Preparing for Privacy Society of Internet Professionals January 19, 2004 Nigel Brown Senior Privacy Consultant IBM Global Services
Privacy Commissioner's 2001-2 Report: Introductory comments on PIPEDA... "Privacy code only the beginning. It is the rare organization nowadays that isn't greatly concerned about the privacy rights of individuals -- on paper, at least. Most corporate brochures and Web sites proudly proclaim a privacy code, ostensibly in full compliance with corporate obligations under the PIPED Act. What our complaint investigations are showing, however, is that some organizations have been less than thorough about putting their codes into practice. A privacy code is pointless without comprehensive and detailed policies and procedures, and these in turn are pointless unless they are known and consistently observed and applied. The privacy violations that give rise to complaints are often attributable to problems or defects in an organization's information-handling processes or system as a whole. Such problems are themselves often caused by failure on an organization's part to grasp, or turn its attention to, the practical implications of the PIPED Act's principles. Sometimes, too, the problems derive from unquestioned adherence to traditional practices that may no longer be acceptable under the Act."
Privacy Commissioner's 2001-2 Report: Most common findings...
• Overarching theme: Not Operationalizing Privacy
• Not putting operational procedures in place
  • Not appointing a Privacy Officer
  • Not knowing how to handle access requests and privacy complaints
  • Not meeting the time limit
• Keeping information too long or not long enough
• Not limiting collection to what is necessary
  • Especially unnecessary collection of SIN
• Not re-visiting old practices
• Not identifying purpose
  • Not documented, not presented before collection, employees can't explain
• Not instituting proper safeguards
  • Inadequate authorization, transmission security, "need to know"
• Not recognizing employee privacy rights
What the Leaders are Doing
• Senior Management Commitment
  • Recognition as a strategic issue - senior managers committed, involved, informed
  • Chief Privacy Officer is a senior officer and/or has direct access to top levels
• Setting High Minimum Standards Across the Enterprise
  • A response to multiple sets of regulations
  • Adopt best practices on the core principles
  • Minimal local customization where necessary
• Active Externally
  • Gain a voice in the public policy debate
  • Gain external benchmarks:
    • Leverage trade associations, industry organizations
    • Attend conferences, get independent/external view, share
• Making Privacy part of Customer/Employee Loyalty Strategy
  • Viewing privacy as one end of the preference spectrum
  • Moving from compliance to opportunity
What the Leaders are Doing
• Approaching as an Ongoing Business Requirement
  • Permanent cross-functional steering committees, teams
  • Systematic, repeatable assessment against objectives
  • Tracking legislative, marketplace, customer, technology trends
• Process Focus
  • Detailed risk/opportunity analysis of personal information handling processes
  • Developing privacy-specific processes, e.g. access to personal information
• Making Privacy Systemic, Embedded
  • Building privacy considerations into all key process and compliance checkpoints
  • Assigning ownership at all levels
• Leveraging Technology
  • Identifying where technology can provide risk mitigation and opportunity enhancement
  • Extending Enterprise Architecture to include Privacy Architecture
Privacy Website Assessment Offering
• Description
  • A review of a company's website privacy management practices, intended to create trust among website users by ensuring that appropriate privacy and security measures are taken and are visible to the user
  • Use of a best-of-breed automated platform to test for privacy compliance
• Deliverable
  • A comprehensive, web-based report identifying:
Key Components of the GoA Privacy Architecture
• Privacy Taxonomy
• Identity Protection Component (IDPC)
• Glossary
• Privacy Transformation
• Active Privacy Architecture
• Data Placement
• Privacy Design Guidance
Questions the architecture addresses:
• How should we index personal information?
• How should we classify personal information?
• How do we communicate privacy requirements and issues?
• How do we use technology to manage privacy in real-time?
• How do we transform personal information to less sensitive forms?
• How do we make privacy-smart IT design and acquisition decisions?
• Where should we place personal data in our IT infrastructure?
Questions???