Effective Privacy Training: Building Accountability

Fazila Nurani, B.A.Sc. (E.Eng.), LL.B., CIPP/C, CISA

IAPP Canada Privacy Symposium

Networking Session

May 8, 2014

Empowering Organizations to Minimize Privacy Risks

Objectives

• In this session we will discuss:

Privacy training in the context of the accountability

framework.

The adult learner and learning styles.

A learner-centric approach to privacy training.

The buy-in required to effectively roll out privacy e-

learning.

Practical tips for raising privacy awareness – beyond

formal training.

Empowering Organizations to Minimize Privacy Risks

Accountability Framework

Empowering Organizations to Minimize Privacy Risks

Training is Key to Building Accountability

“In order for a privacy management program to be

effective, employees must be actively engaged in

privacy protection. They need to be educated in

privacy protection generally, and for those who handle

personal information directly, they will need additional

training specifically tailored to their roles. Training

and education need to be recurrent, and the content of

the program needs to be periodically revisited and

updated to reflect changes.”

Empowering Organizations to Minimize Privacy Risks

The Adult Learner

• Autonomous and self-directed.

• Goal oriented.

• Have accumulated life experiences and

knowledge.

• Relevancy oriented.

• Practical.

Empowering Organizations to Minimize Privacy Risks

Understanding Learning Styles

Empowering Organizations to Minimize Privacy Risks

Make No Assumptions…

Empowering Organizations to Minimize Privacy Risks

The Four Critical Elements of Learning

1. Motivation.

2. Reinforcement.

3. Retention.

4. Transference.

Empowering Organizations to Minimize Privacy Risks

E-Learning vs. Classroom Training

Interactive Accessible

Customized Standardized

Experiential Efficient

Enjoyable, social Cost savings

FOCUSED ATTENTION PRACTICAL

Consider using blended learning opportunities…

Empowering Organizations to Minimize Privacy Risks

Buy-in Required for E-Learning

INSTRUCTOR (provides strong

content)

COURSE DEVELOPER

(addresses e-learning

principles)

ORGANIZATION (funds development of

the course)

HIRING ENTITY

(recognizes training via e-

learning)

STUDENT

(willingly takes the course)

Empowering Organizations to Minimize Privacy Risks

Privacy “Awareness”

Beyond formal training:

• Fun privacy awareness initiatives.

• Targeted messaging based on areas of risk.

• Contests, quizzes, awards.

• Lunch and learns, awareness weeks…

Empowering Organizations to Minimize Privacy Risks

Privacy Posters (Leaking Information)

infosecuritylab.com

Empowering Organizations to Minimize Privacy Risks

Privacy Posters (Strong Passwords)

Empowering Organizations to Minimize Privacy Risks

Other Security Related Posters

Empowering Organizations to Minimize Privacy Risks

The Learning Pyramid

Empowering Organizations to Minimize Privacy Risks

Assessment of Learning

• What do you want the learning outcomes to be?

• How success will be measured is an important

part of program development.

• Indicators: Short term – the learning occurs.

Medium term – there is a change in behaviour.

Long term – there is a change in culture.

Resource: Complete Guide to Security and

Privacy Metrics by Debra S. Herrmann

Empowering Organizations to Minimize Privacy Risks

To Sum Up Adult Learning

• Blended learning to avoid frustration/boredom.

• Adult learning programs should: Meet the needs of the learner.

Enable learners to share their experiences.

Enable learners to learn from each other.

- Sharan Merriam

Professor of Adult Education, University of Georgia

Empowering Organizations to Minimize Privacy Risks

The Learner-Centered Approach

“It is not whether we can meet the same learning outcomes with technology, but how do we use the technologies to enrich the experience, and go beyond what can be done in the face-to-face environment.” Source: No Significant Difference Phenomenon (2001) By: Thomas L. Russell Visit: http://www.nosignificantdifference.org/

Empowering Organizations to Minimize Privacy Risks

Useful Links

• Sample e-learning courses: • PrivaTech privacy e-learning course (licensing model):

• http://www.privalearn.ca

• Sunnybrook Health Sciences Centre: • http://podcasts.sunnybrook.ca/ClinicalClerks/EPR_Course/player.html

• Course authoring tools to start from scratch: • www.udutu.com

• www.articulate.com

• www.suddenlysmart.com

Questions…?

Empowering Organizations to Minimize Privacy Risks

Contact:

Fazila Nurani

905-886-0751

fnurani@privatech.ca