Post on 26-Dec-2015
Information Resource Management Association of Canada
Privacy and Commerce
March 2001
Session Overview
• A Sense of Privacy
• Privacy Law Framework
• Canada's Personal Information Protection and Electronic Documents Act
• Corporate Compliance Strategies
A Sense of Privacy
• What is it?
• Personal information is any information about an identifiable individual, e.g.: information about physical or mental health, health services provided, donation of body parts or substance, social insurance number, name, address, telephone number, employment, criminal or educational history, travel or entertainment information, financial information, internet browsing stream data, location, family, fingerprints, blood type, opinions, DNA …
• What is a record?
• Any correspondence, memorandum, book, plan, map, drawing, diagram, pictorial or graphic work, photograph, film, microform, sound recording, videotape, machine-readable record and any other documentary material, regardless of physical form …
A Sense of Privacy
• “The right of individuals to determine for themselves when, how and to what extent information about them is communicated to others.” – Dr. Westin
• “Privacy is an emotional reaction to an action” - Scott Crosby
• “It’s about self-possession, autonomy and integrity. As we move into the computerized world of the twenty-first century, privacy will be one of our most important civil rights” - Simson Garfinkel
A Sense of Privacy
We have reached a point where we know less about ourselves than do the government, marketers, financial institutions, health care providers and entertainment and hospitality providers.
A Sense of Privacy
Taken to an extreme, which is where we seem to be going anyway, we will soon accept the word “surveillance” the way we do “pollution”, as if intrusions into our private lives are just a normal and acceptable part of modern living.
A Sense of Privacy
“Privacy is perhaps the biggest social issue of the Internet age, and today’s practices don’t just suck, they’re downright unconstitutional”
“There’s five billion dollars sitting on the table for the company that figures out how to give people control back over their information”
– Fred Davis, founder and CEO, Lumeria – Atlantic Monthly, March 2001
A Sense of Privacy
Marissa Gluck, an analyst at Jupiter Research… “Privacy is the most over-hyped issue I’ve seen. It’s a way for politicians and gadflies to grandstand on an issue that the press love to hype. It gets everyone ink.” – Business 2.0, January 9, 2001
A Sense of Privacy
November 1999: Personalized Marketing and Privacy on the Net: What Consumers Want
Privacy & American Business
Key Messages of the Survey
• A majority of Internet users (61%) say they would be positive toward receiving banner ads tailored to their personal interests rather than receiving random ads. This represents about 56 million adult users interested in such personalization.
• More than two-thirds of Internet users (68%) say they would provide personal information in order to receive tailored banner ads, if notice and opt out are provided. This represents about 63 million adult users.
A Sense of Privacy
Privacy is not a component of Security; Security is one means of achieving Privacy
Privacy Law Framework
Based on Fair Information Practices
Govern the:
• Collection
• Use
• Disclosure
• Retention
Privacy Law Framework
• Two national laws in Canada
• Provincial laws
• US laws; 14 at national level and more coming
• OECD Guidelines: Privacy protection laws have been introduced, or will be introduced shortly, in approximately one half of OECD Member countries (Austria, Canada, Denmark, France, Germany, Luxembourg, Norway, Sweden and the United States have passed legislation. Belgium, Iceland, the Netherlands, Spain and Switzerland have prepared draft bills) to prevent what are considered to be violations of fundamental human rights, such as the unlawful storage of personal data, the storage of inaccurate personal data, or the abuse or unauthorised disclosure of such data.
OECD – www.oecd.fr
Privacy Law Framework - OECD
BASIC PRINCIPLES OF NATIONAL APPLICATION
1) Collection Limitation Principle (limits, lawful, fair and with knowledge)
2) Data Quality Principle (relevant to purpose, accurate and complete)
3) Purpose Specification Principle (at time of collection)
4) Use Limitation Principle (no disclosure or use other than original)
5) Security Safeguards Principle (against loss, access, destruction, use and modification)
6) Openness Principle (policies, practices and available)
7) Individual Participation Principle (access)
8) Accountability Principle (for measures to give effect)
http://www.oecd.org//dsti/sti/it/secur/prod/PRIV-EN.HTM
Privacy Law Framework
• Approximately 60 countries with data protection directives or laws
• All cover basics, but some are sectoral or procedural
• Laws often re-form themselves into industry sector-wide codes
• Cover personal information, usually regardless of electronic transfer or hardcopy
Canada’s Personal Information Protection and Electronic Documents Act
•Result of consensus of industry-government working group of Canadian Standards Association
•In response to increased public concern over technological advances intruding on privacy
•The Act strikes a balance between an individual's right to the protection of personal information and the need of organizations to obtain and handle such information for legitimate business purposes.
•The Act establishes rules for the management of personal information by organizations involved in commercial activities
Canada’s Personal Information Protection and Electronic Documents Act
Purpose – to establish rules to govern the collection, use and disclosure of Personal Information to recognize the right of privacy and to recognize the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate
Canada’s Personal Information Protection and Electronic Documents Act
Applies to organizations that collect, use and disclose Personal Information in the course of commercial activity
• Customer information
• Employee information
Does not apply to:
• Organizations covered by the Privacy Act
• Collection, use and disclosure for domestic purposes
• Journalistic, artistic and literary purposes
Takes precedence over subsequent laws unless they excuse themselves
Canada’s Personal Information Protection and Electronic Documents Act
Phased Application
• 2001 – federal works and undertakings
  • Banks, inter-provincial transportation, radio broadcasters, cross-border disclosures
• 2002 – personal health information
• 2004 – every entity conducting commercial activity
Canada’s Personal Information Protection and Electronic Documents Act
Ten Principles:
1. Accountability
2. Identifying Purpose
3. Consent
4. Limiting Collection
5. Limiting Use, Disclosure and Retention
6. Accuracy
7. Safeguards
8. Openness
9. Access
10. Challenging Compliance
Facts by design
– Government of Canada 1998-99:
• 36,000 requests, $15 million, $550 each
– Ontario 98-99:
• 10,000 requests
– US DOD FOIAP Requests 1999:
• 97,000, $32 million, 776 staff
– Office of the Privacy Commissioner of Canada
• 99/00 complaints <1,600, 15 staff and $4.5 million
– Ontario Privacy Commissioner
• 1999 806 complaints, $6.5 million
Canada’s Personal Information Protection and Electronic Documents Act
Complaints filed with the Privacy Commissioner
• Complaints can be filed with the Commissioner against an organization for contravening privacy obligations under the Act or the ten principles
• Commissioner may initiate an investigation upon reasonable grounds
• Refusal complaints must be filed within 6 months, or as Commissioner sees fit, after the refusal or deemed refusal
• Commissioner shall give notice to the institution
Canada’s Personal Information Protection and Electronic Documents Act
Investigation of Complaints
• Commissioner must investigate
• Has powers of summons, taking oaths, entering premises, obtain copies etc.
• May use dispute resolution mechanisms
• Commissioner must report, within one year, his findings and recommendations, settlements, recourse
• Only then can a complainant apply to Federal Court for a hearing
Canada’s Personal Information Protection and Electronic Documents Act
Remedies
• Court can order organization to correct practices
• Order an organization to publish a notice of any action taken or proposed
• Award damages to complainant, including for humiliation
Canada’s Personal Information Protection and Electronic Documents Act
Audits
• Commissioner may audit personal information management practices of an organization
• Commissioner must provide a report to the organization
• Commissioner may make audit results public
• Commissioner may make public any information relating to the personal information management practices of an organization
Canada’s Personal Information Protection and Electronic Documents Act
Refusal of Access
• Solicitor-client protected information
• Confidential commercial information
• Personal information about a third party
• Personal information that could threaten the life or security of another individual
• Information collected under 7 (1) (b) (collected without consent due to law enforcement)
• Formal dispute resolution process information
• Information can be severed
Corporate Compliance Strategies
• Recognize business value in privacy management
• Privacy enhanced services and products
• Corporate differentiator
• Volvo - safety, ? - privacy
• Can’t forget employees
• Hire CPOs
• Wonder who let the dogs out?
Corporate Compliance Strategies
The Public/Consumer…
• Develop common expectations
• Lead the way for cultural change
• Seek access
• Fringe customer
“Improved customer service will probably have to wait a decade for the realization that what the customer wants is fairness, efficiency and privacy.” MISS MANNERS – Time Canada
Corporate Compliance Strategies
“54% of those polled decided not to use a company or buy because they were unsure of how their personal information would be used.”
Source: IBM-Harris 1999 Multi-National Consumer Privacy Survey
“31 % of respondents will not make online purchases this holiday season, and two out of five Internet users (38 %) will limit the amount they spend online because of concerns about security or privacy”
Source: Fiderus/Yankelovich Survey , 2000
Corporate Compliance Strategies
http://www.pandab.org/
Corporate Compliance Strategies
Privacy Code
• Introduction - purpose
• Reference to authority, internal/external
• Roles: CPO, IM, Legal, Point of contact
• Scope
• Principles - CSA etc.
• Definitions – personal information etc.
• Regular review
• Collection – with consent, without, what is collected
• Use – with consent, without
• Disclosure – with, without
• Requesting access, timing, refusals
Corporate Compliance Strategies
What should a Code do?
• reassure
• strike balance
• build trust/partnership
• engage customers
• engage employees
• enhance customer – company relationships
• enhance employee – company relationships
• meet any growing demand and customer expectations
• competitive edge
Corporate Compliance Strategies
Corporate Roles and Responsibilities
Led by a CPO
Product/services development
Human Resources
Information Management
Customer relations
Audit/internal review
Regional/International perspective
Legal Representative
Corporate Compliance Strategies
10 Easy Steps
1. Be the Front Goose
2. Strategic Planning
3. Information Management
4. Change management
5. Customer Relations
6. Employees
7. Systems/Processes
8. Implementation
9. Analysis/Measurement
10. Inertia
Corporate Compliance Strategies
Privacy Strategy
• Change Management
• Leadership
• Appoint a CPO
• Build a team
• Procedural infusion
• Campaign for cultural change and perspective
• Training plan
• Training, training, training
• Regional/functional/international components
• Legal representative/Business development
• Corporate Strategic initiatives
Corporate Compliance Strategies
Privacy and Commerce Strategy
• Goals
• Privacy Infrastructure impact analysis
• Privacy Infrastructure’s impact on other business activities
• CRM
• Solid privacy infrastructure brings them back
• Personalized services possible
• Individual control is key
• Corporate-wide approach
• External/Internal Marketing of Privacy Management
• Cost
• Forecast/predict
• Gap analysis – what needs to be done?
Points to Take Home
1. Privacy is important
2. Accountable person(s)
3. Limits collection, use, disclosure and retention of personal information
4. Consent is required for collection, use and disclosure
5. Security and safeguards
6. Openness regarding policies and practices
7. Individuals have access (accuracy)
8. Individuals can complain
9. Privacy Commissioner can initiate a complaint, investigation and/or audit
10. Federal Court has final say