Privacy
Australian & New Zealand University Internal Audit (ANZUIAG) Conference, September 2002
©2002 by Deloitte Touche Tohmatsu. All Rights Reserved. No part of this presentation may be reproduced without the express permission of Deloitte Touche Tohmatsu.
Presentation Highlights • Legislative Framework • Privacy Overview • Nature of University Data • Compliance Drivers • Challenges/Issues • Data Privacy Case Study • Relationship with IT security • Privacy Methodology • Best Practices • Privacy Compliance Areas • CPO Duties • Role of Internal Audit • Conclusions
Privacy – It Does Not Get Any More Personal Than This
Comfort Zone: • Favorite restaurant • Birthdate • Political beliefs • Annual salary • Sexual orientation • Medical history
Privacy Legislative Framework
• Commonwealth • Privacy Act 1988 • Privacy Amendment (Private Sector) Act 2000
• NSW • Privacy and Personal Information Protection Act 1998
• Victoria • Information Privacy Act 2000
• ACT • Health Records (Privacy and Access) Act 1997
• Qld • Information Standard 42 (2002) plus Commonwealth law
• Tasmania • IPPs (Information Privacy Principles)
• WA and SA • Commonwealth law
• NZ • Privacy Act 1993
Privacy Overview
WHAT? • Is received? • Where from? • How is it collected? • What format? • What consents?
WHERE? • Is it stored? • Who can access it? • How long do you keep it? • Do you dispose of it?
HOW? • Do you use it? • What is the main purpose?
WHO? • Do you share it with? • Do you disclose it to?
Compliance Drivers – Issues Driving Compliance
Regulation • The new privacy requirements – Privacy Act • State requirements may also apply
International Regulation • Global firms need a global approach to deal with overlapping, emerging and diverse international requirements
Regulatory Scrutiny • Known brands and deep pockets are big targets
Competitive Edge • Meeting necessary regulatory requirements vs. being a leader in the privacy arena • The adverse consequences of a lapse in privacy compliance
Customer Sensitivity & Brand Image • Increased customer sensitivity over privacy • A high level of customer trust protects your brand name
Misconceptions • “The requirements don’t apply to us since we don’t sell or otherwise share information” • “The requirements only affect internet communications”
Potential Issues • How do privacy, information security and risk inter-relate? • Do privacy policies and disclosures accurately reflect actual practices, procedures and controls? • Have the various requirements been identified? By jurisdiction? By legislation? By line of business? • How does a de-centralised organisation affect security and privacy? • How do the privacy requirements affect the organisation’s “one-to-one” marketing or student relationship management initiatives? • Is there a plan to ensure that student-facing employees are adequately trained to address student needs? • Linkage to other documents – code of conduct, administration manuals
Key Pressure Points/Challenges
Organisations: • are hampered by legacy systems • are confused by distinctions between security and privacy • lack understanding about their technology & systems • are focused on “policies”
• Written procedures often fail to accurately reflect actual practices. • Information may be stored incorrectly. • Web sites are able to record and track individual identity and associated activities on the Internet. • Current technology infrastructure may be unable to incorporate policies and controls to comply with notice, choice and security requirements. • Business and legal departments may be unfamiliar with the capabilities of their enterprise technology and its implementation.
Issues & Observations • Most large firms take a “customer no-action” position that “they do not share information with other organisations who may want to sell their products or services to you” • Many organisations have begun to circulate their privacy notices and plans • There is a risk that many firms have a “procedural or internal control gap” between privacy policies/disclosures and actual procedures/controls • The CPO role – while not uniformly established – is gaining traction, and forums and special interest groups are emerging • Regulators and litigants will become increasingly focused on privacy and the controls (information security and data management) facilitating privacy
Nature of University Data – universities hold personal information: • Statistical data – address, age • Academic records • Tax File Numbers • Personal matters – medical, financial, TFNs • Online surveys • Alumni, donors • Personnel data • CCTV
Data Privacy Case Study • A suburban insurance agent for an international insurer devised an Access database with client asset data • He sold client data and received an ongoing commission from his brother-in-law (a commission mortgage manager with a mortgage financier) • The brother-in-law passed on client information to his friend at a debt collection agency. Let’s break this down.
Data Privacy Case Study • A suburban insurance agent for an international insurer developed an Access database with client asset data – Customer consent obtained? Opt-out explained? Was it collected for the stated purpose? Is it reasonable?
Data Privacy Case Study • He sold client data and received an ongoing commission from his brother-in-law (a commission mortgage manager with a mortgage financier) – An unreasonable act. Was it collected for the stated purpose?
Data Privacy Case Study • The brother-in-law passed on client information to his friend at a debt collection agency – An unreasonable act, and not allowed.
Data Privacy Case Study – list or database sale issues • Have all customers consented, and is there an opt-out clause? • Sight evidence that the list owner has notified all on the list. • Is it accurate? If all have been notified, do a random check for accuracy; it is good business practice. • Was it collected for the stated purpose?
Is Privacy the Same as IT Security? • An enterprise may have world-class security and no privacy. • Without IT Security, it is impossible to have acceptable privacy. • So, IT Security is a building block of a “privacy compliant” organisation.
Information Life Cycle – mapping the information life cycle is a requirement. Stages: Data Acquisition → Data Storage → Data Usage → Data Distribution/Sharing → Data Destruction, with Data Security underpinning each stage.
Privacy Methodology – phases: Awareness → Compliance Assessment → Privacy Plan Design → Program Design → Build
Best Practices
Organisation • Board-sponsored privacy team • Privacy program management office (PMO)
Assessment • Defining the types of personal information gathered, stored and processed • Documenting where and how the information is stored • Identifying responsibility for the information (corporate, agent, third party) • Assess existing policies and practices against privacy requirements • Determine any international use or exchange of personal information • Develop/document areas where changes are required to comply with regulations
Design • Proposed organisation and reporting structures • Framework for identifying and documenting the various privacy components • Resources required (personnel, skills, technology, financial, space) • Timelines, activities and deliverables
Implementation • Client-facing behaviours • Organisational policies, procedures and processes • Rights and obligations • Data classification policies and procedures • Advertising and solicitations • Vendor and third-party agreements
Privacy Compliance Risk Areas (diagram) – the areas mapped against PRIVACY LEGISLATION and PRIVACY DISCLOSURE were: Corporate Entity; Related Entity; Application Systems; Corporate Databases (student management, alumni); Personal Information; E-Business; Consent Process; Network Infrastructure; Manual Processes; Physical Records; Access to Information.
Duties of the Chief Privacy Officer • Organise and coordinate the Privacy Task Force or Committee • Commission or conduct privacy risk assessments • Track the privacy environment and provide reports • Monitor the privacy law and regulations environment • Support employee privacy training • Interact with student groups and regulators • Provide a contact point for students/staff • Manage privacy dispute resolution • Speak for the University and prepare executives for legislative testimony • Conduct regular/annual privacy audits • Report to top management
Role of Internal Audit • Determine that a sufficient privacy task force has been established. • Determine that sufficient privacy policies and related operational privacy procedures and practices exist. • Assess the privacy training and awareness program. • Ensure that an effective privacy compliance and monitoring program has been established.
Conclusions • Privacy is now a major concern, in the online and offline worlds, domestically and globally. • Loss of reputation and credibility are major privacy risks, but privacy issues hit the bottom line too: e.g. the cost of change and lawsuits. • Privacy violations may be unintentional, accidental or unforeseen… the press and the public will not care. • Personalisation through profiling is a key strategy for gaining and retaining students, both online and offline. • Privacy is not the same as security. • Appoint privacy compliance officers. • Conduct privacy audits.
Contact Details Carl Gerrard – phone: 07 3308 7046 email: cgerrard@deloitte.com.au Cathy Blunt – phone: 07 3308 7041 email: cblunt@deloitte.com.au