
Go Beyond Compliance to Competitive Advantage: Make Privacy Pay Off


Presentation Transcript


  1. Go Beyond Compliance to Competitive Advantage: Make Privacy Pay Off Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario IFB Toronto Fall Summit Toronto November 2, 2004

  2. Impetus for Change • Growth of Privacy as a Global Issue • EU Directive on Data Protection • Increasing amounts of personal data collected, consolidated, aggregated • Consumer Backlash; heightened consumer expectations

  3. Information Privacy Defined • Information Privacy: Data Protection • Freedom of choice; control; informational self-determination • Personal control over the collection, use and disclosure of any recorded information about an identifiable individual

  4. What Privacy is Not (Security vs. Privacy)

  5. Privacy and Security: The Difference
  • Security: Authentication; Data Integrity; Confidentiality; Non-repudiation. Organizational control of information through information systems
  • Privacy: Data Protection; Fair Information Practices

  6. Fair Information Practices:A Brief History • OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data • EU Directive on Data Protection • CSA Model Code for the Protection of Personal Information • Canada Personal Information Protection and Electronic Documents Act (PIPEDA)

  7. Summary of Fair Information Practices • Accountability • Identifying Purposes • Consent • Limiting Collection • Limiting Use, Disclosure, Retention • Accuracy • Safeguards • Openness • Individual Access • Challenging Compliance

  8. The Ten Commandments
  • Accountability
    • for personal information
    • designate an individual(s) accountable for compliance
  • Identifying Purposes
    • purpose of collection must be clear at or before time of collection
  • Consent
    • individual has to give consent to collection, use, disclosure of personal information

  9. The Ten Commandments
  • Limiting Collection
    • collect only information required for the identified purpose; information shall be collected by fair and lawful means
  • Limiting Use, Disclosure, Retention
    • consent of individual required for all other purposes
  • Accuracy
    • keep information as accurate and up-to-date as necessary for identified purpose
  • Safeguards
    • protection and security required, appropriate to the sensitivity of the information

  10. The Ten Commandments
  • Openness
    • policies and other information about the management of personal information should be readily available
  • Individual Access
    • upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and be given access to that information, be able to challenge its accuracy and completeness and have it amended as appropriate
  • Challenging Compliance
    • ability to challenge all practices in accord with the above principles to the accountable body in the organization

  11. Federal Privacy Legislation in Canada
  • Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Staggered implementation:
    • Federally regulated businesses, 2001
    • Federal health sector, 2002
    • Provincially regulated private sector, 2004

  12. Extension of PIPEDA • As of January 1, 2004, PIPEDA was extended to: • all personal information collected, used or disclosed in the course of commercial activities by provincially regulated organizations (including insurance companies and independent insurance adjusters) • unless a substantially similar provincial privacy law is in force

  13. Provincial Private-Sector Privacy Laws • Québec: Act respecting the protection of personal information in the private sector • B.C.: Personal Information Protection Act • Alberta: Personal Information Protection Act • Ontario: draft Privacy of Personal Information Act, 2002 – not introduced…so PIPEDA applies

  14. Ontario’s Health Information Protection Act, 2003 (HIPA) • Ontario government introduced health privacy bill (Bill 31) on December 17, 2003 • Received Third Reading and Royal Assent in May, 2004 • Comes into effect November 1, 2004

  15. The Bottom Line Privacy should be viewed as a business issue, not a compliance issue

  16. The Promise • Electronic Commerce projected to reach $220 billion by 2001 (WTO, 1998) • Electronic Commerce projected to reach $133 billion by 2004 (Wharton Forum on E-Commerce, 1999) • Estimates revised downward to reflect lower expectations

  17. Privacy is affecting E-Commerce • United States: e-commerce sales were only 1.6% of total sales, $54.9 billion in 2003 (U.S. Dept. of Commerce Census Bureau, February 2004) • Canada: Online sales were only 0.6% of total revenues, $13.7 billion in 2002 (Statistics Canada, April 2003)

  18. Lack of Privacy = Lack of Sales “Consumer privacy apprehensions continue to plague the Web. These fears will hold back roughly $15 billion in e-commerce revenue.” Forrester Research, September 2001 “Privacy and security concerns could cost online sellers almost $25 billion by 2006.” Jupiter Research, May 2002

  19. The Business Case • “Our research shows that 80% of our customers would walk away if we mishandled their personal information.” CPO, Royal Bank of Canada, 2003 • Nearly 90% of online consumers want the right to control how their personal information is used after it is collected.

  20. How The Public Divides on Privacy: The “Privacy Dynamic” (Dr. Alan Westin) • Battle for the minds of the pragmatists

  21. Privacy and Customers “The 1:1 enterprise, operating in an interactive environment, relies not just on information about customers, but on information from them.” “It is absolutely imperative for the 1:1 enterprise to take into account the issue of protecting individual customer privacy.” Enterprise One to One: Tools for Competing in the Interactive Age – Don Peppers and Martha Rogers, Ph.D.

  22. Permission-Based Marketing: The Personal Touch • Essential premise: persuade consumers to volunteer their attention • Puts control in the hands of consumers • Makes consumers active recipients of marketing information • “Permission marketing is just like dating.” Seth Godin

  23. A Privacy-Sensitive Motto for Customer Relations Management • The old way • Know everything about your customer. • The new way • Know everything that your customers want you to know. • CRM or CMR (customer managed relationship)? • Assume nothing – always ask!

  24. Develop a Corporate Culture of Privacy • Demonstrate that privacy issues affect everything and everyone – COMMUNICATE • Focus on partnership development – ORGANIZE • Develop a cross-functional team committed to the CPO’s mandate – MANAGE, TRAIN • Persuade and proselytize every division and employee, leave no stone unturned – EDUCATE

  25. Make Privacy a Corporate Priority • An effective privacy program needs to be integrated into the corporate culture • It is essential that privacy protection become a corporate priority throughout all levels of the organization • Senior Management and Board of Directors’ commitment is critical

  26. STEPS: The Context • Terrorist attacks 9/11 • Government concerns over public safety • Patriot and anti-terrorist legislation • Polarized debate for Security/Privacy • Resurgence of Privacy concerns by public

  27. A Shift in Paradigms • The Old Paradigm: Zero Sum Game • The New Paradigm: Security + Privacy = Democracy • Privacy and Security are both necessary components: both are essential to freedom and liberty

  28. The Challenge for Privacy Experts • Expand the discourse: Privacy and Security are not polar opposites • Engage government and industry in demonstration projects to promote STEPs • http://www.ipc.on.ca/docs/steps.pdf

  29. The Challenge for Solution Developers • Introduce privacy into the concept, design and implementation of technology solutions • Recognize and promote existing STEP solutions: • 3-D Holographic Scanner: respecting physical privacy while enhancing security • Biometric encryption

  30. Technology and Privacy “The most effective means to counter technology’s erosion of privacy is technology itself.” Alan Greenspan, Federal Reserve Chairman

  31. Privacy By Design: Build It In • Build in privacy – up front, in the design specifications • Minimize collection, use of personally identifiable information – use aggregate information if possible • Wherever possible, encrypt personal information • Think about anonymity and pseudonymity • Assess privacy risks: privacy impact assessment

  32. Final Thought “Anyone today who thinks the privacy issue has peaked is greatly mistaken…we are in the early stages of a sweeping change in attitudes that will fuel political battles and put once-routine business practices under the microscope.” Forrester Research, March 5, 2001

  33. How to Contact Us Commissioner Ann Cavoukian Information & Privacy Commissioner/Ontario 2 Bloor Street East, Suite 1400 Toronto, Ontario M4W 1A8 Phone: (416) 326-3333 Web: www.ipc.on.ca E-mail: commissioner@ipc.on.ca
