ENTERPRISE RISK SERVICES
Privacy
Australian & New Zealand University Internal Audit (ANZUIAG) Conference, September 2002
©2002 by Deloitte Touche Tohmatsu. All Rights Reserved. No part of this presentation may be reproduced without the express permission of Deloitte Touche Tohmatsu.
Presentation Highlights
• Legislative Framework
• Privacy Overview
• Nature of University Data
• Compliance Drivers
• Challenges/Issues
• Data Privacy Case Study
• Relationship with IT Security
• Privacy Methodology
• Best Practices
• Privacy Compliance Areas
• CPO Duties
• Role of Internal Audit
• Conclusions
Privacy – It Does Not Get Any More Personal Than This
[Diagram: examples of personal information positioned against an individual's "Comfort Zone"]
• Favorite restaurant
• Birthdate
• Political beliefs
• Annual salary
• Sexual orientation
• Medical history
Privacy Legislative Framework
• Commonwealth: Privacy Act 1988; Privacy (Private Sector) Amendment Act 2000
• NSW: Privacy and Personal Protection Act 1998
• Victoria: Information Privacy Act 2000
• Tasmania: IPPs
• WA and SA: Commonwealth law
• ACT: Health Record (Access and Privacy) Act 1997
• Qld: Information Standard 42 (2002) plus Commonwealth law
• NZ: Privacy Act 1993
Privacy Overview
WHERE?
• Is it stored?
• Who can access it?
• How long do you keep it?
• Do you dispose of it?
HOW?
• Do you use it?
• What is the main purpose?
WHO?
• Do you share it with?
• Do you disclose it to?
WHAT?
• Is received?
• Where from?
• How is it collected?
• What format?
• What consents?
Compliance Drivers – Issues Driving Compliance
Customer Sensitivity & Brand Image
– Increased customer sensitivity over privacy
– A high level of customer trust protects your brand name
Competitive Edge
– Meeting necessary regulatory requirements vs. being a leader in the privacy arena
– The adverse consequences of a lapse in privacy compliance
Misconceptions
– "The requirements don't apply to us since we don't sell or otherwise share information"
– "The requirements only affect internet communications"
Regulation
– The new privacy requirements – Privacy Act
– State requirements may also apply
Regulatory Scrutiny
– Known brands and deep pockets are big targets
International Regulation
– Global firms need a global approach to deal with overlapping, emerging and diverse international requirements
Potential Issues
• How do privacy, information security and risk inter-relate?
• Do privacy policies and disclosures accurately reflect actual practices, procedures and controls?
• Have the various requirements been identified? By jurisdiction? By legislation? By line-of-business?
• How does the de-centralised organisation affect security and privacy?
• How do the privacy requirements affect the organisation's "one-to-one" marketing or student relationship management initiatives?
• Is there a plan to ensure that student-facing employees are adequately trained to address student needs?
• Linkage to other documents – code of conduct, administration manuals
Key Pressure Points/Challenges
• Hampered by legacy systems
• Confused by distinctions between security and privacy
• Lacking understanding about their technology & systems
• Focused on "policies"
• Written procedures often fail to accurately reflect actual practices.
• Information may be stored incorrectly.
• Web sites are able to record and track individual identity and associated activities on the Internet.
• Current technology infrastructure may be unable to incorporate policies and controls to comply with notice, choice and security requirements.
• Business and legal departments may be unfamiliar with the capabilities of their enterprise technology and its implementation.
Issues & Observations
• Most large firms take a "customer no-action" position that "they do not share information with other organisations who may want to sell their products or services to you".
• Many organisations have begun to circulate their privacy notices and plans.
• There is a risk that many firms have a "procedural or internal control gap" between privacy policies/disclosures and actual procedures/controls.
• The CPO role – while not uniformly established – is gaining traction, and there are forums and special interest groups emerging.
• Regulators and litigants will become increasingly focused on privacy and the controls (information security and data management) facilitating privacy.
Nature of University Data
• Hold personal information
• Statistical data – address, age
• Academic records
• Tax File Numbers
• Personal matters – medical, financial, TFNs
• Online surveys
• Alumni, Donors
• Personnel Data
• CCTV
Data Privacy Case Study
• A suburban insurance agent for an international insurer devised an Access database with client asset data.
• He sold client data and received on-going commission from his brother-in-law (a commission mortgage manager with a mortgage financier).
• The brother-in-law passed on client information to his friend at a debt collection agency.
LET'S BREAK THIS DOWN
Data Privacy Case Study
A suburban insurance agent for an international insurer developed an Access database with client asset data –
• Customer consent obtained?
• Opt-out explained?
• Was it collected for the stated purpose?
• Is it reasonable?
Data Privacy Case Study
He sold client data and received on-going commission from his brother-in-law (a commission mortgage manager with a mortgage financier).
• An unreasonable act.
• Was it collected for the stated purpose?
Data Privacy Case Study
The brother-in-law passed on client information to his friend at a debt collecting agency.
• An unreasonable act, and not allowed.
Data Privacy Case Study
List or database sale issues –
• Have all customers consented, and is there an opt-out clause?
• Sight evidence that the list owner has notified all on the list.
• Is it accurate?
• If all are notified, do a random check for accuracy; it's good business practice.
Issues
• An unreasonable act.
• Was it collected for the stated purpose?
Is Privacy the Same as IT Security?
• An enterprise may have world-class security and no privacy.
• Without IT Security, it is impossible to have acceptable privacy.
• So, IT Security is a building block of a “privacy compliant” organisation.
Information Life Cycle
[Diagram – life-cycle stages: Data Acquisition, Data Usage, Data Storage, Data Distribution/Sharing, Data Destruction; together with Data Security]
Mapping the information life-cycle is a requirement.
Privacy Methodology
[Diagram – phases: Privacy Compliance Assessment; Plan Design; Program Design/Build; Awareness]
Best Practices
Organisation
• Board-sponsored privacy team
• Privacy program management office (PMO)
Assessment
• Defining the types of personal information gathered, stored, and processed
• Documenting where and how the information is stored
• Identifying responsibility for the information (corporate, agent, third party)
• Assess existing policies and practices against privacy requirements
• Determine any international use or exchange of personal information
• Develop / document areas where changes are required to comply with regulations
Best Practices
Design
• Proposed organisation and reporting structures
• Framework for identifying and documenting the various privacy components
• Resources required (personnel, skills, technology, financial, space)
• Timelines, activities and deliverables
Implementation
• Client-Facing Behaviors
• Organisational Policies, Procedures and Processes
• Rights and Obligations
• Data Classification Policies and Procedures
• Advertising and Solicitations
• Vendor and Third Party Agreements
Privacy Compliance Risk Areas
[Diagram – risk areas (labelled A to L) across the Corporate Entity and a Related Entity: Corporate Databases; Application Systems (Student management, Alumni); E-Business; Network Infrastructure; Manual Processes; Physical Records; Consent Process; Personal Information; Access to Information; Privacy Disclosure; Privacy Legislation]
Duties of the Chief Privacy Officer
• Organise and coordinate Privacy Task Force or Committee
• Commission or conduct privacy risk assessment
• Track privacy environment and provide reports
• Monitor privacy law and regulations environment
• Support employee privacy training
• Interact with student groups and regulators
• Provide contact point for students/staff
• Manage privacy dispute resolution
• Speak for the University and prepare executives for legislative testimony
• Conduct regular / annual privacy audits
• Report to top management
Role of Internal Audit (IA)
• Determine that a sufficient privacy task force has been established.
• Determine that sufficient privacy policies and related operational privacy procedures and practices exist.
• Assess the privacy training and awareness program.
• Ensure that an effective privacy compliance and monitoring program has been established.
Conclusions
• Privacy is now a major concern, in the online and offline worlds, domestically and globally.
• Loss of reputation and credibility are major privacy risks, but privacy issues hit the bottom line, too: e.g. cost of change and lawsuits.
• Privacy violations may be unintentional, accidental or unforeseen… the press and the public will not care.
• Personalisation through profiling is a key strategy for gaining and retaining students – both online and offline.
• Privacy is not the same as security.
• Privacy compliance officers
• Privacy audits
Contact Details
Carl Gerrard – phone: 07 3308 7046 email: [email protected]
Cathy Blunt – phone: 07 3308 7041 email: [email protected]