Office of the Privacy Commissioner of Canada - PowerPoint PPT Presentation

About This Presentation
Title: Office of the Privacy Commissioner of Canada
Description: Protecting one's actual persona in an age of information expansion ... and use of personal information within governing authorities (law, regulations, policy) ...

Slides: 32

Transcript and Presenter's Notes

1
Office of the Privacy Commissioner of Canada
  • Managing for Privacy
  • Financial Management Institute
  • Ottawa
  • November 27, 2007

2
Jennifer Stoddart, Privacy Commissioner of Canada
3
This Presentation
  • Overview of OPC
  • Why privacy matters
  • Privacy environment
  • OPC audit review
  • Privacy management

4
About the OPC
  • Office of the Privacy Commissioner of Canada
  • Protect and promote the privacy rights of individuals
  • Oversee compliance with two Acts (the Privacy Act and PIPEDA)
  • Independent Officer of Parliament
  • Multi-faceted ombudsman role
  • Responsible for promoting good management of
    personal information by organizations, both
    public and private.
  • Visit www.privcom.gc.ca

5
Remind me again
  • What is Privacy?

6
Why privacy matters
  • Fundamental Human Right
  • Rights against arbitrary intrusion and freedom
    from unreasonable search and seizure. Right to
    protect personal information.
  • Privacy matters because it's about the kind of
    society we want and the relationship we have with
    government, business and among ourselves.

7
Toronto - 1907
8
Privacy in Context
  • Privacy Environment of Today

9
Ubiquitous Computing
10
A New Universe - World Connected
11
Technology: no limits/bounds
12
No Shortage of Privacy Challenges
  • Post 9/11 increased emphasis on information
    sharing for security purposes
  • Trans border data flow
  • Outsourcing activities
  • Protecting one's actual persona in an age of
    information expansion and integration
  • Data consolidation-mining-matching-resale
  • Behavioral profiling and target advertising
  • Biometrics
  • Increased surveillance (in many forms visual
    and data)
  • Internet, Web 2.0, wireless communication
    (generation shift)
  • Identity theft; loss/theft of PI
  • Privacy breaches

13
Public increasingly concerned
14
Some days we feel a little swamped
15
Is Privacy Dead?
  • Privacy is not dead
  • But in need of much care

16
Annual Report to Parliament on Privacy Act
2006-07
  • Overhaul of Privacy Act critical
  • Increasing identity theft
  • Do benefits of travel related security programs
    outweigh privacy risks?
  • Breach exposure/lack of protection for personal
    information crossing borders
  • Privacy impact assessment function not working as
    it should.
  • Received 839 complaints and closed 957.

17
OPC Audit Review Mandate
  • Section 36(1) of the Privacy Act: investigate
    exempt data banks.
  • Section 37(1) of the Privacy Act: review
    compliance with sections 4-8 in respect of
    personal information under the control of
    government institutions (public sector).
  • Treasury Board policy: Privacy Impact Assessment
    reviews.
  • Section 18(1) of PIPEDA: on reasonable notice, at
    a reasonable time, and on reasonable grounds to
    believe there is a contravention, audit the PI
    management practices of an organization.

18
Audit Review Branch
  • We do audits and privacy impact assessment
    reviews with a purpose.
  • To conduct independent and objective audits and
    reviews of personal information management
    systems for the purpose of promoting compliance
    with applicable legislation, policies and
    standards and improving privacy practices and
    accountability.
  • Building capacity: now 8, growing to 19 (13
    auditors, 4 PIA review officers, the DG and one
    admin). Budget increased to $1.9M (from $896K).

19
Audit view/strategy
  • "People do not do what is expected, but they
    will do what is inspected."
  • Encourage entities to take responsibility and
    ensure for themselves that they have a sound
    Privacy Management Framework in place and working:
    build privacy in and know your own state of
    compliance.
  • Cost effective/risk focused
  • Likely to have significant systemic impact
  • Mix of government-wide examination of
    issues/practices combined with entity-based
    audits.
  • Extension of major complaint investigation
    results: has the respondent done what they said
    they would do?

20
Audit approach-process
  • Select, notify, scope (lines of inquiry), audit
    plan/criteria, examine, clearance/report, follow
    up.
  • Examination of the privacy governance/management
    framework, from the overall picture down to the
    nitty-gritty.
  • Systems-control-based approach to the life-cycle
    management of personal information.
  • Emphasis on assessing IT controls
  • Use of special advisors and contracted resources
  • Operate on a no-surprises basis

21
Auditing for Privacy: what's it all about?
22
A Definition of Privacy Auditing
  • Privacy auditing (in our context) can be
    defined as a systematic examination of control
    and accountability for the life-cycle management
    of personal information, consistent with fair
    information principles. It can also be viewed as
    an assessment of the means employed by
    organizations to manage privacy risks. Using a
    systems approach, any particular audit under the
    Privacy Act or the Personal Information Protection
    and Electronic Documents Act would be designed to
    address one or more of the following basic
    questions, depending on the scope of the audit.

23
Basic Privacy Management Questions
  • Is there an effective PMF (structures, policies,
    standards, systems and procedures) in place and
    working to ensure responsibility and
    accountability for privacy? Is this framework
    transparent? For example, does the organization
    have the means to:
  • Know and inform on what personal information it
    holds?
  • Carry out privacy impact assessments in a timely
    and comprehensive manner?
  • Inform an individual of how they can lodge a
    complaint?
  • Receive and respond to complaints or inquiries
    about its policies and procedures relating to
    the handling of personal information?
  • Identify, report and remediate privacy breaches?

24
Basic questions for a PIB (Personal Information Bank)
  • Is the acquisition and retention of personal
    information for a clear and necessary purpose?
    (Proportionality)
  • Is the collection, retention and use of personal
    information within governing authorities (law,
    regulations, policy)?
  • Is there appropriate consent (given or
    withdrawn)?
  • Is the use, disclosure and retention of personal
    information limited?

25
Basic questions
  • Is personal information accurate, complete and
    up-to-date as is necessary for the purposes for
    which it is to be used?
  • Is personal information protected in accordance
    with the sensitivity of the information?
  • Is personal information appropriately safeguarded
    against loss, theft or unauthorized access?

26
Basic questions
  • Is an individual informed of the existence, use
    and disclosure of his or her personal information
    and given access to that information in a
    forthright and timely manner (when and where
    access is not limited or prohibited by authorized
    exclusions to access)?
  • Is an individual able to challenge an
    organization's compliance with privacy
    principles, requirements and good practice,
    including the ability to make a complaint and to
    have their personal information corrected if
    necessary?

27
Keeping privacy healthy
28
Keeping Privacy Healthy
  • Focus on privacy principles
  • Value privacy as a credential and not just a
    compliance requirement; treat personal
    information as a key asset to be safeguarded as
    well as any other.
  • Systematic approach to privacy risk management
  • Better legislative and regulatory frameworks
  • Robust privacy management framework
  • Strong IT control, especially for identification
    and authentication
  • Privacy checkups
  • Be a privacy guardian

29
How privacy-management friendly is your
organization?
  • How does your organization view privacy? What's
    the culture?
  • Is privacy on the agenda/radar of Senior
    Management?
  • How's your PMF? Do you have one? Can you
    articulate it? Is it linked to the MAF
    (Management Accountability Framework)?
  • Do you have a handle on what personal information
    you hold, why you collect it and what you do with
    it?
  • Do you have a privacy training program?
  • How's your ATIP (Access to Information and
    Privacy) shop? Is it sufficiently resourced, with
    the capacity to do what it should? Is it a
    marginal or a key player?
  • Do you track privacy breaches and have responsive
    mechanisms?
  • When you introduce/change business lines or
    systems, do you do a privacy impact assessment
    (including a VA-TRA: vulnerability assessment and
    threat and risk assessment) beforehand, and then
    do you use it?
  • You have a policy; that's good, but is it just
    words on paper? How do you know it's
    followed/supported?
  • Does your internal audit function consider
    privacy issues/risks?
  • When did your organization last do a privacy
    practices check-up?
  • In what ways is managing for privacy part of a
    manager's performance agreement and evaluation?

30
Privacy and FMI Community
  • If you are:
  • In the business of building trust with Canadians
  • Trying to adapt today's technologies
  • Involved in the design, operation and assessment
    of systems/data banks containing personal
    information
  • Then you are in the business of privacy. Part of
    your responsibilities:
  • MAF and PMF
  • PIA: prevention function, privacy risk mitigation
  • Protecting/securing sensitive PI
  • Payroll (employee privacy), receivables (client
    privacy)
  • Monitoring for compliance with the Privacy Act
    and TBS policies (in the process of changing).

31
Thank You
  • Questions?
  • www.privcom.gc.ca
  • 1-800-282-1376
  • Trevor R. Shaw, CA CMC
  • Director General - Audit and Review
  • 613-996-2252