1 Privacy
Australian & New Zealand University Internal Audit (ANZUIAG) Conference, September 2002
©2002 by Deloitte Touche Tohmatsu. All Rights Reserved. No part of this presentation may be reproduced without the express permission of Deloitte Touche Tohmatsu.

2 Presentation Highlights
- Legislative Framework
- Privacy Overview
- Nature of University Data
- Compliance Drivers
- Challenges/Issues
- Data Privacy Case Study
- Relationship with IT Security
- Privacy Methodology
- Best Practices
- Privacy Compliance Areas
- CPO Duties
- Role of Internal Audit
- Conclusions

3 Privacy – It Does Not Get Any More Personal Than This
Comfort Zone:
- Favorite restaurant
- Birthdate
- Political beliefs
- Annual salary
- Sexual orientation
- Medical history

4 Privacy Legislative Framework
- Commonwealth: Privacy Act 1988; Privacy (Private Sector) Amendment Act 2000
- NSW: Privacy and Personal Protection Act 1998
- Victoria: Information Privacy Act 2000
- Tasmania: IPPs
- WA and SA: Commonwealth law
- ACT: Health Record (Access and Privacy) Act 1997
- Qld: Information Standard 42 (2002) plus Commonwealth law
- NZ: Privacy Act 1993

5 Privacy Overview
WHAT? Is received? Where from? How is it collected? What format? What consents?
WHERE? Is it stored? Who can access it? How long do you keep it? Do you dispose of it?
HOW? Do you use it? What is the main purpose?
WHO? Do you share it with? Do you disclose it to?

6 Issues Driving Compliance
Compliance Drivers
- Customer Sensitivity & Brand Image: increased customer sensitivity over privacy; a high level of customer trust protects your brand name
- Competitive Edge: meeting necessary regulatory requirements vs. being a leader in the privacy arena; the adverse consequences of a lapse in privacy compliance
- Misconceptions: "the requirements don't apply to us since we don't sell or otherwise share information"; "the requirements only affect internet communications"
- Regulatory Scrutiny: known brands and deep pockets are big targets
- International Regulation: global firms need a global approach to deal with overlapping, emerging and diverse international requirements
- Regulation: the new privacy requirements (Privacy Act); state requirements may also apply

7 Potential Issues
- How do privacy, information security and risk inter-relate?
- Do privacy policies and disclosures accurately reflect actual practices, procedures and controls?
- Have the various requirements been identified? By jurisdiction? By legislation? By line-of-business?
- How does the de-centralised organisation affect security and privacy?
- How do the privacy requirements affect the organisation's "one-to-one" marketing or student relationship management initiatives?
- Is there a plan to ensure that student-facing employees are adequately trained to address student needs?
- Linkage to other documents: code of conduct, administration manuals

8 Key Pressure Points/Challenges
- Are hampered by legacy systems
- Confused by distinctions between security and privacy
- Lack understanding about their technology & systems
- Are focused on "policies"
- Written procedures often fail to accurately reflect actual practices.
- Information may be stored incorrectly.
- Web sites are able to record and track individual identity and associated activities on the Internet.
- Current technology infrastructure may be unable to incorporate policies and controls to comply with notice, choice and security requirements.
- Business and legal departments may be unfamiliar with the capabilities of their enterprise technology and its implementation.

9 Issues & Observations
- Most large firms take a "customer no-action" position that... "they do not share information with other organisations who may want to sell their products or services to you"
- Many organisations have begun to circulate their privacy notices and plans
- There is a risk that many firms have a "procedural or internal control gap" between privacy policies/disclosures and actual procedures/controls
- The CPO role, while not uniformly established, is gaining traction, and there are forums and special interest groups emerging
- Regulators and litigants will become increasingly focused on privacy and the controls (information security and data management) facilitating privacy

10 Nature of University Data
Universities hold personal information:
- Statistical data (address, age)
- Academic records
- Tax File Numbers
- Personal matters (medical, financial, TFNs)
- Online surveys
- Alumni, donors
- Personnel data
- CCTV

11 Data Privacy Case Study
- A suburban insurance agent for an international insurer devised an Access database with client asset data
- He sold client data and received on-going commission from his brother-in-law (a commission mortgage manager with a mortgage financier)
- The brother-in-law passed on client information to his friend at a debt collection agency
LET'S BREAK THIS DOWN

12 Data Privacy Case Study
A suburban insurance agent for an international insurer developed an Access database with client asset data.
- Customer consent obtained?
- Opt out explained?
- Was it collected for the stated purpose?
- Is it reasonable?

13 Data Privacy Case Study
He sold client data and received on-going commission from his brother-in-law (a commission mortgage manager with a mortgage financier).
- An unreasonable act.
- Was it collected for the stated purpose?

14 Data Privacy Case Study
The brother-in-law passed on client information to his friend at a debt collecting agency.
- An unreasonable act, and not allowed.

15 Data Privacy Case Study
List or database sale issues:
- Have all customers consented, and is there an opt out clause?
- Sight evidence that the list owner has notified all on the list
- Is it accurate? If all were notified, do a random check for accuracy; it is good business practice
Issues:
- An unreasonable act.
- Was it collected for the stated purpose?

16 Is Privacy the Same as IT Security?
- An enterprise may have world-class security and no privacy.
- Without IT security, it is impossible to have acceptable privacy.
- So, IT security is a building block of a "privacy compliant" organisation.

17 Information Life Cycle
Mapping the information life-cycle is a requirement:
- Data Acquisition
- Data Storage
- Data Distribution/Sharing
- Data Usage
- Data Destruction
- Data Security

18 Privacy Methodology
Privacy Compliance Assessment
Awareness
Plan
Design Program
Design
Build

19 Best Practices
Organisation
- Board sponsored privacy team
- Privacy program management office (PMO)
Assessment
- Defining the types of personal information gathered, stored, and processed
- Documenting where and how the information is stored
- Identifying responsibility for the information (corporate, agent, third party)
- Assess existing policies and practices against privacy requirements
- Determine any international use or exchange of personal information
- Develop/document areas where changes are required to comply with regulations

20 Best Practices
Design
- Proposed organisation and reporting structures
- Framework for identifying and documenting the various privacy components
- Resources required (personnel, skills, technology, financial, space)
- Timelines, activities and deliverables
Implementation
- Client-Facing Behaviors; Organisational Policies, Procedures and Processes; Rights and Obligations; and Data Classification Policies and Procedures
- Advertising and Solicitations; Rights and Obligations; and Vendor and Third Party Agreements

21 Privacy Compliance Risk Areas
[Diagram: Privacy Legislation over the Corporate Entity and a Related Entity; within each, Application Systems and Corporate Databases (Student mgmt, Alumni) holding Personal Information, Network Infrastructure, Manual Processes and Physical Records, with E-Business, the Consent Process, Privacy Disclosure and Access to Information at the boundary. Risk areas A–L are marked on the diagram.]
Legend:
A. Classification of Personal Information According to Sensitivity
B. Disclosure of Privacy Practices
C. Consent Process
D. Collection of Personal Information
E. Storage of Personal Information
F. Processing of Personal Information
G. Transmission and Disclosure of Personal Information
H. Reporting and Access to Personal Information
I. Disposal of Personal Information
J. Response Process to Complaints and Individual's Requests
K. Awareness of Privacy Requirements
L. Compliance with Privacy Legislation

22 Duties of the Chief Privacy Officer
- Organise and coordinate Privacy Task Force or Committee
- Commission or conduct privacy risk assessment
- Track privacy environment and provide reports
- Monitor privacy law and regulations environment
- Support employee privacy training
- Interact with student groups and regulators
- Provide contact point for students/staff
- Manage privacy dispute resolution
- Speak for the University and prepare executives for legislative testimony
- Conduct regular/annual privacy audits
- Report to top management

23 Role of IA
- Determine that a sufficient privacy task force has been established.
- Determine that sufficient privacy policies and related operational privacy procedures and practices exist.
- Assess the privacy training and awareness program.
- Ensure that an effective privacy compliance and monitoring program has been established.

24 Conclusions
- Privacy is now a major concern, in the online and offline worlds, domestically and globally.
- Loss of reputation and credibility are major privacy risks, but privacy issues hit the bottom-line, too: e.g. cost of change and lawsuits.
- Privacy violations may be unintentional, accidental or unforeseen... the press and the public will not care.
- Personalisation through profiling is a key strategy for gaining and retaining students, both online and offline.
- Privacy is not the same as security.
- Privacy compliance officers
- Privacy audits

25 Contact Details
Carl Gerrard – phone: 07 3308 7046
Cathy Blunt – phone:
