ENTERPRISE RISK SERVICES

Presentation Highlights
- Legislative Framework
- Privacy Overview
- Nature of University Data
- Compliance Drivers
- Challenges/Issues
- Data Privacy Case Study
- Relationship with IT Security
- Privacy Methodology
- Best Practices
- Privacy Compliance Areas
- CPO Duties
- Role of Internal Audit
- Conclusions

Privacy – It Does Not Get Any More Personal Than This
(Diagram: personal data items placed at increasing distance from the individual's "Comfort Zone")
- Favourite restaurant
- Birthdate
- Political beliefs
- Annual salary
- Sexual orientation
- Medical history

Privacy Legislative Framework
- Commonwealth Privacy Act 1988
- Privacy (Private Sector) Amendment Act 2000
- NSW: Privacy and Personal Information Protection Act 1998
- Victoria: Information Privacy Act 2000
- Tasmania: IPPs
- WA and SA: Commonwealth law
- ACT: Health Records (Privacy and Access) Act 1997
- Qld: Information Standard 42 (2002) plus Commonwealth law
- NZ: Privacy Act 1993

Privacy Overview
WHAT?
- What is received? Where from?
- How is it collected? In what format?
- What consents were obtained?
WHERE?
- Where is it stored?
- Who can access it?
- How long do you keep it?
- How do you dispose of it?
HOW?
- How do you use it?
- What is the main purpose?
WHO?
- Who do you share it with?
- Who do you disclose it to?

Compliance Drivers – Issues Driving Compliance
Customer Sensitivity & Brand Image
– Increased customer sensitivity over privacy
– A high level of customer trust protects your brand name
Competitive Edge
– Meeting necessary regulatory requirements vs. being a leader in the privacy arena
– The adverse consequences of a lapse in privacy compliance
Misconceptions
– "The requirements don't apply to us since we don't sell or otherwise share information"
– "The requirements only affect internet communications"
Regulation
– The new privacy requirements – Privacy Act
– State requirements may also apply
Regulatory Scrutiny
– Known brands and deep pockets are big targets
International Regulation
– Global firms need a global approach to deal with overlapping, emerging and diverse international requirements

Potential Issues
- How do privacy, information security and risk inter-relate?
- Do privacy policies and disclosures accurately reflect actual practices, procedures and controls?
- Have the various requirements been identified? By jurisdiction? By legislation? By line of business?
- How does the de-centralised organisation affect security and privacy?
- How do the privacy requirements affect the organisation's one-to-one marketing or student relationship management initiatives?
- Is there a plan to ensure that student-facing employees are adequately trained to address student needs?
- Linkage to other documents – code of conduct, administration manuals

Key Pressure Points/Challenges
Organisations typically:
- Are hampered by legacy systems
- Are confused by distinctions between security and privacy
- Lack understanding about their technology & systems
- Are focused on policies
Observations:
- Written procedures often fail to accurately reflect actual practices.
- Information may be stored incorrectly.
- Web sites are able to record and track individual identity and associated activities on the Internet.
- Current technology infrastructure may be unable to incorporate policies and controls to comply with notice, choice and security requirements.
- Business and legal departments may be unfamiliar with the capabilities of their enterprise technology and its implementation.

Issues & Observations
- Most large firms take a customer no-action position that "they do not share information with other organisations who may want to sell their products or services to you".
- Many organisations have begun to circulate their privacy notices and plans.
- There is a risk that many firms have a procedural or internal control gap between privacy policies/disclosures and actual procedures/controls.
- The CPO role – while not uniformly established – is gaining traction, and forums and special interest groups are emerging.
- Regulators and litigants will become increasingly focused on privacy and the controls (information security and data management) facilitating privacy.

Nature of University Data
Universities hold personal information such as:
- Statistical data – address, age
- Academic records
- Tax File Numbers
- Personal matters – medical, financial, TFNs
- Online surveys
- Alumni and donor records
- Personnel data
- CCTV

Data Privacy Case Study
- A suburban insurance agent for an international insurer devised an Access database with client asset data.
- He sold client data and received on-going commission from his brother-in-law (a commission mortgage manager with a mortgage financier).
- The brother-in-law passed on client information to his friend at a debt collection agency.
Let's break this down.

Data Privacy Case Study (1)
A suburban insurance agent for an international insurer developed an Access database with client asset data.
– Customer consent obtained? Opt-out explained?
– Was it collected for the stated purpose? Is it reasonable?

Data Privacy Case Study (2)
He sold client data and received on-going commission from his brother-in-law (a commission mortgage manager with a mortgage financier).
– An unreasonable act. Was it collected for the stated purpose?

Data Privacy Case Study (3)
The brother-in-law passed on client information to his friend at a debt collecting agency.
– An unreasonable act & not allowed.

Data Privacy Case Study – Issues
List or database sale issues:
- Have all customers consented, and is there an opt-out clause? Sight evidence that the list owner has notified everyone on the list.
- Is it accurate? If all were notified, do a random check for accuracy; it's good business practice.
- The sale was an unreasonable act. Was the data collected for the stated purpose?

Is Privacy the Same as IT Security?
- An enterprise may have world-class security and no privacy.
- Without IT security, it is impossible to have acceptable privacy.
- So, IT security is a building block of a privacy-compliant organisation.

Information Life Cycle
(Diagram: Data Acquisition -> Data Usage -> Data Storage -> Data Distribution/Sharing -> Data Destruction, with Data Security spanning every stage)
Mapping the information life cycle is a requirement.

Privacy Methodology
1. Privacy Compliance Assessment
2. Plan Design
3. Program Design
4. Build Awareness

Best Practices
Organisation
- Board-sponsored privacy team
- Privacy program management office (PMO)
Assessment
- Define the types of personal information gathered, stored and processed
- Document where and how the information is stored
- Identify responsibility for the information (corporate, agent, third party)
- Assess existing policies and practices against privacy requirements
- Determine any international use or exchange of personal information
- Develop/document areas where changes are required to comply with regulations

Best Practices (continued)
Design
- Proposed organisation and reporting structures
- Framework for identifying and documenting the various privacy components
- Resources required (personnel, skills, technology, financial, space)
- Timelines, activities and deliverables
Implementation
- Client-facing behaviours
- Organisational policies, procedures and processes
- Rights and obligations
- Data classification policies and procedures
- Advertising and solicitations
- Vendor and third-party agreements

Privacy Compliance Risk Areas
(Diagram: risk areas lettered A to L across the Corporate Entity and a Related Entity; lettered labels not recoverable from the extracted text)
- Privacy legislation and privacy disclosure
- Consent process; personal information; access to information
- Corporate databases / application systems (student management, alumni)
- E-business
- Network infrastructure
- Manual processes / physical records

Duties of the Chief Privacy Officer
- Organise and coordinate the Privacy Task Force or Committee
- Commission or conduct privacy risk assessment
- Track the privacy environment and provide reports
- Monitor the privacy law and regulations environment
- Support employee privacy training
- Interact with student groups and regulators
- Provide a contact point for students/staff
- Manage privacy dispute resolution
- Speak for the University and prepare executives for legislative testimony
- Conduct regular/annual privacy audits
- Report to top management

Role of Internal Audit
- Determine that a sufficient privacy task force has been established.
- Determine that sufficient privacy policies and related operational privacy procedures and practices exist.
- Assess the privacy training and awareness program.
- Ensure that an effective privacy compliance and monitoring program has been established.

Conclusions
- Privacy is now a major concern, in the online and offline worlds, domestically and globally.
- Loss of reputation and credibility are major privacy risks, but privacy issues hit the bottom line too: e.g. cost of change and lawsuits.
- Privacy violations may be unintentional, accidental or unforeseen… the press and the public will not care.
- Personalisation through profiling is a key strategy for gaining and retaining students – both online and offline.
- Privacy is not the same as security.
- Appoint privacy compliance officers.
- Conduct privacy audits.