OnLine Privacy: Building Customer Trust - PowerPoint PPT Presentation

Slides: 27
Provided by: fazila3

Transcript and Presenter's Notes

1
On-Line Privacy: Building Customer Trust
  • By Fazila Nurani
  • PrivaTech Consulting

2
Why is privacy important?
PrivaTech Consulting
  • Privacy is often thought of as a basic human right.
  • Two components:
      • Privacy of the person (the right to be let alone).
      • Information privacy (the right to control the collection, use and disclosure of your personal information).
  • Customer trust issue:
      • 60% of on-line adults say security and privacy concerns stop them from doing business on the Web (Gartner).

3
Privacy is also a legal issue...
  • Canada
      • Federal Personal Information Protection and Electronic Documents Act.
      • Provinces will soon introduce their own legislation.
  • U.S.
      • Sector-specific legislation: Gramm-Leach-Bliley Act (financial privacy), Children's Online Privacy Protection Act, Health Insurance Portability and Accountability Act.
      • 100 privacy-related bills introduced in the States last year.
  • Europe
      • EU Directive on Data Protection 95/46/EC.

4
Privacy vs. Security
  • Security is often equated with privacy.
  • Security is a necessary but not a sufficient element of privacy.
  • Privacy is about control over one's information; security is about organizational, physical and technological safeguards.
  • An environment can be very secure, yet totally unprivate.

5
CSA Model Code for the Protection of Personal Information
  • Accountability
  • Identifying Purposes
  • Consent
  • Limiting Collection
  • Limiting Use, Disclosure and Retention
  • Accuracy
  • Safeguards
  • Openness
  • Individual Access
  • Challenging Compliance

6
The CSA Model Code: Principle 1
  • Accountability
      • An organization is responsible for personal information under its control and must designate an individual or individuals who are accountable for the organization's compliance with the following principles.

7
The CSA Model Code: Principle 2
  • Identifying Purposes
      • The purposes for which personal information is collected must be identified by the organization at or before the time the information is collected.

8
Identifying Purposes: The CSA Model Code, Principle 2
  • New purposes must be identified prior to use of the information.
  • Example: when DoubleClick merged with Abacus Direct Corp. and announced its plan to link the data it collects through cookies to personally identifiable information and offline purchasing data maintained in Abacus databases.

9
The CSA Model Code: Principle 3
  • Consent
      • The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

10
Consent: The CSA Model Code, Principle 3
  • Express vs. implied consent.
      • Implied consent is practical and acceptable in many circumstances.
  • Opt-in vs. opt-out consent.
      • Opt-out consent always receives criticism: has the opt-out notice been read? Has it been understood?
      • Air Canada recently released a policy that said financial and credit information would be collected about Aeroplan members from other sources, and that a member could opt out of the scheme if they so choose.

11
The CSA Model Code: Principle 4
  • Limiting Collection
      • The collection of personal information must be limited to that which is necessary for the purposes identified by the organization. Information must be collected by fair and lawful means.

12
Limiting Collection: The CSA Model Code, Principle 4
  • Only collect what you need, but consider future uses.
  • First decision under the Canadian privacy legislation: no need for constant surveillance.
      • Centurion Security Systems placed four cameras on the roof of a building and pointed them at the main intersection in Yellowknife. The plan was to eventually get the RCMP to buy in to the idea as an effective method of cracking down on crime.

13
The CSA Model Code: Principle 5
  • Limiting Use, Disclosure and Retention
      • Personal information must not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information must be retained only as long as necessary for the fulfillment of those purposes.

14
Limiting Use, Disclosure, Retention: The CSA Model Code, Principle 5
  • Selling the customer list (Toysmart case).
  • Have a retention policy in place, but bear in mind legislated requirements for retention in the Income Tax Act and employment standards legislation.
  • Procedures for the destruction of personal information.

15
The CSA Model Code: Principle 6
  • Accuracy
      • Personal information must be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

16
Accuracy: The CSA Model Code, Principle 6
  • Individuals often provide false information on-line.
  • Again, ties back to the purposes.
  • E.g. name requested when signing up for a free on-line newsletter.
      • PURPOSE: personalizing the greeting for the newsletter.
      • NECESSARY TO GET IT RIGHT? No harm if a false name is provided.

17
The CSA Model Code: Principle 7
  • Safeguards
      • Personal information must be protected by security safeguards (physical, organizational and technological measures) which are appropriate to the sensitivity of the information.

18
Safeguards: The CSA Model Code, Principle 7
  • Progress for security on the Internet:
      • Improved firewall software for personal and business use.
      • SSL and digital certificates.
      • Advanced virus protection software.
      • Legislation in place for e-commerce transactions.
  • Will never be perfect and will only be as good as the people responsible for implementing it.

19
The CSA Model Code: Principle 8
  • Openness
      • An organization must make readily available to individuals specific information about its policies and practices relating to the management of personal information.

20
Openness: The CSA Model Code, Principle 8
  • Your privacy policy should be detailed but clear.
  • Kitchen-sink policies are not helpful and demonstrate no commitment to privacy.
  • Purist policy ("will never disclose personal information to anyone") simply isn't true.
      • E.g. Amazon.com changed their policy from a no-disclosure rule to saying they may sell customer information in the future.
  • Microsoft's P3P-enabled browser translates privacy policies into code readable by websites.

21
The CSA Model Code: Principle 9
  • Individual Access
      • Upon request, an individual must be informed of the existence, use, and disclosure of his or her personal information and must be given access to that information. An individual must be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

22
Individual Access: The CSA Model Code, Principle 9
  • On-line access to one's own account is the best way of providing access.
  • The file is the property of the employer, but the information belongs to the employee.
      • Where can the employee view the file?
      • How often can they view the file if the information has not changed?
      • Will copying be allowed?

23
The CSA Model Code: Principle 10
  • Challenging Compliance
      • An individual must be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.

24
Privacy Initiatives Flourish...
  • More and more privacy seals are being developed: do you know what you're getting?
  • Ontario IPC, Guardent and PricewaterhouseCoopers join forces to introduce a free self-assessment tool that gauges privacy readiness (http://www.ipc.on.ca).
  • Microsoft's upcoming Windows XP: you need a Passport to use it...

25
Newsletters: PrivaTips and PrivaTalk
  • Articles on:
      • Privacy News Flash
      • Tips for Complying with Canada's Privacy Law
      • Provincial Initiatives
      • Global Impact
      • Survey Says
      • Technology to the Rescue

26
For further information please contact:
  • Fazila Nurani
  • PrivaTech Consulting
  • Tel: 905-886-0751
  • E-mail: fnurani@privatech.ca
  • Visit http://www.privatech.ca