© 2003 IBM Corporation. www.ibm.com/security/privacy. Preparing for Privacy, Society of Internet Professionals, January 19, 2004. Nigel Brown, Senior Privacy Consultant, IBM Global Services.


© 2003 IBM Corporation Preparing for Privacy Society of Internet Professionals January 19, 2004 Nigel Brown Senior Privacy Consultant IBM Global Services

Privacy Commissioner's Report
Introductory comments on PIPEDA:

"Privacy code only the beginning

It is the rare organization nowadays that isn't greatly concerned about the privacy rights of individuals -- on paper, at least. Most corporate brochures and Web sites proudly proclaim a privacy code, ostensibly in full compliance with corporate obligations under the PIPED Act. What our complaint investigations are showing, however, is that some organizations have been less than thorough about putting their codes into practice.

A privacy code is pointless without comprehensive and detailed policies and procedures, and these in turn are pointless unless they are known and consistently observed and applied. The privacy violations that give rise to complaints are often attributable to problems or defects in an organization's information-handling processes or system as a whole. Such problems are themselves often caused by failure on an organization's part to grasp, or turn its attention to, the practical implications of the PIPED Act's principles. Sometimes, too, the problems derive from unquestioned adherence to traditional practices that may no longer be acceptable under the Act."

Privacy Commissioner's Report
Most common findings:

- Overarching theme: not operationalizing privacy
  - Not putting operational procedures in place
- Not appointing a Privacy Officer
- Not knowing how to handle access requests and privacy complaints
  - Not meeting the time limit
- Keeping information too long, or not long enough
- Not limiting collection to what is necessary
  - Especially unnecessary collection of the SIN (Social Insurance Number)
  - Not re-visiting old practices
- Not identifying purpose
  - Not documented, not presented before collection, employees can't explain it
- Not instituting proper safeguards
  - Inadequate authorization, transmission security, "need to know"
- Not recognizing employee privacy rights

What the Leaders are Doing

- Senior Management Commitment
  - Recognition as a strategic issue: senior managers committed, involved, informed
  - Chief Privacy Officer is a senior officer and/or has direct access to top levels
- Setting High Minimum Standards Across the Enterprise
  - A response to multiple sets of regulations
  - Adopt best practices on the core principles
  - Minimal local customization where necessary
- Active Externally
  - Gain a voice in the public policy debate
  - Gain external benchmarks: leverage trade associations and industry organizations
  - Attend conferences, get an independent/external view, share
- Making Privacy Part of the Customer/Employee Loyalty Strategy
  - Viewing privacy as one end of the preference spectrum
  - Moving from compliance to opportunity

What the Leaders are Doing (continued)

- Approaching Privacy as an Ongoing Business Requirement
  - Permanent cross-functional steering committees and teams
  - Systematic, repeatable assessment against objectives
  - Tracking legislative, marketplace, customer and technology trends
- Process Focus
  - Detailed risk/opportunity analysis of personal-information-handling processes
  - Developing privacy-specific processes, e.g. access to personal information
- Making Privacy Systemic and Embedded
  - Building privacy considerations into all key process and compliance checkpoints
  - Assigning ownership at all levels
- Leveraging Technology
  - Identifying where technology can provide risk mitigation and opportunity enhancement
  - Extending the Enterprise Architecture to include a Privacy Architecture

PIA (Privacy Impact Assessment) Tool Reports

Privacy Website Assessment Offering

- Description
  - A review of a company's website privacy management practices, to create trust among website users by ensuring that appropriate privacy and security measures are taken and are visible to the user
  - Use of a best-of-breed automated platform to test for privacy compliance
- Deliverable
  - A comprehensive, web-based report identifying:

Key Components of the GoA Privacy Architecture

- Identity Protection Component (IDPC): How should we index personal information?
- Privacy Taxonomy: How should we classify personal information?
- Glossary: How do we communicate privacy requirements and issues?
- Privacy Transformation: How do we transform personal information to less sensitive forms?
- Privacy Design Guidance: How do we make privacy-smart IT design and acquisition decisions?
- Active Privacy Architecture: How do we use technology to manage privacy in real time?
- Data Placement: Where should we place personal data in our IT infrastructure?
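To make three of the architecture questions above concrete (how to index personal information, how to transform it to a less sensitive form, and where to place it), here is an added example in Python. It is not code from the slides and not the GoA component design; it shows one common way to answer those questions: records in the working store are keyed by a keyed-hash pseudonym rather than the SIN, the only mapping from pseudonym back to identity is held in a separate "identity vault", and quasi-identifiers (date of birth, postal code) are generalised before release. The field names, the key, the sample records and the generalisation rules are assumptions made for the example.

```python
"""Pseudonymous indexing, privacy transformation and data placement.

Added example (not from the original slides, not the GoA component).
Assumptions: field names, VAULT_KEY, sample records and the
generalisation rules are all invented for illustration.
"""
import hmac
import hashlib
from datetime import date

# Assumption: a per-deployment secret held only by the identity vault.
# A plain SHA-256 of a SIN is reversible by brute force (there are only
# 10^9 candidate numbers), so the index hash must be keyed.
VAULT_KEY = b"example-key-do-not-use-in-production"

# Reference date used for age calculation (the presentation date).
AS_OF = date(2004, 1, 19)

# Constructed sample records; the SINs are made-up strings, not real numbers.
SAMPLE_RECORDS = [
    {"sin": "000-000-001", "name": "A. Example", "dob": "1971-04-12",
     "postal_code": "T5K 2J7", "benefit": "housing"},
    {"sin": "000-000-002", "name": "B. Example", "dob": "1994-11-30",
     "postal_code": "T2P 1J9", "benefit": "disability"},
]

# Fields that must never leave the vault.
DIRECT_IDENTIFIERS = {"sin", "name", "dob", "postal_code"}


def pseudonym(identifier: str, key: bytes = VAULT_KEY) -> str:
    """Stable keyed pseudonym for an identifier: the same SIN always maps
    to the same index, but without `key` nobody can confirm a guessed SIN."""
    norm = identifier.replace("-", "").replace(" ", "")
    return hmac.new(key, norm.encode(), hashlib.sha256).hexdigest()


def age_band(dob_iso: str, today: date = AS_OF, width: int = 10) -> str:
    """Generalise a date of birth to an age band such as "30-39"."""
    born = date.fromisoformat(dob_iso)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


def fsa(postal_code: str) -> str:
    """Keep only the Forward Sortation Area (first three characters) of a
    Canadian postal code, dropping the delivery-unit half."""
    return postal_code.replace(" ", "").upper()[:3]


def leaks_identifiers(record: dict) -> bool:
    """Release gate: True if a record still carries a direct identifier."""
    return bool(DIRECT_IDENTIFIERS & record.keys())


def split_record(rec: dict, today: date = AS_OF) -> tuple:
    """Return (vault_entry, working_record).

    The vault entry keeps the re-identification data; the working record
    keeps only the pseudonym and generalised attributes.
    """
    pid = pseudonym(rec["sin"])
    vault_entry = {"pid": pid, "sin": rec["sin"], "name": rec["name"]}
    working = {
        "pid": pid,
        "age_band": age_band(rec["dob"], today),
        "fsa": fsa(rec["postal_code"]),
        "benefit": rec["benefit"],
    }
    return vault_entry, working


def transform_all(records, today: date = AS_OF) -> tuple:
    """Split every record and refuse to emit a working record that
    would still leak a direct identifier."""
    vault, working = [], []
    for rec in records:
        v, w = split_record(rec, today)
        if leaks_identifiers(w):
            raise ValueError(f"identifier leak for pid {w['pid']}")
        vault.append(v)
        working.append(w)
    return vault, working


if __name__ == "__main__":
    vault, working = transform_all(SAMPLE_RECORDS)
    for w in working:
        print(w)
```

The split is what makes the "data placement" question answerable: the working store can live on less trusted infrastructure because a breach of it yields pseudonyms and bands, not identities, while the vault (and its key) stays in the most controlled zone. Re-identification then becomes an explicit, auditable lookup against the vault rather than something any system holding the data can do.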

Questions?