INED Workshop on Data Protection and Data Privacy. Peter Koo National Leader of Security Privacy and Resilience Deloitte Touche Tohmatsu 31 January 2013


Page 1: INED Workshop on Data Protection and Data Privacydeloitte-china.com/ined/ws4/en/130205_ined_peter_koo_en.pdf · INED Workshop on Data Protection and Data ... Consent • Data user

©2010 Deloitte Touche Tohmatsu Limited. All rights reserved.

INED Workshop on Data Protection and Data Privacy
Peter Koo, National Leader of Security, Privacy and Resilience, Deloitte Touche Tohmatsu

31 January 2013

Page 2

Agenda

• Recent Privacy and Data Loss Incidents

• Some Common Traps in Data Privacy

• How would you protect your business from data leakage?

• How does the Law Protect/Monitor Personal Data Privacy?

• Data Privacy Protection Methodology

• Final Thoughts

• Q&A


Page 3

Hypatia’s Galaxy 2012 Research

“Deloitte, like many of the consultancies we assessed, is agnostic in working with software vendors, but differentiates itself by tightly integrating its proprietary Risk Intelligence methodology framework with various GRC solutions.”


“Deloitte takes a top-down and bottom-up approach to enterprise governance, risk, compliance and security offerings. True to its matrix-based, multi-service delivery model, an estimated 20,000 resources from the firm’s robust enterprise risk, tax, and audit capabilities are part of this comprehensive offering.”

“Specifically among the Big Four, the firm’s risk advisory and IT consulting service breadth and depth is unparalleled. As one of the only consultancies not to divest part of its consulting operation, it has been able to build on its lead instead of trying to play catch-up. Deloitte’s multi-service is paying off – its business model effectively positions them to capture growth and build market share in this service line.”


Page 4

Video

Page 5

Recent Privacy and Data Loss Incidents

Page 6

Personal Data Leakage Incidents


Page 7

Complaints Received by PCPD


Source: PCPD 2011-2012 Annual Report


Page 8

Complaints Received by PCPD


Source: PCPD 2011-2012 Annual Report


Page 9

Some Common Traps in Data Privacy

Page 10

Common Issues in Direct Marketing

Common Issues: Statement on the Collection of Personal Data

• Font is too Small and Line Spacing is too Tight

• The Definition is Unclear, or is Merged within the Service Provisions

• Use of Terminology that is Difficult to Understand


Page 11

Direct Marketing: Personal Information Collection Statements


Page 12

Consent

• Data user must not use personal data in direct marketing without data subject’s consent (S35E)

• Consent could be provided in various forms, such as:
  − Opt-in
  − Opt-out
  − Implied

• For example:

☑ I do not object to use/sale of my personal data for direct marketing purposes


Page 13

Monitoring and Personal Data Privacy at Work

• If Using Pinhole Cameras to Perform Monitoring

• If the Employee is Unaware of the Monitoring, This Type of Monitoring can be Highly Intrusive

• Avoid Monitoring in Areas where Employees have a Reasonable Expectation of Privacy (e.g. Toilets and Changing Rooms)

Source: Apple Daily


Page 14

How would you protect your business from data leakage?

Page 15

Data Leakage Happens

In business, well-intentioned employees simply getting their jobs done may inadvertently put information at risk, sometimes resulting in data leakage.


Page 16

Data Management Life Cycle

The intrinsic and contextual value of data and associated ownership risk vary throughout the data life cycle and throughout the value chain of health plans


Page 17

Implementing the Data Loss Protection Framework

Diagram: an enterprise network showing the locations personal data flows through and rests in (Branch Offices, Remote Employees over WAN/VPN, WWW, Outsourced Development, Enterprise e-mail, Business Analytics, Customer Portal, Production Data, Data Warehouse, Staging, File Server, DR, Backup Disk, Backup Tape, Disk Storage, Customers, Partners), the control layers applied across them (DLP, IAM, Encryption, Data Redaction, Archive), and three implementation steps:

• Set Policy (People)

• Deploy Controls (Process)

• Enforce and Monitor Controls (Technology)

Page 18

How does the Law Protect/Monitor Personal Data Privacy?

Page 19

Privacy and Data Protection Laws

Australia: Federal Privacy Amendment Bill; State Privacy Bills in Victoria, New South Wales and Queensland; new e-mail spam and privacy regulations

U.S. Federal: GLBA, HIPAA, COPPA, Do Not Call, Safe Harbor

U.S. States: numerous state laws; breach notification laws in 40 states, from CA to NY

Canada (Federal/Provincial): PIPEDA, FOIPPA, PIPA

Chile: Law for the Protection of Private Life

Argentina: Personal Data Protection Law, Confidentiality of Information Law

European Union: EU Data Protection Directive and Member States' data protection laws

UK: Data Protection Act

South Africa: Electronic Communications and Transactions Act

Hong Kong: Personal Data (Privacy) Ordinance

South Korea: Act on Promotion of Information and Communications Network Utilization and Data Protection

Japan: Personal Information Protection Act

Taiwan: Computer-Processed Personal Data Protection Law

Philippines: Data Privacy Law proposed by ITECC

India: law pending, currently under discussion

New Zealand: Privacy Act


Page 20

Personal Data (Privacy) Ordinance (“PDPO”)

PDPO Data Protection Principles

• Principle 1: Purpose and manner of collection. This provides for the lawful and fair collection of personal data and sets out the information a data user must give to a data subject when collecting personal data from that subject.

• Principle 2: Accuracy and duration of retention. This provides that personal data should be accurate, up-to-date and kept no longer than necessary.

• Principle 3: Use of personal data. This provides that, unless the data subject gives consent otherwise, personal data should be used for the purposes for which they were collected or a directly related purpose.

• Principle 4: Security of personal data. This requires appropriate security measures to be applied to personal data (including data in a form in which access to or processing of the data is not practicable).

• Principle 5: Information to be generally available. This provides for openness by data users about the kinds of personal data they hold and the main purposes for which personal data are used.

• Principle 6: Access to personal data. This provides for data subjects to have rights of access to and correction of their personal data.


Page 21

Some Relevant Guidelines and Codes of Practice issued by PCPD

• Code of Practice on the Identity Card Number and Other Personal Identifiers

• Code of Practice on Human Resources Management

• Code of Practice on Consumer Credit Data

• Code of Practice on Protection of Customer Information for Fixed and Mobile Service Operators

• Privacy Guidelines: Monitoring and Personal Data Privacy at Work

• Guidance on the Collection and Use of Personal Data in Direct Marketing

• Guidance on Data Breach Handling and the Giving of Breach Notifications

• Guidance on the Use of Portable Storage Devices

• Guidance for Data User on the Collection and Use of Personal Data through the Internet

• Guidance on Personal Data Erasure and Anonymisation

• Guidance and Leaflet Published to Prepare Businesses and Consumers for New Regulatory Regime on Data Protection in Direct Marketing

• Guidance on Proper Handling of Data Correction Request by Data Users

• More…


Page 22

Personal Data (Privacy) (Amendment) Ordinance 2012

Area | Ordinance (in force since 1996) | Amendment Ordinance 2012

Use and provision of personal data in direct marketing | Section 34 | Section 35

Data processing | N/A | Schedule 1, Section 2(3), (4)

Penalties and enforcement notice | Section 47; Section 50(1) | Section 47(2A); Section 50(1) (repealed); Sections 50A and 50B

Due diligence exemption | N/A | Section 63B

Legal assistance for individuals | N/A | Section 66B


Page 23

Data Privacy Protection Roadmap

Page 24

Privacy and Data Protection Roadmap

Chart: privacy capability (vertical axis) plotted against evolution over time (horizontal axis). The roadmap steps shown on the chart are:

• Establish Privacy Governance Structure

• Formulate Data Protection Strategy

• Define Policy, Procedures and Guidelines

• Establish Data Classification

• Perform Privacy Impact Assessment

• Conduct Awareness Program and Workshops

• Invest in Technology

• Communication and Training

• Maintain and Audit


Page 25

Data Loss / Privacy Prevention Approach

Who: Human Resources, Customer Service, Finance, Accounting, Legal, Sales, Marketing, Technical Support, Engineering

What: Source Code, Business Plans, M&A Plans, Employee Salary, Patient Record, Financial Report, Customer Records, Technical Doc, Competitive Info

Where: Benefits Provider, Online Storage, Blog, Customer, Removable Media, Spyware Site, Business Partner, Competitor, Analyst

How (network channels): File Transfer, Instant Messaging, Peer-to-Peer, Print, Email, Web
Action: Confirm, Notify, Remove, Audit, Quarantine/Encrypt, Block

How (endpoint channels): File Copy, Copy/Paste, Print Screen
Action: Ad hoc Encrypt, Block, Notify

Source: WebSense DLP
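The framework on page 17 and the Who/What/Where/How and Action matrix above show a DLP control only as boxes. The Python below is an added example (not WebSense, Deloitte or PCPD code) of what the content-inspection and policy step of such a control does: it confirms candidate Hong Kong ID card numbers with the standard modulus-11 check digit and candidate payment card numbers with Luhn, so that a random digit run or a mistyped identifier does not trigger an alert, and then maps the channel and destination of an event to the actions listed on the slide. The channel and destination labels are taken from the slide; the action table, the sample events, the thresholds and every function name are assumptions made for this example.

```python
"""Toy DLP content scanner and policy engine (added example, not vendor code).

Detectors: Hong Kong ID card numbers (modulus-11 check digit) and payment
card numbers (Luhn).  The policy table is an assumed illustration of the
Who/What/Where/How -> Action matrix on the slide, not a product default.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Candidate patterns; every candidate is confirmed by a check-digit test below.
HKID_RE = re.compile(r"\b[A-Z]{1,2}\d{6}\(?[0-9A]\)?")
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def hkid_check_digit_ok(hkid: str) -> bool:
    """Standard HKID check: letters A..Z map to 10..35, a missing second prefix
    letter counts as 36, the eight leading characters are weighted 9..2, the
    check digit is weighted 1 (letter A = 10), and the sum must be divisible by 11."""
    m = re.fullmatch(r"([A-Z]{1,2})(\d{6})\(?([0-9A])\)?", hkid.upper())
    if not m:
        return False
    prefix, digits, check = m.groups()
    body = prefix.rjust(2) + digits            # always eight characters
    total = 0
    for weight, ch in zip(range(9, 1, -1), body):
        if ch == " ":
            value = 36
        elif ch.isalpha():
            value = ord(ch) - ord("A") + 10
        else:
            value = int(ch)
        total += weight * value
    total += 10 if check == "A" else int(check)
    return total % 11 == 0


def luhn_ok(number: str) -> bool:
    """Luhn (mod-10) check over the digits of a payment card number."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                         # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    kind: str    # "HKID" or "PAN"
    value: str


def scan(text: str) -> list[Finding]:
    """Return the confirmed identifiers found in a message body or file."""
    found = [Finding("HKID", m.group(0)) for m in HKID_RE.finditer(text)
             if hkid_check_digit_ok(m.group(0))]
    found += [Finding("PAN", m.group(0)) for m in PAN_RE.finditer(text)
              if luhn_ok(m.group(0))]
    return found


# Channel ("How") and destination ("Where") labels follow the slide.
NETWORK_CHANNELS = {"file_transfer", "instant_messaging", "peer_to_peer", "print", "email", "web"}
ENDPOINT_CHANNELS = {"file_copy", "copy_paste", "print_screen"}
UNTRUSTED = {"Competitor", "Spyware Site", "Blog", "Online Storage"}
TRUSTED_THIRD_PARTY = {"Business Partner", "Benefits Provider", "Analyst"}


def decide(channel: str, destination: str, findings: list[Finding]) -> list[str]:
    """Map channel, destination and scan result to DLP actions (assumed policy)."""
    if not findings:
        return ["allow"]
    if channel in ENDPOINT_CHANNELS:
        if channel == "file_copy" and destination == "Removable Media":
            return ["ad hoc encrypt", "notify"]      # copy allowed, but only encrypted
        return ["block", "notify"]                   # stop copy/paste and print screen
    if channel in NETWORK_CHANNELS:
        if destination in UNTRUSTED:
            return ["block", "notify", "audit"]
        if destination in TRUSTED_THIRD_PARTY:
            return ["quarantine/encrypt", "audit"]   # release only over an encrypted path
        if destination == "Customer":
            # a single identifier is probably the customer's own record: ask the sender
            return ["confirm", "audit"] if len(findings) == 1 else ["quarantine/encrypt", "audit"]
        return ["audit"]
    raise ValueError(f"unknown channel: {channel!r}")


# Constructed sample events for this example (not real traffic).
SAMPLE_EVENTS = [
    {"id": 1, "channel": "email", "destination": "Business Partner",
     "content": "Claimant HKID A123456(3), card 4111 1111 1111 1111 on file."},
    {"id": 2, "channel": "email", "destination": "Customer",
     "content": "Your order ref 2013-0131 has shipped."},
    {"id": 3, "channel": "web", "destination": "Online Storage",
     "content": "Batch export note: A123456(4)"},      # wrong check digit: not an HKID
    {"id": 4, "channel": "file_copy", "destination": "Removable Media",
     "content": "payroll extract for A123456(3)"},
]


def evaluate(events: list[dict]) -> dict[int, list[str]]:
    """Run scanner and policy over a batch of events, keyed by event id."""
    return {e["id"]: decide(e["channel"], e["destination"], scan(e["content"]))
            for e in events}


if __name__ == "__main__":
    for event_id, actions in evaluate(SAMPLE_EVENTS).items():
        print(event_id, actions)
```

Run as a script it prints the action chosen for each constructed event. In a deployment the scanner sits on the mail gateway, web proxy or endpoint agent and the policy table comes from the "Set Policy" step of the framework; the check-digit validation is the part that keeps the false-positive rate low enough for a blocking action to be acceptable to the business.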


Page 26

Data Loss / Privacy Prevention Approach


Source: WebSense DLP


Page 27

Final Thoughts

Page 28

Key Takeaways…

1. People, Process and Technology are the keys to a successful privacy framework (e.g. how to automate data loss protection)

2. Privacy is a key component of both business and IT strategies

3. Privacy assessment and continuous monitoring minimise privacy risk in system development

4. Consult, consult and consult…


Page 29

Q&A

Page 30

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/cn/en/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.

Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte has in the region of 200,000 professionals, all committed to becoming the standard of excellence.

About Deloitte in Greater China

We are one of the leading professional services providers with 21 offices in Beijing, Hong Kong, Shanghai, Taipei, Chongqing, Dalian, Guangzhou, Hangzhou, Harbin, Hsinchu, Jinan, Kaohsiung, Macau, Nanjing, Shenzhen, Suzhou, Taichung, Tainan, Tianjin, Wuhan and Xiamen in Greater China. We have nearly 13,500 people working on a collaborative basis to serve clients, subject to local applicable laws.

About Deloitte China

In the Chinese Mainland, Hong Kong and Macau, services are provided by Deloitte Touche Tohmatsu, its affiliates, including Deloitte Touche Tohmatsu Certified Public Accountants LLP, and their respective subsidiaries and affiliates. Deloitte Touche Tohmatsu is a member firm of Deloitte Touche Tohmatsu Limited (DTTL).

As early as 1917, we opened an office in Shanghai. Backed by our global network, we deliver a full range of audit, tax, consulting and financial advisory services to national, multinational and growth enterprise clients in China.

We have considerable experience in China and have been a significant contributor to the development of China's accounting standards, taxation system and local professional accountants. We provide services to around one-third of all companies listed on the Stock Exchange of Hong Kong.

This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively the “Deloitte Network”) is, by means of this publication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication.
