The Privacy Symposium August 22, 2007 ©2007. Goodwin Procter LLP The Ethics and Responsibilities of a Privacy Professional
2 Significance of Corporate Ethics Most corporate business models depend upon: A reputation for HONESTY, INTEGRITY and LACK OF BIAS in the conduct of business affairs by the Corporation and its subsidiaries, officers and employees. The Corporation’s compliance with all applicable laws, internal policies and regulatory guidance.
3 The Importance of Ethics for the Privacy Professional Corporations expect their employees to adhere to the highest possible standard of ethics and business conduct with customers, team members, stockholders, and the communities they serve. Employees are also expected to comply with all applicable laws, rules, and regulations that cover its businesses.
4 As senior executives, it is your responsibility to set “the tone at the top.” In the event of an alleged breach of law or regulation, the government will look to see that you have set the right tone in both word and deed. The Process Starts Here
5 Code of Business Conduct and Ethics A corporation’s Code of Business Conduct and Ethics identifies its policy and standards concerning ethical conduct. It also provides practical guidance to assist employees in their roles within the corporation. Guiding principles are articulated. They include: -Conduct the corporation’s business with integrity; -Conduct the corporation’s business with due skill, care and diligence; -Take reasonable care to organize and control the corporation’s affairs responsibly and effectively, with adequate systems to promote ethical conduct and compliance with the law, to prevent and detect criminal or unethical conduct, and to manage risks as they arise; and -Avoid, and, where appropriate, address any conflicts of interest in an equitable manner, between the corporation and its customers, and between customers and another client.
6 Content of Code of Ethics Many corporate Codes have a section regarding proprietary information. Not just the corporation's proprietary information but also customers’ confidential information. A financial institution’s business, in particular, depends on public confidence in its ability to confidentially manage the financial affairs of others.
7 One CEO’s Thoughts: “Our success as a company depends on managing our business with the highest standards of integrity.”
8 Reputation A company’s reputation is one of its most valued assets. It is built by serving clients well over time. We are judged each day by the way the company conducts its business.
9 What You Must Do Be a role model in adhering to your employer’s Code of Conduct. Proactively advocate the integration of ethical business practices and a commitment to compliance into all aspects of your employer’s business. Ensure to the best of your abilities that your employer upholds all relevant laws and regulations wherever it conducts business. Be a leader in the formation of ethical business practices in support of evolving business strategies and opportunities, taking into consideration legal requirements, customs, and best practices.
10 What You Must Do Raise and escalate, as necessary, significant business ethics and compliance issues. Protect confidential information obtained in the course of your professional activities unless disclosure of such information is required by law, applicable regulation, or company policy, or if maintaining the confidentiality of such information would create an appreciable health or safety risk. Avoid any actual, potential, or perceived conflicts between personal and business responsibilities, and promptly disclose and resolve any issues that may arise.
11 What You Must Do Maintain exemplary standards of personal and professional integrity. Strive to continually advance your knowledge of business ethics and compliance. Work both individually and collectively with other members of the business ethics and compliance profession to advance the development of business ethics and compliance. Take advantage of opportunities to improve public understanding of business ethics and compliance and their importance to sound business management.
12 The Privacy Professional “Amid spreading concern about consumer privacy and its enforcement, most of the nation’s largest banks are appointing ‘privacy czars’ to steer them clear of controversy.” Big Banks Put Senior-Level Execs on Privacy Watch American Banker, July 12, 1999
13 The Privacy Professional’s Initial Role Navigate uncharted waters. Send a powerful message within company and to the public. Lead others at the corporate level via example and visibility. Combine public relations and education.
14 Privacy Professional’s Responsibilities Understand what your company’s practices are. Understand how your company collects customer/consumer information. Ensure that your company secures customer/consumer information.
15 Privacy Professional’s Responsibilities Work independently on a wide variety of tasks in a fast paced environment. Be a team player and collaborator as well as a leader. Understand and keep pace with a variety of technologies. Communicate and execute domestic and offshore laws and regulations governing your industry.
16 The Privacy Team’s Functions Ensures effective privacy compliance programs are in place that safeguard customer and employee information. Analyzes and monitors the legislative and regulatory environment to assess emerging privacy risks. Directs Privacy Policy development and manages the annual notification mailing, if required under GLBA. Leads compliance efforts for new/revised privacy requirements. Communicates consistent message and privacy risk/awareness throughout the enterprise.
17 Privacy Group Partnerships Privacy Executive Council Privacy Working Task Force Notification/Mail Team Internet Privacy Group SWAT Team Telemarketing Task Force Employee Privacy Committee Industry Associations, e.g., IAPP
18 Audit. Conducts independent compliance testing to determine the effectiveness of the Program, ensuring LOBs are in compliance with applicable laws, regulations, policies, and procedures. Compliance Risk Management. Responsible for establishing the regulatory strategy for privacy and for maintaining the privacy compliance program. Legal. Serves as subject matter experts for privacy laws, responsible for providing regulatory interpretations. Executive Relations. Responds to escalated consumer issues and concerns. Key Privacy Stakeholders
19 Key Privacy Stakeholders Lines of Business. First line of defense. Primary responsibility for managing privacy rests within individual business units. Marketing. Directs annual privacy notification production process. Public Policy directs issue and legislation thought leadership. Human Resources. Directs associate privacy structure and support, including associate privacy issues/events, governance structure and process to access associate/employee data. Technology. Directs privacy technology support.
20 Questions? Agnes Bundy Scanlan, Esq. Goodwin Procter LLP 53 State Street Exchange Place Boston, MA t: f: e: