ENTERPRISE RISK SERVICES Privacy Australian & New Zealand University Internal Audit (ANZUIAG) Conference September 2002 ©2002 by Deloitte Touche Tohmatsu All Rights Reserved No part of this presentation may be reproduced without the express permission of Deloitte Touche Tohmatsu.


Page 1: Title slide (as above)

Page 2: Presentation Highlights

• Legislative Framework
• Privacy Overview
• Nature of University Data
• Compliance Drivers
• Challenges/Issues
• Data Privacy Case Study
• Relationship with IT Security
• Privacy Methodology
• Best Practices
• Privacy Compliance Areas
• CPO Duties
• Role of Internal Audit
• Conclusions

Page 3: Privacy – It Does Not Get Any More Personal Than This

[Diagram: the following items arranged against a "Comfort Zone" marker]
• Favorite restaurant
• Birthdate
• Political beliefs
• Annual salary
• Sexual orientation
• Medical history

Page 4: Privacy Legislative Framework

Commonwealth
• Privacy Act 1988
• Privacy (Private Sector) Amendment Act 2000

NSW
• Privacy and Personal Information Protection Act 1998

Victoria
• Information Privacy Act 2000

Tasmania
• IPPs

WA and SA
• Commonwealth law

ACT
• Health Records (Privacy and Access) Act 1997

Qld
• Information Standard 42 (2002) plus Commonwealth law

NZ
• Privacy Act 1993

Page 5: Privacy Overview

WHAT?
• Is received? Where from?
• How is it collected? What format?
• What consents?

WHERE?
• Is it stored?
• Who can access it?
• How long do you keep it?
• Do you dispose of it?

HOW?
• Do you use it?
• What is the main purpose?

WHO?
• Do you share it with?
• Do you disclose it to?

Page 6: Compliance Drivers

[Diagram: "Issues Driving Compliance"]

Customer Sensitivity & Brand Image
– Increased customer sensitivity over privacy
– A high level of customer trust protects your brand name

Competitive Edge
– Meeting necessary regulatory requirements vs. being a leader in the privacy arena
– The adverse consequences of a lapse in privacy compliance

Misconceptions
– The requirements don't apply to us since we don't sell or otherwise share information
– The requirements only affect internet communications

Regulation
– The new privacy requirements – Privacy Act
– State requirements may also apply

Regulatory Scrutiny
– Known brands and deep pockets are big targets

International Regulation
– Global firms need a global approach to deal with overlapping, emerging and diverse international requirements

Page 7: Potential Issues

• How do privacy, information security and risk inter-relate?
• Do privacy policies and disclosures accurately reflect actual practices, procedures and controls?
• Have the various requirements been identified? By jurisdiction? By legislation? By line-of-business?
• How does the de-centralised organisation affect security and privacy?
• How do the privacy requirements affect the organisation's "one-to-one" marketing or student relationship management initiatives?
• Is there a plan to ensure that student-facing employees are adequately trained to address student needs?
• Linkage to other documents – code of conduct, administration manuals

Page 8: Key Pressure Points/Challenges

• Are hampered by legacy systems
• Confused by distinctions between security and privacy
• Lack understanding about their technology & systems
• Are focused on "policies"

• Written procedures often fail to accurately reflect actual practices.
• Information may be stored incorrectly.
• Web sites are able to record and track individual identity and associated activities on the Internet.
• Current technology infrastructure may be unable to incorporate policies and controls to comply with notice, choice and security requirements.
• Business and legal departments may be unfamiliar with the capabilities of their enterprise technology and its implementation.

Page 9: Issues & Observations

• Most large firms take a "customer no-action" position that... "they do not share information with other organisations who may want to sell their products or services to you".
• Many organisations have begun to circulate their privacy notices and plans.
• There is a risk that many firms have a "procedural or internal control gap" between privacy policies/disclosures and actual procedures/controls.
• The CPO role – while not uniformly established – is gaining traction, and there are forums and special interest groups emerging.
• Regulators and litigants will become increasingly focused on privacy and the controls (information security and data management) facilitating privacy.

Page 10: Nature of University Data

Universities hold personal information:
• Statistical data – address, age
• Academic records
• Tax File Numbers
• Personal matters – medical, financial, TFNs
• Online surveys
• Alumni, donors
• Personnel data
• CCTV

Page 11: Data Privacy Case Study

• A suburban insurance agent for an international insurer devised an Access database with client asset data.
• He sold client data and received on-going commission from his brother-in-law (a commission mortgage manager with a mortgage financier).
• The brother-in-law passed on client information to his friend at a debt collection agency.

Let's break this down.

Page 12: Data Privacy Case Study

A suburban insurance agent for an international insurer developed an Access database with client asset data –
• Customer consent obtained?
• Opt-out explained?
• Was it collected for the stated purpose?
• Is it reasonable?

Page 13: Data Privacy Case Study

He sold client data and received on-going commission from his brother-in-law (a commission mortgage manager with a mortgage financier) –
• An unreasonable act.
• Was it collected for the stated purpose?

Page 14: Data Privacy Case Study

The brother-in-law passed on client information to his friend at a debt collection agency –
• An unreasonable act, and not allowed.

Page 15: Data Privacy Case Study

Issues
• An unreasonable act.
• Was it collected for the stated purpose?

List or database sale issues –
• Have all customers consented, and is there an opt-out clause?
• Sight evidence that the list owner has notified all on the list.
• Is it accurate?
• If all are notified, do a random check for accuracy; it is good business practice.

Page 16: Is Privacy the Same as IT Security?

• An enterprise may have world-class security and no privacy.

• Without IT Security, it is impossible to have acceptable privacy.

• So, IT Security is a building block of a “privacy compliant” organisation.

Page 17: Information Life Cycle

[Diagram: Data Acquisition, Data Usage, Data Storage, Data Distribution/Sharing, Data Destruction, and Data Security]

Mapping the information life-cycle is a requirement.

Page 18: Privacy Methodology

[Diagram: Privacy Compliance Assessment → Plan Design → Program Design/Build → Awareness]

Page 19: Best Practices

Organisation
• Board-sponsored privacy team
• Privacy program management office (PMO)

Assessment
• Defining the types of personal information gathered, stored, and processed
• Documenting where and how the information is stored
• Identifying responsibility for the information (corporate, agent, third party)
• Assess existing policies and practices against privacy requirements
• Determine any international use or exchange of personal information
• Develop / document areas where changes are required to comply with regulations

Page 20: Best Practices (continued)

Design
• Proposed organisation and reporting structures
• Framework for identifying and documenting the various privacy components
• Resources required (personnel, skills, technology, financial, space)
• Timelines, activities and deliverables

Implementation
• Client-facing behaviours; organisational policies, procedures and processes; rights and obligations; and data classification policies and procedures
• Advertising and solicitations; rights and obligations; and vendor and third party agreements

Page 21: Privacy Compliance Risk Areas

[Diagram: risk areas labelled A–L mapped across the information flows of a Corporate Entity and a Related Entity. Elements shown: Corporate Databases / Application Systems (Student mgmt, E-Business, Alumni), Network Infrastructure, Manual Processes / Physical Records, E-Business Consent Process, Personal Information, Access to Information, Privacy Disclosure, and Privacy Legislation]

Page 22: Duties of the Chief Privacy Officer

• Organise and coordinate the Privacy Task Force or Committee
• Commission or conduct a privacy risk assessment
• Track the privacy environment and provide reports
• Monitor the privacy law and regulations environment
• Support employee privacy training
• Interact with student groups and regulators
• Provide a contact point for students/staff
• Manage privacy dispute resolution
• Speak for the University and prepare executives for legislative testimony
• Conduct regular / annual privacy audits
• Report to top management

Page 23: Role of IA

• Determine that a sufficient privacy task force has been established.
• Determine that sufficient privacy policies and related operational privacy procedures and practices exist.
• Assess the privacy training and awareness program.
• Ensure that an effective privacy compliance and monitoring program has been established.

Page 24: Conclusions

• Privacy is now a major concern, in the online and offline worlds, domestically and globally.
• Loss of reputation and credibility are major privacy risks, but privacy issues hit the bottom line too: e.g. cost of change and lawsuits.
• Privacy violations may be unintentional, accidental or unforeseen… the press and the public will not care.
• Personalisation through profiling is a key strategy for gaining and retaining students – both online and offline.
• Privacy is not the same as security.
• Privacy compliance officers
• Privacy audits

Page 25: Contact Details

Carl Gerrard – phone: 07 3308 7046 email: [email protected]

Cathy Blunt – phone: 07 3308 7041 email: [email protected]