Privacy Policy from the Business Perspective - PowerPoint PPT Presentation
1
Privacy Policy from the Business Perspective

February 14, 2002 Chris Farkas
2
ENSURING THAT YOUR ORGANIZATION IS PRIVACY
COMPLIANT
Personal information privacy and the various
legislation, regulations and guidance thereon
raise complex issues. This presentation is
designed to provide a general overview of some of
the issues in ensuring organizations are privacy
compliant. It is not intended to provide legal
advice. Participants should obtain professional
advice for specific issues. Neither the sponsor,
Deloitte Touche LLP, nor the presenter can accept
responsibility for reliance on the contents of
this presentation.
3
AGENDA
  • Privacy: What's all the fuss about?
  • The Privacy Tool Kit
  • Some Observations from the Field
  • Suggestions for the Road Ahead

4
PRIVACY
  • WHAT'S ALL THE FUSS ABOUT?

5
Why Worry Now?
  • "People are willing to feign outrage on command,
    until they see the benefits of relinquishing
    their privacy. People are not going to worry much
    about privacy unless some really horrible
    things are done, which I don't think corporations
    are stupid enough to do."
  • Interview with Michael Lewis, author of
    "Next", July 18, 2001, with host Katherine
    Mieszkowski, "Thank God for the Internet",
    Salon (magazine).

6
SOME HORROR STORIES
  • A telecommunications company donated computer
    printouts to local day care centres as drawing
    paper. The issue: on one occasion, the printouts
    included customers' names and card numbers. The
    cost: 500 000 (forced to recall and reissue the
    calling cards) and significant public embarrassment.
  • A funeral home contacted a woman to offer her its
    services shortly after she was diagnosed with
    terminal cancer. The issue: a member of the
    hospital staff provided the funeral home with
    details of the woman's illness. The cost: serious
    distress on the part of the woman and her family;
    a lawsuit against the funeral home and the
    hospital; the case was widely reported in the media
    (reputational damage).

7
SOME HORROR STORIES
  • A company employed visitor-tracking software in
    order to gain an understanding of which of its
    web pages received the most visitors. The issue:
    in effect, the software installed acted as a web
    bug capable of tracking and profiling surfers
    without their permission, without their knowledge
    and without using a cookie. The cost: severe
    damage to credibility; future impact?
  • While millions of Americans watched the Super
    Bowl on February 3rd, 2002, TiVo was watching
    subscribers.

8
eCOMMERCE
  • 46% of online consumers are extremely or very
    concerned about the privacy of their personal
    information.
  • Only 40% believe that companies will honour their
    posted privacy policies.
  • (Gallup, Jan 16, 2001)

9
APPROACHING PRIVACY COMPLIANCE
  • A TOOL KIT

10
(No Transcript)
11
ASSESSING
12
DESIGNING
13
DESIGNING
14
IMPLEMENTING
15
ASSURING
MONITORING AND REPORTING: management processes to
ensure compliance with organizational privacy
policies and procedures, as well as internal and
external independent reviews and audits to ensure
compliance with legislation and regulations.
  • Establish organizational procedures to:
    • Monitor
    • Establish privacy metrics and specific criteria
      (when, timeliness) for compliance
    • Establish management processes to monitor the
      performance of the organization's privacy
      activities
    • Monitor complaints and inquiries

16
COMPLYING WITH THE OBLIGATIONS: IMPLEMENT
MANAGEMENT AND TECHNOLOGY SOLUTIONS
  • COMPLAINTS
  • REQUESTS
  • CONTRACT NEGOTIATION
  • SECURITY
  • HUMAN RESOURCES
  • RETENTION
  • DESTRUCTION
  • PHYSICAL
  • ORGANIZATIONAL
  • TECHNOLOGICAL
  • CAPTURING CONSENT
  • AUDIT TRAILS
  • ESCALATION OF ISSUES

17
Some Observations from the Field
18
Some Observations from the Field
  • Striking the balance between appropriate
    disclosure and providing too much information
  • Privacy initiatives highlight many gaps and
    projects in which privacy needs to be addressed.
    When is due diligence achieved?
  • "Give Us a Policy" requests from clients
    • Looking for templates
    • Too far removed from realities of the
      organization's own internal processes
    • Consequences: policy is shelved, or organization
      tries to redesign internal processes to fit the
      policy.

19
Some Observations from the Field
  • Operationalizing privacy is a challenge
    • How do I tailor this to my environment?
    • Wide variety of practices in business
    • Guidance?
  • "In the evolving, jumbled world of e-commerce and
    individual preferences, the government's role is
    not to dictate the terms of privacy contracts
    ahead of time, but to enforce privacy contracts
    that companies have made with consumers... bad
    privacy agreements are deceptive trade practices."
  • Jonathon Bick, author of "10 Things You Need
    to Know about Internet Law", interview by Doug
    Isenberg of GigaLaw.com

20
Some Observations from the Field
  • How to manage consent?
    • What should the appropriate standards be?
    • What should the consent look like?
    • How do you manage consent once it is captured?
  • Especially in the US, addressing privacy in a
    multi-regulated environment is complex. Local vs.
    Federal vs. Global: which takes precedence?

21
Some Observations from the Field
  • Misperceptions in business
    • Paper vs. Data: "Privacy is an online issue"
    • "Privacy = Network and Database Security"
  • If organizations fail to conduct an inventory of
    their personal information and data flows, they
    will likely create a policy which does not
    accurately reflect their business.
    • Policies fail to reflect organizations' actual
      systems capabilities and practices
    • Privacy policies often fail to contemplate third
      party relationships and data flows

22
Some Observations from the Field
  • Technology related
    • Systems management is increasingly complex,
      making information and data flows harder to
      manage. Privacy risks multiply when organizations
      grow quickly or if mergers and acquisitions
      occur.
    • Company technical infrastructure may be incapable
      of incorporating policies and controls required
      to comply with privacy principles such as consent
      and safeguards.
    • There is a general lack of understanding by
      companies of what the technology that they have
      implemented does, and has the potential to do.

23
Some Observations from the Field
  • Tools
    • P3P: we're helping clients understand it,
      although many have not yet implemented. This may
      be risky given IE dominance.
    • Automated policy generators
      • Have not employed these with clients
      • Good guidance, but highly dependent on the
        knowledge of the individual answering the
        questions.

24
In Summary
  • Companies want to:
    • Comply with regulations
    • Enhance brand
    • Leverage data
    • Provide a better user experience
  • However, companies:
    • Are hampered by legacy systems
    • Are confused by the distinctions between security and
      privacy
    • Have a lack of understanding and knowledge about
      their technology
    • Do not have clear guidance
    • Are too focused on perfunctory policies

25
Suggestions for the Road Ahead
  • Privacy compliance initiatives should begin with:
    • Inventory of information (data and paper)
    • Documentation of data flows and information
      management
    • Gap assessment in relation to the 10 Principles
      and industry (or other) best practices and
      standards
    • Developing policies specific to the organization
  • Privacy should be incorporated into brand
    management.

26
ANY QUESTIONS?
27
FOR FURTHER INFORMATION, PLEASE CONTACT
  • CHRIS FARKAS
  • cfarkas_at_deloitte.ca
  • (604) 640 3149
  • Four Bentall Centre
  • Suite 2100 - 1055 Dunsmuir Street
  • Vancouver, BC
  • V7X 1P4
  • Canada