacy protection laws have been introduced, or will be introduced shortly, in approximately one half of OECD Member countries (Austria, Canada, Denmark, France, Germany, Luxembourg, Norway, Sweden and the United States have passed legislation. Belgium, Iceland, the Netherlands, Spain and Switzerland have prepared draft bills) to prevent what are considered to be violations of fundamental human rights, such as the unlawful storage of personal data, the storage of inaccurate personal data, or the abuse or unauthorised disclosure of such data. – OECD, www.oecd.fr
Privacy Law Framework – OECD BASIC PRINCIPLES OF NATIONAL APPLICATION
1) Collection Limitation Principle (limits, lawful, fair and with knowledge)
2) Data Quality Principle (relevant to purpose, accurate and complete)
3) Purpose Specification Principle (at time of collection)
4) Use Limitation Principle (no disclosure or use other than original)
5) Security Safeguards Principle (against loss, access, destruction, use and modification)
6) Openness Principle (policies, practices and available)
7) Individual Participation Principle (access)
8) Accountability Principle (for measures to give effect)
http://www.oecd.org//dsti/sti/it/secur/prod/PRIV-EN.HTM
Privacy Law Framework
• Approximately 60 countries with data protection directives or laws
• All cover basics, but some are sectoral or procedural
• Laws often re-form themselves into industry sector-wide codes
• Cover personal information, usually regardless of electronic transfer or hardcopy
Canada’s Personal Information Protection and Electronic Documents Act
• Result of consensus of industry-government working group of Canadian Standards Association
• In response to increased public concern over technological advances intruding on privacy
• The Act strikes a balance between an individual's right to the protection of personal information and the need of organizations to obtain and handle such information for legitimate business purposes.
• The Act establishes rules for the management of personal information by organizations involved in commercial activities
Canada’s Personal Information Protection and Electronic Documents Act
Purpose – to establish rules to govern the collection, use and disclosure of Personal Information, to recognize the right of privacy, and to recognize the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate.
Canada’s Personal Information Protection and Electronic Documents Act
• Applies to:
  • organizations that collect, use and disclose Personal Information in the course of commercial activity
  • Customer information
  • Employee information
• Does not apply to:
  • Organizations covered by the Privacy Act
  • Collection, use and disclosure for domestic purposes
  • Journalistic, artistic and literary purposes
• Takes precedence over subsequent laws unless they excuse themselves
Canada’s Personal Information Protection and Electronic Documents Act
Phased Application
• 2001 – federal works and undertakings
  • Banks, inter-provincial transportation, radio broadcasters, cross-border disclosures
• 2002 – personal health information
• 2004 – every entity conducting commercial activity
Canada’s Personal Information Protection and Electronic Documents Act
Ten Principles:
• Accountability
• Identifying Purpose
• Consent
• Limiting Collection
• Limiting Use, Disclosure and Retention
• Accuracy
• Safeguards
• Openness
• Access
• Challenging Compliance
Facts by design
• Government of Canada 1998-99:
  • 36,000 requests, $15 million, $550 each
• Ontario 98-99:
  • 10,000 requests
• US DOD FOIAP Requests 1999:
  • 97,000, $32 million, 776 staff
• Office of the Privacy Commissioner of Canada
  • 99/00 complaints <1,600, 15 staff and $4.5 million
• Ontario Privacy Commissioner
  • 1999: 806 complaints, $6.5 million
Canada’s Personal Information Protection and Electronic Documents Act
Complaints filed with the Privacy Commissioner
• Complaints can be filed with the Commissioner against an organization for contravening privacy obligations under the Act or the ten principles
• Commissioner may initiate an investigation upon reasonable grounds
• Refusal complaints must be filed within 6 months, or as Commissioner sees fit, after the refusal or deemed refusal
• Commissioner shall give notice to the institution
Canada’s Personal Information Protection and Electronic Documents Act
Investigation of Complaints
• Commissioner must investigate
• Has powers of summons, taking oaths, entering premises, obtaining copies, etc.
• May use dispute resolution mechanisms
• Commissioner must report, within one year, his findings and recommendations, settlements, recourse
• Only then can a complainant apply to Federal Court for a hearing
Canada’s Personal Information Protection and Electronic Documents Act
Remedies
• Court can order organization to correct practices
• Order an organization to publish a notice of any action taken or proposed
• Award damages to complainant, including for humiliation
Canada’s Personal Information Protection and Electronic Documents Act
Audits
• Commissioner may audit personal information management practices of an organization
• Commissioner must provide a report to the organization
• Commissioner may make audit results public
• Commissioner may make public any information relating to the personal information management practices of an organization
Canada’s Personal Information Protection and Electronic Documents Act
Refusal of Access
• Solicitor-client protected information
• Confidential commercial information
• Personal information about a third party
• Personal information that could threaten the life or security of another individual
• Information collected under 7 (1) (b) (collected without consent due to law enforcement)
• Formal dispute resolution process information
• Information can be severed
Corporate Compliance Strategies
• Recognize business value in privacy management
• Privacy enhanced services and products
• Corporate differentiator
• Volvo – safety, ? – privacy
• Can’t forget employees
• Hire CPOs
• Wonder who let the dogs out?
Corporate Compliance Strategies
The Public/Consumer… Develop common expectations
• Lead the way for cultural change
• Seek access
• Fringe customer
“Improved customer service will probably have to wait a decade for the realization that what the customer wants is fairness, efficiency and privacy.” – Miss Manners, Time Canada
Corporate Compliance Strategies
• “54% of those polled decided not to use a company or buy because they were unsure of how their personal information would be used.”
  • Source: IBM-Harris 1999 Multi-National Consumer Privacy Survey
• “31% of respondents will not make online purchases this holiday season, and two out of five Internet users (38%) will limit the amount they spend online because of concerns about security or privacy”
  • Source: Fiderus/Yankelovich Survey, 2000
Corporate Compliance Strategies
http://www.pandab.org/
Corporate Compliance Strategies
Privacy Code
• Introduction – purpose
• Reference to authority, internal/external
• Roles: CPO, IM, Legal, Point of contact
• Scope
• Principles – CSA etc.
• Definitions – personal information etc.
• Regular review
• Collection – with consent, without, what is collected
• Use – with consent, without
• Disclosure – with, without
• Requesting access, timing, refusals
Corporate Compliance Strategies
What should a Code do?
• Reassure
• Strike balance
• Build trust/partnership
• Engage customers
• Engage employees
• Enhance customer – company relationships
• Enhance employee – company relationships
• Meet any growing demand and customer expectations
• Competitive edge
Corporate Compliance Strategies
Corporate Roles and Responsibilities
• Lead by a CPO
• Product/services development
• Human Resources
• Information Management
• Customer relations
• Audit/internal review
• Regional/International perspective
• Legal Representative
Corporate Compliance Strategies
10 Easy Steps
• Be the Front Goose
• Strategic Planning
• Information Management
• Change management
• Customer Relations
• Employees
• Systems/Processes
• Implementation
• Analysis/Measurement
• Inertia
Corporate Compliance Strategies
Privacy Strategy
• Change Management
• Leadership
• Appoint a CPO
• Build a team
• Procedural infusion
• Campaign for cultural change and perspective
• Training plan
• Training, training, training
• Regional/functional/international components
• Legal representative/Business development
• Corporate Strategic initiatives
Corporate Compliance Strategies
Privacy and Commerce Strategy
• Goals
• Privacy Infrastructure impact analysis
• Privacy Infrastructure’s impact on other business activities
• CRM
  • Solid privacy infrastructure brings them back
  • Personalized services possible
  • Individual control is key
• Corporate-wide approach
• External/Internal Marketing of Privacy Management
• Cost
• Forecast/predict
• Gap analysis – what needs to be done?
Points to Take Home
• Privacy is important
• Accountable person(s)
• Limits collection, use, disclosure and retention of personal information
• Consent is required for collection, use and disclosure
• Security and safeguards
• Openness regarding policies and practices
• Individuals have access (accuracy)
• Individuals can complain
• Privacy Commissioner can initiate a complaint, investigation and/or audit
• Federal Court has final say