Top Privacy Issues for Public Accountancy Firms - PowerPoint PPT Presentation

1 / 34

About This Presentation

Title:

Top Privacy Issues for Public Accountancy Firms

Description:

Top Privacy Issues for Public Accountancy Firms Nicholas F. Cheung, CA, CIPP/C The Canadian Institute of Chartered Accountants Agenda Privacy Defined Privacy Survey ... – PowerPoint PPT presentation

Number of Views:128

Avg rating:3.0/5.0

Slides: 35

Provided by: Nicholas191

Category:

more less

Transcript and Presenter's Notes

Title: Top Privacy Issues for Public Accountancy Firms

1
Top Privacy Issues for Public Accountancy Firms

Nicholas F. Cheung, CA, CIPP/C
The Canadian Institute of Chartered Accountants

2
Agenda

Privacy Defined
Privacy Survey Results
Overview of Canadian Privacy Laws
Top Privacy Issues
Generally Accepted Privacy Principles

3
Privacy Defined

Privacy
The rights and obligations of individuals and
organizations with respect to the collection,
use, retention and disclosure of personal
information
Personal Information (PI)
Information that is, or can be, about or related
to an identifiable individual
Home or e-mail address
Financial information
Consumer purchase history

4
Privacy Survey Results

More than half of all businesses believe
customers are now more concerned about privacy
than in the past
Despite advances in IT, businesses storing just
as much data on paper as on electronic format
1 in 2 businesses have a low to moderate
awareness of legal privacy responsibilities

one of the biggest challenges for most small
and medium businesses is to understand their
obligations under the privacy law.

Report of the Standing Committee on Access to
Information, Privacy and Ethics House of
Commons, May 2007
6
Private SectorPrivacy Laws

Federal (PIPEDA) Jan. 1, 2004
Applies to every organization that conducts
commercial activities
Except BC, AB, QC and ON (health only)
Applies to all cross-border transfers of PI
Does not apply to employee PI other than federal
work, undertaking or business
Overseen by Privacy Commissioner of Canada

7
Private Sector Privacy Laws

Provincial
Privacy laws deemed substantially similar to
PIPEDA
BC/AB Personal Information Protection Act
(PIPA)
QC Act Respecting the Protection of Personal
Information in the Private Sector
ON Personal Health Information Protection Act
(PHIPA)
Applies to collection, use and disclosure of PI
within a province
Each province/territory has a privacy
commissioner

8
Top Privacy Issues

Establishing a privacy policy
Allowing clients access
Training your employees
Protecting wireless gadgets

Retention Destruction
Transferring data securely
Being prepared for a privacy breach
Employee privacy

9
Establishing Your Privacy Policy

A must for your clients and your employees
1 in 3 SMEs report either being
in the process of implementing or
have yet to implement a policy to oversee how the
company and its employees collect, use, and
disclose PI
If there is ever a privacy investigation, this is
the first thing an investigator will ask to see
Readily accessible and available when PI is first
collected from the individual
Include a copy with engagement letter or
reference it

10
Key Elements in a Privacy Notice

Notice to individuals, including the purpose(s)
for collecting personal information
Choices available to individuals and the consent
to be obtained
Collection of personal information
Use and retention of personal information
Access to individuals personal information
Disclosure of personal information to third
parties
Security of personal information
Quality of personal information
Monitoring and enforcement of privacy and
policies and procedures

11
2. Allowing ClientsAccess

Individuals should be
given access to their PI
informed of the existence, use and disclosure
allowed to correct errors
One of the more popular reasons cited for a
privacy compliant
1 in 5 companies have not implemented any method
to allow individuals to access their PI
30 days to respond under federal law

12
What To Include In Your Access Policy

Details required to document access request
Confirm identity
Date and details of request
How a search should be conducted
Which files, databases should be reviewed
Informing the individual about potential costs
Should be provided at no or minimal cost
Access should be free but charging for copies
allowed
When the CPO should be informed
Unable to fulfill request
Delay required beyond 30 days

13
3. Training Your Employees

The weak link in many companies privacy chain
is the untrained employee. Awareness training is
not an option, its a necessity!
Fran Faier
Executive Director, TRUSTe

14
Why Train Staff on Privacy?

Required by law
Minimize employee errors
Majority of breaches caused by employee error,
not by external attacks
Minimize customer frustration
Know what to collect, why and how to access
Reinforce culture of privacy
Customer confidentiality is a core value
Contractual requirement

15
What Should Your Staff Know?

Know that privacy is protected by law
May be a sensitive issue with clients
Know what PI is in the context of your business
Personal income tax info, SINs, client investment
statements
Understand how PI will be collected, used and
disclosed
Be familiar with and be able to reference privacy
policy
Provide a copy to clients upon request
Understand when issues should be escalated
Reinforce privacy concepts by referring to
privacy within employee confidentiality and
technology use agreements

16
4. Protecting Wireless Gadgets

You can have security without privacy,
but you cant have privacy without security.
Many breaches caused by employees are due to loss
of portable devices
Laptops
PDAs and Blackberries
USB keys
Points to consider
Do you really need to take PI offsite?
Take only what you need
Is it possible to anonymize?

17
Laptop Protection

Types of encryption for computers
Whole Disk
Virtual Disk
Folder
Biometric access
Swap passwords for a swipe of your finger
Lenovo laptops with this feature
Lock in car trunk if necessary to leave in car
Consider using a virtual private network to
reduce need for laptops

18
5. Secure Retention Destruction

Some recent headlines
Film set uses real health records
Private health records sold at auction
Dumped receipts end up in criminals possession
Police documents found blowing in Winnipeg wind

19
Benefits of a Retention and Destruction Policy

Protect your business
If you dont have it, you cant lose it
Reduce scope of access requests
Save costs
Less storage space
At the office
At the storage facility

20
Keep Only What You Need

Determine legal and regulatory requirements
ICAO Practice Advisory suggests 15 years might be
appropriate due to Limitations Act, 2002
CRA
generally is six years from end of tax year in
question

21
Properly Destroying PI

Physical copies
Shred (this doesnt mean recycle!)
Cross cut vs. strip
Incinerate
Pulverize
Electronic copies
Smash itrender the object unusable
Disk wipe

22
Using An External Shredder

Use a company accredited by NAID
Ensure signed contract in place
Spells out their obligation for secure
destruction
Provides written confirmation
Allows witnessing of destruction
Time limit
ON priv comm has fact sheet on secure destruction
that includes sample contract clauses
http//www.ipc.on.ca/images/Resources/up-fact_10_e
.pdf

23
6. Transferring Data Securely

Fax machines
Ensure confidential faxes are received in a
secure location and that faxes are sent to the
right fax number
USB keys
Purchase encryption software
Protect your computers by configuring them not to
accept unencrypted USB keys
Encrypted e-mail
Ensure your mail isnt being read
Eg. Zixcorp, Echoworx
Secure file transfer
Eg www.yousendit.com

24
7. Being Prepared for a Privacy Breach

Quickly being a case of not if, but when
What is a privacy breach?
Loss of personal information under your control
Inadvertent
Misplaced fax or laptop containing PI
Paper files not destroyed properly
Old computers with data still on hard drives
Deliberate act
Office break-in
Computer hacker

25
Breach Notification

Ontario is the only CDN jurisdiction to require
breach notification
Only pertains to health information custodians
However, May 2007 parliamentary review of PIPEDA
is advocating breach notification
Certain breaches to be reported to Priv Comm
Priv Comm to determine if notification required

26
Breach Policy

Develop a breach policy to ensure proper
procedures are followed
Evaluate seriousness of breach
How to ensure containment
Notifying affected parties / Priv Comm
Communication with media
Tools available
Incident Response Plan CICA Privacy website
Breach Notification Assessment Tool
www.ipc.on.ca

27
8. Employee Privacy

PIPEDA only applies to employees of a federal
work, undertaking or business
Employees protected under provincial privacy acts
British Columbia
Alberta
Quebec
Employee personal information is information used
to establish, manage or terminate an employment
relationship

28
Surveillance Four Part Test

The surveillance must be demonstrably necessary
to meet a specific need
It must be likely to be effective in meeting
that need
The loss of privacy must be proportional to the
benefit gained
The existence of a less privacy invasive way to
meet the need must be considered
Can be applied to video surveillance and
e-mail/Internet monitoring

29
Employee Privacy Policy

Best practice is to create a separate employee
privacy policy
Sends positive message to employees, especially
if not required by law
Often seen as add-on to Code of Conduct
Communicate and obtain acknowledgement
Consent is not optional
Have employees sign they have read and understand
the policy
Make specific reference to important policies or
procedures
Surveillance
E-mail
Internet
Policy must be enforced

30
What are Generally Accepted Privacy Principles
(GAPP)?

A privacy framework to help organizations develop
and assess their privacy program and privacy risk
Developed by the CICA and AICPA
To create a common North American standard
Endorsed by ISACA and IIA

31
Generally Accepted Privacy Principles