
Demonstrating Accountability


Presentation Transcript


  1. Demonstrating Accountability Terry McQuay, CIPP, CIPP/C, CIPP/E, CIPP/G President, NYMITY Inc. Will you need to report the status of your privacy program to the Office of the Privacy Commissioner in the future? Should you be able to report the status of your privacy program to internal stakeholders? Is there a cost-effective means and framework for reporting the status of my privacy program?

  2. Accountability Defined “Obligation of an individual, firm, or institution to account for its activities, accept responsibility for them, and to disclose the results in a transparent manner” (Business Dictionary)

  3. Accountability – the Principle

  4. Future Accountability Principle

  5. United States March 2011: draft “Commercial Privacy Bill of Rights Act of 2011” co-sponsored by Senator John Kerry (D-MA) and Senator John McCain (R-AZ) • SEC. 102. ACCOUNTABILITY. Each covered entity shall, in a manner proportional to the size, type, and nature of the covered information it collects—(1) have managerial accountability, proportional to the size and structure of the covered entity, for the adoption and implementation of policies consistent with this Act; (2) have a process for being responsive to non-frivolous complaint from individuals regarding the collection, use, transfer, or maintenance of their covered information; and (3) describe its programmatic means of compliance with the requirements of this Act upon request from the Commission or an appropriate safe harbor program.

  6. Canada Jennifer Stoddart, Privacy Commissioner of Canada • When speaking on PIPEDA reform at the Centre for Law, Technology and Society of the University of Ottawa on January 19, 2011, she stated: “Too many organizations are collecting too much information about too many people for us to continue to rely solely on a complaint-based system in order to assure Canadians that the organizations they deal with are accountable and compliant with PIPEDA.” • Canada is amongst the countries that signed onto the Madrid Resolution • Canada could be influenced by changes in the EU and USA

  7. What Does It Take to be Accountable? Nymity Charts: • Understand Compliance Criteria • Effective Privacy Program • Being able to demonstrate both • Every organization is accountable – it is a state • The question is: • Have you done enough? • Have you done the right things? • How well can you demonstrate it? • Are you compliant? “fulfilling the accountability principle does not necessarily mean that a data controller is in compliance with the substantive principles set forth in the Directive” (Article 29 Working Party, 00062/10/EN WP 173)

  8. Four Levels of Demonstrating Accountability • Assertions: The privacy office reports the status of the privacy program based on their knowledge gained by implementing and maintaining the privacy program within the organization and its Business Partners. • Attestations: The privacy office reports the status of the privacy program and attests to its effectiveness, possibly by conducting survey-based self-assessments from others in the organization and/or from Business Partners to obtain evidence to support the assertion. • Validation: The organization may choose to validate the status of the privacy program using a more rigorous assessment method such as an internal audit. • Verification: The organization uses an external entity to assure the effectiveness of their privacy program and optionally to provide some form of certification or Trustmark.

  9. Framework for Demonstrating Accountability • Must be Flexible • Support assertions and attestations • Scale based on risk • Scale based on deployment, for example departmental or process • Easy to use by the privacy office • Should be an Internationally Recognized Standard

  10. AICPA/CICA Privacy Maturity Model, Internationally Endorsed by ISACA • Based on the Generally Accepted Privacy Principles

  11. AICPA/CICA Privacy Maturity Model, Internationally Endorsed by ISACA • Each Principle has Criteria

  12. AICPA/CICA Privacy Maturity Model, Internationally Endorsed by ISACA • Each Criterion Has a Maturity Level based on:

  13. AICPA/CICA Privacy Maturity Model, Internationally Endorsed by ISACA • Each Criterion has a Unique Maturity Level

  14. AICPA/CICA Privacy Maturity Model, Internationally Endorsed by ISACA • Results – “Demonstrating Accountability”

  15. Additional Resources • AICPA/CICA Privacy Maturity Model: http://www.cica.ca/service-and-products/privacy/item47888.aspx • Nymity Accountability Charts and Video: http://www.nymity.com/Free_Resources/Compliance_and_Accountability_Charts.aspx? • Free Trial of Demonstrating Accountability based on the AICPA/CICA Privacy Maturity Model: www.nymity.com
