
Being Proactive: Identifying Weaknesses and Opportunities in Your Privacy Program IAPP Canadian Privacy Summit May 2008.


1 Being Proactive: Identifying Weaknesses and Opportunities in Your Privacy Program IAPP Canadian Privacy Summit May 2008

2 Cost of a Breach
$197 per compromised record
Source: 2007 Annual Study: U.S. Cost of a Data Breach, Ponemon Institute, Nov 2007

3 Why Self-Assess?
Identify weaknesses and opportunities
– Correct weaknesses before a breach occurs
Benchmarking
– Current state vs. desired state
Demonstrates privacy compliance with stakeholders
– Management / Board of Directors
– Employees / Customers
– Regulators / Privacy commissioners

4 What You'll Learn This Hour
Office of the Privacy Commissioner of Canada – Auditing for privacy and guidance for best privacy practices
Sun Life Assurance Co of Canada – How they conducted their own self-assessment and lessons learned
CICA – Privacy Risk Assessment Tool

5 Office of the Privacy Commissioner of Canada / Commissariat à la protection de la vie privée du Canada
Assessing Privacy Management
IAPP Toronto, May 22, 2008

6 Jennifer Stoddart, Privacy Commissioner of Canada

7 This Presentation
Overview of OPC
Privacy environment
OPC audit & review
PIPEDA self-assessing tool

8 Warm Up
P+S = 0? or P+S = 1?
P-S = 300 million

9 About the OPC – Office of the Privacy Commissioner of Canada
Protect & promote privacy rights of individuals
Oversee compliance with two Acts
Independent Officer of Parliament
Multi-faceted ombudsman role
Responsible for promoting good management of personal information by organizations, both public and private.
Visit

10 OPC Audit & Review Mandate
Section 36(1) of the Privacy Act – investigate exempt data banks.
Section 37(1) of the Privacy Act – review of compliance with sections 4-8 in respect of personal information under the control of government institutions (public sector). About 250 entities.
TB Policy – Privacy Impact Assessment Reviews
Section 18(1) PIPEDA – with reasonable notice, time and on reasonable grounds to believe contravention – audit the PI management practices of an organization. Private sector audit universe.

11 Audit & Review Branch
We do audits and privacy impact assessment reviews – with a purpose.
To conduct independent and objective audits and reviews of personal information management systems for the purpose of promoting compliance with applicable legislation, policies and standards and improving privacy practices and accountability.
Building capacity – now 9, growing to 19. Budget increased to $1.7M (from $896K).

12 A Definition of Privacy Auditing
Privacy auditing (in our context) can be defined as a systematic examination of control and accountability for the life cycle management of personal information – consistent with fair information principles. It can also be viewed as assessment of the means employed by organizations to manage privacy risks. Using a systems approach, any particular audit under the Privacy Act or the Personal Information Protection and Electronic Documents Act would be designed to address one or more of the following basic questions – depending on the scope of the audit.

13 Privacy management in context – Privacy Environment Today

14 Toronto

15 Ubiquitous Computing

16 A New Universe - World Connected

17 Technology – no limits/bounds

18 No Shortage of Privacy Challenges
Post 9/11 – increased emphasis on information sharing for security purposes
Trans-border data flow
Outsourcing activities
Protecting one's actual persona in an age of information expansion-integration
–Data consolidation-mining-matching-resale
–Behavioural profiling and targeted advertising
Biometrics
Increased surveillance (in many forms – visual and data)
Internet - Web2 – Wireless communication (generation shift)
Identity theft – loss/theft of PI
Privacy breaches

19 Public increasingly concerned

20 Some days we feel a little overwhelmed

21 Privacy Breaches
The number one issue raised in submissions on the PIPEDA review was data breach.
Seems not a day goes by without one.
How many actually happen compared to the ones known about?

22 ID Theft – solutions?
The Virginia state legislature passed a law prohibiting individuals from disseminating Social Security Numbers legally obtained from government web sites – $2,500 civil penalty. Ostergren story.
Canada introducing ID theft legislation – C27.
Informing people on how to protect themselves.

23 Privacy Breaches – Industry Canada Policy Objectives:
1. Encourage better data security practices and better understand the link between current practices and data losses.
2. Reduce public concern about data breaches and increase confidence in the electronic marketplace and online commerce.
3. Ensure that individuals obtain the information necessary to take steps to mitigate harm resulting from a breach of their personal information.

24 Why do breaches happen?
An accident – a one-off thing?
Function of:
–Culture
–Flawed systems and procedures?
Likely that the resources invested to prevent a breach (i.e. to protect personal information) depend on the extent to which management believes it can afford a breach – a function of risk management.
A privacy breach protocol is a key element of a privacy management program/framework.

25 What about data security?
"Despite agency reported progress, major federal agencies continue to experience significant information security control deficiencies that limit the effectiveness of their efforts to protect the confidentiality, integrity and availability of their information and information systems." GAO, March 12, 2008, GAO T
OAG Canada has reported concerns about information security among federal departments and agencies.
OPC has observed cases of poor information management and/or weak data protection in federal departments and agencies as well as the private sector.

26 Keeping privacy healthy

27 How privacy management friendly is your organization?
1. How does your organization view privacy – what's the culture?
2. Is privacy on the agenda/radar of Senior Management?
3. How's your PMF? Do you have one – can you articulate it?
4. Do you have a handle on what personal information you hold, why you collect it and what you do with it?
5. Do you have a privacy training program?
6. How's your CPO shop? Is it sufficiently resourced / does it have the capacity to do what it should? Is it a marginal or a key player?
7. Do you track privacy breaches and have responsive mechanisms?
8. When you introduce/change business lines or systems, do you do a privacy impact assessment (including TRA) beforehand, and then do you use it?
9. You have policy – that's good – but is it just words on paper? How do you know it's followed/supported?
–Does your internal audit function consider privacy issues/risks?
–When did your organization last do a privacy practices check-up?
–In what ways is managing for privacy part of a manager's performance agreement and evaluation?

28 OPC Self-assessment tool
A compliance guide and a diagnostic tool we expect to make public by July 08.
A set of standards that medium to large organizations can use to monitor compliance with the 10 Fair Information Principles from Schedule 1 of PIPEDA.
Framework of principles and criteria.
A guide – series of must, should, may by each Principle.
Diagnostic tool – checklists, means of interpretation and action determination.

29 Self Assessment Checklists
P1 Accountability – 23 Qs
P2 Identifying Purpose – 9 Qs
P3 Consent – 9 Qs
P4 Limiting Collection – 6 Qs
P5 Limiting use, disclosure, retention – 5 Qs
P6 Accuracy – 6 Qs
P7 Safeguards – 8 Qs
P8 Openness – 6 Qs
P9 Individual Access – 15 Qs
P10 Challenging Compliance – 5 Qs

30 Sample checklist – Principle 1 Accountability
Columns: Statement | Assessment (Met / Not Met / Partly Met) | Evidence | Actions
Statement 1: You have reviewed your privacy policies and are satisfied that they are complete and easy to understand.
Statement 2: You have clearly delineated who, within your organization, is responsible for privacy governance and management.
Statement 3: You have privacy policies and practices that apply to the personal information of your employees as well as that of your customers.

31 Evaluating
Evaluating the results of a self-assessment should enable an organization to dedicate resources to improving privacy practices in the right areas.
Over time, evaluation of an organization's compliance should be put into the context of a maturity level.

32 Maturity
A mature privacy management program/framework is characterized by due diligence and documentation of risk acceptance or mitigation decisions, which should help set priorities for remedial action and define a realistic timeline for completion.

33 A Privacy Program Maturity Scale
Level 1 – Non-existent/seriously underdeveloped
Level 2 – Early stages of development
Level 3 – Advanced – requirements mostly met – improvements possible
Level 4 – Fully developed – requirements mostly met with only minor or no adjustments needed

34 Likelihood of Occurrence
Level | Descriptor | Description
5 | Almost Certain | Event occurs regularly here.
4 | Likely | Event has occurred here more than once, or is occurring to others in similar circumstances.
3 | Moderate | Event has occurred here before, or has been observed in similar circumstances.
2 | Unlikely | Event has occurred infrequently before to others in similar circumstances, but has not occurred here.
1 | Rare | Event has almost never been observed; it may occur only in exceptional circumstances.

35 Impact
Level | Descriptor | Description
5 | Extreme | A major event with the potential to lead to long-term damage to an organization's ability to meet its objectives.
4 | Very High | A critical event which, with proper management, can be endured by the organization.
3 | Medium | A significant event that can be managed under normal circumstances by the organization.
2 | Low | An event where consequences can be absorbed, but management effort is required to minimize the impact.
1 | Negligible | An event, the consequences of which can be absorbed through normal activity.

36 Heat Mapping

37 Keeping Privacy Healthy
Focus on privacy principles
Value privacy as a credential and not just a compliance requirement – treat personal information as a key asset to be safeguarded as well as any other
Systematic approach to privacy risk management
Better legislative and regulatory frameworks
Robust privacy management framework
Strong IT control, especially for identification and authentication
Privacy checkups
Be a privacy guardian... why...

38 Privacy Matters
Fundamental Human Right
Rights against arbitrary intrusion – freedom from unreasonable search and seizure.
Right to protect personal information.
Privacy matters because it's about the kind of society we want – the relationship we have with government, business and among ourselves.

39 Thank You – Questions?
www.privcom.gc.ca
Trevor R. Shaw, CA CMC, A/Director General - Audit and Review

40 Privacy Self-Assessment
David T Shuen, MBA, LL.B., CIPP/C, VP, Chief Compliance Officer, Canadian Operations, Sun Life Financial

41 Objectives of the Self-Assessment
Governance
– Update and document compliance status
– Obtain evidence of management due diligence
– Input for compliance testing
Risk Management
– Identify trends and systemic control weakness
– Identify emerging issues and risks
– Input for control measures development
– Maintain awareness

42 The Self-Assessment
Developed in-house by our privacy team with input from our Privacy Advisory Committee.
Contains 37 questions based on the Fair Information Principles.
Captures information on:
– Compliance status
– Current compliance, risk management and regulatory activities, e.g. audits, examinations
– Trends / issues / risks identified
– New privacy controls and safeguards and near-term planned activities
– Top 5 (self-identified) privacy risks including documentation of corresponding controls and assessment of the net risk

43 The Process
Semi-annual
Coordinated by the privacy office
Completed by privacy / compliance officers in business units with access to personal information – input from operations
Reviewed by business unit heads
Certification required
Takes about 3 weeks at the business level

44 The Process
Analyzed by the Privacy Office
Consolidated report prepared for the CPO
Summary reported to Canadian senior management and the enterprise risk management committee
Material issues escalated to executives and shared with control functions – Internal Audit, Compliance and Risk Management

45 Lessons Learned
A good way to know what is going on in the business
Effective way to keep Privacy on the radar screen
Testing a necessity – perception of risk differs
There is no such thing as too much awareness – training needs to be on-going
– Front-line workers have the least time for training but have the most access to customer information
– A less formal but more frequent awareness campaign may be more effective than a formal training course
Authentication is a constant struggle between good customer experience and good privacy protection

46 Privacy Risk Assessment Tool
Based on Generally Accepted Privacy Principles developed by CICA and AICPA
– A privacy framework to help organizations develop and assess their privacy program and privacy risk
Excel based
Allows up to 10 assessors

47 Generally Accepted Privacy Principles
Management
Notice
Choice & Consent
Collection
Use & Retention
Access
Disclosure to Third Parties
Security for Privacy
Quality
Monitoring & Enforcement

48 The Benefits of GAPP
Comprehensive
– Framework of over 60 measurable and relevant criteria
Objective
– Developed by the auditing profession to address international expectations and create a basis for comparability
– Universally available at no charge
Relevant
– Widespread use and recognition
– Applicable for evaluating privacy risk enterprise-wide
– Recognized as suitable criteria for a privacy audit
– Can also be the basis for an internal assessment

49 GAPP - 66 Criteria: Scoring Input Template
Columns: Criteria | Criteria Description | Likelihood of a Control Failure | Business Impact | Effort/Cost to Mitigate
MANAGEMENT (10 criteria)
Privacy Policies (1.1.0) – Policies are defined for: notice, choice/consent, collection, use/retention, access, disclosure, security, quality, and monitoring and enforcement. Scores shown on the slide: 258
Communications to Internal Personnel (1.1.1) – Privacy policies are communicated at least annually to internal personnel responsible for collecting, using, retaining, and disclosing personal information. Changes in policy are communicated shortly after the changes are approved. Scores shown on the slide: 258

50 GAPP - 10 Principles: Scoring Summary
(Chart: x-axis Likelihood of a Control Failure, y-axis Business Impact, size of marker = Cost to Mitigate; one marker each for Management, Notice, Choice / Consent, Collection, Use / Retention, Access, Disclosure, Security, Quality, Monitoring / Enforcement.)
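As an added example (not from the presentation, the OPC, or CICA's Excel tool), here is how the 1-5 likelihood and impact scales from slides 34-35 can be turned into heat-map bands (slide 36) and rolled up to one entry per GAPP principle, as the scoring summary above does with a marker per principle sized by cost. The band thresholds, the criterion ids other than 1.1.0 and 1.1.1, and every score in the sample are assumptions made for this example.

```python
"""Heat-map scoring of privacy self-assessment criteria (added example)."""
from collections import defaultdict
from statistics import mean

# Descriptors from the OPC "Likelihood of Occurrence" and "Impact" slides.
LIKELIHOOD = {5: "Almost Certain", 4: "Likely", 3: "Moderate",
              2: "Unlikely", 1: "Rare"}
IMPACT = {5: "Extreme", 4: "Very High", 3: "Medium",
          2: "Low", 1: "Negligible"}

# Heat-map bands on the product likelihood x impact (1..25).
# These thresholds are an assumption of this example, not OPC or CICA values.
def band(score):
    if score >= 15:
        return "red"
    if score >= 8:
        return "amber"
    return "green"

def heat_band(likelihood, impact):
    """Validate a likelihood/impact pair and return its heat-map band."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must be integers 1-5")
    return band(likelihood * impact)

def prioritize(criteria):
    """Score each criterion and order it for remediation: highest
    likelihood x impact first, cheapest mitigation first on ties."""
    scored = []
    for c in criteria:
        s = dict(c, score=c["likelihood"] * c["impact"])
        s["band"] = heat_band(c["likelihood"], c["impact"])
        scored.append(s)
    return sorted(scored, key=lambda c: (-c["score"], c["cost"]))

def summarize_by_principle(criteria):
    """Roll criteria up to one entry per GAPP principle. A mean-based band
    can hide a single red criterion, so the worst band is reported too."""
    groups = defaultdict(list)
    for c in prioritize(criteria):          # already sorted, worst first
        groups[c["principle"]].append(c)
    summary = {}
    for principle, items in groups.items():
        avg_l = mean(c["likelihood"] for c in items)
        avg_i = mean(c["impact"] for c in items)
        summary[principle] = {
            "likelihood": avg_l,
            "impact": avg_i,
            "cost": sum(c["cost"] for c in items),   # marker size
            "band": band(avg_l * avg_i),
            "worst_band": items[0]["band"],
        }
    return summary

# Constructed sample input. Ids 1.1.0 and 1.1.1 are the two GAPP criteria
# shown on the slide; the SEC-*/NOT-* ids and all scores are made up here.
SAMPLE_CRITERIA = [
    {"principle": "Management", "id": "1.1.0", "likelihood": 2, "impact": 4, "cost": 6},
    {"principle": "Management", "id": "1.1.1", "likelihood": 3, "impact": 3, "cost": 2},
    {"principle": "Security for Privacy", "id": "SEC-1", "likelihood": 4, "impact": 5, "cost": 9},
    {"principle": "Security for Privacy", "id": "SEC-2", "likelihood": 2, "impact": 2, "cost": 1},
    {"principle": "Notice", "id": "NOT-1", "likelihood": 1, "impact": 2, "cost": 3},
]

if __name__ == "__main__":
    for c in prioritize(SAMPLE_CRITERIA):
        print(f'{c["band"]:5} score={c["score"]:2} {c["principle"]:21} {c["id"]}')
    for p, s in summarize_by_principle(SAMPLE_CRITERIA).items():
        print(f'{p:21} band={s["band"]} worst={s["worst_band"]} cost={s["cost"]}')
```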

51

52 Contact Info Nicholas F. Cheung, CA, CIPP/C Principal, Assurance Services Development CICA (416)

53 Questions?

