Title: Privacy and Freedom of Information in the New Work World
Slide 1: Privacy and Freedom of Information in the New Work World
- Abigail Carter, CIPP/C, University Health Network
- Donald E. Sheehy, CACISA, CIPP/C, Deloitte & Touche LLP
Slide 2: This session will cover
- Privacy: what is it
- What legislation are we facing
- World of work today
- Current privacy issues
- Possible future issues
Slide 3: What is privacy
- Right to be left alone (1890, Harvard Business Review)
- Freedom from intrusion or public attention
- The protection of the collection, storage, destruction and dissemination of personal information (EU and US Safe Harbor)
- Collection, use and disclosure
Slide 4: AICPA/CICA Privacy task force
Privacy encompasses the rights and obligations of individuals and organizations with respect to the collection, use, disclosure and retention of personal information.
Slide 5: What are we facing
Slide 6: Managing privacy in Canada
- Federal Privacy Act (1980s)
- Provincial Freedom of Information and Privacy Legislation (1990s)
- Q830 The CSA Model Code (1996)
- Personal Information Protection and Electronic Documents Act (2000)
- Existing provincial private sector privacy legislation in certain provinces
  - Quebec (Bill 68 and Bill 75)
  - Alberta (Bill 44)
  - British Columbia (Bill 38)
Slide 7: Managing Privacy in Ontario
- Freedom of Information and Privacy Legislation (1990) (FIPPA)
- Personal Health Information Protection Act (PHIPA)
- Personal Information Protection and Electronic Documents Act (PIPEDA)
Slide 8: Mandatory Breach Notification
- Since California took the lead in 2003, more than 30 US states have breach notification laws
- 49 million Americans have been notified of security breaches over the last three years (Harris Interactive Poll)
- Ontario health sector only jurisdiction with mandatory breach notification
- Per PrivacyRights.org there have been breaches impacting over 167,000
Slide 9: Some current headlines and stats
- Oct 2007
  - Massachusetts Division of Professional Licensure: 450,000 professionals had social security released
  - GAP: 800,000 online applicants, stolen laptop
- Aug/Sept 2007
  - Pfizer: security breach, 34,000
  - TD Ameritrade Holding Corp.: 6.3 million potential on hack
  - Monster.com: 1.6 million
  - California Public Employees' Retirement System: 445,000 mailing with exposed social security numbers
Slide 10: More privacy headlines
- Ontario's Chair of Management Board of Cabinet apologized on behalf of the Ontario government for a cheque printing error that led to the disclosure of personal information of some recipients of the Ontario Child Care Supplement (OCCS).
- Medical records found scattered across Toronto streets (for film shoot)
- Financial institutions' privacy problems (misdirected faxes and microcomputers)
- Prudential Insurance records in Manitoba
- Credit Card Numbers Stolen From State Government Web Site: Rhode Island officials said they planned to notify affected credit card customers whose information was stolen from a government web site
Slide 11: Marketplace: Some current headlines
- Fears of identity theft have forced more than half of web users to cease online purchases
- Local government officials in Japan are refusing to disclose personal information intended to be used for legitimate purposes
- 2006: The Fusepoint/Sun Microsystems/Leger Marketing survey has found that 55 percent of Canadian companies say their confidential and private data is at risk of an attack . . . 98 percent of the Canadian business leaders said that it is important for companies to safeguard private data
- Accounting firms not immune: . . . laptop was stolen from an . . . employee's car in January. . . . IBM workers who have been stationed overseas at one time or another during their careers. As a result of the theft, the names, dates of birth, genders, family sizes, SSNs and tax identifiers exposed. . . . Last month, another firm laptop theft had exposed the social security number and other personal information of Sun Microsystems CEO Scott McNealy and an unknown number of other people
Slide 12: Current Issues
Slide 13: What does the World of Work look like today?
- In 2005 workers devoted between 9 and 10 hours a day to paid employment (StatsCan)
  - 25% worked 10 hours
- More than 80 million workers worldwide worked from home at least one day per month in 2005, up from 38 million in 2000 (Gartner)
- In US almost a quarter of all corporate workers telecommuted one day a month in 2005, twice the number from 2000
- 40% of all workers in US and Canada are mobile (Info-Tech Research Group)
  - Routinely do at least 20% of core business functions remotely
- Executive-level workers represent just 1/3 of corporate mobile staff in US companies (Mobility Market Monitor)
- % of firms with mobile administrative personnel expected to rise to 46% at end of 08
- Growth of telecommuting is slowing, but is still on the rise.
Slide 14: Key issues
- Global
  - Third party outsourcing
  - Problems of trans-border information flows
- Business level
  - Device and Data Theft
Slide 15: Introduction
- Organizations are
  - Increasingly focusing on their core competencies
  - Strategically outsourcing non-core activities to reduce costs and increase margins
- Business models are becoming complex and extending beyond the four walls of the enterprise
- But many privacy violations have occurred at the third party level
Slide 16: Privacy Concerns in Offshoring Arrangements
- Offshoring arrangements may involve many cross border and inter-organization transfers of PII. Different country specific laws may exist, making the regulatory environment complex
- Traditional contractual mechanisms may not be sufficient or enforceable in countries without an appropriate legal framework for dealing with global information technology issues
- Use of encryption technology may be hampered by specific country laws limiting the use of encryption
- Data subjects may be concerned with the onward transfer or offshoring of PII to other entities
- The privacy and information security policies of the organizations involved may conflict or be inconsistent
- Service Provider may have opportunity and motive to defraud
- Service Provider does not have safeguards in place to protect private and/or sensitive information
Slide 17: 10 Questions for Outsourcing
An organization wanting to minimize its privacy risk and implement a best practices approach to outsourcing should consider the following critical questions:
- Who are the outsourcing organizations we contract with and where are they located?
- Precisely what data are we sending to, and receiving from, outsourcing organizations?
- Is the data personal information, and have we given notice to our customers of this data transfer?
- What are our exposures if the data is improperly accessed or used?
- What data protection clauses do we have in these contracts?
Slide 18: 10 Questions for Outsourcing (cont'd)
- What evidence do we have that these outsourcing organizations protect our data as outlined in these data protection clauses?
- What processes are in place to monitor the outsourcing organizations?
- Do these organizations outsource any of their processes in which our data may be further transferred to another organization?
- What processes do the outsourcing organizations we contract with use to verify the data protection practices followed by their outsourcing partners?
- What are the applicable privacy laws and regulations?
Slide 19: Transborder Information Flows
- Which act / where is our information going?
- Responsibilities and accountabilities
Slide 20: The face of privacy and security today?
Slides 21-22: Device and Data Theft
- Incident
  - Laptop stolen from parked SUV containing health information of 2,900 patients
- Lessons
  - Staff need tools to accommodate the way they work
  - Standards change over time
  - Quick reporting and careful incident management is critical
Change takes time!!!
Slide 23: Technological Failure
- Incident
  - Unsecured wireless camera used for surveillance in healthcare facility
- Lessons
  - A record is not just paper, or even tangible electronic data
  - Shift from protecting records to safeguarding information
  - Technology is a tool to enhance security when correctly implemented
  - Outsourcing service not accountability!
Slides 24-25: Inappropriate Behaviour
- Incident
  - Patient's estranged husband gains access to medical records through girlfriend (employee of the hospital)
- Lessons
  - Systems are more reliable than employees
  - Act quickly and decisively
  - Balance of obligation to client (reputation) vs. labour obligations
  - Zero tolerance?
Slides 26-27: Improper disposal
- Incident
  - Researchers able to retrieve data from 65 per cent of randomly purchased used disk drives from dealers in several provinces
  - 18 per cent contained personal medical information
- Lessons
  - Ensure procedures in place through the lifecycle of the device
  - Involve outsourced service providers
  - Don't forget the paper
Slide 28: Common Trend
- 91 percent of participants are concerned about employee security weaknesses
- 79 percent of participants cite the human factor as the root cause of information security failures
If our staff are the problem, what's the solution?
Slide 29: What do your staff need from you?
- Usable alternatives to storing PI on mobile devices (e.g. VPN)
- Never lose sight of usability when implementing security tools
- Enforced password protection
  - Power-on, screensaver, account layer
- Corporately maintained encryption tools
- Personal firewall, anti-virus, anti-spyware and encryption tools available for home use if needed
- Enabled time-out locks
- Security assessments before devices are deployed
- Strategies for device redeployment and retirement
- Regular recurring training
  - Be creative, e.g. screensavers as training tools
Slide 30: What do your staff need to know?
- Business data (client, employee, corporate) is a valued corporate asset
- Culture of privacy
- Basic options
  - Secure mobile devices at all times
  - Back seat of the car under a sweater not secure
- How to report issues
  - Balance of accountability with voluntary reporting
- Resources: IPC Safeguarding Privacy in a Mobile Workplace Brochure
Slide 31: Current and Future Drivers
Slide 32: Enterprise privacy drivers
- Branding and positioning
- Risk to brand from privacy breach
- Potential inconsistencies between policies and practices
- Sensitivity to aggressive marketing practices
- Existing privacy policies and client expectations
- Differing perspectives and expectations
- Procedures for responding to privacy complaints
- Relationships with partners, vendors and service providers
- Inconsistent implementation of privacy practices among independent organizations
- Who has responsibility and associated liability for privacy?
Extended enterprise
Customer sensitivity
Brand risk
- Multiple jurisdictions of privacy regulations
- Country specific compliance
- Legal solutions for EU data transfers such as Safe Harbor or model contracts
- Industry specific privacy codes of conduct
- Web-based e-commerce applications interact with clients online
- Use of personalization technologies such as cookies, smart tags, unique identifiers, client profiles, etc.
Advances in technology
Increased regulation
Globalization
Employee data mgmt
- Employee privacy in multinational companies
- Requires localized and tailored approach
- Information exchange economy
- CRM and HRIS systems centralize client and employee data from around the world
Slide 33: Business needs and privacy requirements: Finding the balance
- Business needs and privacy requirements may be opposing or supporting forces in dictating your data management practices
Business needs
- Direct and viral marketing initiatives
- Centralized vs. decentralized databases (ERP, CRM, Legacy)
- Data mining and business intelligence
- Replication and synchronization of information
- Personalized client/employee experiences
Privacy requirements
- Processed fairly and lawfully
- Collected for specific, explicit and legitimate purposes
- Adequate, relevant and not excessive
- Accurate and secure
- Not kept longer than necessary
- Processed in accordance with data subjects' rights
- Not transferred to countries with inadequate protection
- Source: EU Data Protection Directive 95/46/EC
Slide 34: The privacy-security paradox
- Privacy
  - Strong privacy requires protecting a user's identity from unauthorized access and use.
  - Individual privacy and personal freedom
- Security
  - Strong security requires binding a user's identity to their behavior to allow for authentication, authorization, non-repudiation and identity management.
  - Identity management and non-repudiation
Security is necessary for privacy; however, the closer an individual's identity is bound to his/her behavior, the greater the potential threat to the individual's privacy.
Slide 35: Some privacy technologies
- Platform for privacy preferences
- Privacy policy manager
- Identity management
- Biometric encryption
- Anonymity/Pseudonymity tools
- Trust management
- PKI
Slide 36: Assessments: Trust me
Slide 37: Types of Assessments
- Self Assessment
  - Questionnaires, interviews
  - Least cost
  - Deal with low risk situations
  - Staff availability can be an issue
- Internal Audit
  - Independent from group being audited but employed by company
  - Operate under defined standards
  - Reports can be very comprehensive
  - Can be used for all risk levels depending on company tolerance
  - No independent audit opinion for external use if needed
- Independent Assessment
  - By qualified third party auditor or assessor
  - Performance of assessment
  - Performance of audit/examination
  - The latter should be considered for significant risk areas
  - More cost as move to audit
Level of assurance: Lowest to Highest
Slide 38: Conclusions
- As fallible as technology is, humans are worse
- Information is a valuable commodity
- Cost of breach high
- Weigh business cost of implementing safeguards
- Need to invest in assessment