Information Resource Management Association of Canada: Privacy and Commerce, March 2001


Page 1: Information Resource Management Association of Canada

Privacy and Commerce

March 2001

Page 2: Session Overview

• A Sense of Privacy
• Privacy Law Framework
• Canada's Personal Information Protection and Electronic Documents Act
• Corporate Compliance Strategies

Page 3: A Sense of Privacy

• What is it?

• Personal information is any information about an identifiable individual, e.g. information about physical or mental health, health services provided, donation of body parts or substances, social insurance number, name, address, telephone number, employment, criminal or educational history, travel or entertainment information, financial information, internet browsing stream data, location, family, fingerprints, blood type, opinions, DNA …

• What is a record?

• Any correspondence, memorandum, book, plan, map, drawing, diagram, pictorial or graphic work, photograph, film, microform, sound recording, videotape, machine-readable record and any other documentary material, regardless of physical form …

Page 4: A Sense of Privacy

• “The right of individuals to determine for themselves when, how and to what extent information about them is communicated to others.” – Dr. Westin

• “Privacy is an emotional reaction to an action.” – Scott Crosby

• “It’s about self-possession, autonomy and integrity. As we move into the computerized world of the twenty-first century, privacy will be one of our most important civil rights.” – Simson Garfinkel

Page 5: A Sense of Privacy

We have reached a point where we know less about ourselves than do the government, marketers, financial institutions, health care providers and entertainment and hospitality providers.

Page 6: A Sense of Privacy

Taken to an extreme, which is where we seem to be going anyway, we will soon accept the word “surveillance” the way we do “pollution”, as if intrusions into our private lives are just a normal, and acceptable part of modern living.

Page 7: A Sense of Privacy

“Privacy is perhaps the biggest social issue of the Internet age, and today’s practices don’t just suck, they’re downright unconstitutional.”

“There’s five billion dollars sitting on the table for the company that figures out how to give people control back over their information.”

– Fred Davis, founder and CEO of Lumeria, Atlantic Monthly, March 2001

Page 8: A Sense of Privacy

Marissa Gluck, an analyst at Jupiter Research: “Privacy is the most over-hyped issue I’ve seen. It’s a way for politicians and gadflies to grandstand on an issue that the press love to hype. It gets everyone ink.” – Business 2.0, January 9, 2001

Page 9: A Sense of Privacy

November 1999: Personalized Marketing and Privacy on the Net: What Consumers Want (Privacy & American Business)

Key messages of the survey:

• A majority of Internet users (61%) say they would be positive toward receiving banner ads tailored to their personal interests rather than receiving random ads. This represents about 56 million adult users interested in such personalization.

• More than two-thirds of Internet users (68%) say they would provide personal information in order to receive tailored banner ads, if notice and opt-out are provided. This represents about 63 million adult users.

Page 10: A Sense of Privacy

Privacy is not a component of security; security is one means of achieving privacy. Safeguards such as access control and encryption protect data that has already been collected, but they say nothing about whether it should have been collected, how it is used or to whom it is disclosed, which is why the fair information practices that follow treat security as only one principle among several.

Page 11: Privacy Law Framework

Based on Fair Information Practices. These govern the:

• Collection
• Use
• Disclosure
• Retention

Page 12: Privacy Law Framework

Page 13: Privacy Law Framework

• Two national laws in Canada (the Privacy Act and the Personal Information Protection and Electronic Documents Act)
• Provincial laws
• US laws: 14 at the national level and more coming
• OECD Guidelines:

“Privacy protection laws have been introduced, or will be introduced shortly, in approximately one half of OECD Member countries (Austria, Canada, Denmark, France, Germany, Luxembourg, Norway, Sweden and the United States have passed legislation. Belgium, Iceland, the Netherlands, Spain and Switzerland have prepared draft bills) to prevent what are considered to be violations of fundamental human rights, such as the unlawful storage of personal data, the storage of inaccurate personal data, or the abuse or unauthorised disclosure of such data.” – OECD, www.oecd.fr

Page 14: Privacy Law Framework - OECD

BASIC PRINCIPLES OF NATIONAL APPLICATION

1) Collection Limitation Principle (limits on collection; lawful and fair means; with the knowledge or consent of the individual)
2) Data Quality Principle (relevant to the purpose, accurate, complete and up to date)
3) Purpose Specification Principle (purposes specified at the time of collection)
4) Use Limitation Principle (no disclosure or use other than for the original purposes, except with consent or by authority of law)
5) Security Safeguards Principle (against loss or unauthorised access, destruction, use, modification or disclosure)
6) Openness Principle (policies and practices open and readily available)
7) Individual Participation Principle (right of access and correction)
8) Accountability Principle (the data controller is accountable for the measures that give effect to the principles)

http://www.oecd.org//dsti/sti/it/secur/prod/PRIV-EN.HTM

Page 15: Privacy Law Framework

• Approximately 60 countries with data protection directives or laws

• All cover the basics, but some are sectoral or procedural

• Laws are often given effect through industry sector-wide codes

• Cover personal information, usually regardless of whether it is held electronically or in hardcopy

Page 16: Canada’s Personal Information Protection and Electronic Documents Act

• Based on the Canadian Standards Association Model Code for the Protection of Personal Information, the consensus product of an industry-government working group

• A response to increased public concern over technological advances intruding on privacy

• The Act strikes a balance between an individual's right to the protection of personal information and the need of organizations to obtain and handle such information for legitimate business purposes

• The Act establishes rules for the management of personal information by organizations involved in commercial activities

Page 17: Canada’s Personal Information Protection and Electronic Documents Act

Purpose: to establish rules governing the collection, use and disclosure of personal information that recognize both the individual's right of privacy and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.

Page 18: Canada’s Personal Information Protection and Electronic Documents Act

Applies to organizations that collect, use and disclose personal information in the course of commercial activity:

• Customer information
• Employee information

Does not apply to:

• Organizations covered by the Privacy Act
• Collection, use and disclosure for domestic purposes
• Journalistic, artistic and literary purposes

Takes precedence over later federal laws unless those laws expressly declare that they operate despite the Act.

Page 19: Canada’s Personal Information Protection and Electronic Documents Act

Phased Application

• 2001 – federal works and undertakings
  • Banks, inter-provincial transportation, radio broadcasters, cross-border disclosures
• 2002 – personal health information
• 2004 – every entity conducting commercial activity

Page 20: Canada’s Personal Information Protection and Electronic Documents Act

Ten Principles:

1. Accountability
2. Identifying Purposes
3. Consent
4. Limiting Collection
5. Limiting Use, Disclosure and Retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual Access
10. Challenging Compliance

Page 21: Facts by design

• Government of Canada 1998-99:
  – 36,000 requests, $15 million, $550 each
• Ontario 98-99:
  – 10,000 requests
• US DOD FOIA/Privacy Act requests 1999:
  – 97,000, $32 million, 776 staff
• Office of the Privacy Commissioner of Canada:
  – 99/00: complaints <1,600, 15 staff and $4.5 million
• Ontario Privacy Commissioner:
  – 1999: 806 complaints, $6.5 million

Page 22: Canada’s Personal Information Protection and Electronic Documents Act

Complaints filed with the Privacy Commissioner

• Complaints can be filed with the Commissioner against an organization for contravening its privacy obligations under the Act or the ten principles
• The Commissioner may initiate an investigation on reasonable grounds
• Complaints about a refusal of access must be filed within six months of the refusal or deemed refusal, or within any longer period the Commissioner allows
• The Commissioner shall give notice of the complaint to the organization

Page 23: Canada’s Personal Information Protection and Electronic Documents Act

Investigation of Complaints

• The Commissioner must investigate
• Has powers of summons, taking oaths, entering premises, obtaining copies, etc.
• May use dispute resolution mechanisms
• Must report within one year: findings and recommendations, any settlements reached, and the complainant's recourse
• Only then can a complainant apply to the Federal Court for a hearing

Page 24: Canada’s Personal Information Protection and Electronic Documents Act

Remedies

• The Court can order the organization to correct its practices
• Order the organization to publish a notice of any action taken or proposed
• Award damages to the complainant, including for humiliation

Page 25: Canada’s Personal Information Protection and Electronic Documents Act

Audits

• The Commissioner may audit the personal information management practices of an organization
• The Commissioner must provide a report to the organization
• The Commissioner may make audit results public
• The Commissioner may make public any information relating to the personal information management practices of an organization

Page 26: Canada’s Personal Information Protection and Electronic Documents Act

Refusal of Access

• Solicitor-client privileged information
• Confidential commercial information
• Personal information about a third party
• Personal information that could threaten the life or security of another individual
• Information collected under s. 7(1)(b) (collected without consent for investigation or law-enforcement purposes)
• Formal dispute resolution process information
• Exempt information can be severed from the record, with the remainder disclosed

Page 27: Corporate Compliance Strategies

• Recognize the business value in privacy management
• Privacy-enhanced services and products
• Corporate differentiator: Volvo - safety, ? - privacy
• Can’t forget employees
• Hire CPOs
• Wonder who let the dogs out?

Page 28: Corporate Compliance Strategies

The Public/Consumer…

• Develop common expectations
• Lead the way for cultural change
• Seek access
• Fringe customer

“Improved customer service will probably have to wait a decade for the realization that what the customer wants is fairness, efficiency and privacy.” – Miss Manners, Time Canada

Page 29: Corporate Compliance Strategies

“54% of those polled decided not to use a company or buy because they were unsure of how their personal information would be used.”

Source: IBM-Harris 1999 Multi-National Consumer Privacy Survey

“31% of respondents will not make online purchases this holiday season, and two out of five Internet users (38%) will limit the amount they spend online because of concerns about security or privacy.”

Source: Fiderus/Yankelovich Survey, 2000

Page 30: Corporate Compliance Strategies

http://www.pandab.org/

Page 31: Corporate Compliance Strategies - Privacy Code

• Introduction: purpose
• Reference to authority, internal/external
• Roles: CPO, IM, Legal, point of contact
• Scope
• Principles: CSA etc.
• Definitions: personal information etc.
• Regular review
• Collection: with consent, without, what is collected
• Use: with consent, without
• Disclosure: with consent, without
• Requesting access, timing, refusals

Page 32: Corporate Compliance Strategies

What should a Code do?

• Reassure
• Strike a balance
• Build trust/partnership
• Engage customers
• Engage employees
• Enhance customer-company relationships
• Enhance employee-company relationships
• Meet growing demand and customer expectations
• Provide a competitive edge

Page 33: Corporate Compliance Strategies

Corporate Roles and Responsibilities (led by a CPO)

• Product/services development
• Human Resources
• Information Management
• Customer relations
• Audit/internal review
• Regional/International perspective
• Legal Representative

Page 34: Corporate Compliance Strategies

10 Easy Steps

1. Be the Front Goose
2. Strategic Planning
3. Information Management
4. Change management
5. Customer Relations
6. Employees
7. Systems/Processes
8. Implementation
9. Analysis/Measurement
10. Inertia

Page 35: Corporate Compliance Strategies

Privacy Strategy

• Change Management
• Leadership
• Appoint a CPO
• Build a team
• Procedural infusion
• Campaign for cultural change and perspective
• Training plan
• Training, training, training
• Regional/functional/international components
• Legal representative/Business development
• Corporate Strategic initiatives

Page 36: Corporate Compliance Strategies

Privacy and Commerce Strategy Goals

• Privacy infrastructure impact analysis
• The privacy infrastructure’s impact on other business activities
• CRM
  – A solid privacy infrastructure brings customers back
  – Personalized services become possible
  – Individual control is key
• Corporate-wide approach
• External/internal marketing of privacy management
• Cost: forecast/predict
• Gap analysis: what needs to be done?

Page 37: Corporate Compliance Strategies

Page 38: Points to Take Home

1. Privacy is important
2. Accountable person(s)
3. Limits on collection, use, disclosure and retention of personal information
4. Consent is required for collection, use and disclosure
5. Security and safeguards
6. Openness regarding policies and practices
7. Individuals have access (and can challenge accuracy)
8. Individuals can complain
9. The Privacy Commissioner can initiate a complaint, investigation and/or audit
10. The Federal Court has the final say