Managing Privacy Incidents (HK & Macao)
Compliance, Hong Kong 2016 February
strong reliable trustworthy forward-thinking
Training Content
1. Privacy Policy Framework
2. Hong Kong and Macau Procedures
3. What is a Privacy Incident?
4. Why is it important?
5. How to handle Privacy Incidents
6. Who to report / Contact?
1. Privacy Policy Framework
• MFC Code of Business Conduct & Ethics: everyone’s obligation to protect personal and confidential information
• Statement of Corporate Privacy Principles
• Global/Local Privacy Risk Management Policy
• Other Related Policies: Information Security Policy, Records Management Policy, Outsourcing Policy, Email Management Guidance
2. Hong Kong (including Macau) Procedures
Relevant Procedures:
• Privacy Risk Management Program – Procedures for Hong Kong Operations
• Procedures for Privacy Incident Response – Hong Kong Operations
3. What is a Privacy Incident?
Definition: A privacy incident is a circumstance or event that has resulted, or may result, in actual or possible unauthorized access to, or collection, use or disclosure of, personal information. The risk of a privacy incident is that it may compromise the security, confidentiality, or integrity of an individual’s personal information, and may also create potential reputation risk for Manulife.
Examples:
• Records improperly disposed of (unlocked recycle bin) or destroyed (not shredded) and accessible by the public.
• Misdirected communications (e.g. mail, fax, email sent to the wrong recipient).
• Leakage of customer data.
• Insider fraud.
• Loss or theft of a laptop, portable media (e.g. thumb drive), documents or other written materials containing company and customer information.
• Inappropriate use of or access to customer personal information by an employee, a financial advisor or a service provider acting on behalf of the Company.
4. Why is it important?
Possible Consequences of Privacy Incidents:
• Tarnish Manulife’s reputation.
• Lead to credit problems and other damaging outcomes for Manulife customers and employees, our valued stakeholders.
• Damage relationships with our partners.
• Erode the trust of regulators.
• Negatively impact sales, earnings and Manulife’s stock price.
• Violate the law.
5. How to handle Privacy Incidents
Escalation Pyramid (risk based), per the Global Privacy Risk Management Policy (diagram, not to scale)
Incident reported by: Business Unit, Customer, or Outside Party.
Escalation points shown on the pyramid:
• Business Unit Privacy Officer (BUPO) & BUPO Supporting Staff
• Hong Kong Privacy Officer
• Divisional Privacy Officer
• Senior Management
• Global Privacy Officer
• CEO, HK
Risk levels on the pyramid: Low; Medium; High/Medium (Material Breach).
Rapid Response Team (comprises the BUPO from each BU): BUPO (Leader), Compliance, Legal, HR, IT, Other affected Business Units, Corporate Communications, Customer Service.
RISK ASSESSMENT
• Low Risk – the likelihood of adverse exposure to the customer and/or Company is minimal.
• Medium Risk – there is the potential for a number of customers to be impacted.
• High Risk – many customers may be affected by unauthorized access to their non-public personal information.
Business Unit Workflow
1. Privacy Issue Identified. Examples are:
• Records improperly disposed of or destroyed and accessible by the public.
• Loss/theft of a laptop or documents containing customer information.
• Etc.
2. Staff reports to the BU Privacy Officer (BUPO) & BUPO Support Staff.
3. BUPO decides if more investigation/info is required. If yes: investigate, collect & document facts.
4. Risk assessment and classification:
• Low Risk, Medium Risk or High Risk
• Compliance Issue, and/or Compliance Requirement
5. Escalate? If yes, inform: HKPO, Rapid Response Team, Senior Management.
6. Response: develop and execute action plan(s). BUPO (& staff) follow up with internal contacts as required to close the issue. BUPO decides if changes to controls/procedure are required; if yes, BUPO (& staff) coordinate, implement and validate the new controls/procedure.
7. Record Keeping: BUPO decides if the issue needs to be logged; if yes, internal record keeping using the Compliance Database System.
8. Reporting and Monitoring.
How Do You Escalate? (Global Privacy Risk Management Policy – Privacy Incident)
1. Privacy Issue Identified. Examples are:
• Records improperly disposed of or destroyed and accessible by the public.
• Loss/theft of a laptop or documents containing customer information.
• Etc.
2. STAFF reports to the BU Privacy Officer (BUPO) & BUPO Support Staff.
3. BUPO decides if more investigation/info is required. If yes: investigate, collect & document facts.
4. BUPO & supporting staff follow up with internal contacts as required to close the issue.
6. Who to Report / Contact?
If you become aware of a privacy incident, please report it immediately to one of the following personnel:
• Chief Compliance Officer (CCO)
• Hong Kong Privacy Officer (HKPO)
• Business Unit Privacy Officer (BUPO) = Business Unit Compliance Officer (BUCO)
• BUPO Supporting Staff (who will report the incident to the BUPO)
6. Who to Report / Contact?
If you have any questions about the Privacy Policy & Statement, and our Local Privacy Risk Management Procedures, or if you have a privacy concern, please do not hesitate to contact:
• BUPO = Business Unit Compliance Officer
• HKPO = HK Privacy Officer
• Chief Compliance Officer
Employee Responsibilities
It is our responsibility to protect information/data and other details about customers and about our fellow colleagues. Protecting this information/data begins with YOU!
Thank you