Top Privacy Issues for Public Accountancy Firms - PowerPoint PPT Presentation

1
Top Privacy Issues for Public Accountancy Firms
  • Nicholas F. Cheung, CA, CIPP/C
  • The Canadian Institute of Chartered Accountants

2
Agenda
  • Privacy Defined
  • Privacy Survey Results
  • Overview of Canadian Privacy Laws
  • Top Privacy Issues
  • Generally Accepted Privacy Principles

3
Privacy Defined
  • Privacy
      • The rights and obligations of individuals and
        organizations with respect to the collection,
        use, retention and disclosure of personal
        information
  • Personal Information (PI)
      • Information that is, or can be, about or related
        to an identifiable individual
          • Home or e-mail address
          • Financial information
          • Consumer purchase history

4
Privacy Survey Results
  • More than half of all businesses believe
    customers are now more concerned about privacy
    than in the past
  • Despite advances in IT, businesses are storing just
    as much data on paper as in electronic format
  • 1 in 2 businesses have a low to moderate
    awareness of legal privacy responsibilities

5
  • "... one of the biggest challenges for most small
    and medium businesses is to understand their
    obligations under the privacy law."
  • Report of the Standing Committee on Access to
    Information, Privacy and Ethics, House of
    Commons, May 2007

6
Private Sector Privacy Laws
  • Federal (PIPEDA), Jan. 1, 2004
      • Applies to every organization that conducts
        commercial activities
          • Except in BC, AB, QC and ON (health only)
      • Applies to all cross-border transfers of PI
      • Does not apply to employee PI other than in a federal
        work, undertaking or business
      • Overseen by the Privacy Commissioner of Canada

7
Private Sector Privacy Laws
  • Provincial
      • Privacy laws deemed substantially similar to
        PIPEDA
          • BC/AB Personal Information Protection Act
            (PIPA)
          • QC Act Respecting the Protection of Personal
            Information in the Private Sector
          • ON Personal Health Information Protection Act
            (PHIPA)
      • Apply to collection, use and disclosure of PI
        within a province
      • Each province/territory has a privacy
        commissioner

8
Top Privacy Issues
  1. Establishing a privacy policy
  2. Allowing clients access
  3. Training your employees
  4. Protecting wireless gadgets
  5. Retention and destruction
  6. Transferring data securely
  7. Being prepared for a privacy breach
  8. Employee privacy

9
1. Establishing Your Privacy Policy
  • A must for your clients and your employees
  • 1 in 3 SMEs report that they are either still
    implementing, or have yet to implement, a policy
    to oversee how the company and its employees
    collect, use, and disclose PI
  • If there is ever a privacy investigation, this is
    the first thing an investigator will ask to see
  • Make it readily accessible and available when PI
    is first collected from the individual
  • Include a copy with the engagement letter or
    reference it

10
Key Elements in a Privacy Notice
  • Notice to individuals, including the purpose(s)
    for collecting personal information
  • Choices available to individuals and the consent
    to be obtained
  • Collection of personal information
  • Use and retention of personal information
  • Access to individuals' personal information
  • Disclosure of personal information to third
    parties
  • Security of personal information
  • Quality of personal information
  • Monitoring and enforcement of privacy and
    policies and procedures

11
2. Allowing Clients Access
  • Individuals should be
      • given access to their PI
      • informed of its existence, use and disclosure
      • allowed to correct errors
  • One of the more popular reasons cited for a
    privacy complaint
  • 1 in 5 companies have not implemented any method
    to allow individuals to access their PI
  • 30 days to respond under federal law

12
What To Include In Your Access Policy
  • Details required to document an access request
      • Confirm identity
      • Date and details of request
  • How a search should be conducted
      • Which files and databases should be reviewed
  • Informing the individual about potential costs
      • Should be provided at no or minimal cost
      • Access should be free, but charging for copies
        is allowed
  • When the CPO should be informed
      • Unable to fulfill request
      • Delay required beyond 30 days

13
3. Training Your Employees
  • "The weak link in many companies' privacy chain
    is the untrained employee. Awareness training is
    not an option, it's a necessity!"
  • Fran Faier, Executive Director, TRUSTe

14
Why Train Staff on Privacy?
  • Required by law
  • Minimize employee errors
      • Majority of breaches are caused by employee error,
        not by external attacks
  • Minimize customer frustration
      • Know what to collect, why, and how to access it
  • Reinforce a culture of privacy
      • Customer confidentiality is a core value
  • Contractual requirement

15
What Should Your Staff Know?
  • Know that privacy is protected by law
      • May be a sensitive issue with clients
  • Know what PI is in the context of your business
      • Personal income tax info, SINs, client investment
        statements
  • Understand how PI will be collected, used and
    disclosed
  • Be familiar with and be able to reference the privacy
    policy
      • Provide a copy to clients upon request
  • Understand when issues should be escalated
  • Reinforce privacy concepts by referring to
    privacy within employee confidentiality and
    technology use agreements

16
4. Protecting Wireless Gadgets
  • "You can have security without privacy,
    but you can't have privacy without security."
  • Many breaches caused by employees are due to loss
    of portable devices
      • Laptops
      • PDAs and Blackberries
      • USB keys
  • Points to consider
      • Do you really need to take PI offsite?
      • Take only what you need
      • Is it possible to anonymize?

17
Laptop Protection
  • Types of encryption for computers
      • Whole disk
      • Virtual disk
      • Folder
  • Biometric access
      • Swap passwords for a swipe of your finger
      • Lenovo laptops offer this feature
  • Lock in the car trunk if it is necessary to leave
    the laptop in a car
  • Consider using a virtual private network to
    reduce the need for laptops

18
5. Secure Retention and Destruction
  • Some recent headlines
      • Film set uses real health records
      • Private health records sold at auction
      • Dumped receipts end up in criminals' possession
      • Police documents found blowing in Winnipeg wind

19
Benefits of a Retention and Destruction Policy
  • Protect your business
      • If you don't have it, you can't lose it
      • Reduce the scope of access requests
  • Save costs
      • Less storage space
          • At the office
          • At the storage facility

20
Keep Only What You Need
  • Determine legal and regulatory requirements
      • ICAO Practice Advisory suggests 15 years might be
        appropriate due to the Limitations Act, 2002
      • CRA: generally six years from the end of the tax
        year in question

21
Properly Destroying PI
  • Physical copies
      • Shred (this doesn't mean recycle!)
          • Cross cut vs. strip
      • Incinerate
      • Pulverize
  • Electronic copies
      • Smash it: render the object unusable
      • Disk wipe

22
Using An External Shredder
  • Use a company accredited by NAID
  • Ensure a signed contract is in place that
      • Spells out their obligation for secure
        destruction
      • Provides written confirmation
      • Allows witnessing of destruction
      • Sets a time limit
  • The Ontario Privacy Commissioner has a fact sheet on
    secure destruction that includes sample contract clauses
      • http://www.ipc.on.ca/images/Resources/up-fact_10_e.pdf

23
6. Transferring Data Securely
  • Fax machines
      • Ensure confidential faxes are received in a
        secure location and that faxes are sent to the
        right fax number
  • USB keys
      • Purchase encryption software
      • Protect your computers by configuring them not to
        accept unencrypted USB keys
  • Encrypted e-mail
      • Ensure your mail isn't being read
      • E.g. Zixcorp, Echoworx
  • Secure file transfer
      • E.g. www.yousendit.com

24
7. Being Prepared for a Privacy Breach
  • Quickly becoming a case of not if, but when
  • What is a privacy breach?
      • Loss of personal information under your control
  • Inadvertent
      • Misplaced fax or laptop containing PI
      • Paper files not destroyed properly
      • Old computers with data still on hard drives
  • Deliberate act
      • Office break-in
      • Computer hacker

25
Breach Notification
  • Ontario is the only Canadian jurisdiction to require
    breach notification
      • Only pertains to health information custodians
  • However, the May 2007 parliamentary review of PIPEDA
    is advocating breach notification
      • Certain breaches to be reported to the Privacy
        Commissioner
      • Privacy Commissioner to determine if notification
        is required

26
Breach Policy
  • Develop a breach policy to ensure proper
    procedures are followed
      • Evaluate seriousness of breach
      • How to ensure containment
      • Notifying affected parties / Privacy Commissioner
      • Communication with media
  • Tools available
      • Incident Response Plan (CICA Privacy website)
      • Breach Notification Assessment Tool
        (www.ipc.on.ca)

27
8. Employee Privacy
  • PIPEDA only applies to employees of a federal
    work, undertaking or business
  • Employees protected under provincial privacy acts
      • British Columbia
      • Alberta
      • Quebec
  • Employee personal information is information used
    to establish, manage or terminate an employment
    relationship

28
Surveillance: Four-Part Test
  • The surveillance must be demonstrably necessary
    to meet a specific need
  • It must be likely to be effective in meeting
    that need
  • The loss of privacy must be proportional to the
    benefit gained
  • The existence of a less privacy invasive way to
    meet the need must be considered
  • Can be applied to video surveillance and
    e-mail/Internet monitoring

29
Employee Privacy Policy
  • Best practice is to create a separate employee
    privacy policy
      • Sends a positive message to employees, especially
        if not required by law
      • Often seen as an add-on to the Code of Conduct
  • Communicate and obtain acknowledgement
      • Consent is not optional
      • Have employees sign that they have read and
        understand the policy
  • Make specific reference to important policies or
    procedures
      • Surveillance
      • E-mail
      • Internet
  • Policy must be enforced

30
What are Generally Accepted Privacy Principles
(GAPP)?
  • A privacy framework to help organizations develop
    and assess their privacy program and privacy risk
  • Developed by the CICA and AICPA
  • To create a common North American standard
  • Endorsed by ISACA and IIA

31
Generally Accepted Privacy Principles
  • Management
  • Notice
  • Choice and Consent
  • Collection
  • Use and Retention
  • Access
  • Disclosure to Third Parties
  • Security for Privacy
  • Quality
  • Monitoring and Enforcement

32
The Benefits of GAPP
  • Comprehensive
      • Framework of over 60 measurable and relevant
        criteria
      • Not just a list of principles
  • Objective
      • Developed by the auditing profession to
          • Address international expectations
          • Create a basis for comparability
      • Universally available at no charge
  • Relevant
      • Widespread use and recognition
      • Applicable for evaluating privacy risk
        enterprise-wide
      • Recognized as suitable criteria for a privacy
        audit
      • Can also be the basis for an internal assessment

33
Other CICA Privacy Resources
  • Online privacy courses
  • 20 Questions Businesses Should Ask About Privacy
    available in Sept 07
  • Canadian Privacy Laws Map
  • Privacy Guide for CA Firms
  • Upcoming News and Events
  • Other Publications and Toolkits
  • FAQs

34
Contact Info
  • www.cica.ca/privacy
  • Nicholas F. Cheung, CA, CIPP/C
  • Principal, Assurance Services Development
  • CICA
  • (416) 204-3251
  • nicholas.cheung_at_cica.ca