Www.ipc.on.ca The Privacy Imperative: Go Beyond Compliance to Competitive Advantage Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario Transcend.

Office of the Information and Privacy Commissioner, Ontario, Canada
Presentation transcript:

The Privacy Imperative: Go Beyond Compliance to Competitive Advantage Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario Transcend Business Services Executive Conference August 25, 2004

Slide 2 Impetus for Change
• Growth of Privacy as a Global Issue
• EU Directive on Data Protection
• Increasing amounts of personal data collected, consolidated, aggregated
• Consumer Backlash; heightened consumer expectations

Slide 3 The New Debate: Privacy After 9/11
• It’s business as usual:
  - Clear distinction between public safety and business issues – make no mistake
  - NO reduction in consumer expectations
  - Increased value of trusted relationships

Slide 4 Consumer Attitudes
• Business is not a beneficiary of the post-9/11 “Trust Mood”
• Increased trust in government has not been paralleled by increased trust in business handling of personal information
Privacy On and Off the Internet: What Consumers Want, Harris Interactive, November 2001, Dr. Alan Westin

Slide 5 Importance of Consumer Trust
• In the post-9/11 world:
  - Consumers either as concerned or more concerned about online privacy
  - Concerns focused on the business use of personal information, not new government surveillance powers
• If consumers have confidence in a company’s privacy practices, consumers are more likely to:
  - Increase volume of business with company: 91%
  - Increase frequency of business: 90%
  - Stop doing business with company if PI misused: 83%
Harris/Westin Poll, Nov & Feb. 2002

Slide 6 Information Privacy Defined
• Information Privacy: Data Protection
  - Freedom of choice; control; informational self-determination
  - Personal control over the collection, use and disclosure of any recorded information about an identifiable individual

Slide 7 What Privacy is Not
Security ≠ Privacy

Slide 8 Privacy and Security: The Difference
• Authentication
• Data Integrity
• Confidentiality
• Non-repudiation
• Privacy; Data Protection
• Fair Information Practices
Security: Organizational control of information through information systems

Slide 9 STEPS: The Context
• Terrorist attacks 9/11
• Government concerns over public safety
• U.S. Patriot and anti-terrorist legislation
• Polarized debate for Security/Privacy

Slide 10 Change the Paradigm
• Old Paradigm: Zero Sum Game
• New Paradigm: (win-win) Security + Privacy = Freedom
• Expand the discourse: Privacy and Security are not polar opposites but essential components

Slide 11 The Challenge for Solution Developers
• Introduce privacy into the concept, design and implementation of technology solutions
• Promote existing STEPs:
  - 3-D Holographic Scanner: respecting physical privacy while enhancing security
  - Biometric encryption: better security plus ironclad privacy

Slide 12 Fair Information Practices: A Brief History
• OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
• EU Directive on Data Protection
• CSA Model Code for the Protection of Personal Information
• Canada Personal Information Protection and Electronic Documents Act (PIPEDA)

Slide 13 Summary of Fair Information Practices
• Accountability
• Identifying Purposes
• Consent
• Limiting Collection
• Limiting Use, Disclosure, Retention
• Accuracy
• Safeguards
• Openness
• Individual Access
• Challenging Compliance

Slide 14 Extension of PIPEDA
• As of January 1, 2004, the Personal Information Protection and Electronic Documents Act has extended to:
  - all personal information collected, used or disclosed in the course of commercial activities by provincially regulated organizations
  - unless a substantially similar provincial privacy law is in force

Slide 15 Provincial Private-Sector Privacy Laws
• Québec: Act respecting the protection of personal information in the private sector
• B.C.: Personal Information Protection Act
• Alberta: Personal Information Protection Act
• Ontario: draft Privacy of Personal Information Act, 2002 – not introduced…so PIPEDA applies

Slide 16 Ontario: Health Information Protection Act, 2003 (PHIPA)
• Ontario government introduced health privacy bill (Bill 31) on December 17, 2003
• Law comes into effect on November 1, 2004
• Establishes privacy rules for personal health information that is collected, used or disclosed by health information custodians

Slide 17 The Bottom Line
Privacy should be viewed as a business issue, not a compliance issue

Slide 18 The Promise
• Electronic Commerce projected to reach $220 billion by 2001
  WTO, 1998
• Electronic Commerce projected to reach $133 billion by 2004
  Wharton Forum on E-Commerce, 1999
Estimates revised downward to reflect lower expectations

Slide 19 Privacy is affecting E-Commerce
• United States: e-commerce sales were only 1.6% of total sales -- $54.9 billion in
  U.S. Dept. of Commerce Census Bureau, February 2004
• Canada: Online sales were only 0.6% of total revenues -- $13.7 billion in 2002
  Statistics Canada, April 2003

Slide 20 Lack of Privacy = Lack of Sales
• “Consumer privacy apprehensions continue to plague the Web. These fears will hold back roughly $15 billion in e-commerce revenue.”
  Forrester Research, September 2001
• “Privacy and security concerns could cost online sellers almost $25 billion by 2006.”
  Jupiter Research, May 2002

Slide 21 The Business Case
• “Our research shows that 80% of our customers would walk away if we mishandled their personal information.”
  CPO, Royal Bank of Canada, 2003
• Nearly 90% of online consumers want the right to control how their personal information is used after it is collected.

Slide 22 ISF Highlights Damage done by Privacy Breaches
• The Information Security Forum reported that a company’s privacy breaches can cause major damage to brand and reputation:
  - 25% of companies surveyed experienced some adverse publicity due to privacy
  - 1 in 10 had experienced civil litigation, lost business or broken contracts
  - Robust privacy policies and staff training were viewed as keys to avoiding privacy problems
The Information Security Forum, July 7, 2004

Slide 23 How The Public Divides on Privacy
The “Privacy Dynamic” - Battle for the minds of the pragmatists
Dr. Alan Westin

Slide 24 It’s all about Trust
“Trust is more important than ever online … Price does not rule the Web … Trust does.”
Frederick F. Reichheld, Loyalty Rules: How Today’s Leaders Build Lasting Relationships

Slide 25 The High Road
“When customers DO trust an online vendor, they are much more likely to share personal information. This information then enables the company to form a more intimate relationship with its customers.”
Frederick F. Reichheld, Loyalty Rules: How Today’s Leaders Build Lasting Relationships

Slide 26 Lack of Trust on the Web
“In 70% of instances where Internet users were asked to provide information in order to access an online informational resource, those users did not pursue the resource because they thought their privacy would be compromised.”
Narrowline Study, 1997

Slide 27 Trust and Privacy Policies
Fully 50% of online users said they would leave a Web site if they were unhappy with a company’s privacy policy.
Customer Respect Group, February 2004 survey

Slide 28 Falsifying Information on the Web
“42.1% have falsified information at one time or another when asked to register at a Web site.”
10th WWW User Survey, October 1998

Slide 29 Make Privacy a Corporate Priority
• An effective privacy program needs to be integrated into the corporate culture
• It is essential that privacy protection become a corporate priority throughout all levels of the organization
• Senior Management and Board of Directors’ commitment is critical

Slide 30 Good Governance & Privacy
“Privacy and Boards of Directors: What You Don’t Know Can Hurt You”
• Guidance to corporate directors faced with increasing responsibilities and expectation of openness and transparency
• Privacy among the key issues that Boards of Directors must address
• Potential risks if Directors ignore privacy
• Great benefits to be reaped if privacy included in a company’s business plan

Slide 31 Privacy Diagnostic Tool
• Simple, plain-language tool (paper and e-versions)
• Free & self-administered
• CSA model code to examine an organization’s privacy management practices

Slide 32 PETTEP
• Privacy Enhancing Technologies Testing and Evaluation Project
• How does one determine whether a technology can deliver on its privacy promises?
• PETTEP’s objective: to test, through an international standard, the privacy claims of technologies.

Slide 33 PETTEP (cont’d)
• Modeled on the Common Criteria – an international standard used to test the security components of technologies
• For privacy, Fair Information Practices (FIP) would form the basis of the testing
• The challenge is to translate FIPs into the functional requirements of the Common Criteria – to find the design correlates of FIPs

Slide 34 PETTEP Status Update
• PETTEP partners with public & private sectors to develop an enhancement of the Privacy Chapter in the Common Criteria;
• PETTEP & partners are developing the necessary privacy protection profiles that will form the basis of testing and evaluating the privacy claims of various technologies;
• PETTEP works with various levels in ISO with a view to creating privacy technology standards.

Slide 35 Final Thought
“Anyone today who thinks the privacy issue has peaked is greatly mistaken…we are in the early stages of a sweeping change in attitudes that will fuel political battles and put once-routine business practices under the microscope.”
Forrester Research, March 5, 2001

How to Contact Us
Commissioner Ann Cavoukian
Information & Privacy Commissioner/Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario M4W 1A8
Phone: (416)
Web: