privacy presentation - 17 jun 10
TRANSCRIPT
RISK & COMPLIANCE
INFORMATION PROTECTION ADVISORY SERVICES
ISACA SA KZN Chapter Meeting
Introduction to the Protection of Personal Information Bill, 2009
17 June 2010
What will we be discussing today?
Why is information privacy important?
Are there any information protection regulatory requirements currently applicable in SA?
What is the PPI Bill about?
What is personal information?
What should organisations be doing about the PPI Bill?
Privacy: What is it all about?
Privacy is: The right of everyone to be left alone. The ability to preserve confidentiality, anonymity and solitude. It includes the right not to have the privacy of one’s communications infringed.
Information privacy is: The handling and protection of personal information that is processed in the course of an organisation’s everyday activities.
Personal information is: Any information about an individual that could be used to identify that person. Specific examples are listed in regulation/standards, e.g. PPI Bill, Draft ISO 29100.
Why bother about privacy?
How much do THEY know about you…
Seriously…why bother about Privacy?
Increased global attention – EU Directive – adequacy assurances – business impact
Public image and reputation: privacy incidents
- SA: Zurich notification letters – over 600 000 – resource and reputational impact
- UK: HSBC fined £3.2 mill (R38 mill) for data loss – reports in Business Day – global exposure
- Germany: Deutsche Bahn AG fined €1.1mil (R11.5mil) for violation of data protection law
Fines and law suits (incl. class action, aggravated damages)
- UK: ICO announces initial penalties of £500 000 (R6 mill) for non-compliance even if no loss/damage
- USA: HIPAA announces fines of up to $1.5mil (R11mil)
Citizen expectations – transparency and accountability – trust is non-negotiable
Contractual obligations
Cross border data transfers
Information Protection Regulatory Landscape (South Africa)
Code of Banking Practice
FAIS
RICA
The Constitution Section 14
Banks Act
ECTA
King III
Consumer Protection Act
PAIA
FICA
National Credit Act
PPI (???)
Summary of key information protection legislation
Right to privacy & right of access to information – Constitution
Security safeguards – ECTA (and PPI Bill)
Information classification – PAIA (and PPI Bill)
Document retention and archiving – ECTA, RICA (and PPI Bill)
Information privacy – processing of personal information – PPI Bill
E-commerce and electronic contracting – ECTA
Monitoring and interception of communications (e.g. emails) – RICA
Good corporate governance – protect information as an important business asset including PI – King III
The Protection of Personal Information Bill, 2009
The Bill requires ‘processors’ of personal information to comply with eight core principles:
1 Accountability
2 Processing Limitation
3 Purpose Specification
4 Further Processing Limitation
5 Information Quality
6 Openness
7 Security Safeguards
8 Data Subject Participation
The official plan:
The reality:
- Late July, August, September?
What is personal information (PI)?
“… information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to–
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number or other particular assignment to the person;
(d) the blood type or any other biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person…”
Draft ISO 29100 – Examples of PI – Unique v Linkable
Special personal information
May not be processed except in specific circumstances
Race
Children
Trade union membership
Health or sexual life
Criminal behaviour
Political persuasion
Religious or philosophical beliefs
The Eight Principles in the PPI Bill
Accountability
Processing Limitation
Purpose Specification
Further Processing Limitation
Information Quality
Openness
Security Safeguards
Data Subject Participation
Principle 7: Security Safeguards
Reasonable measures:
- Risk identification – internal & external
- Implement controls against risks
- Periodically monitor control effectiveness
- Update controls where needed
Breach notification:
- Data subject
- Regulator
- Reasonable time
- Contents of notification
Principle 7: Security Safeguards (cont…)
Information security & IT governance standards & practices:
- ISO 27001, ISO 27002, Draft ISO 29100
- CoBIT, ITIL, BS 10012
- King III, PCI-DSS
Principle 7: Security Safeguards (cont…)
Third parties:
- Confidentiality
- Contractual arrangements
- Security requirements
- Cross border transfers
Applying Principle 1: Accountability
Does your organisation currently have an individual who is accountable for overall information protection?
Does your organisation currently designate specific individuals to monitor compliance with information protection standards within each business area?
Does your organisation currently have a privacy policy?
Does your organisation currently have document retention and access to information policies?
How often does your organisation conduct training or awareness sessions for employees on information protection and/or security?
Are you aware of any information breaches that occurred within your organisation during the past year?
Applying Principle 2: Processing Limitation
What are the different ways in which your organisation processes personal information?
What categories of personal information does your organisation process?
What are the different purposes for which your organisation processes these different categories of personal information?
How does your organisation assess whether the type of personal information is adequate for, and relevant to, the purpose for which it is collected?
Does your organisation have procedures in place for de-identifying personal information to ensure minimum disclosure?
How does your organisation obtain the consent of individuals before processing their personal information?
Applying Principle 3: Purpose Specification
Does your organisation classify personal information in terms of the purposes for which it is processed?
How and when does your organisation inform relevant persons about the specific purposes for which their personal information is required? For example, consider updating of application forms, call centre scripts, employee on-boarding forms etc.
Does your organisation clearly identify the names and categories of all people/organisations to whom the information will be supplied?
Does your organisation have a document retention policy and does the policy provide for the retention of records containing personal information?
What is your organisation’s process for destroying and/or de-identifying records at the end of the retention period?
Does your organisation inform relevant persons about the duration for which the records will be retained and how these records will be destroyed at the end of the retention period?
Applying Principle 4: Further Processing Limitation
Does your organisation process personal information for any other purpose except the identified purposes that are disclosed to the individual concerned?
What type of personal information does your organisation generally subject to further processing?
How does this further processing affect the individual to whom the information relates, i.e. is it likely to benefit/prejudice the individual?
Is the personal information obtained directly from the individual concerned or from other sources, e.g. third parties, marketing databases, internal leads?
Is the further processing required in terms of any contractual obligation between your organisation and the individual concerned, or a third party?
When and how does your organisation inform the individual concerned when personal information is used for a purpose other than originally disclosed?
Applying Principle 5: Information Quality
Does your organisation have a process for checking the accuracy and completeness of records containing personal information?
Does your organisation have a process to deal with complaints relating to the timeliness and accuracy of personal information?
Does your organisation provide the opportunity to individuals to periodically verify and update their personal information?
How and when are individuals made aware of these processes?
Does your organisation have a process for monitoring and tracking updates to personal information?
Who is responsible in your organisation for ensuring that records containing personal information remain relevant, accurate and up-to-date?
Applying Principle 6: Openness
Does your organisation have a formal process for notifying individuals before processing personal information?
Does your organisation have a formal process for notifying the Regulator before processing personal information? (after enactment only)
Do your notifications contain the specific information required in clause 17?
Has your organisation compiled a manual and made it available in terms of the Promotion of Access to Information Act?
Who in your organisation is responsible for liaising with the Regulator in terms of the Promotion of Access to Information Act?
Does your organisation use personal information for historical, statistical or research purposes?
Applying Principle 7: Security Safeguards
Does your organisation’s risk management strategy cover risks associated with personal information?
Does your organisation have an information security policy and does the policy make specific reference to personal information?
Does your organisation limit the number and categories of employees who have access to personal information?
Does your organisation share personal information with any third parties and are you aware of all your third parties?
Does your organisation have an incident management strategy and does this deal specifically with personal information breaches?
Does your organisation have a process for notifying affected individuals about information breaches?
Applying Principle 8: Data Subject Participation
Does your organisation have mechanisms for individuals to access and amend their personal information?
How often does your organisation communicate with employees and customers about updating their personal information?
Does your organisation conduct periodic assessments on the accuracy and validity of personal information contained in your databases?
Does your organisation have a process for dealing with requests for corrections to personal information?
Does your organisation have a process for informing third parties of updates, corrections or deletions of personal information?
Does your organisation charge any fees for requests to access records containing personal information?
Implications of the Bill – Multi-disciplinary approach to compliance
Governance – Assigning of overall accountability for compliance with the Bill – not where it sits, but who?
Information management – Classification, retention and security of information
Human resources – Collection and processing of employee personal information – identify sources, purposes, information flows
Customer relations – Collection and processing of customer personal information – identify sources, purposes, information flows
Marketing – Restrictions on direct marketing, product leads and maintenance of opt-out registers/”do-not-call” lists
Contract management – Identification and management of third party processors – accountability remains with you
International transacting – Restrictions on cross-border transfers – require assurance of adequacy
Training and awareness – Embedding a culture of information protection throughout the organisation
Costs and Enforcement
Implementation costs
- Systems cost estimations: R150 - R200 million
- Training cost estimations: R80 000 p.a.
- Time: 3 - 5 year roll out for full compliance
The Regulator
- Information Protection Regulator (IPR)
- Start-up budget – R80 million
Non-compliance costs
- Regulatory fines
- Ten year prison sentence
- Civil litigation costs
- Aggravated damage awards
- Regulatory audits
- Reputational damage
Don’t get caught… zzzzzzzz… huh… what… DUH?
Case Study Findings
Client takes 6 months to identify third parties
Identified 16 000 third parties
Gap assessment alone costs R2 million – takes 12 months
Remediation planned for up to 18 months
Number of business units affected: 37
Group-wide gaps identified: 92
Project team consisted of 10 internal client employees and 11 consultants
What Local Organisations Are Doing
Conducting privacy gap analyses to identify control weaknesses
Assigning responsibility – defining role profiles – appointing Information Protection Officers
Embarking on remediation programmes – addressing control weaknesses – attaining a state of readiness to comply
Assessing cross border data transfers to ensure an adequate level of protection
Developing and updating privacy policies and procedures
Implementing employee and customer information protection awareness programmes
Auditing third party processors
Updating third party contracts
Global Privacy Experience: Success Factors
Assign responsibilities – “privacy governance”
Multi-disciplinary and process-based approach
Privacy impact assessments to prioritise and develop action plans
Determine information flows, information owners, classify information
Effective policies and processes: retention, incident management, complaints
Privacy awareness: over-communicating / training is not possible
Ensure privacy compliance in systems, processes and at third parties
Remember … every organisation is unique!
AFRICA
INDIA
AMERICA
Achieving compliance: To-do-list
By whom?
Privacy risk and impact assessments
Designing and implementing privacy governance frameworks
Information Protection Officer role profile
Organisational culture - awareness and training
Achieving compliance: To-do-list (cont…)
By whom?
Information management processes – document retention, information classification
Compliance risk management plans
Policies, disclaimers, contract clauses, website terms and conditions, SLAs
Incident response and breach notification
How many boxes did you tick?
Other Questions To Ask Your Organisation
What personal information are we processing?
Do we obtain explicit consent for the processing of personal information on our application forms, contracts, online or telephonically?
Have our customers given their express consent for all the purposes for which we use their information (e.g. marketing, cross selling in group, third parties, acquisition transfer)?
Are we sure that customer or employee information that is processed by third parties is done so in accordance with the privacy principles (e.g. secure, accurate, up to date, only for agreed purpose)?
Do our contracts with employees, third parties and customers include a privacy clause?
Are our employees aware of how to protect our customer information in accordance with the privacy principles?
Do we have a breach and notification procedure for personal information breaches?
Do we ensure that an adequate level of protection is in place and agreed between parties when transferring personal information across the South African border?
Do we provide our customers with means to regularly access and verify their personal information?
Do we destroy personal information when it is no longer required and in accordance with specific legislative requirements? How?
Proposed Roadmap: An integrated plan for achieving sustainable privacy compliance
Privacy Resources
KPMG’s Global Privacy Knowledge Base – www.kpmg.com/privacyinstitute
ISO/SABS – Privacy Working Group 71F -
ISG Africa – Privacy Special Interest Group - www.isgafrica.org/
IAPP/CIPP certification - www.privacyassociation.org/
E-mail me!!!
Questions
Presenter’s contact details
Farzana Badat
Information Protection Advisory Services
KPMG Services (Pty) Ltd
+ 27 (0) 11 647
[email protected]
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
© 2010 KPMG South Africa, the member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in South Africa.