Presentation Highlights
- Legislative Framework
- Privacy Overview
- Nature of University Data
- Compliance Drivers
- Challenges/Issues
- Data Privacy Case Study
- Relationship with IT Security
- Privacy Methodology
- Best Practices
- Privacy Compliance Areas
- CPO Duties
- Role of Internal Audit
- Conclusions
Privacy – It Does Not Get Any More Personal Than This
Comfort zone:
- Favorite restaurant
- Birthdate
- Political beliefs
- Annual salary
- Sexual orientation
- Medical history
Privacy Legislative Framework
- Commonwealth: Privacy Act 1988; Privacy Amendment (Private Sector) Act 2000
- NSW: Privacy and Personal Information Protection Act 1998
- Victoria: Information Privacy Act 2000
- Tasmania: Information Privacy Principles (IPPs)
- WA and SA: Commonwealth law
- ACT: Health Records (Privacy and Access) Act 1997
- Qld: Information Standard 42 (2002) plus Commonwealth law
- NZ: Privacy Act 1993
Privacy Overview
WHAT?
- What personal information is received?
- Where does it come from?
- How is it collected?
- In what format?
- With what consents?
WHERE?
- Where is it stored?
- Who can access it?
- How long do you keep it?
- How do you dispose of it?
HOW?
- How do you use it?
- What is the main purpose?
WHO?
- Who do you share it with?
- Who do you disclose it to?
Issues Driving Compliance
Compliance Drivers
Customer Sensitivity & Brand Image
- Increased customer sensitivity over privacy
- A high level of customer trust protects your brand name
Competitive Edge
- Meeting necessary regulatory requirements vs. being a leader in the privacy arena
- The adverse consequences of a lapse in privacy compliance
Misconceptions
- "The requirements don't apply to us since we don't sell or otherwise share information"
- "The requirements only affect internet communications"
Regulatory Scrutiny
- Known brands and deep pockets are big targets
International Regulation
- Global firms need a global approach to deal with overlapping, emerging and diverse international requirements
Regulation
- The new privacy requirements – Privacy Act
- State requirements may also apply
Potential Issues
- How do privacy, information security and risk inter-relate?
- Do privacy policies and disclosures accurately reflect actual practices, procedures and controls?
- Have the various requirements been identified? By jurisdiction? By legislation? By line of business?
- How does a de-centralised organisation affect security and privacy?
- How do the privacy requirements affect the organisation's "one-to-one" marketing or student relationship management initiatives?
- Is there a plan to ensure that student-facing employees are adequately trained to address student needs?
- Linkage to other documents: code of conduct, administration manuals
Key Pressure Points/Challenges
Organisations:
- Are hampered by legacy systems
- Are confused by the distinction between security and privacy
- Lack understanding of their technology and systems
- Are focused on "policies"
Challenges:
- Written procedures often fail to accurately reflect actual practices.
- Information may be stored incorrectly.
- Web sites are able to record and track individual identity and associated activities on the Internet.
- Current technology infrastructure may be unable to incorporate policies and controls to comply with notice, choice and security requirements.
- Business and legal departments may be unfamiliar with the capabilities of their enterprise technology and its implementation.
Issues & Observations
- Most large firms take a "customer no-action" position that "they do not share information with other organisations who may want to sell their products or services to you".
- Many organisations have begun to circulate their privacy notices and plans.
- There is a risk that many firms have a "procedural or internal control gap" between privacy policies/disclosures and actual procedures/controls.
- The CPO role, while not uniformly established, is gaining traction, and forums and special interest groups are emerging.
- Regulators and litigants will become increasingly focused on privacy and on the controls (information security and data management) that facilitate privacy.
Nature of University Data
Universities hold personal information, including:
- Statistical data – address, age
- Academic records
- Tax File Numbers
- Personal matters – medical, financial, TFNs
- Online surveys
- Alumni and donors
- Personnel data
- CCTV
Data Privacy Case Study
- A suburban insurance agent for an international insurer devised an Access database with client asset data.
- He sold client data and received on-going commission from his brother-in-law (a commission mortgage manager with a mortgage financier).
- The brother-in-law passed on client information to his friend at a debt collection agency.
Let's break this down.
Data Privacy Case Study
A suburban insurance agent for an international insurer developed an Access database with client asset data:
- Was customer consent obtained?
- Was opt-out explained?
- Was it collected for the stated purpose?
- Is it reasonable?
Data Privacy Case Study
He sold client data and received on-going commission from his brother-in-law (a commission mortgage manager with a mortgage financier):
- An unreasonable act.
- Was it collected for the stated purpose?
Data Privacy Case Study
The brother-in-law passed on client information to his friend at a debt collecting agency:
- An unreasonable act, and not allowed.
Data Privacy Case Study
List or database sale issues:
- Have all customers consented, and is there an opt-out clause?
- Sight evidence that the list owner has notified everyone on the list.
- Is it accurate? If all have been notified, do a random check for accuracy; it is good business practice.
Issues:
- An unreasonable act.
- Was it collected for the stated purpose?
Is Privacy the Same as IT Security?
- An enterprise may have world-class security and no privacy.
- Without IT security, it is impossible to have acceptable privacy.
- So, IT security is a building block of a "privacy compliant" organisation.
Information Life Cycle
Mapping the information life cycle is a requirement:
Data Acquisition -> Data Storage -> Data Distribution/Sharing -> Data Usage -> Data Destruction
Data Security underpins every stage.
Privacy Methodology
Privacy Compliance Assessment -> Awareness -> Plan Design -> Program Design -> Build
Best Practices – Organisation and Assessment
Organisation
- Board-sponsored privacy team
- Privacy program management office (PMO)
Assessment
- Define the types of personal information gathered, stored and processed
- Document where and how the information is stored
- Identify responsibility for the information (corporate, agent, third party)
- Assess existing policies and practices against privacy requirements
- Determine any international use or exchange of personal information
- Develop/document areas where changes are required to comply with regulations
Best Practices – Design and Implementation
Design
- Proposed organisation and reporting structures
- Framework for identifying and documenting the various privacy components
- Resources required (personnel, skills, technology, financial, space)
- Timelines, activities and deliverables
Implementation
- Client-facing behaviours; organisational policies, procedures and processes; rights and obligations; and data classification
- Policies and procedures; advertising and solicitations; rights and obligations; and vendor and third-party agreements
Privacy Compliance Risk Areas
[Diagram: the risk areas A–L below are mapped onto the corporate entity and its related entity, covering application systems, corporate databases, student management, alumni, e-business, network infrastructure, manual processes, physical records, the consent process, privacy disclosure and access to information, all within the boundary of privacy legislation.]
A. Classification of Personal Information According to Sensitivity
B. Disclosure of Privacy Practices
C. Consent Process
D. Collection of Personal Information
E. Storage of Personal Information
F. Processing of Personal Information
G. Transmission and Disclosure of Personal Information
H. Reporting and Access to Personal Information
I. Disposal of Personal Information
J. Response Process to Complaints and Individuals' Requests
K. Awareness of Privacy Requirements
L. Compliance with Privacy Legislation
Duties of the Chief Privacy Officer
- Organise and coordinate the Privacy Task Force or Committee
- Commission or conduct privacy risk assessments
- Track the privacy environment and provide reports
- Monitor the privacy law and regulations environment
- Support employee privacy training
- Interact with student groups and regulators
- Provide a contact point for students/staff
- Manage privacy dispute resolution
- Speak for the University and prepare executives for legislative testimony
- Conduct regular/annual privacy audits
- Report to top management
Role of Internal Audit (IA)
- Determine that a sufficient privacy task force has been established.
- Determine that sufficient privacy policies and related operational privacy procedures and practices exist.
- Assess the privacy training and awareness program.
- Ensure that an effective privacy compliance and monitoring program has been established.
Conclusions
- Privacy is now a major concern, in the online and offline worlds, domestically and globally.
- Loss of reputation and credibility are major privacy risks, but privacy issues hit the bottom line too, e.g. the cost of change and lawsuits.
- Privacy violations may be unintentional, accidental or unforeseen; the press and the public will not care.
- Personalisation through profiling is a key strategy for gaining and retaining students, both online and offline.
- Privacy is not the same as security.
- Privacy compliance officers
- Privacy audits