privacy score for organizations - a whitepaper

Organizational Privacy Score. Rajesh Jayaprakash, rajeshjp@gmail.com. The Organizational Privacy Score quantifies the ethical treatment of consumers’ privacy by organizations. It is similar to the “Credit Score” concept for organizations, but focuses on privacy instead of creditworthiness. The key to the concept is the enablement of “Informed Consent and Control” by the customers. An organization gets higher scores as it ensures greater levels of granularity and clarity in adopting this central concept. The survey approach is used to measure, globally compare and identify weak areas in organizations’ privacy approach for ALL types of customers’ data used in the organization. Overall, adoption of such a score can lead to an industry situation where organizations have to compete for customer trust and leave the choices of privacy to consumers. Privacy and Security are treated as two different topics, and security is not covered here.


Posted on 29-Nov-2014


DESCRIPTION

This paper proposes a method to quantify and compare the ethical treatment of consumers’ privacy by organizations. It would be similar to the “Credit Score” concept for organizations, but focused on privacy. The key to the concept is the enablement of “Informed Consent and Control” by the customer, directly and easily. As organizations ensure this to greater levels of granularity and clarity, they get higher privacy scores, which they can publish or compare with industry peer organizations. Overall, this will lead to an industry situation in which organizations compete for customer trust.


Page 1: Privacy Score for Organizations  - A Whitepaper

Organizational Privacy Score

Rajesh Jayaprakash, rajeshjp@gmail.com



Page 1 of 33

Acknowledgements

I would like to gratefully acknowledge the encouragement, support and reviews of the following individuals in drafting this paper:

Matt Musselman

Dalia Hussein

Legal Disclosure

I, Rajesh Jayaprakash, currently work in a large, private sector organization in Canada. I previously worked in multiple large organizations in Canada and the US. The views and opinions I share in this paper are my personal views only and are not an indication or reflection of the organizational policies or practices of my current or previous employers. The information provided in this web site is the property of Rajesh Jayaprakash and may not be reproduced without the express written permission of Rajesh Jayaprakash.

All materials are copyrighted Rajesh Jayaprakash © 2014. All rights reserved.

Disclaimer of Liability

Rajesh Jayaprakash provides the information found in this article for informational purposes only. The information posted in this article is not intended as advice to, or concerning, particular readers or circumstances. THE INFORMATION IS PROVIDED "AS IS," WITHOUT WARRANTY OR CONDITION OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF COMPLETENESS, ACCURACY, USABILITY, FITNESS FOR A PARTICULAR PURPOSE OR MERCHANTABILITY. The user or viewer of the information assumes all risk for the use of this material. The user's sole remedy for dissatisfaction with the information provided is to stop using the information. Rajesh Jayaprakash completely disclaims all liability for the use of the information posted in this article by any user or viewer, including liability for any losses, damages, lawsuits, claims or expenses, including, but not limited to, consequential losses anyone may incur as a result of using this information. Rajesh Jayaprakash’s rights, obligations and responsibilities to its customers, or any other third parties, are governed solely by the agreements under which those rights, obligations and responsibilities were created. All links noted in this article are provided solely for informational purposes. Rajesh Jayaprakash does not endorse the linked entities, nor is Rajesh Jayaprakash responsible for the content accessible through these links. Under no circumstances will Rajesh Jayaprakash be held liable to any third party who may choose to rely on a linked entity, their products, services or information given.


Table of Contents

1 INTRODUCTION ... 5

2 TERMINOLOGY: PRIVACY, SECURITY AND IDENTITY ... 5

2.1 Data Privacy approach ... 6

2.2 Security ... 6

2.3 Identity & Access ... 7

3 CURRENT SITUATION OF PRIVACY COMPARISON METHODS ... 7

4 NEED OF A ‘PRIVACY SCORE’ ... 8

5 PROPOSED APPROACH: THE CONCEPT ... 8

5.1 Informed Consent and Control - Questions to measure it ... 9

5.2 Organizational Privacy Score – Components scores Tree ... 9

6 ‘BASIC PRIVACY SCORE’ SECTION ... 11

7 ‘DATA PRIVACY SCORE’ SECTION ... 14

7.1 Why include all data in scoring, not just PII? ... 14

7.2 The definition of “Internal data” in an organization ... 16

7.3 The definition of “External data” of the customer ... 18

7.4 Principles for Identification of Nine Data Categories ... 19

7.5 Visual representation of nine data categories ... 20

7.6 Nine data domains categories and questions ... 21

7.6.1 Category 1 - Customer Basic static (master) data provided by user directly ... 21

7.6.2 Category 2 - Customer Basic static (master) augmented data by harvesting methods ... 24

7.6.3 Category 3 - Customer business (transactional) data ... 26

7.6.4 Category 4 - Customer’s Augmented Transactional Data ... 28

7.6.5 Category 5 - External people/prospect basic data obtained from external sources ... 28

7.6.6 Category 6 - External transactional data of people/prospects ... 30

7.6.7 Category 7 - External analytics information ... 30

7.6.8 Category 8 - Internal analytics information ... 31

7.6.9 Category 9 - Non-Customer data ... 31

8 ‘SPECIAL DOMAINS PRIVACY SCORES’ SECTION ... 28

9 OVERALL ‘ORGANIZATIONAL PRIVACY SCORE’ CALCULATION ... 32

10 SURVEY SHEET ... 35

11 VERIFICATION OF PRIVACY SCORE AND ROLE OF THIRD PARTIES ... 35

12 PRIVACY DASHBOARD – SOME SAMPLE VIEWS ... 35

12.1 Detailed View - Numerical ... 35

12.2 Summary View - Numerical ... 36

13 APPENDIX ... 36


1 Introduction

Consumers’ online privacy and consent are relatively maturing areas globally, and there are some highly polarised views about them. Today, approaches to data privacy and laws vary drastically from country to country. However, technology is global, which makes this issue more complex. Currently, in the industry, privacy is viewed mostly from two angles. The first is basic legal compliance, which varies by region or country. The second is the security capability, which treats consent gathering from consumers as a subtask and ensures (mostly bare-minimum) legal compliance with it. Most of the European Union nations have a good legal framework based on the concept that online privacy is a human right, and this is built into their laws. The United States has a more controversial legal standard and an industry-supported, economic-model based approach: as long as consumers’ data is made ‘non-personally identifiable’, or otherwise if there is consent, all available data can be used for economic activity. There is not much available from industry as global standards or guidelines. There are multiple proposed frameworks which are yet to get widespread adoption (e.g. guidelines proposed by the FTC, and another from the US Commerce Department). This causes widely varying and non-comparable approaches to privacy among organizations. Lack of these standards also makes sharing of privacy and consent data between industry partner organizations difficult, resulting in customers repeating their preferences to a lot of entities. Overall, it reduces the understanding the consumer has about the privacy approaches of organizations, and their transparency. A study published by a leading university stated that if a consumer read all the privacy statements and policies of the commonly used websites he/she visits, it would take 200 hours a year.

2 Terminology: Privacy, Security and Identity

Before we get to some of the details, it is necessary to state the views on some of these basic terms. These terms are used in the industry with widely varying definitions. So the angle that is used as a premise to the privacy score concept is described here.


2.1 Data Privacy approach

This is about the policy of an organization, or, let us say, the stated ‘intention’ of an organization: what they plan to do with customers’ information, etc. However, this is not the same as the long ‘terms and conditions’ usually displayed to the consumer when a consumer interacts with an organization. That is one of the mediums the organization uses to communicate its intentions to the consumer. So the organizational privacy policy is more encompassing than the terms and conditions.

2.2 Security

This is a technology & operations function which ensures the stated intentions in the data privacy policy of an organization are met. There could be security policies that ensure this. However, those are security policies which eventually enable the delivery of the privacy policy, not the privacy policy itself. In that aspect, we can comfortably separate privacy and security. Here is an example to illustrate the difference between privacy and security, and their complementary nature. You need some money and want a personal loan from some of your friends. You have four friends. The first one has no money, and even if he had some, you know he would not part with it for you. The second one would have given it to you if he had it, but he doesn’t have any money. The third one has money, but would not loan it to you. The fourth one has money and would be willing to loan it to you. Here, the second and the fourth have the intention of giving it to you. The third one has no intention but has the capability. Only the fourth one has both.

The privacy policy domain defines the promises the organization is making to the customer about their privacy – or not making. The security domain is about the capability to keep those privacy promises. In that sense, these are fairly distinct topics and should be treated separately. This paper addresses only the privacy part (i.e. the promises the organization is making – or not making).

Mixing up these concepts is the root cause of the lack of clarity in this area.


The same is the case with privacy and security: they are different things. We need some kind of privacy score and a security score, and we need to know both.

2.3 Identity & Access

Identity also has widely varying definitions. For this paper, it is considered as the set of credentials that an individual or machine supplies in a given context to complete the authentication process, i.e. for the organization to verify that he/she/it is what he/she/it claims to be. Some of these credentials could be PII, biometric information, etc. It could be an internal organization ID (like a billing account), a government-issued one (SSN) or a privately issued external organization ID (Facebook ID or LinkedIn ID), or, usually, a combination of these. There are other definitions which give a much bigger scope to identity, which get into profiling, Personally Identifiable Information (PII), any information that can be related or traced back to an individual, etc. It is not our intention to discuss these views further.

3 Current Situation of Privacy Comparison methods

Currently, there are privacy maturity frameworks and privacy scores in sporadic use in the industry. But these assess the maturity of the privacy program of the organization. They do not measure or compare what the organization intends to do or not do about the disclosure of its data privacy practices or the choice given to the customer (i.e. the privacy policy itself).

1. The GAPP (Generally Accepted Privacy Principles) based privacy maturity framework of the AICPA and CICA.

2. There are also ‘privacy scores’ out there, but they are very specific to websites, i.e. specific to the amount of tracking done in websites using cookies, etc. (e.g. AVG’s privacy score).

3. There is also a privacy score which can be derived as part of the Dow sustainability index, which many organizations use. However, this is also based on a general set of questions and does not follow a holistic and structured approach specific to data privacy.

Most of the existing standards revolve around PII and non-PII, since the legalities are around this. However, consumer data can easily be combined with new technologies like big data and cloud, and with the context around it. So we are not taking the PII-based approach here.


4 Need of a ‘Privacy Score’

Anything that gets measured gets done in large organizations. And, currently, the industry does not measure privacy policy or privacy intentions. All the industry measures are ‘security’ capabilities and technologies, which are themselves hard to measure. When security breaches occur, there is a lot of attention on privacy, but naturally it soon gets diverted to security. So changes in the privacy domain need to start with measuring the privacy intentions of the organization and making them clearer to the public. This, in turn, helps to convert privacy policy into a visible, competitive advantage in the marketplace.

5 Proposed Approach: The concept

The global nature of technology makes it the right space to find solutions to the holistic privacy problem, even though some of the components of the solution may reside in other domains like legal. The legal components need to be addressed by countries and are going to be country specific, and it may not be wise to expect a global legal baseline to emerge.

The basic premise of this article and of the concept of “Organizational Privacy Score” is that online privacy, and the control of it, should be driven from a meaningful consumer choice, irrespective of the nationality of the consumer. The choice should enable the consumer to select a human-rights based approach similar to what is prevalent in the European Union, or the economic approach of the United States, and the finer details of it. So every person gets the same choices to choose and maintain their own privacy settings regardless of the country he lives in. However, nations can set their own minimum for their citizens through their own laws. This is the larger concept within which the privacy score concept operates; however, understand that this is not the reality today. So it can start as just a scoring mechanism for each organization’s current policies and practices.

This is a survey to identify and compare business organizations’ approach in terms of respecting consumer privacy at a policy level, globally, and to identify areas of improvement. The objective is to measure and compare what organizations intend to do (and not do) about their data privacy practices, and whether they offer meaningful choices to customers irrespective of the laws of the land. This does not affect or measure the security capabilities in protecting privacy, so it is not a ‘security’ score. It measures the intention or policy, not the capability to achieve it (i.e. the security aspect of it). There are three broad sections of questions to arrive at this score:


‘Basics’ Privacy Score

‘Data Privacy’ Score

‘Specialised Domains’ Privacy Scores

All questions should be given in a multiple choice format. Each question and the score associated with each choice can later be summarised into scorecards. With this approach, we are developing a comparable approach for privacy, as opposed to listing specific things or projects that an organization has done about privacy.

5.1 Informed Consent and Control - Questions to measure them.

All the questions used here are geared towards measuring the ‘informed consent and control’ of the customer. Namely:

Is the customer informed about the existence of the data?

Does the customer understand the meaning and impacts of this data that the organization has?

Does the customer have access to the data and the ease of doing it?

Does the customer have control to update or remove the data the organizations have, and the ease of doing it?

5.2 Organizational Privacy Score – Components scores Tree

The components of the Organizational Privacy Score are explained using a diagram.


6 ‘Basic Privacy Score’ Section

The intention of the “Basics” section is to identify whether the organization has the basic framework and intention to protect consumers’ privacy and their general approach to privacy holistically. For organizations starting to work on their privacy improvements, this is a good area to focus on first.

Questions to decide the Basics privacy score

Columns of the original table: question number; type (every row in this section is of type ‘Basics’ Privacy Score); the question; the choices with their points; the importance of the question (1 to 10, 10 most important); and the maximum points for the question (points of the best choice multiplied by the importance grade of the question).

1. Do you have a formal privacy policy documented and approved? Choices: Yes - 5; No - 0. Importance: 10. Maximum points: 50.

2. Would you let the consumers know of a data request of governmental bodies if the law of the country permitted you to do it? Choices: Yes - 5; No - 0. Importance: 5. Maximum points: 25.

3. Do you sell your customers’ data? Choices: No - 5; Yes - 0. Importance: 10. Maximum points: 50.

4. Do you rent out or in any other way make your customers’ information available to outside organizations, including your partner organizations or legal subsidiaries? Choices: No - 5; Only to subsidiaries - 4; Only to Partners & Subsidiaries - 2; Anybody (who may or may not pay) - 0. Importance: 8. Maximum points: 40.

5. Do you track customer actions in any of your organization’s websites? Choices: No - 5; Yes - 0. Importance: 5. Maximum points: 25.

6. If you track customers’ actions on the website, do you get consent for that and are you able to provide proof of that? Choices: Do Not Track - 5; Yes - 3; No - 0. Importance: 2. Maximum points: 10.

7. Do you inform the visitors of your website what data you are collecting? Choices: Yes - 5; No - 0. Importance: 2. Maximum points: 10.

8. Do you inform the visitors of your website why you are collecting it? Choices: Yes - 5; No - 0. Importance: 2. Maximum points: 10.

9. Do you inform the visitors of your website whether you will be selling or renting the information collected? Choices: Do Not Sell or Rent - 5; Yes - 3; No - 0. Importance: 2. Maximum points: 10.

10. Do you inform the visitors of your website about other legal entities (i.e. another legal entity that will be responsible for future actions with that data) that might collect their data? Choices: There is only one legal entity responsible and it is us - 5; Yes - 2; No - 0. Importance: 2. Maximum points: 10.

11. Do you inform the visitors of your website of the list of other legal entities that you would share the data with, if there are any? (Y/N) Choices: Not shared with anyone else - 5; Yes - 3; No - 0. Importance: 2. Maximum points: 10.

12. Do you set consents in a way that gives you consent by default? (e.g. pre-checking consent boxes) Choices: No - 5; Yes - 0. Importance: 10. Maximum points: 50.

13. Is your privacy policy specific to your organization? (e.g. using privacy policy templates available online without many specifics spelled out, not removing non-applicable phrases) Choices: Yes - 5; No - 0. Importance: 2. Maximum points: 20.

14. Do you have a team with formal authority to create/update the privacy policy? Choices: Yes - 5; No - 0. Importance: 5. Maximum points: 25.

15. How long are the terms and conditions that a customer has to give consent to? Choices: Less than one page - 5; One to five pages - 3; Six to ten pages - 1; More than ten pages - 0. Importance: 5. Maximum points: 25.
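As an added example (not code from the whitepaper), the following Python turns the ‘Basics’ table into a scoring engine: each question carries its choices with their points and its importance grade, the maximum for a question is derived as the best choice’s points multiplied by the importance (the rule the last column describes), and a set of answers yields the points earned, the maximum, a percentage and the list of questions where points were lost, which is one way to surface the weak areas the paper wants identified. It covers questions 1, 3, 4, 6, 12 and 15 only, with the question texts abbreviated; the two organizations and their answer sets are constructed.

```python
"""Scoring engine for the 'Basics' privacy score table.

Added example, not code from the whitepaper. Choice points and importance
grades are copied from the table; the maximum for a question is derived as
(points of the best choice) x (importance), as the table's last column is
described. The organizations and their answers below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    number: int
    text: str
    choices: dict        # choice label -> points for that choice (0..5)
    importance: int      # 1..10, 10 most important

    @property
    def max_points(self) -> int:
        # Best possible choice multiplied by the importance grade.
        return max(self.choices.values()) * self.importance


# Subset of the 'Basics' questions (numbers 1, 3, 4, 6, 12, 15), abbreviated.
BASICS = [
    Question(1, "Formal privacy policy documented and approved?",
             {"Yes": 5, "No": 0}, 10),
    Question(3, "Do you sell your customers' data?",
             {"No": 5, "Yes": 0}, 10),
    Question(4, "Do you rent out or otherwise share customer information?",
             {"No": 5, "Only to subsidiaries": 4,
              "Only to Partners & Subsidiaries": 2,
              "Anybody (who may or may not pay)": 0}, 8),
    Question(6, "If you track website actions, is consent obtained and provable?",
             {"Do Not Track": 5, "Yes": 3, "No": 0}, 2),
    Question(12, "Are consents given by default (e.g. pre-checked boxes)?",
             {"No": 5, "Yes": 0}, 10),
    Question(15, "How long are the terms and conditions?",
             {"Less than one page": 5, "One to five pages": 3,
              "Six to ten pages": 1, "More than ten pages": 0}, 5),
]


def score_basics(answers, questions=BASICS):
    """Score one organization's answers.

    answers maps question number -> chosen label. Returns
    (points earned, maximum points, percentage, weak question numbers).
    An unanswered question earns nothing and is flagged as weak; an unknown
    choice label is an input error rather than a silent zero.
    """
    earned = 0
    maximum = 0
    weak = []
    for q in questions:
        maximum += q.max_points
        label = answers.get(q.number)
        if label is None:
            weak.append(q.number)
            continue
        if label not in q.choices:
            raise ValueError(f"question {q.number}: unknown choice {label!r}")
        points = q.choices[label] * q.importance
        earned += points
        if points < q.max_points:
            weak.append(q.number)
    percent = round(100.0 * earned / maximum, 1) if maximum else 0.0
    return earned, maximum, percent, weak


def rank(organizations, questions=BASICS):
    """Compare several organizations: list of (name, percent), best first."""
    scored = [(name, score_basics(ans, questions)[2])
              for name, ans in organizations.items()]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


# Constructed answer sets for two hypothetical organizations.
ORG_A = {1: "Yes", 3: "No", 4: "Only to subsidiaries", 6: "Yes",
         12: "Yes", 15: "One to five pages"}
ORG_B = {1: "Yes", 3: "No", 4: "No", 6: "Do Not Track",
         12: "No", 15: "Less than one page"}

if __name__ == "__main__":
    print(score_basics(ORG_A))   # (153, 225, 68.0, [4, 6, 12, 15])
    print(rank({"Org A": ORG_A, "Org B": ORG_B}))
```

Scoring a full survey is the same loop over all fifteen questions. One caveat for anyone implementing it: for question 13 the table states a maximum of 20 while its importance grade of 2 gives 2 x 5 = 10 under the stated rule, so an implementation has to decide which of the two it follows.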

7 ‘Data Privacy Score’ Section

This section measures the privacy policies of the organization with respect to its customers’ data. Here, ALL data used by an organization is classified into nine categories, and the privacy approach is assessed with questions on how the organization “intends” to treat the consumer privacy aspect of the data. However, before we get into the nine categories, it is important to explain the principles and some key concepts used.

This is a holistic, technology-based approach to data privacy scoring. It does not divide data by business type, nature or use. Calculations based on such divisions can soon get very complex and become country or industry specific, leading to non-comparability. So, rather, this is an industry- and country-neutral privacy score which denotes an intention for the ethical treatment of consumer data privacy by organizations.


7.1 Why include all data in scoring, not just PII?

Most of the laws on privacy today surround Personally Identifiable Information (PII). However, as we get to the details, there are no clear answers on what constitutes the PII definition. Context has a big influence on personally identifying somebody. For example, in a group of 10 people, if one is wearing a uniquely coloured shirt, that alone is sufficient to ‘identify’ him in that context. If somebody with green eyes is living in a village in a country where all others have another eye colour, that is enough to identify him there. So the legal protection of ‘de-identification’ is not sufficient in a lot of practical cases. In many common situations, zip code, age and health indicators are enough to make key decisions which could have serious impacts on the people living there, even if they are not personally identifiable. For example, an insurance company can decide not to offer certain coverage in areas where there are many incidents, if it is allowed to do so. In the new world of big data, this issue gets new dimensions. There is a lot of data generated in social media, text analytics, location-based services, etc. As big data technologies bring these data together, link them up and analyse them, they open up a whole new world of understanding and insights. However, they also give a lot more data dimensions to slice and dice, effectively pointing to much smaller subsets or groupings of people, essentially taking away their privacy. For example, how difficult is it to identify the real person if you have all of the following information?

In your zip code,

And aged 60 to 65,

And driving a Ford Fusion car,

And wearing an Armani suit,

And using Ray-Ban sunglasses,

And leaving home mostly at 6 am and getting back at 5 pm,

And driving to a specific industrial area once a week,

And eating in Greek restaurants most Sunday afternoons,

And having 4 to 6 grandchildren,

And who was born in Germany,

And with an income in the range of 80 to 90 K,

And flying to Hawaii 3 times a year,

And going to the public library every Monday afternoon,

And buying pills for diabetes at Shoppers Drug Mart,

And active in social media from 6 pm to 8 pm,

And likes history books,

And watches horror movies online,

And uses an iPhone 4S and recently changed to an iPhone 5,

And divorced twice and remarried two years back,

And a member of a private golf course 10 km from residence,

And making an average of 6 calls a week to Texas,

And many more (as they get more sources of information, information about relatives gets combined with this, etc.).

All these are non-PII data according to most available definitions. When the location of such a person becomes available via real-time GPS tracking devices and that information gets commoditized (a lot of people have access to it cheaply via cloud, etc.), the privacy equations around PII become obsolete, and we need to re-examine them.
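The narrowing the list above describes can be measured rather than asserted. As an added example that is not from the whitepaper, the Python below takes a constructed set of eight records (the attribute names echo the list: zip code, age band, car, birthplace; the values are invented) and, for a growing set of released attributes, reports the smallest group anyone falls into (k) and the share of records that end up unique even though no field is PII. safe_prefix is a defender-side helper that answers the release question directly: how many of the attributes can be published before some group drops below a chosen k.

```python
"""Measuring how combining non-PII attributes shrinks the group a person hides in.

Added example, not from the whitepaper. RECORDS is constructed: attribute
names echo the whitepaper's list, values are invented. A group is the set of
records sharing one combination of released attribute values; its size is k.
k == 1 means that record is unique in the released data.
"""
from collections import Counter

# Constructed sample: eight people in the same zip code.
RECORDS = [
    {"zip": "M5V", "age_band": "60-65", "car": "Ford Fusion", "born": "Germany"},
    {"zip": "M5V", "age_band": "60-65", "car": "Ford Fusion", "born": "Canada"},
    {"zip": "M5V", "age_band": "60-65", "car": "Honda Civic", "born": "Germany"},
    {"zip": "M5V", "age_band": "40-45", "car": "Ford Fusion", "born": "Germany"},
    {"zip": "M5V", "age_band": "60-65", "car": "Ford Fusion", "born": "Canada"},
    {"zip": "M5V", "age_band": "60-65", "car": "Honda Civic", "born": "Canada"},
    {"zip": "M5V", "age_band": "40-45", "car": "Honda Civic", "born": "Germany"},
    {"zip": "M5V", "age_band": "40-45", "car": "Ford Fusion", "born": "Canada"},
]


def group_sizes(records, quasi_ids):
    """Count records per distinct combination of the given attributes."""
    return Counter(tuple(r[k] for k in quasi_ids) for r in records)


def min_k(records, quasi_ids):
    """Smallest group anyone falls into (the dataset's k-anonymity level)."""
    return min(group_sizes(records, quasi_ids).values())


def unique_fraction(records, quasi_ids):
    """Share of records that are the only member of their group (k == 1)."""
    sizes = group_sizes(records, quasi_ids)
    singletons = sum(1 for r in records
                     if sizes[tuple(r[k] for k in quasi_ids)] == 1)
    return singletons / len(records)


def safe_prefix(records, ordered_ids, k):
    """Longest prefix of attributes that can be released while every group
    stays at least k large. Attributes are added one at a time in the given
    order, mirroring the way the whitepaper's list keeps narrowing."""
    keep = ()
    for i in range(1, len(ordered_ids) + 1):
        candidate = tuple(ordered_ids[:i])
        if min_k(records, candidate) < k:
            break
        keep = candidate
    return keep


if __name__ == "__main__":
    attrs = ("zip", "age_band", "car", "born")
    for n in range(1, len(attrs) + 1):
        print(attrs[:n], "min k =", min_k(RECORDS, attrs[:n]),
              "unique share =", unique_fraction(RECORDS, attrs[:n]))
    print("releasable with k >= 2:", safe_prefix(RECORDS, attrs, 2))
```

With only the zip code released every record sits in a group of eight; adding the age band leaves a smallest group of three; adding the car already produces a unique record, and with all four attributes six of the eight people are unique. The same counting applied to a real extract before it is shared is the check that the de-identification argument in this section says is missing.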

7.2 The definition of “Internal data” in an organization

“Internal data” is data created through the direct business interactions of an organization with its customers. Simply put, it is the entire data used in an organization. Most of the data is expected to be customers’ data, including prospective or previous customers’ data. Most of this data is created, managed and destroyed under the control of the organization. However, storage of this data can be inside the organization or outside, due to cloud storage or partnerships with other IT companies to manage it, etc. In other words, by ‘internal’ we do not mean the physical location or the maintenance of ownership. The diagram depicts this data as a set of concentric circles and classifies it into three categories using the principles of master data management: master data, transactional data and analytical data.


The core of it is the ‘identifier’ or identifying mechanism for a person/customer. Then there is a static set of information about him/her which doesn’t change on a day-to-day basis, like names, addresses, his or her preferences, contact information, etc. Then he or she does transactions with the organization: ordering products, getting them fulfilled, receiving shipments via preferred channels, responding to surveys by the organization, using the organization’s products (which generates another set of usage data), etc. The above two types are factual information: data about things that actually happen, or close to it. Then we have the traditional data warehouses which analyse both of these pieces of information together to form various derived ‘information’ or conclusions. We can call this analytical information.


However, the key is that all this happens within the logical periphery of an organization. If the data is lost or breached, the accountability is clear.

7.3 The definition of “External data” of the customer

As human beings, we do a lot of things every day, every moment. Each and all of these can be described as events of different types. And then there are our feelings and moods about things and events. Most of these events were not recorded during the previous years/decades. But currently, and in the upcoming future, this is being recorded. A discussion on whether this is good or bad is not intended here, as it is not the topic. The whole industry will be very happy to get these entire events recorded and get their hands on that data. Currently, it is happening in a piecemeal fashion. We have social media which records our likes and dislikes and pictures in private and public spaces. We have CCTVs capturing people in public places; we have government-issued IDs like drivers’ licenses, social security numbers and passport numbers which can precisely identify an individual anywhere in the world. Electronic devices we carry and cars we drive generate a lot of data about our locations, the things we buy, search for, etc.

All these can also be represented in a fashion similar to the data generated inside an organization for the customer:

The identifiers and the set of relatively static data for the person. Identifiers could be SIN/SSN, passport numbers, or even widespread IDs like a Facebook ID, but mostly a combination of these. Then details like names, addresses, relationships and contact information. These do change, but not every day. A subset of this information is available with each of the organizations that the person does business with.

Actions of the person, or say the transactional data of people. Any actions and events can be like this, like reading the newspaper for 20 minutes and visiting a friend after that. This information could look trivial, but a toiletry company would be very interested in this, and so would a newspaper company. Earlier, these types of events were not tracked. However, nowadays, users input a lot of information into social media, whether they realize the consequences of doing this or not. Other trackers like mobile phones track movement. New kinds of ‘planning assistants’ like “Google Now” create very detailed sequences of these activities. For salespeople, we have “salesforce.com” today. It is an early market and we can expect more here. The detailed information connected to the actions of people can also be tracked via devices, e.g. the GPS of the car.

Then there is the analytical information industry which helps to sell, process and resell data and the information derived from it. There are also a variety of information visualisation products based on that.


7.4 Principles for Identification of Nine Data Categories

Categorize ALL data used in the organization (PII and non-PII, internal and external) into nine broad categories and evaluate the privacy practices followed for each. Each category is answered separately. All data is expected to fall into one of these categories most of the time, and into multiple categories occasionally. The intention of this classification is to place any particular piece of data in only one category, but that may not always be possible for some specific types of data.

Data: divided into nine categories:

| Type of data | Source of ownership | Type of creation | Master data | Transactional | Analytical |
|---|---|---|---|---|---|
| Consumer data | Internal | Customer directly provided data | Category 1 | Category 3 | N/A |
| Consumer data | Internal | Customer data augmented | Category 2 | Category 4 | N/A |
| Consumer data | External | Externally sourced data (buy/rent) | Category 5 | Category 6 | Category 7 |
| Consumer data | Internal | Internal analytics information | N/A | N/A | Category 8 |
| Non-consumer data | | | Category 9 | Category 9 | Category 9 |

These nine categories are developed using principles from master data management (MDM). According to MDM principles, the entire data in an organization can be categorized into three groups: master data, transactional data and analytical data. Master data is the relatively static data, like customer names, addresses, etc. Transactional data is the day-to-day business operations data. Analytical data is derived from the other two. These groups are then extended because of the industry’s recent heavy use of data from external sources, e.g. social media data, D&B, data.com, and upcoming external transactional data sources like Google 'Now', salesforce 'today', etc.


7.5 Visual representation of nine data categories

From a survey questions perspective, most questions are repeated across these nine categories and the "Basic Privacy Score" questions. This is acceptable, since we are focusing on entirely different types of data, which differ in properties, collection methods, ownership, legalities, etc. It is important to ask these questions separately, since the treatment of these categories of data varies vastly within organizations.


7.6 Nine data domain categories and questions

7.6.1 Category 1 - Customer basic static (master) data provided by the user directly

This is basic and mostly static information about individuals provided directly to the organization by the user. The channel of collection could be online or in any store. Usually this data originates in CRM systems, portal databases, identity databases, customer master data repositories, etc. The business or IT team owning such systems can be expected to answer the questions in this section. However, this data is usually replicated across many systems in large organizations. If such teams are not able to answer comprehensively, data governance teams or enterprise architecture teams could answer this section. We consider this a separate category due to these features:

1. Given by the customer directly to the organization.
2. Usually given multiple times and across multiple channels.
3. Maintenance of this data is the responsibility of the organization.
4. A good portion of this will be PII.
5. Changes to this data are usually infrequent.
6. This is common data across the many types of transactions and contexts in which the customer/person interacts with the organization.
7. Can be used during future transactions so that the customer does not have to re-enter this information.
8. Accuracy/factuality is as good as what the customer has given.

Examples of this data category:

Customers’ names
Physical address
Contact information: emails, phone, Facebook id, Twitter id
User ids

The reason to split the data into these categories is to bring in the specific nature of each when answering questions about data in any organization. These data categories have considerably different lifecycles and business and technical ownership across large enterprises. Many of these categories correspond to certain types of systems owned by specific departments in an organization. So, even though still not perfect, dividing customer data into such categories is expected to help get realistic and useful answers, revealing the organization’s data privacy approach down to the practised details. All these responses can be summarised to form the final score of the organization.

Questions to decide the Data Privacy Score – Category type 1 data.

| No | Type | Question | Choices & Points (1 to 5 points max) | Importance of question (1 to 10, 10 most important) | Maximum points for question (points of choice × importance) |
|---|---|---|---|---|---|
| 1 | Data Privacy Score – Category 1 | Do you explain the purpose of collecting the data before collecting it, or in a referenceable location? | Yes – 5; No – 0 | 5 | 25 |
| 2 | Data Privacy Score – Category 1 | Do you sell this data to other legal entities? | No – 5; Yes – 0 | 10 | 50 |
| 3 | Data Privacy Score – Category 1 | Do you rent this data to other legal entities? | No – 5; Yes – 0 | 8 | 40 |
| 4 | Data Privacy Score – Category 1 | Do you let the consumer see this data after collection? If yes, what is the mechanism used? (Online, written forms by mail, etc.) | No – 0; Yes, need to provide written paper requests – 2; Yes, need to provide written online requests – 3; Yes, immediately after collection, free of charge – 5 | 5 | 25 |
| 5 | Data Privacy Score – Category 1 | Do you let the consumer update/remove this data? If yes, what is the mechanism used? (Online, written forms by mail, etc.) What is the turnaround time? | No – 0; Yes, need to provide written paper requests – 2; Yes, need to provide written online requests – 3; Yes, immediately online, anytime, free of charge – 5 | 8 | 40 |
| 6 | Data Privacy Score – Category 1 | Do you have a defined retention period for this data once the customer is no longer in business with you? (yes/no) | No – 0; Yes, three plus years – 3; Yes, less than three years – 4; Yes, six months or less – 5 | 5 | 25 |

7.6.2 Category 2 - Customer basic static (master) data augmented by harvesting methods

This is additional data obtained by the organization that is not directly given by the individual. It is captured or derived mostly by other means, for example by tapping into website logs or mobile phones used by the individual, using sophisticated algorithms available in the industry, or purchased from other sources in the industry. Most companies do not consider this customer data, as it is not provided by the customer. Examples of this data category:

Income bracket of the customer
Relations of the customer with other customers
Number of household members
Customer segmentations and groupings

Clearly, ownership is with the organization and maintenance is the responsibility of the organization. The same team that answers Category 1 can answer these questions too. We consider this a separate category due to these features:

1. This data is NOT given by the customer directly. It is inferred via logistical methods or using electronic devices and industry algorithms.
2. Accuracy/factuality varies.
3. Mostly not considered PII.
4. This doesn’t qualify as basic data or PII, but in most cases it is linked with it and becomes part of the extended basic customer information.
5. Unclear legalities about the ownership of this data. Maintenance is the responsibility of the organization.
6. Changes to this data are usually infrequent.

Questions to decide the Data Privacy Score – Category type 2 data.

| No | Type | Question | Choices & Points (1 to 5 points max) | Importance of question (1 to 10, 10 most important) | Maximum points for question (points of choice × importance) |
|---|---|---|---|---|---|
| 1 | Data Privacy Score – Category 2 | Do you let customers know that you are capturing this information? | Yes – 5; No – 0 | 10 | 50 |
| 2 | Data Privacy Score – Category 2 | Do you provide examples for such information? | Yes – 5; No – 0 | 5 | 25 |
| 3 | Data Privacy Score – Category 2 | Do you explain the purpose of collection of the data while collecting it? | Yes – 5; No – 0 | 5 | 25 |
| 4 | Data Privacy Score – Category 2 | Do you sell this data to other legal entities? | No – 5; Yes – 0 | 10 | 50 |
| 5 | Data Privacy Score – Category 2 | Do you rent this data to other legal entities? | No – 5; Yes – 0 | 8 | 40 |
| 6 | Data Privacy Score – Category 2 | Do you let the consumer see this data after collection? If yes, what is the mechanism used? (Online, written forms by mail, etc.) | No – 0; Yes, need to provide written paper requests – 2; Yes, need to provide written online requests – 3; Yes, immediately after collection, free of charge – 5 | 5 | 25 |
| 7 | Data Privacy Score – Category 2 | Do you let the consumer update/remove this data? If yes, what is the mechanism used? (Online, written forms by mail, etc.) What is the turnaround time? | No – 0; Yes, need to provide written paper requests – 2; Yes, need to provide written online requests – 3; Yes, immediately online, anytime, free of charge – 5 | 8 | 40 |
| 8 | Data Privacy Score – Category 2 | Do you have a defined retention period for this data once the customer is no longer in business with you? (yes/no) | No – 0; Yes, three plus years – 3; Yes, less than three years – 4; Yes, six months or less – 5 | 5 | 25 |


7.6.3 Category 3 - Customer business (transactional) data

This data represents day-to-day business operations and interactions. It is expected to be owned by the organization and to be factual. We consider this a separate category due to these features:

1. This data is provided by the customer directly or with the active participation of the customer.
2. This data is not considered PII for most data elements, except for some key elements like billing account number, purchase order, shipment number, etc.
3. Unclear legalities about the ownership of this data. Maintenance is the responsibility of the organization.
4. Changes to this data are usually not applicable after the transaction.
5. Mostly point-in-time specific.
6. Not common to the entire enterprise, i.e. the various types of data are scattered across the organization, mostly under the ownership of different departments. They are mostly managed by specific lines of business, so one type of transaction data (e.g. shipment) may follow one set of rules while another type follows a different set.
7. Very factual information.

Examples of this data category:

Orders, purchases and history
Shipments and history
Bill and payment history
Trouble tickets raised
Surveys and responses

Questions to decide the Data Privacy Score – Category type 3 data.

| No | Type | Question | Choices & Points (1 to 5 points max) | Importance of question (1 to 10, 10 most important) | Maximum points for question (points of choice × importance) |
|---|---|---|---|---|---|
| 1 | Data Privacy Score – Category 3 | Do you sell this data to other legal entities? | No – 5; Yes – 0 | 10 | 50 |
| 2 | Data Privacy Score – Category 3 | Do you rent this data to other legal entities? | No – 5; Yes – 0 | 8 | 40 |
| 3 | Data Privacy Score – Category 3 | Do you let the consumer see this data after collection? If yes, what is the mechanism used? (Online, written forms by mail, etc.) | No – 0; Yes, need to provide written paper requests – 2; Yes, need to provide written online requests – 3; Yes, immediately after collection, free of charge – 5 | 5 | 25 |
| 4 | Data Privacy Score – Category 3 | Do you have a defined retention period for this data once the customer is no longer in business with you? (yes/no) | No – 0; Yes, three plus years – 3; Yes, less than three years – 4; Yes, six months or less – 5 | 5 | 25 |

7.6.4 Category 4 - Customer’s augmented transactional data

Customers’ factual data obtained during transactions or interactions with customers but not directly input by them; it is mostly captured by websites, mobile phones or similar electronic devices used by the consumers. Any information received during the interaction that is not directly given by the customer is usually captured by the electronic medium the customer uses. The teams that answer Category 2 can answer this category also. Examples of this data category:

Channels viewed by customers while browsing TV channels
Frequency and usage of TV channels and mobile devices
Clickstream information
Location history obtained via tracking mechanisms like GPS
Time spent by the customer on each web page

Same questions and points as in data Category 2 (augmented master data).

7.6.5 Category 5 - External people/prospect basic data obtained from external sources

This type of data usually comes from external organizations such as social media data collectors (Facebook, LinkedIn), AC Nielsen, WPP, Harte Hanks, etc. Examples of this data category:

Names, addresses, phone, email, etc. of people, collected from publicly available information, surveys, etc.

| No | Type | Question | Choices & Points (1 to 5 points max) | Importance of question (1 to 10, 10 most important) | Maximum points for question (points of choice × importance) |
|---|---|---|---|---|---|
| 1 | Data Privacy Score – Category 5 | Do you let the prospects know of the existence of this information voluntarily? | Yes – 5; No – 0 | 10 | 50 |
| 2 | Data Privacy Score – Category 5 | Do you resell this data to other legal entities? | No – 5; Yes – 0 | 10 | 50 |
| 3 | Data Privacy Score – Category 5 | Do you rent this data to other legal entities? | No – 5; Yes – 0 | 8 | 40 |
| 4 | Data Privacy Score – Category 5 | Do you let consumers see this data? If yes, what is the mechanism used? (Online, written forms by mail, etc.) | No – 0; Yes, need to provide written paper requests – 2; Yes, need to provide written online requests – 3; Yes, immediately after collection, free of charge – 5 | 5 | 25 |
| 5 | Data Privacy Score – Category 5 | Do you let the consumer update/remove this data? If yes, what is the mechanism used and the turnaround time? | No – 0; Yes, need to provide written paper requests – 2; Yes, need to provide written online requests – 3; Yes, immediately online, anytime, free of charge – 5 | 8 | 40 |
| 6 | Data Privacy Score – Category 5 | Do you have a defined retention period for this data once the customer is no longer in business with you? (yes/no) | No – 0; Yes, three plus years – 3; Yes, less than three years – 4; Yes, six months or less – 5 | 5 | 25 |

7.6.6 Category 6 - External transactional data of people/prospects

This category represents the actions of prospects made available to the organization via external sources. Prospects are any entities the organization has data on but that do not have a current account with the organization. Examples of this data category:

Facebook ‘like’s
Events joined on Facebook
GPS travel history
Phone call records metadata

Same questions as in Category 5, externally obtained basic data.

7.6.7 Category 7 - External analytics information

There is a proliferation in the IT industry of tools and algorithms that analyse social media data to derive conclusions, and a lot of research is happening in this area. This data category represents the derived data outputs (aka analytics outputs) bought by the organization from external sources. The accuracy of the inferences is owned by the external entity performing the analytics on data obtained from external sources. Same questions as in Category 5, externally obtained basic data.

7.6.8 Category 8 - Internal analytics information

This data category represents all analytics/derived information, i.e. the outputs of data warehouses and data analytics programs, any information generated in the organization that could be linked to customer records, and information that can be used to segment and classify information, market to customers, etc. These analytics could be performed on a mix of internal data and externally obtained data like social media data, location data, etc. Same questions as in Category 2 (customer transactional data).

7.6.9 Category 9 - Non-customer data

This data category represents specific entities that cannot be linked to a customer or prospect in any meaningful way, i.e. data that cannot be statically or dynamically assigned to customer records at any point in time. Examples: data about a new building the organization is constructing; heating and cooling information for the organization’s data centres; shipment of inventory from one location to another and its details.


| No | Type | Question | Choices & Points | Importance of question | Maximum points for question |
|---|---|---|---|---|---|
| 1 | Data Privacy Score – Category 9 | Provide some representative examples of data considered as non-customer data. | Free form | N/A | N/A |

This type of data is documented for transparency about what data the organization has assumed, in this section, to not belong to customers. Industry standard models can be used to bring in some boundaries here.

8 ‘Special Domains Privacy Scores’ Section

This area scores specific areas of specialised significance, technology or approach used by organizations that have considerable impact on people’s privacy. Some of these domains may be relevant to a given organization and some may not. Some important domains:

1. Big Data
2. Cloud
3. Location Based Services
4. CCTV
5. IoT (M2M)
6. Employee Data (an important aspect of organizational privacy, but a specialised field due to contractual and work relations)

These domains vary over time. For example, location based services and the privacy around them were not a significant issue ten years ago, but it is a totally different situation now. So these are specialised scores specific to such domains. Another example: RFID privacy may be important for a retail chain but not relevant for a software organization. For a retail chain, CCTV data may be very important from a privacy aspect but IoT may not be; for a network gear manufacturer it could be the other way around. So we let organizations choose from the superset of domains identified in this section. However, all the questions, answers, choices and scores for them should be standard. All the answers are expected to be available for verification if necessary (see the verification section for details) in case a conflict arises. It is also understood that the data mentioned here is a subset of the data mentioned in the data domain section. This is acceptable, as we are scoring the technology domain here, not the data itself. This eventually helps organizations focus on their practices in a few specific areas if their score is found to be below the industry average in that domain.

While adopting this, quite possibly different portions of an organization would have to score separately and then average out an organizational score.

9 Overall ‘Organizational Privacy Score’ calculation

The overall organizational privacy score is calculated simply by adding the weighted points (points obtained for the answer × importance number of the question) obtained for all questions.

Based on need and industry interest, questionnaires for such domains can be developed on an as-needed basis.

Organizations considering adopting this 'organizational privacy score' concept are advised to focus on the Basic Privacy Score and the Data Privacy Score, and to summarise those into an Organizational Privacy Score for now.


It is very usual for different parts of large organizations to treat the same data differently. There will also be multiple copies of the same data, treated differently in multiple systems, which could lead to contradicting scores from different parts of the organization. These can only be overcome by taking averages. However, scoring per application becomes a very complex and time-consuming task, as it would soon become a permanent part of the organization and of the data governance program, if one exists. Under that approach each data store maintains a privacy score, and the organizational average averages out the final results. This could be nice, but it may also be overdoing it. The optimal way would be to create scores by major business unit or for the entire organization. Alternatively, an organization can initially do it on a general basis with the participation of centralised IT teams and derive a score with a ‘best guess’ approach, and later do it at more micro levels to identify privacy issues and resolve them. Many industries, like healthcare, have strict privacy requirements; this survey is not intended to consider those aspects with special weight.

With the points and importance given in the questions above, an organization can get a maximum of 2245 points. This is calculated by simply adding the maximum points for all questions in the Basic Privacy and Data Privacy sections: the Basic Privacy Score sections get a maximum of 370 points and the Data Privacy sections get 1875 points. The totals have to accommodate changes in questions, points and importance, questions for specific domain sections, etc., so these numbers are normalized to a 0.0 to 10.0 scale for consistency.

This can be put into different grades, as is done in credit scores for individuals and organizations, and conclusions can be derived if required. But the points remain constant. The major difference is that the score for each section and area is visible, and actions can be taken to improve a specific area.
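The weighted-sum calculation above, applied to the questionnaires in Section 7.6, as an added Python example (not the whitepaper's survey sheet). It encodes the Category 1, 2, 3 and 5 question sets from the tables and reuses them for Categories 4, 6, 7 and 8 as the text prescribes; the question ids, the shortened choice labels and the `BASIC_PRIVACY_MAX` constant are this example's own shorthand, and the Basic Privacy questions themselves are not reproduced because they belong to an earlier section. The sample answers are constructed, not a real organization's responses.

```python
"""Organizational Privacy Score calculator (added example; not the paper's
survey sheet). Weighted points = choice points * question importance, summed
over all questions (Section 9), then normalized to the 0.0-10.0 scale."""
from statistics import mean

# Choice sets and their points, as printed in the Section 7.6 tables.
YES_NO = {"yes": 5, "no": 0}    # "Yes" is the privacy-friendly answer
NO_YES = {"no": 5, "yes": 0}    # "No" is the privacy-friendly answer
# Mechanisms for letting the consumer see or update/remove data. The top
# choice covers both "immediately after collection" and "immediately online".
ACCESS = {"no": 0, "written paper request": 2, "written online request": 3,
          "immediate, free of charge": 5}
RETENTION = {"no": 0, "three plus years": 3, "less than three years": 4,
             "six months or less": 5}

# Question catalogue: id -> (short text, choices, importance 1-10). The ids
# are this example's shorthand; the importance values come from the tables,
# and a question carries the same importance in every category that asks it.
QUESTIONS = {
    "purpose":   ("Explain the purpose of collection?", YES_NO, 5),
    "aware":     ("Let the person know this data exists?", YES_NO, 10),
    "examples":  ("Provide examples of such data?", YES_NO, 5),
    "sell":      ("Sell this data to other legal entities?", NO_YES, 10),
    "resell":    ("Resell this data to other legal entities?", NO_YES, 10),
    "rent":      ("Rent this data to other legal entities?", NO_YES, 8),
    "see":       ("Let the consumer see this data?", ACCESS, 5),
    "update":    ("Let the consumer update/remove this data?", ACCESS, 8),
    "retention": ("Defined retention period after the relationship ends?", RETENTION, 5),
}

# Question ids each category asks, in table order. Categories 4, 6, 7 and 8
# reuse the Category 2, 5, 5 and 2 question sets, as Section 7.6 states.
CAT1 = ["purpose", "sell", "rent", "see", "update", "retention"]
CAT2 = ["aware", "examples", "purpose", "sell", "rent", "see", "update", "retention"]
CAT3 = ["sell", "rent", "see", "retention"]
CAT5 = ["aware", "resell", "rent", "see", "update", "retention"]
CATEGORIES = {1: CAT1, 2: CAT2, 3: CAT3, 4: CAT2, 5: CAT5, 6: CAT5, 7: CAT5, 8: CAT2}

# Stated in Section 9; the Basic Privacy questions live in an earlier section.
BASIC_PRIVACY_MAX = 370


def max_points(category: int) -> int:
    """Maximum weighted points for one category: 5 points * importance per question."""
    return sum(5 * QUESTIONS[q][2] for q in CATEGORIES[category])


def data_privacy_max() -> int:
    """Maximum over the eight scored data categories (Category 9 is free-form)."""
    return sum(max_points(c) for c in CATEGORIES)


def score_category(category: int, answers: dict) -> int:
    """Weighted points for one category. Unanswered questions and unknown
    choices are rejected rather than silently scored, so a half-filled survey
    cannot produce a misleadingly high or low total."""
    total = 0
    for q in CATEGORIES[category]:
        _, choices, importance = QUESTIONS[q]
        if q not in answers:
            raise ValueError(f"category {category}: question '{q}' not answered")
        if answers[q] not in choices:
            raise ValueError(f"category {category}: '{answers[q]}' is not a choice for '{q}'")
        total += choices[answers[q]] * importance
    return total


def data_privacy_score(answers_by_category: dict) -> int:
    """Sum of weighted points across every scored category; all eight are required."""
    missing = [c for c in CATEGORIES if c not in answers_by_category]
    if missing:
        raise ValueError(f"no answers for categories {missing}")
    return sum(score_category(c, answers_by_category[c]) for c in CATEGORIES)


def normalize(points: int, maximum: int) -> float:
    """Map weighted points onto the paper's 0.0-10.0 scale, one decimal."""
    return round(10.0 * points / maximum, 1)


def organizational_score(unit_scores: list) -> float:
    """Average of normalized scores surveyed separately per business unit."""
    return mean(unit_scores)


if __name__ == "__main__":
    # Constructed Category 1 answers, not a real organization's responses.
    cat1 = {"purpose": "yes", "sell": "no", "rent": "yes",
            "see": "written online request", "update": "written paper request",
            "retention": "less than three years"}
    pts = score_category(1, cat1)
    print(f"Category 1: {pts}/{max_points(1)} -> {normalize(pts, max_points(1))}/10")
    print(f"Data Privacy maximum {data_privacy_max()}, overall {BASIC_PRIVACY_MAX + data_privacy_max()}")
```

Running the block reproduces the 1875-point Data Privacy maximum and the 2245-point overall maximum stated above. Rejecting unanswered questions and unknown choices instead of scoring them 0 keeps a partially completed survey from silently changing a published score; the per-unit averaging is the approach the text recommends for large organizations with several business units.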


10 Survey Sheet

This provides a simple Excel sheet in a survey format that automatically calculates the organizational privacy score using the questions and calculation described above. If surveys are done in multiple parts of the organization, they need to be completed separately and averaged out manually.

11 Verification of privacy scores and the role of third parties

The major tool in verification is transparency. Any organization publishing an organizational privacy score using this method is expected to make the entire set of questions and answers available along with the score. External agencies can cross-check this if need be. External organizations or individuals can also facilitate this scoring if specific organizations do not have enough understanding to do the scoring themselves. Currently, the verification is on an honour system. External agencies would be needed if audits of these scores are required. External, neutral agencies can also consolidate these scores from organizations in an anonymous fashion and then publish comparison reports by industry, country, continent, etc.

12 Privacy Dashboard – Some Sample Views

12.1 Detailed View - Numerical

Column groups: Basic Privacy Score; Data Privacy Score (Category 1 to Category 8 data); Special Domains Privacy Scores (Big Data, Cloud, Location Based Services, CCTV, IoT/M2M, Employee Privacy).

| | Basic Privacy Score | Category 1 data | Category 2 data | Category 3 data | Category 4 data | Category 5 data | Category 6 data | Category 7 data | Category 8 data | Big Data | Cloud | Location Based Services | CCTV | IoT/M2M | Employee Privacy |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Organization Score | 5 | 6 | 5 | 4 | 5 | 2 | 6 | 5 | 5 | 3 | 8 | 5 | 4 | 2 | 6 |
| Country Average | 3 | 5 | 4 | 6 | 8 | 5 | 8 | 6 | 6 | 2 | 3 | 2 | 5 | 3 | 6 |
| Industry Average | 4 | 5 | 3 | 7 | 6 | 4 | 5 | 4 | 4 | 2 | 6 | 2 | 6 | 5 | 6 |
| Global Average | 3 | 4 | 4 | 7 | 7 | 4 | 3 | 3 | 3 | 3 | 5 | 2 | 6 | 6 | 5 |
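The weak-area comparison this dashboard is meant to support, as an added Python example (not part of the whitepaper or its survey sheet). It takes the four rows of the sample view above, with the sample figures exactly as printed there, parses them into named areas and lists where the organization scores below a chosen benchmark; the area labels, the `weak_areas` and `below_all_benchmarks` helpers and the row-length check are this example's own.

```python
"""Weak-area detection over the Section 12.1 dashboard (added example; not
part of the whitepaper or its survey sheet). Parses the dashboard rows and
reports the areas where the organization trails a benchmark."""

# Column labels in the order the dashboard prints its values: the Basic
# Privacy Score, the eight scored data categories, then the special domains.
AREAS = (
    ["Basic Privacy Score"]
    + [f"Category {n} data" for n in range(1, 9)]
    + ["Big Data", "Cloud", "Location Based Services", "CCTV", "IoT/M2M",
       "Employee Privacy"]
)

# The four rows of the sample view, copied as printed (sample figures only).
DASHBOARD_ROWS = """\
Organization Score 5 6 5 4 5 2 6 5 5 3 8 5 4 2 6
Country Average 3 5 4 6 8 5 8 6 6 2 3 2 5 3 6
Industry Average 4 5 3 7 6 4 5 4 4 2 6 2 6 5 6
Global Average 3 4 4 7 7 4 3 3 3 3 5 2 6 6 5
"""


def parse_rows(text: str) -> dict:
    """Map each row label to {area: score}. A row whose value count does not
    match the column count is rejected, so a truncated or merged table cannot
    silently shift scores into the wrong columns."""
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        label = " ".join(p for p in parts if not p.isdigit())
        values = [int(p) for p in parts if p.isdigit()]
        if len(values) != len(AREAS):
            raise ValueError(f"row '{label}': {len(values)} values, expected {len(AREAS)}")
        rows[label] = dict(zip(AREAS, values))
    return rows


def weak_areas(rows: dict, benchmark: str = "Industry Average",
               org: str = "Organization Score") -> list:
    """(area, gap) pairs where the organization scores below the benchmark,
    largest shortfall first; ties keep dashboard order."""
    gaps = [(area, rows[org][area] - rows[benchmark][area]) for area in AREAS]
    return sorted((g for g in gaps if g[1] < 0), key=lambda g: g[1])


def below_all_benchmarks(rows: dict, org: str = "Organization Score") -> list:
    """Areas where the organization trails every benchmark row at once: the
    candidates for the focused improvement Section 8 describes."""
    benchmarks = [label for label in rows if label != org]
    return [area for area in AREAS
            if all(rows[org][area] < rows[b][area] for b in benchmarks)]


if __name__ == "__main__":
    rows = parse_rows(DASHBOARD_ROWS)
    for area, gap in weak_areas(rows):
        print(f"{area:<25} {gap:+d} vs industry average")
    print("Below every benchmark:", ", ".join(below_all_benchmarks(rows)))
```

On the sample figures the organization trails the industry average in Category 3, IoT/M2M, Category 5, CCTV and Category 4 data, and those same five areas sit below the country and global averages too, which is the kind of short list the text expects an organization to act on.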


12.2 Summary View - Numerical

Many graphical views like charts, competitor comparison diagrams, etc. can be developed from the above type of base data as required by the audience.

13 APPENDIX

Federal Trade Commission, USA: Protecting Consumer Privacy Online. http://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-bureau-consumer-protection-preliminary-ftc-staff-report-protecting-consumer/101201privacyreport.pdf

US Commerce Department: Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework. http://www.ntia.doc.gov/files/ntia/publications/iptf_privacy_greenpaper_12162010.pdf

Carnegie Mellon study on the hours needed to read privacy policies. http://www.aleecia.com/authors-drafts/readingPolicyCost-AV.pdf

Stanford Encyclopedia of Philosophy, entry on privacy. http://plato.stanford.edu/entries/privacy/

Book: Privacy and Big Data (a very comprehensive study of privacy today). http://www.amazon.com/Privacy-Big-Data-Terence-Craig/dp/1449305008/ref=sr_1_2?ie=UTF8&qid=1391102330&sr=8-2&keywords=privacy+and+big+data

GAPP (Generally Accepted Privacy Principles) by North American CPAs. http://www.aicpa.org/INTERESTAREAS/INFORMATIONTECHNOLOGY/RESOURCES/PRIVACY/GENERALLYACCEPTEDPRIVACYPRINCIPLES/Pages/default.aspx

Dow Jones Sustainability Index questionnaire (section 1.7 is for privacy). http://www.robecosam.com/images/sample-questionnaire.pdf