© 2003 IBM Corporation
Preparing for Privacy
Society of Internet Professionals, January 19, 2004
Nigel Brown, Senior Privacy Consultant, IBM Global Services
Privacy Commissioner's Report
Introductory comments on PIPEDA...
"Privacy code only the beginning
It is the rare organization nowadays that isn't greatly concerned about the privacy rights of individuals -- on paper, at least. Most corporate brochures and Web sites proudly proclaim a privacy code, ostensibly in full compliance with corporate obligations under the PIPED Act. What our complaint investigations are showing, however, is that some organizations have been less than thorough about putting their codes into practice. A privacy code is pointless without comprehensive and detailed policies and procedures, and these in turn are pointless unless they are known and consistently observed and applied. The privacy violations that give rise to complaints are often attributable to problems or defects in an organization's information-handling processes or system as a whole. Such problems are themselves often caused by failure on an organization's part to grasp, or turn its attention to, the practical implications of the PIPED Act's principles. Sometimes, too, the problems derive from unquestioned adherence to traditional practices that may no longer be acceptable under the Act."
Privacy Commissioner's Report
Most common findings...
Overarching theme: Not Operationalizing Privacy
–Not putting operational procedures in place
  –Not appointing a Privacy Officer
  –Not knowing how to handle access requests and privacy complaints
  –Not meeting the time limit
  –Keeping information too long or not long enough
–Not limiting collection to what is necessary
  –Especially unnecessary collection of SIN
  –Not re-visiting old practices
–Not identifying purpose
  –Not documented, not presented before collection, employees can't explain
–Not instituting proper safeguards
  –Inadequate authorization, transmission security, "need to know"
–Not recognizing employee privacy rights
What the Leaders are Doing
Senior Management Commitment
–Recognition as a strategic issue: senior managers committed, involved, informed
–Chief Privacy Officer is a senior officer and/or has direct access to top levels
Setting High Minimum Standards Across the Enterprise
–A response to multiple sets of regulations
–Adopt best practices on the core principles
–Minimal local customization where necessary
Active Externally
–Gain a voice in the public policy debate
–Gain external benchmarks:
  –Leverage trade associations, industry organizations
  –Attend conferences, get independent/external view, share
Making Privacy part of Customer/Employee Loyalty Strategy
–Viewing privacy as one end of the preference spectrum
–Moving from compliance to opportunity
What the Leaders are Doing
Approaching as an Ongoing Business Requirement
–Permanent cross-functional steering committees, teams
–Systematic, repeatable assessment against objectives
–Tracking legislative, marketplace, customer, technology trends
Process Focus
–Detailed risk/opportunity analysis of personal information handling processes
–Developing privacy-specific processes, e.g. access to personal information
Making Privacy Systemic, Embedded
–Building privacy considerations into all key process and compliance checkpoints
–Assigning ownership at all levels
Leveraging Technology
–Identifying where technology can provide risk mitigation and opportunity enhancement
–Extending Enterprise Architecture to include Privacy Architecture
PIA Tool Reports
Privacy Website Assessment Offering
Description
–A review of a company's website privacy management practices, to create trust among website users by ensuring that appropriate privacy and security measures are taken and are visible to the user
–Use of a best-of-breed automated platform to test for privacy compliance
Deliverable
–A comprehensive, web-based report identifying:
Key Components of the GoA Privacy Architecture
–Identity Protection Component (IDPC): How should we index personal information?
–Privacy Taxonomy: How should we classify personal information?
–Glossary: How do we communicate privacy requirements and issues?
–Privacy Transformation: How do we transform personal information to less sensitive forms?
–Privacy Design Guidance: How do we make privacy-smart IT design and acquisition decisions?
–Active Privacy Architecture: How do we use technology to manage privacy in real-time?
–Data Placement: Where should we place personal data in our IT infrastructure?
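The Privacy Transformation component above asks how personal information can be turned into less sensitive forms. As an added illustration (this is not the GoA architecture's or IBM's own code, and the slide gives no implementation), the following Python puts the three transformations most often meant by that phrase side by side: keyed pseudonymization of a direct identifier (the SIN the Commissioner's findings single out), generalization of a date of birth to an age band, and truncation of a postal code to its forward sortation area, with fields not needed for the purpose dropped. The record layout, field names, key and sample values are constructed for the example.

```python
"""Privacy transformation: reduce a personal-information record to a less
sensitive form by pseudonymizing, generalizing and minimizing its fields.

Added illustration only; not the GoA Privacy Architecture's own code. The
record layout, field names, SECRET_KEY and sample values are constructed.
"""
import hmac
import hashlib
from datetime import date

# Constructed sample key. In a real deployment the key lives in a key-management
# system, is rotated, and is never stored beside the pseudonymized data.
SECRET_KEY = b"example-only-pseudonymization-key"

# Fixed reference date so the example is reproducible (the talk's date).
REFERENCE_DATE = date(2004, 1, 19)

# Upper bound (exclusive) and label for each age band; 65 and over handled below.
AGE_BANDS = [(18, "<18"), (25, "18-24"), (35, "25-34"), (45, "35-44"),
             (55, "45-54"), (65, "55-64")]


def pseudonym(value: str, key: bytes) -> str:
    """Keyed pseudonym for a direct identifier such as a SIN.

    A plain SHA-256 of a nine-digit number is reversible by hashing all 10**9
    candidates and comparing; the HMAC key makes re-identification depend on
    holding the key rather than on the small input space, while still giving
    the same pseudonym for the same identifier so records can be linked.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def age_band(dob: date, as_of: date) -> str:
    """Generalize a date of birth to a coarse age band as of a given date."""
    had_birthday = (as_of.month, as_of.day) >= (dob.month, dob.day)
    age = as_of.year - dob.year - (0 if had_birthday else 1)
    for upper, label in AGE_BANDS:
        if age < upper:
            return label
    return "65+"


def forward_sortation_area(postal_code: str) -> str:
    """Keep only the first three characters (the FSA) of a Canadian postal code."""
    return postal_code.replace(" ", "").upper()[:3]


def transform_record(record: dict, key: bytes, as_of: date) -> dict:
    """Produce the less-sensitive form of a record for analysis or reporting.

    - name: dropped, it is not needed for the assumed purpose
    - sin: replaced by a keyed pseudonym (linkable, not directly identifying)
    - dob: generalized to an age band
    - postal_code: truncated to the FSA
    - province: retained unchanged
    """
    return {
        "subject_id": pseudonym(record["sin"], key),
        "age_band": age_band(date.fromisoformat(record["dob"]), as_of),
        "fsa": forward_sortation_area(record["postal_code"]),
        "province": record["province"],
    }


# Constructed sample record; the SIN is fictitious (issued SINs do not start with 0).
SAMPLE = {"name": "A. Example", "sin": "046454286", "dob": "1980-06-15",
          "postal_code": "K1A 0B1", "province": "ON"}


def transform_sample() -> dict:
    """Run the transformation over the constructed sample record."""
    return transform_record(SAMPLE, SECRET_KEY, REFERENCE_DATE)


if __name__ == "__main__":
    print(transform_sample())
```

The output record can be linked across datasets through `subject_id` as long as the same key is used, which is why the key, not the pseudonym table, is the asset to protect; rotating the key deliberately breaks linkage with older extracts.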
[Chart residue from the closing slide: 20%, 13%, 11%; the chart itself is not recoverable.]
Questions?