Information Resource Management Association of Canada
December 18, 2002
An IRM Perspective on Privacy Compliance
Karen Spector, B.Sc., Ed.M. (Harvard), LL.B.
Topics
• Why IRMAC members need to know about privacy
• An overview of relevant privacy legislation
• Some “IRM” issues
• Privacy compliance
• Summary

Privacy legislation applies to organizations that collect, use, and disclose personal information, and to the organizations with whom they enter into transactions or contracts.
Personal Information
Any information
• recorded or not,
• about, or relating to, an identifiable individual.
– employee, patient, contract staff, associate, supplier, customer, subscriber, prospective client, consultant, and member of the public.
Personal Information
Examples of personal information
• name
• residential address and telephone number
• date of birth and date of death
• unique identifying numbers (SIN, OHIP)
• income and salary
• credit records and loan records
• intentions (for example to acquire goods/services or change jobs)
• opinions of others relating to the individual
• biometrics
• membership in a union
• personal health information (blood type, medical records, DNA)
• predictive genetic information
Personal Information
What’s “out”
– Contact information in a business, official, professional, or employment context (name, title, professional designation, address, telephone number, email address)
– An individual’s professional or official responsibilities and the manner in which an individual carries out those responsibilities
– De-identified, anonymized or aggregated information
– Publicly-available information
Why IRMAC Members Need to Know about Privacy
Manage personal information for:
• organizations that carry on commercial activities
• federal works, undertakings, or businesses
• the public sector
• organizations that enter into contracts with any of the above
• employers
Relevant Privacy Legislation
• 1988: Freedom of Information and Protection of Privacy Act applies to the Ontario public sector
• 1991: Municipal Freedom of Information and Protection of Privacy Act applies to municipal institutions in Ontario
• 2001: Personal Information Protection and Electronic Documents Act (“PIPEDA”) applies to commercial activities in federal works, undertakings and businesses and to inter-provincial and international transfers for consideration
Relevant Privacy Legislation
• 2002: Protection of Personal Information Act, 2002 (“Draft PPIA”) - Ontario’s Consultation Draft is issued in February
• 2004: “Substantially similar” Ontario legislation will apply to organizations, or PIPEDA will apply to all private sector commercial activities within Ontario.
Common Privacy Principles
• Accountability
• Identifying Purposes
• Consent
• Limiting Collection
• Limiting Use, Disclosure and Retention
• Accuracy
• Safeguards
• Openness
• Individual Access
• Challenging Compliance
Common Privacy Principles
Accountability
• An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the privacy principles.
Identifying Purposes
• The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
Common Privacy Principles
Consent
• The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
Limiting Collection
• The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
Common Privacy Principles
Limiting Use, Disclosure, and Retention
• Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
Accuracy
• Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
Common Privacy Principles
Safeguards
• Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
Openness
• An organization shall make available to individuals specific information about its policies and practices relating to the management of personal information.
Common Privacy Principles
Individual Access
• Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Challenging Compliance
• An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.
Differences between PIPEDA and Draft PPIA
PIPEDA
• Applies only to commercial activities.
• Oversight by the Privacy Commissioner of Canada, who can write reports.
• Same rules for personal information and personal health information.
Draft PPIA
• No commercial activities requirement.
• Oversight by the Information and Privacy Commissioner/Ontario, who can issue orders.
• Specific rules for personal health information in the custody or control of “health information custodians”.
What the Ontario Government is saying . . .
• In an August 2002 Consultation Update, the Ministry of Consumer and Business Services (“MCBS”) indicated that the draft legislation is expected to be introduced into the Legislative Assembly later this fall.
• In the most recent version of its Business Plan, MCBS' key strategies and commitments for 2001-2002 included introducing privacy legislation.
• At a meeting of the Board of Trade on October 31, 2002, Minister Clement (Ministry of Health and Long Term Care) stated that he was urging Minister Hudak (MCBS) to proceed with the legislation.
Privacy-Compliance: Deadline
• Generally, organizations in the private sector that collect, use, or disclose personal information will need to comply with privacy legislation no later than January 1, 2004.
• Compliance will involve making changes to information management systems, both human and technological.
• Organizations that act now will minimize the burden of privacy compliance and also, the potential risks of non-compliance.
Impact of Privacy Compliance
Depends on factors including:
– Which legislation applies (federal or provincial)
– Quantity and nature of personal information
– Number of employees, members . . .
– Third parties with whom information is shared
– Whether transfers of personal information are intra-, inter-, or extra-provincial (and whether or not for consideration)
– Current information management practices
– Resources
– Corporate culture
Compliance
Steps
• Designate accountable individual(s)
• Define the privacy framework
• Assess information management practices
• Develop privacy policies
• Implement the privacy policies
• Monitor and enforce
• Update or amend
Electronic Signatures
• Complaints to the Privacy Commissioner of Canada because a courier company demanded electronic signatures from parcel recipients upon delivery and then posted the signatures in the tracking section of the company website without consent.
– Paper receipt not an option
– Recipients’ name and address also posted with signature
– Not possible to remove electronic signatures from online tracking system due to company policy
Electronic Signatures
Commissioner’s investigation:
• Courier can use parcel identification number (PIN) to access customer’s personal information on the website
• Courier can use PIN variants to access other customers’ personal information
• Courier had not informed the complainants of its intention to use their electronic signatures for online tracking purposes or sought their consent
• Courier’s staff believed electronic signatures to be mandatory
• According to Courier’s policy, signatures could not be removed from the online tracking system.
Electronic Signatures
Courier’s position
• Access to online tracking system is protected by a PIN
• Variants only work 21 percent of the time
• Integrity of electronic signatures is protected by computer-generated distortion
• Company policy allows “alternate” electronic signatures and paper signatures
• Changed policy: individuals can have signatures removed on request
Electronic Signatures
Complaints were well-founded:
• A reasonable person would not have considered using electronic signatures in an online tracking system to be appropriate in any circumstances, especially given the potential for unauthorized disclosure of the signatures through simple manipulation of PINs.
• The electronic signatures had not been required to fulfil explicitly specified and legitimate purposes, and the Courier had therefore not been justified in demanding them as a condition of service.
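The courier case above turns on two design choices: a sequential PIN as the only key to a record, and a record that bundles the signature with the recipient's name and address. The following added example (not part of the presentation; the records are constructed sample data and the function names are mine) models that weak lookup next to a hardened one that uses an unguessable token, releases the signature only to the authenticated recipient who consented, and supports removal on request, as the Courier's amended policy allowed.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample data modelling the tracking site described in the
# complaints: a sequential parcel identification number (PIN) is the only key,
# and the record behind it carries the recipient's signature image.
@dataclass
class Parcel:
    name: str
    address: str
    signature_file: Optional[str]  # captured electronic signature image
    signature_consent: bool        # recipient agreed to online display?

SAMPLE = {
    "100234": Parcel("A. Example", "1 Main St", "sig-a.png", False),
    "100235": Parcel("B. Example", "2 Main St", "sig-b.png", True),
}

def weak_lookup(records, pin):
    """Before: the PIN alone returns the whole record, signature included."""
    return records.get(pin)

def live_identifier_density(records, pin_digits):
    """Audit metric: fraction of the PIN space backed by a live record.
    Sequential numbering packs live PINs together, so a 'variant' of one
    valid PIN has a good chance of landing on a neighbour's record."""
    return len(records) / 10 ** pin_digits

def reissue_with_tokens(records):
    """After: key each record by an unguessable random token instead."""
    return {secrets.token_urlsafe(16): parcel for parcel in records.values()}

def hardened_lookup(records, token, authenticated_recipient=None):
    """Public tracking shows delivery status only; the signature is released
    solely to the authenticated recipient, and only if they consented."""
    parcel = records.get(token)
    if parcel is None:
        return None
    view = {"status": "delivered"}
    if (authenticated_recipient == parcel.name
            and parcel.signature_consent and parcel.signature_file):
        view["signature_file"] = parcel.signature_file
    return view

def remove_signature(records, token):
    """Amended policy: remove a signature from the tracking system on request."""
    parcel = records[token]
    parcel.signature_file = None
    parcel.signature_consent = False
```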
Mergers & Acquisitions
• In addition to liability, organizations that do not consider privacy-related issues are exposed to two risk areas:
• reputation
• integration
Mergers & Acquisitions
Reputation
• Goodwill loss can undermine merger efficiencies.
• Must assess the risk that targetco has violated consumer privacy.
• Analyze targetco’s privacy policy and security measures, as well as the attitude of employees.
Mergers & Acquisitions
Integration
• Pre-merger due diligence is necessary to assure a smooth transition and helps maintain customer relationships.
• Need plan for integrating old data with new.
• Some privacy obligations will survive the merger.
• Need to assess targetco’s compliance with governing law.
• Need plan for security and privacy architecture at combined entity.
Mergers & Acquisitions
Transition Planning
• Buyers and sellers should be aware of the applicability of privacy laws and the targetco’s privacy policies to the sharing of data during the due diligence phase.
– Employees’ personal (health) information
– Customers’ personal information
– Requirements re consent and notice
– Transfers or disclosures to third parties

Mergers & Acquisitions
Sample Due Diligence Questions re Targetco
• What are the applicable laws? regulations? codes?
• Amount and type of personal information? medical? financial?
• How and from whom is personal information collected?
• How is personal information stored? retrieved? safeguarded? destroyed?
• Did Targetco obtain consent? If so, to which uses and disclosures?
• Does Targetco sell, trade, transfer, or barter personal information?
• Privacy policies?
• Privacy practices?
• Privacy breaches?
• Which privacy obligations survive the merger?
• Has Targetco been investigated by the Commissioner?
• Has Targetco been sued for privacy breaches?
Smart Cards
They are secure.
• Although the microprocessor and memory are contained on the same chip, there is no means of directly accessing data stored on a smart card from the outside.
• Data is segregated into separate silos, which are individually locked.
• Readers have different levels of access.
Smart Card Systems
But, is the personal information protected?
• Multi-use distinct identifiers may facilitate:
– Data linkage through the storing of personal information in centralized databases or by linking unrelated databases
– Data sharing, profiling, or transaction monitoring
– Dataveillance (monitoring of activities or communications)
• Systems designed for one purpose, such as expediting workers’ access to a job site, are extended over time to other purposes not originally intended, such as tracking attendance. (“Function creep”)
Identity Theft More Often an Inside Job*
• Threat more likely to come from insiders - employees with access to large financial databases who can loot personal accounts.
– Shift by identity thieves from going after single individuals to going after a mass amount of information.
– Half of all cases come from thefts of business databanks that aren’t properly safeguarded.
– Employee sold personal information (credit card numbers and chequing account information) on 30,000 people to scam artists for $60 per name. (2.7 million in losses so far.)
* Washington Post, December 3, 2002
Identity Theft More Often an Inside Job
• Privacy experts estimate that there are now one million cases of identity theft a year. (Security experts say half that.)
– Los Angeles County Sheriff’s Department expects 6000 cases in 2002.
– Federal Trade Commission received 70,000 complaints about identity theft during the first six months of 2002.
• Businesses are being created to respond to concerns about identity theft.
Summary
• IRMAC members need to know about privacy because their organizations collect, use, and disclose personal information. Some of these organizations are already regulated by public sector or federal privacy laws.
• The privacy-compliance deadline is January 1, 2004.
• The Commissioner is watching.
• Law enforcement is watching.
• The public is watching.
• Your competitors are watching.