1

Information Resource Management Association of Canada

December 18, 2002

An IRM Perspective on Privacy Compliance

Karen Spector, B.Sc., Ed.M. (Harvard), LL.B.

2

Topics

• Why IRMAC members need to know about privacy

• An overview of relevant privacy legislation

• Some “IRM” issues

• Privacy compliance

• Summary

3

Why IRMAC members need to know about privacy

Privacy legislation applies to organizations that collect, use, and disclose personal information, and to the organizations with whom they enter into transactions or contracts.

5

Personal Information

Any information
• recorded or not,
• about, or relating to, an identifiable individual.
– employee, patient, contract staff, associate, supplier, customer, subscriber, prospective client, consultant, and member of the public.

6

Personal Information

Examples of personal information
• name
• residential address and telephone number
• date of birth and date of death
• unique identifying numbers (SIN, OHIP)
• income and salary
• credit records and loan records
• intentions (for example to acquire goods/services or change jobs)
• opinions of others relating to the individual
• biometrics
• membership in a union
• personal health information (blood type, medical records, DNA)
• predictive genetic information

7

Personal Information

What’s “out”
– Contact information in a business, official, professional, or employment context (name, title, professional designation, address, telephone number, email address)
– An individual’s professional or official responsibilities and the manner in which an individual carries out those responsibilities
– De-identified, anonymized or aggregated information
– Publicly-available information

8

Why IRMAC Members Need to Know about Privacy

Manage personal information for:
• organizations that carry on commercial activities
• federal works, undertakings, or businesses
• the public sector
• organizations that enter into contracts with any of the above
• employers

9

Overview of Relevant Privacy Legislation

10

Relevant Privacy Legislation

• 1988: Freedom of Information and Protection of Privacy Act applies to the Ontario public sector
• 1991: Municipal Freedom of Information and Protection of Privacy Act applies to municipal institutions in Ontario
• 2001: Personal Information Protection and Electronic Documents Act (“PIPEDA”) applies to commercial activities in federal works, undertakings and businesses and to inter-provincial and international transfers for consideration

11

Relevant Privacy Legislation

• 2002: Protection of Personal Information Act, 2002 (“Draft PPIA”): Ontario’s Consultation Draft is issued in February
• 2004: “Substantially similar” Ontario legislation will apply to organizations, or PIPEDA will apply to all private sector commercial activities within Ontario.

Common Privacy Principles

Basis for both PIPEDA (Federal) and the Draft PPIA (Ontario)

13

Common Privacy Principles

• Accountability
• Identifying Purposes
• Consent
• Limiting Collection
• Limiting Use, Disclosure and Retention
• Accuracy
• Safeguards
• Openness
• Individual Access
• Challenging Compliance

14

Common Privacy Principles

Accountability
• An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the privacy principles.

Identifying Purposes
• The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

15

Common Privacy Principles

Consent
• The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

Limiting Collection
• The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

16

Common Privacy Principles

Limiting Use, Disclosure, and Retention
• Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.

Accuracy
• Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

17

Common Privacy Principles

Safeguards
• Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

Openness
• An organization shall make available to individuals specific information about its policies and practices relating to the management of personal information.

18

Common Privacy Principles

Individual Access
• Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Challenging Compliance
• An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.

19

Differences between PIPEDA and Draft PPIA

PIPEDA
• Applies only to commercial activities.
• Oversight by the Privacy Commissioner of Canada, who can write reports.
• Same rules for personal information and personal health information.

Draft PPIA
• No commercial activities requirement.
• Oversight by the Information and Privacy Commissioner/Ontario, who can issue orders.
• Specific rules for personal health information in the custody or control of “health information custodians”.

20

What the Ontario Government is saying . . .

• In an August 2002 Consultation Update, the Ministry of Consumer and Business Services (“MCBS”) indicated that the draft legislation is expected to be introduced into the Legislative Assembly later this fall.

• In the most recent version of its Business Plan, MCBS' key strategies and commitments for 2001-2002 included introducing privacy legislation.

• At a meeting of the Board of Trade on October 31, 2002, Minister Clement (Ministry of Health and Long Term Care) stated that he was urging Minister Hudak (MCBS) to proceed with the legislation.

21

Privacy Compliance

22

Privacy Compliance: Deadline

• Generally, organizations in the private sector that collect, use, or disclose personal information will need to comply with privacy legislation no later than January 1, 2004.

• Compliance will involve making changes to information management systems, both human and technological.

• Organizations that act now will minimize the burden of privacy compliance and also the potential risks of non-compliance.

23

Impact of Privacy Compliance

Depends on factors including:
– Which legislation applies (federal or provincial)
– Quantity and nature of personal information
– Number of employees, members . . .
– Third parties with whom information is shared
– Whether transfers of personal information are intra-, inter-, or extra-provincial (and whether or not for consideration)
– Current information management practices
– Resources
– Corporate culture

24

Compliance

Steps
• Designate accountable individual(s)
• Define the privacy framework
• Assess information management practices
• Develop privacy policies
• Implement the privacy policies
• Monitor and enforce
• Update or amend

“IRM” Issues

• Electronic signatures
• Mergers and acquisitions
• Smart cards
• Identity theft

26

Electronic Signatures

• Complaints to the Privacy Commissioner of Canada because a courier company demanded electronic signatures from parcel recipients upon delivery and then posted the signatures in the tracking section of the company website without consent.
– Paper receipt not an option
– Recipients’ name and address also posted with signature
– Not possible to remove electronic signatures from online tracking system due to company policy

27

Electronic Signatures

Commissioner’s investigation:
• Courier can use parcel identification number (PIN) to access customer’s personal information on the website
• Courier can use PIN variants to access other customers’ personal information
• Courier had not informed the complainants of its intention to use their electronic signatures for online tracking purposes or sought their consent
• Courier’s staff believed electronic signatures to be mandatory
• According to Courier’s policy, signatures could not be removed from the online tracking system.

28

Electronic Signatures

Courier’s position
• Access to online tracking system is protected by a PIN
• Variants only work 21 percent of the time
• Integrity of electronic signatures is protected by computer-generated distortion
• Company policy allows “alternate” electronic signatures and paper signatures
• Changed policy: individuals can have signatures removed on request

29

Electronic Signatures

Complaints were well-founded:

• A reasonable person would not have considered using electronic signatures in an online tracking system to be appropriate in any circumstances, especially given the potential for unauthorized disclosure of the signatures through simple manipulation of PINs.

• The electronic signatures had not been required to fulfil explicitly specified and legitimate purposes and the Courier had therefore not been justified in demanding them as a condition of service.
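The PIN-variant finding above is a case of guessable record identifiers. The following added example (mine, not the courier's system or anything from the presentation) contrasts a constructed sequential-PIN tracking store with one that uses unguessable tokens, returns only delivery status, stores the signature only with consent, and honours removal requests:

```python
import secrets

# Constructed in-memory tracking stores for illustration only (not the courier's system).
# Two designs side by side: sequential PINs (the flaw the Commissioner found) and
# unguessable tokens with data minimisation and a removal path.
WEAK_STORE = {}      # sequential PIN -> delivery record
STRONG_STORE = {}    # random token -> delivery record
_next_pin = 1000


def weak_register(name, address, signature):
    """Sequential PIN: a neighbouring number is a valid key to someone else's record."""
    global _next_pin
    pin = _next_pin
    _next_pin += 1
    WEAK_STORE[pin] = {"name": name, "address": address, "signature": signature}
    return pin


def weak_lookup(pin):
    """Returns the full record for any PIN, including name, address and signature."""
    return WEAK_STORE.get(pin)


def strong_register(name, address, signature=None, consent_to_post=False):
    """128-bit random token: cannot be found by trying variants of another token.
    The signature is kept only if the recipient consented (limiting collection)."""
    token = secrets.token_urlsafe(16)
    STRONG_STORE[token] = {
        "name": name,
        "address": address,
        "signature": signature if consent_to_post else None,
    }
    return token


def strong_lookup(token):
    """Tracking view exposes delivery status only, never name, address or signature."""
    rec = STRONG_STORE.get(token)
    if rec is None:
        return None
    return {"status": "delivered", "signature_on_file": rec["signature"] is not None}


def remove_signature(token):
    """Honour a recipient's request to withdraw the signature from online tracking."""
    rec = STRONG_STORE.get(token)
    if rec is None:
        return False
    rec["signature"] = None
    return True
```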

30

Mergers & Acquisitions

• In addition to liability, organizations that do not consider privacy-related issues are exposed to two risk areas:
– reputation
– integration

31

Mergers & Acquisitions

Reputation

• Goodwill loss can undermine merger efficiencies.
• Must assess the risk that targetco has violated consumer privacy.
• Analyze targetco’s privacy policy and security measures, as well as the attitude of employees.

32

Mergers & Acquisitions

Integration

• Pre-merger due diligence is necessary to assure a smooth transition and helps maintain customer relationships.

• Need plan for integrating old data with new.

• Some privacy obligations will survive the merger.

• Need to assess targetco’s compliance with governing law.

• Need plan for security and privacy architecture at combined entity.

33

Mergers & Acquisitions

Transition Planning

• Buyers and sellers should be aware of the applicability of privacy laws and the targetco’s privacy policies to the sharing of data during the due diligence phase.
– Employees’ personal (health) information
– Customers’ personal information
– Requirements re consent and notice
– Transfers or disclosures to third parties

34

Mergers & Acquisitions

Sample Due Diligence Questions re Targetco

• What are the applicable laws? regulations? codes?

• Amount and type of personal information? medical? financial?

• How and from whom is personal information collected?

• How is personal information stored? retrieved? safeguarded? destroyed?

• Did Targetco obtain consent? If so, to which uses and disclosures?

• Does Targetco sell, trade, transfer, or barter personal information?

• Privacy policies?

• Privacy practices?

• Privacy breaches?

• Which privacy obligations survive the merger?

• Has Targetco been investigated by the Commissioner?

• Has Targetco been sued for privacy breaches?

35

Smart Cards

They are secure.
• Although the microprocessor and memory are contained on the same chip, there is no means of directly accessing data stored on a smart card from the outside.
• Data is segregated into separate silos, which are individually locked.
• Readers have different levels of access.

36

Smart Card Systems

But, is the personal information protected?
• Multi-use distinct identifiers may facilitate:
– Data linkage through the storing of personal information in centralized databases or by linking unrelated databases
– Data sharing, profiling, or transaction monitoring
– Dataveillance (monitoring of activities or communications)
• Systems designed for one purpose, such as expediting workers’ access to a job site, are extended over time to other purposes not originally intended, such as tracking attendance. (“Function creep”)

37

Identity Theft More Often an Inside Job*

• Threat more likely to come from insiders: employees with access to large financial databases who can loot personal accounts.
– Shift by identity thieves from going after single individuals to going after a mass amount of information.
– Half of all cases come from thefts of business databanks that aren’t properly safeguarded.
– Employee sold personal information (credit card numbers and chequing account information) on 30,000 people to scam artists for $60 per name. (2.7 million in losses so far.)

* Washington Post, December 3, 2002

38

Identity Theft More Often an Inside Job

• Privacy experts estimate that there are now one million cases of identity theft a year. (Security experts say half that.)
– Los Angeles County Sheriff’s Department expects 6000 cases in 2002.
– Federal Trade Commission received 70,000 complaints about identity theft during the first six months of 2002.

• Businesses are being created to respond to concerns about identity theft.

39

Summary

• IRMAC members need to know about privacy because their organizations collect, use, and disclose personal information. Some of these organizations are already regulated by public sector or federal privacy laws.

• The privacy-compliance deadline is January 1, 2004.

• The Commissioner is watching.

• Law enforcement is watching.

• The public is watching.

• Your competitors are watching.