Top Privacy Issues for Public Accountancy Firms

1
Top Privacy Issues for Public Accountancy Firms

• Nicholas F. Cheung, CA, CIPP/C
• The Canadian Institute of Chartered Accountants

2
Agenda

• Privacy Defined
• Privacy Survey Results
• Overview of Canadian Privacy Laws
• Top Privacy Issues
• Generally Accepted Privacy Principles

3
Privacy Defined

• Privacy
• The rights and obligations of individuals and
  organizations with respect to the collection,
  use, retention and disclosure of personal
  information
• Personal Information (PI)
• Information that is, or can be, about or related
  to an identifiable individual
• Home or e-mail address
• Financial information
• Consumer purchase history

4
Privacy Survey Results

• More than half of all businesses believe
  customers are now more concerned about privacy
  than in the past
• Despite advances in IT, businesses storing just
  as much data on paper as on electronic format
• 1 in 2 businesses have a low to moderate
  awareness of legal privacy responsibilities

5

• one of the biggest challenges for most small
  and medium businesses is to understand their
  obligations under the privacy law.

Report of the Standing Committee on Access to
Information, Privacy and Ethics House of
Commons, May 2007
6
Private SectorPrivacy Laws

• Federal (PIPEDA) Jan. 1, 2004
• Applies to every organization that conducts
  commercial activities
• Except BC, AB, QC and ON (health only)
• Applies to all cross-border transfers of PI
• Does not apply to employee PI other than federal
  work, undertaking or business
• Overseen by Privacy Commissioner of Canada

7
Private Sector Privacy Laws

• Provincial
• Privacy laws deemed substantially similar to
  PIPEDA
• BC/AB Personal Information Protection Act
  (PIPA)
• QC Act Respecting the Protection of Personal
  Information in the Private Sector
• ON Personal Health Information Protection Act
  (PHIPA)
• Applies to collection, use and disclosure of PI
  within a province
• Each province/territory has a privacy
  commissioner

8
Top Privacy Issues

1. Establishing a privacy policy
2. Allowing clients access
3. Training your employees
4. Protecting wireless gadgets

1. Retention Destruction
2. Transferring data securely
3. Being prepared for a privacy breach
4. Employee privacy

9
Establishing Your Privacy Policy

• A must for your clients and your employees
• 1 in 3 SMEs report either being
• in the process of implementing or
• have yet to implement a policy to oversee how the
  company and its employees collect, use, and
  disclose PI
• If there is ever a privacy investigation, this is
  the first thing an investigator will ask to see
• Readily accessible and available when PI is first
  collected from the individual
• Include a copy with engagement letter or
  reference it

10
Key Elements in a Privacy Notice

• Notice to individuals, including the purpose(s)
  for collecting personal information
• Choices available to individuals and the consent
  to be obtained
• Collection of personal information
• Use and retention of personal information
• Access to individuals personal information
• Disclosure of personal information to third
  parties
• Security of personal information
• Quality of personal information
• Monitoring and enforcement of privacy and
  policies and procedures

11
2. Allowing ClientsAccess

• Individuals should be
• given access to their PI
• informed of the existence, use and disclosure
• allowed to correct errors
• One of the more popular reasons cited for a
  privacy compliant
• 1 in 5 companies have not implemented any method
  to allow individuals to access their PI
• 30 days to respond under federal law

12
What To Include In Your Access Policy

• Details required to document access request
• Confirm identity
• Date and details of request
• How a search should be conducted
• Which files, databases should be reviewed
• Informing the individual about potential costs
• Should be provided at no or minimal cost
• Access should be free but charging for copies
  allowed
• When the CPO should be informed
• Unable to fulfill request
• Delay required beyond 30 days

13
3. Training Your Employees

• The weak link in many companies privacy chain
  is the untrained employee. Awareness training is
  not an option, its a necessity!
• Fran Faier
• Executive Director, TRUSTe

14
Why Train Staff on Privacy?

• Required by law
• Minimize employee errors
• Majority of breaches caused by employee error,
  not by external attacks
• Minimize customer frustration
• Know what to collect, why and how to access
• Reinforce culture of privacy
• Customer confidentiality is a core value
• Contractual requirement

15
What Should Your Staff Know?

• Know that privacy is protected by law
• May be a sensitive issue with clients
• Know what PI is in the context of your business
• Personal income tax info, SINs, client investment
  statements
• Understand how PI will be collected, used and
  disclosed
• Be familiar with and be able to reference privacy
  policy
• Provide a copy to clients upon request
• Understand when issues should be escalated
• Reinforce privacy concepts by referring to
  privacy within employee confidentiality and
  technology use agreements

16
4. Protecting Wireless Gadgets

• You can have security without privacy,
• but you cant have privacy without security.
• Many breaches caused by employees are due to loss
  of portable devices
• Laptops
• PDAs and Blackberries
• USB keys
• Points to consider
• Do you really need to take PI offsite?
• Take only what you need
• Is it possible to anonymize?

17
Laptop Protection

• Types of encryption for computers
• Whole Disk
• Virtual Disk
• Folder
• Biometric access
• Swap passwords for a swipe of your finger
• Lenovo laptops with this feature
• Lock in car trunk if necessary to leave in car
• Consider using a virtual private network to
  reduce need for laptops

18
5. Secure Retention Destruction

• Some recent headlines
• Film set uses real health records
• Private health records sold at auction
• Dumped receipts end up in criminals possession
• Police documents found blowing in Winnipeg wind

19
Benefits of a Retention and Destruction Policy

• Protect your business
• If you dont have it, you cant lose it
• Reduce scope of access requests
• Save costs
• Less storage space
• At the office
• At the storage facility

20
Keep Only What You Need

• Determine legal and regulatory requirements
• ICAO Practice Advisory suggests 15 years might be
  appropriate due to Limitations Act, 2002
• CRA
• generally is six years from end of tax year in
  question

21
Properly Destroying PI

• Physical copies
• Shred (this doesnt mean recycle!)
• Cross cut vs. strip
• Incinerate
• Pulverize
• Electronic copies
• Smash itrender the object unusable
• Disk wipe

22
Using An External Shredder

• Use a company accredited by NAID
• Ensure signed contract in place
• Spells out their obligation for secure
  destruction
• Provides written confirmation
• Allows witnessing of destruction
• Time limit
• ON priv comm has fact sheet on secure destruction
  that includes sample contract clauses
• http//www.ipc.on.ca/images/Resources/up-fact_10_e
  .pdf

23
6. Transferring Data Securely

• Fax machines
• Ensure confidential faxes are received in a
  secure location and that faxes are sent to the
  right fax number
• USB keys
• Purchase encryption software
• Protect your computers by configuring them not to
  accept unencrypted USB keys
• Encrypted e-mail
• Ensure your mail isnt being read
• Eg. Zixcorp, Echoworx
• Secure file transfer
• Eg www.yousendit.com

24
7. Being Prepared for a Privacy Breach

• Quickly being a case of not if, but when
• What is a privacy breach?
• Loss of personal information under your control
• Inadvertent
• Misplaced fax or laptop containing PI
• Paper files not destroyed properly
• Old computers with data still on hard drives
• Deliberate act
• Office break-in
• Computer hacker

25
Breach Notification

• Ontario is the only CDN jurisdiction to require
  breach notification
• Only pertains to health information custodians
• However, May 2007 parliamentary review of PIPEDA
  is advocating breach notification
• Certain breaches to be reported to Priv Comm
• Priv Comm to determine if notification required

26
Breach Policy

• Develop a breach policy to ensure proper
  procedures are followed
• Evaluate seriousness of breach
• How to ensure containment
• Notifying affected parties / Priv Comm
• Communication with media
• Tools available
• Incident Response Plan CICA Privacy website
• Breach Notification Assessment Tool
• www.ipc.on.ca

27
8. Employee Privacy

• PIPEDA only applies to employees of a federal
  work, undertaking or business
• Employees protected under provincial privacy acts
• British Columbia
• Alberta
• Quebec
• Employee personal information is information used
  to establish, manage or terminate an employment
  relationship

28
Surveillance Four Part Test

• The surveillance must be demonstrably necessary
  to meet a specific need
• It must be likely to be effective in meeting
  that need
• The loss of privacy must be proportional to the
  benefit gained
• The existence of a less privacy invasive way to
  meet the need must be considered
• Can be applied to video surveillance and
  e-mail/Internet monitoring

29
Employee Privacy Policy

• Best practice is to create a separate employee
  privacy policy
• Sends positive message to employees, especially
  if not required by law
• Often seen as add-on to Code of Conduct
• Communicate and obtain acknowledgement
• Consent is not optional
• Have employees sign they have read and understand
  the policy
• Make specific reference to important policies or
  procedures
• Surveillance
• E-mail
• Internet
• Policy must be enforced

30
What are Generally Accepted Privacy Principles
(GAPP)?

• A privacy framework to help organizations develop
  and assess their privacy program and privacy risk
• Developed by the CICA and AICPA
• To create a common North American standard
• Endorsed by ISACA and IIA

31
Generally Accepted Privacy Principles

• Access
• Disclosure to Third Parties
• Security for Privacy
• Quality
• Monitoring Enforcement

• Management
• Notice
• Choice Consent
• Collection
• Use Retention

32
The Benefits of GAPP

• Comprehensive
• Framework of over 60 measurable and relevant
  criteria
• Not just a list of principles
• Objective
• Developed by the auditing profession to
• Address international expectations
• Create a basis for comparability
• Universally available at no charge
• Relevant
• Widespread use and recognition
• Applicable for evaluating privacy risk
  enterprise-wide
• Recognized as suitable criteria for a privacy
  audit
• Can also be the basis for an internal assessment

33
Other CICA Privacy Resources

• Online privacy courses
• 20 Questions Businesses Should Ask About Privacy
  available in Sept 07
• Canadian Privacy Laws Map
• Privacy Guide for CA Firms
• Upcoming News Events
• Other Publications Toolkits
• FAQs

34
Contact Info

• www.cica.ca/privacy
• Nicholas F. Cheung, CA, CIPP/C
• Principal, Assurance Services Development
• CICA
• (416) 204-3251
• nicholas.cheung_at_cica.ca