INED Workshop on Data Protection and Data Privacy
TRANSCRIPT
©2010 Deloitte Touche Tohmatsu Limited. All rights reserved.
Peter Koo
National Leader of Security Privacy and Resilience
Deloitte Touche Tohmatsu
31 January 2013
Agenda
• Recent Privacy and Data Loss Incidents
• Some Common Traps in Data Privacy
• How would you protect your business from data leakage?
• How does the Law Protect/Monitor Personal Data Privacy?
• Data Privacy Protection Methodology
• Final Thoughts
• Q&A
Hypatia’s Galaxy 2012 Research
“Deloitte, like many of the consultancies we assessed, is agnostic in working with software vendors, but differentiates itself by tightly integrating its proprietary Risk Intelligence methodology framework with various GRC solutions.”
“Deloitte takes a top-down and bottoms-up approach to enterprise governance, risk, compliance and security offerings. True to its matrix-based, multi-service delivery model, an estimated 20,000 resources from the firm’s robust enterprise risk, tax, and audit capabilities are part of this comprehensive offering.”
“Specifically among the Big Four, the firm’s risk advisory and IT consulting service breadth and depth is unparalleled. As one of the only consultancies not to divest part of its consulting operation, it has been able to build on its lead instead of trying to play catch-up. Deloitte’s multi-service is paying off – its business model effectively positions them to capture growth and build market share in this service line.”
Video
Recent Privacy and Data Loss Incidents
Personal Data Leakage Incidents
Complaints Received by PCPD
Source: PCPD 2011-2012 Annual Report
Complaints Received by PCPD
Source: PCPD 2011-2012 Annual Report
Some Common Traps in Data Privacy
Common Issues in Direct Marketing
Common Issues: Statement on the Collection of Personal Data
• Font is too Small and Line Spacing is too Tight
• The Definition is Unclear, or is Merged within the Service Provisions
• Use of Terminology that is Difficult to Understand
Direct Marketing: Personal Information Collection Statements
Consent
• Data user must not use personal data in direct marketing without data subject’s consent (S35E)
• Consent could be provided in various forms, such as:
− Opt-in
− Opt-out
− Implied
• For example (a ticked box, as shown on the slide):
☑ I do not object to use/sale of my personal data for direct marketing purposes
Monitoring and Personal Data Privacy at Work
• If Using Pinhole Cameras to Perform Monitoring
• If the Employee is Unaware of the Monitoring, This Type of Monitoring can be Highly Intrusive
• Avoid Monitoring in Areas where Employees have a Reasonable Expectation of Privacy (e.g. Toilets and Changing Rooms)
Source: Apple Daily
How would you protect your business from data leakage?
Data Leakage Happens
In business, well-intentioned employees simply getting their jobs done may inadvertently put information at risk, sometimes resulting in data leakage.
Data Management Life Cycle
The intrinsic and contextual value of data and associated ownership risk vary throughout the data life cycle and throughout the value chain of health plans
Implementing the Data Loss Protection Framework
[Diagram: enterprise data flows and control points. Sources and channels: Branch Offices, Remote Employees (WAN), WAN, WWW, VPN, Outsourced Development, Enterprise e-mail, Business Analytics, Customer Portal. Data stores: Production Data, Data Warehouse, Staging, File Server, DR, Backup Disk, Backup Tape, Disk Storage. External parties: Customers, Partners. Control layers: DLP, IAM, Encryption, Data Redaction, Archive.]
Set Policy (People)
Deploy Controls (Process)
Enforce and Monitor Controls (Technology)
How does the Law Protect/Monitor Personal Data Privacy?
Privacy and Data Protection Laws
Australia: Federal Privacy Amendment Bill; State Privacy Bills in Victoria, New South Wales and Queensland; new e-mail spam and privacy regulations
U.S. States: Numerous state laws; breach notification laws in 40 states from CA to NY
European Union: EU Data Protection Directive and Member States' Data Protection Laws
South Africa: Electronic Communications and Transactions Act
U.S. Federal: GLBA, HIPAA, COPPA, Do Not Call, Safe Harbor
Hong Kong: Personal Data (Privacy) Ordinance
Canada Federal/Provincial: PIPEDA, FOIPPA, PIPA
Chile: Law for the Protection of Private Life
South Korea: Act on Promotion of Information and Communications Network Utilization and Data Protection
New Zealand: Privacy Act
Argentina: Personal Data Protection Law, Confidentiality of Information Law
Philippines: Data Privacy Law proposed by ITECC
Taiwan: Computer-Processed Personal Data Protection Law
Japan: Personal Information Protection Act
India: Law pending, currently under discussion
UK: Data Privacy Act
Personal Data (Privacy) Ordinance (“PDPO”)
PDPO Data Protection Principles
Principle 1: Purpose and manner of collection. This provides for the lawful and fair collection of personal data and sets out the information a data user must give to a data subject when collecting personal data from that subject.
Principle 2: Accuracy and duration of retention. This provides that personal data should be accurate, up-to-date and kept no longer than necessary.
Principle 3: Use of personal data. This provides that, unless the data subject gives consent otherwise, personal data should be used for the purposes for which they were collected or a directly related purpose.
Principle 4: Security of personal data. This requires appropriate security measures to be applied to personal data (including data in a form in which access to or processing of the data is not practicable).
Principle 5: Information to be generally available. This provides for openness by data users about the kinds of personal data they hold and the main purposes for which personal data are used.
Principle 6: Access to personal data. This provides for data subjects to have rights of access to and correction of their personal data.
Some Relevant Guidelines and Codes of Practice issued by PCPD
• Code of Practice on the Identity Card Number and Other Personal Identifiers
• Code of Practice on Human Resources Management
• Code of Practice on Consumer Credit Data
• Code of Practice on Protection of Customer Information for Fixed and Mobile Service Operators
• Privacy Guidelines: Monitoring and Personal Data Privacy at Work
• Guidance on the Collection and Use of Personal Data in Direct Marketing
• Guidance on Data Breach Handling and the Giving of Breach Notifications
• Guidance on the Use of Portable Storage Devices
• Guidance for Data User on the Collection and Use of Personal Data through the Internet
• Guidance on Personal Data Erasure and Anonymisation
• Guidance and Leaflet Published to Prepare Businesses and Consumers for New Regulatory Regime on Data Protection in Direct Marketing
• Guidance on Proper Handling of Data Correction Request by Data Users
• More…
Personal Data (Privacy) (Amendment) Ordinance 2012
Area | Ordinance enacted in 1996 | Ordinance Amendment in 2012
Use and Provision of Personal Data in Direct Marketing | Section 34 | Section 35
Data Processing | N/A | Schedule 1, Section 2(3), (4)
Penalties and Enforcement Notice | Section 47; Section 50(1) | Section 47(2A); Section 50(1) (repeal); Sections 50A and 50B
Due Diligence Exemption | N/A | Section 63B
Legal assistance for individuals | N/A | Section 66B
Data Privacy Protection Roadmap
Privacy and Data Protection Roadmap
[Diagram: staged roadmap, with Privacy Capability increasing along the vertical axis. Stages shown:]
• Establish Privacy Governance Structure
• Formulate Data Protection Strategy
• Define Policy, Procedures and Guidelines
• Establish Data Classification
• Perform Privacy Impact Assessment
• Conduct Awareness Program and Workshops
• Invest in Technology
• Communication and Training
• Maintain and Audit
• Evolution
Data Loss / Privacy Prevention Approach
[Diagram: DLP policy matrix, Who / What / Where / How / Action]
Who (originating function): Human Resources, Customer Service, Finance, Accounting, Legal, Sales, Marketing, Technical Support, Engineering
What (sensitive data): Source Code, Business Plans, M&A Plans, Employee Salary, Patient Record, Financial Report, Customer Records, Technical Doc, Competitive Info
Where (destination): Benefits Provider, Online Storage, Blog, Customer, Removable Media, Spyware Site, Business Partner, Competitor, Analyst
How (network channels): File Transfer, Instant Messaging, Peer-to-Peer, Web
Action (network channels): Confirm, Notify, Remove, Audit, Quarantine/Encrypt, Block
How (endpoint channels): File Copy, Copy/Paste, Print Screen
Action (endpoint channels): Ad hoc Encrypt, Block, Notify
Source: WebSense DLP
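As an added illustration of the Who / What / Where / How / Action matrix above and of the "Enforce and Monitor Controls" step of the DLP framework, the following Python is example code written for this page; it is not Deloitte's or Websense's code. The channel groups, the destination trust classes, the department allow-list for M&A data and the sample events are all constructed here. The HKID detector applies the public mod-11 check-digit scheme for Hong Kong Identity Card numbers, so mistyped or dummy identifiers do not trigger the policy; the specific ID values in the sample are synthetic.

```python
import re
from dataclasses import dataclass

# Constructed event record: the slide's Who / How / Where axes plus the payload.
@dataclass
class Event:
    who: str      # originating function, e.g. "Human Resources"
    how: str      # channel, e.g. "Web" or "Copy/Paste"
    where: str    # destination class, e.g. "Online Storage"
    content: str  # text the DLP agent inspects

# Channel groups and destination trust, as assumed here (not taken from the slide).
NETWORK_CHANNELS = {"File Transfer", "Instant Messaging", "Peer-to-Peer", "Web"}
ENDPOINT_CHANNELS = {"File Copy", "Copy/Paste", "Print Screen"}
UNTRUSTED_DESTINATIONS = {"Online Storage", "Blog", "Spyware Site", "Competitor", "Analyst"}
CONTRACTED_DESTINATIONS = {"Customer", "Business Partner", "Benefits Provider"}

# HKID pattern: one or two letters, six digits, check digit 0-9 or A in brackets.
HKID_RE = re.compile(r"\b([A-Z]{1,2})(\d{6})\(([0-9A])\)")

def hkid_check_digit_ok(prefix: str, digits: str, check: str) -> bool:
    """Validate an HKID check digit with the public mod-11 scheme: letters map
    to 10..35, a missing second letter counts as a space (36), weights run from
    9 down to 2, and the check digit makes the total divisible by 11 ('A' = 10)."""
    chars = prefix.rjust(2)  # single-letter prefix: pad on the left with a space
    values = [36 if c == " " else ord(c) - ord("A") + 10 for c in chars]
    values += [int(d) for d in digits]
    total = sum(v * w for v, w in zip(values, range(9, 1, -1)))
    expected = (11 - total % 11) % 11
    return expected == (10 if check == "A" else int(check))

def classify(content: str) -> set:
    """The 'What' axis: which sensitive data classes appear in the payload.
    HKID-looking strings only count when the check digit is valid, which keeps
    dummy or mistyped IDs from raising false positives."""
    found = set()
    for m in HKID_RE.finditer(content):
        if hkid_check_digit_ok(*m.groups()):
            found.add("Personal Data (HKID)")
    if re.search(r"\bsalary\b", content, re.IGNORECASE):
        found.add("Employee Salary")
    if re.search(r"\bM&A\b", content):
        found.add("M&A Plans")
    return found

def decide(event: Event, classes: set) -> str:
    """The 'Action' axis: pick one response from the slide's list."""
    if not classes:
        return "Audit"                   # nothing sensitive: log and allow
    if event.where in UNTRUSTED_DESTINATIONS:
        return "Block"                   # sensitive data leaving to an untrusted party
    if "M&A Plans" in classes and event.who not in {"Legal", "Finance"}:
        return "Block"                   # deal data from a function that should not hold it
    if event.how in NETWORK_CHANNELS:
        # contracted recipients may receive it, but only protected in transit
        return "Quarantine/Encrypt" if event.where in CONTRACTED_DESTINATIONS else "Confirm"
    if event.how in ENDPOINT_CHANNELS:
        return "Ad hoc Encrypt" if event.where == "Removable Media" else "Notify"
    return "Notify"

def run(events) -> list:
    """Evaluate each event and return one decision record per event for the audit log."""
    results = []
    for e in events:
        classes = classify(e.content)
        results.append({"who": e.who, "how": e.how, "where": e.where,
                        "classes": sorted(classes), "action": decide(e, classes)})
    return results

# Constructed sample events; the HKID numbers are synthetic test values.
SAMPLE_EVENTS = [
    Event("Human Resources", "File Transfer", "Benefits Provider",
          "Payroll export: salary data for A123456(3)"),
    Event("Marketing", "Web", "Blog",
          "Draft post using the dummy ID A123456(4) in a screenshot"),
    Event("Finance", "Copy/Paste", "Removable Media",
          "M&A plans: valuation model for the target company"),
    Event("Engineering", "Web", "Online Storage",
          "Backup of customer records including HKID B765432(A)"),
]

if __name__ == "__main__":
    for r in run(SAMPLE_EVENTS):
        print(f"{r['who']:<16} {r['how']:<14} -> {r['where']:<17} {r['classes']} => {r['action']}")
```

The second sample event shows why the check digit matters: A123456(4) looks like an identity card number but fails validation, so the post is only audited rather than blocked. A real deployment would replace the hand-written classifiers with the DLP product's fingerprinting and would feed the decision records into the monitoring pipeline rather than printing them.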
Final Thoughts
Key Takeaways…
1. People, Process and Technology are the keys to a successful privacy framework (e.g. How to automate the Data Loss Protection?)
2. Privacy = key components on both business and IT strategies
3. Privacy Assessment and Continuous Monitoring minimizes the privacy risk in system development
4. Consult, Consult and Consult…
Q&A
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/cn/en/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.
Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte has in the region of 200,000 professionals, all committed to becoming the standard of excellence.
About Deloitte in Greater China
We are one of the leading professional services providers with 21 offices in Beijing, Hong Kong, Shanghai, Taipei, Chongqing, Dalian, Guangzhou, Hangzhou, Harbin, Hsinchu, Jinan, Kaohsiung, Macau, Nanjing, Shenzhen, Suzhou, Taichung, Tainan, Tianjin, Wuhan and Xiamen in Greater China. We have nearly 13,500 people working on a collaborative basis to serve clients, subject to local applicable laws.
About Deloitte China
In the Chinese Mainland, Hong Kong and Macau, services are provided by Deloitte Touche Tohmatsu, its affiliates, including Deloitte Touche Tohmatsu Certified Public Accountants LLP, and their respective subsidiaries and affiliates. Deloitte Touche Tohmatsu is a member firm of Deloitte Touche Tohmatsu Limited (DTTL).
As early as 1917, we opened an office in Shanghai. Backed by our global network, we deliver a full range of audit, tax, consulting and financial advisory services to national, multinational and growth enterprise clients in China.
We have considerable experience in China and have been a significant contributor to the development of China's accounting standards, taxation system and local professional accountants. We provide services to around one-third of all companies listed on the Stock Exchange of Hong Kong.
This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively the “Deloitte Network”) is, by means of this publication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication.
©2013 Deloitte Touche Tohmatsu