Doing privacy ‘rights’ vs doing privacy... (ISACA, 2017-10-27)
TRANSCRIPT
CONTROL vs JUSTICE
A strong control-driven privacy protection approach =
• minimum behaviours to avoid regulatory oversight
• focusing initiatives on internal stakeholders
• operating an information ownership strategy (Greenaway and Chan, 2013)
A strong justice-driven privacy protection approach =
• focus privacy initiatives on all stakeholders
• embed privacy into externally focused programs such as CSR; value trust and reputation highly
• demonstrate an information stewardship strategy (Greenaway and Chan, 2013)
A ‘culture of caring’ (Ponemon & Accenture, 2015).
INFORMATION OWNERSHIP vs INFORMATION STEWARDSHIP
Information ownership refers to the possession of, responsibility for, and control over that information (Loshin, 2002).
Information stewardship reflects Fair Information Privacy Practices (FIPPs), and is intended to convey a trust level of responsibility toward the information (Rosenbaum, 2010). No matter what, the organisation remains responsible and retains oversight of the processing of that information.
DOING RIGHT
What if organisations implemented privacy initiatives that were driven by, and aimed at, enhancing the consumer-trust relationship (instead of focusing on the ‘culture of compliance’)?
SO WHAT?
Results from a recent global survey (Accenture and Ponemon, 2015) determined that organisations that exhibit a ‘culture of caring’ with respect to information privacy protection are far less likely to experience privacy breaches.
€€€!!! These organisations tend to see themselves as stewards of the information, taking actions BEYOND regulatory compliance to protect the information ENTRUSTED to them.
Trust under the microscope
“The intention to accept vulnerability based upon positive expectations of the intentions or behaviour of another” (Rousseau et al., 1998) … has values in congruence with one’s own values, particularly in new or high-risk situations (Sitkin & Roth, 1993).
Components of Trust (Dietz and Hartog, 2006):
• Ability
• Benevolence
• Integrity
• Predictability
Where to look:
• CSR reports of some of the Fortune 500 technology companies
• Privacy disclosures and policies of same companies
• Looking for themes: TRUST, CONTROL, JUSTICE, EXCEEDING
Key Findings:
• Privacy Protection as a Tool to Enhance Consumer-Trust
• Privacy Protection as a Risk Management Objective
• Privacy Protection as Compliance ‘Problem-to-be-Solved’
• Privacy Protection as a Cost-to-be-Minimised
TRUST
• IBM: A company must be true to its values in all of its activities — both internal and external. IBM’s core values have remained consistent and are embedded in all our citizenship activities. These values are… Trust and personal responsibility in all relationships.
• CISCO: Doing business honestly, ethically, and with integrity helps us build long-term, trusting relationships with our employees, customers, suppliers, and stakeholders worldwide.
• IBM: Your privacy is important to IBM; maintaining your trust is paramount to us.
• CISCO: We are committed to maintaining the trust of our stakeholders by advocating for global standards, improving product security, and protecting data privacy to enable widespread access to information...
• HP: Maintain HP’s position as the most trusted private sector advisor to regulators by upholding an industry-leading privacy program that anticipates trends such as big data, cloud computing, Internet of Things…
• M’SOFT: measures to continue to meet commitments to data privacy/security and earn customers’ trust include expanding encryption across our services, providing choice/transparency on data location, stronger legal protections for customers.
CONTROL
• Samsung: announced its Global Policy on Personal Information to reinforce data protection, and has policies in place that reflect regional regulatory environments and local characteristics. We operate a Privacy Legal Management System through which lawyers in charge of this issue review whether the company’s policy is reflected throughout the stages of products and services.
• Cisco: Our commitment to an approach that balances protecting user data privacy and the rule of law.
• Facebook: If the ownership or control of all or part of our Services or their assets changes, we may transfer your information to the new owner.
• Apple: We have developed powerful tools to help others adhere to our strict standards.
JUSTICE
• IBM’s long-standing commitment to policies of equal opportunity, fairness and diversity — from our stand against segregation in the 1950s, to our pioneering protection of employees’ genetic privacy, to our staunch defense of our clients’ data against government intrusions.
• Cisco: We advocate for strong freedom of expression and privacy protections, which we believe are fundamental to successful business innovation and a thriving society.
• Apple: Our business model is very straightforward: We sell great products. We don’t build a profile based on your email content or web browsing habits to sell to advertisers. We don’t “monetize” the information you store on your iPhone or in iCloud. And we don’t read your email or your messages to get information to market to you.
• IBM: are extending our long history of leadership in privacy and data protection to our new areas of strategic focus.
• Google: We want to be a responsible steward of the information we hold. We recognize our responsibility to protect the data that users entrust to us.
EXCEED
• HP’s Chief Privacy Officer co-chairs the project’s research team, which is developing a code of ethics to guide companies and other organizations that work with big data.
• HP: strive to provide protections across all of our operations that EXCEED legal minimums and to deploy consistent, rigorous policies and procedures.
• Dell is committed to engaging in the process to help shape public policy in a responsible and transparent way to ensure the interests of customers, employees and other stakeholders are fairly represented at all levels of government.
• Cisco: In addition to regulatory compliance, we voluntarily support several ambitious and successful industry-led initiatives, such as the Online Privacy Alliance and TRUSTe, which are well respected efforts that achieve a reasonable balance between consumer protection and business requirements.
• IBM employs some of the industry’s most sophisticated, enterprise-level security capabilities to protect our clients and their data.
• MSoft: We’ve led our industry with privacy protections such as our commitment to not scan Microsoft Outlook email services for targeting online advertising. …the 1st companies to sign the Student Privacy Pledge developed by the Future of Privacy Forum to establish a common set of principles to protect the privacy of student info.
[Slide chart, text only recoverable: categories Enhance Consumer Trust; Risk Management; Cost to be minimised; Compliance problem to be solved; company label: Microsoft]
Key Elements of a Privacy Culture?
• Information Stewardship
• Privacy Governance
• Privacy embedded into all projects
• Information initiatives require privacy sign-off
• Privacy awareness training for all stakeholders
• Stakeholder focus: 360
• The Consumer is central to all privacy protection initiatives
• Privacy is not optional
• Privacy reported as a CSR
What would ‘Doing Right’ look like?
• Exceeding compliance, where compliance is the baseline, not the end-goal. Policies and T&Cs are living working documents, not just legal requirements.
• The implementation of a justice-based set of non-binding rules such as the OECD’s Fair Information Privacy Practices.
• Accreditation to trust seals: a possible ‘nutritional label’ for privacy.
• The provision of data protection and privacy awareness training to both internal and external customers.
• Published privacy initiatives in CSR and Transparency Reports.
• The incorporation of Privacy by Design principles, ‘baked in’ from the onset of projects involving personal information.
Conclusion
• Organisations need to remind themselves that the personal data that they collect and process does not belong to them.
• Trust is fundamental to the sustainability of the consumer relationship.
• Organisations that can demonstrate how seriously they take their information custodian responsibilities will experience greater consumer engagement and fewer privacy breaches.
• Organisations need to be cognisant of the EU’s proposed Digital Ethics Regulation.