Go Beyond Compliance to Competitive Advantage: Make Privacy Pay Off
www.ipc.on.ca
Go Beyond Compliance to Competitive Advantage: Make Privacy Pay Off
Ann Cavoukian, Ph.D.
Information & Privacy Commissioner/Ontario
IFB Toronto Fall Summit
Toronto
November 2, 2004
Slide 2
Impetus for Change
Growth of Privacy as a Global Issue
EU Directive on Data Protection
Increasing amounts of personal data collected, consolidated, aggregated
Consumer Backlash; heightened consumer expectations
Slide 3
Information Privacy Defined
Information Privacy: Data Protection
• Freedom of choice; control; informational self-determination
• Personal control over the collection, use and disclosure of any recorded information about an identifiable individual
Slide 4
What Privacy is Not
Security vs. Privacy
Slide 5
Privacy and Security: The Difference
Security: authentication, data integrity, confidentiality, non-repudiation
Privacy: data protection; Fair Information Practices
Security: Organizational control of information through information systems
Slide 6
Fair Information Practices: A Brief History
OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
EU Directive on Data Protection
CSA Model Code for the Protection of Personal Information
Canada Personal Information Protection and Electronic Documents Act (PIPEDA)
Slide 7
Summary of Fair Information Practices
• Accountability
• Identifying Purposes
• Consent
• Limiting Collection
• Limiting Use, Disclosure, Retention
• Accuracy
• Safeguards
• Openness
• Individual Access
• Challenging Compliance
Slide 8
The Ten Commandments
Accountability – for personal information; designate an individual(s) accountable for compliance
Identifying Purposes – purpose of collection must be clear at or before time of collection
Consent – individual has to give consent to collection, use, disclosure of personal information
Slide 9
The Ten Commandments
Limiting Collection – collect only information required for the identified purpose; information shall be collected by fair and lawful means
Limiting Use, Disclosure, Retention – consent of individual required for all other purposes
Accuracy – keep information as accurate and up-to-date as necessary for identified purpose
Safeguards – protection and security required, appropriate to the sensitivity of the information
Slide 10
The Ten Commandments
Openness – policies and other information about the management of personal information should be readily available
Individual Access – upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and be given access to that information, be able to challenge its accuracy and completeness and have it amended as appropriate
Challenging Compliance – ability to challenge all practices in accord with the above principles to the accountable body in the organization
Slide 11
Federal Privacy Legislation in Canada
Personal Information Protection and Electronic Documents Act (PIPEDA)
Staggered implementation:
• Federally regulated businesses, 2001
• Federal health sector, 2002
• Provincially regulated private sector, 2004
Slide 12
Extension of PIPEDA
As of January 1, 2004, PIPEDA was extended to:
all personal information collected, used or disclosed in the course of commercial activities by provincially regulated organizations (including insurance companies and independent insurance adjusters)
unless a substantially similar provincial privacy law is in force
Slide 13
Provincial Private-Sector Privacy Laws
Québec: Act respecting the protection of personal information in the private sector
B.C.: Personal Information Protection Act
Alberta: Personal Information Protection Act
Ontario: draft Privacy of Personal Information Act, 2002 – not introduced…so PIPEDA applies
Slide 14
Ontario’s Health Information Protection Act, 2003 (HIPA)
Ontario government introduced health privacy bill (Bill 31) on December 17, 2003
Received Third Reading and Royal Assent in May, 2004
Comes into effect November 1, 2004
Slide 15
The Bottom Line
Privacy should be viewed as a business issue, not a
compliance issue
Slide 16
The Promise
Electronic Commerce projected to reach $220 billion by 2001 (WTO, 1998)
Electronic Commerce projected to reach $133 billion by 2004 (Wharton Forum on E-Commerce, 1999)
Estimates revised downward to reflect lower expectations
Slide 17
Privacy is affecting E-Commerce
United States: e-commerce sales were only 1.6% of total sales, $54.9 billion in 2003
U.S. Dept. of Commerce Census Bureau, February 2004
Canada: Online sales were only 0.6% of total revenues – $13.7 billion in 2002
Statistics Canada, April 2003
Slide 18
Lack of Privacy = Lack of Sales
“Consumer privacy apprehensions continue to plague the Web. These fears will hold back roughly $15 billion in e-commerce revenue.”
Forrester Research, September 2001
“Privacy and security concerns could cost online sellers almost $25 billion by 2006.”
Jupiter Research, May 2002
Slide 19
The Business Case
“Our research shows that 80% of our customers would walk away if we mishandled their personal information.”
CPO, Royal Bank of Canada, 2003
Nearly 90% of online consumers want the right to control how their personal information is used after it is collected.
Slide 20
How The Public Divides on Privacy
(Bar chart, Feb 2003, %): Privacy Fundamentalists 26; Privacy Pragmatists 64; Privacy Unconcerned 10
The “Privacy Dynamic” - Battle for the minds of the pragmatists
Dr. Alan Westin
Slide 21
Privacy and Customers
“The 1:1 enterprise, operating in an interactive environment, relies not just on information about customers, but on information from them.”
“It is absolutely imperative for the 1:1 enterprise to take into account the issue of protecting individual customer privacy.”
Enterprise One to One: Tools for Competing in the
Interactive Age – Don Peppers and Martha Rogers, Ph.D.
Slide 22
Permission-Based Marketing: The Personal Touch
Essential premise: persuade consumers to volunteer their attention
• Puts control in the hands of consumers
• Makes consumers active recipients of marketing information
• “Permission marketing is just like dating.”
Seth Godin
Slide 23
A Privacy-Sensitive Motto for Customer Relations Management
The old way
• Know everything about your customer.
The new way
• Know everything that your customers want you to know.
• CRM or CMR (customer managed relationship)?
• Assume nothing – always ask!
Slide 24
Develop a Corporate Culture of Privacy
Demonstrate that privacy issues affect everything and everyone – COMMUNICATE
Focus on partnership development – ORGANIZE
Develop a cross-functional team committed to CPOs mandate – MANAGE, TRAIN
Persuade and proselytize every division and employee, leave no stone unturned – EDUCATE
Slide 25
Make Privacy a Corporate Priority
An effective privacy program needs to be integrated into the corporate culture
It is essential that privacy protection become a corporate priority throughout all levels of the organization
Senior Management and Board of Directors’ commitment is critical
Slide 26
STEPS: The Context
Terrorist attacks 9/11
Government concerns over public safety
Patriot and anti-terrorist legislation
Polarized debate for Security/Privacy
Resurgence of Privacy concerns by public
Slide 27
A Shift in Paradigms
The Old Paradigm: Zero Sum Game
The New Paradigm: Security + Privacy = Democracy
Privacy and Security are both necessary components: both are essential to freedom and liberty
Slide 28
The Challenge for Privacy Experts
Expand the discourse: Privacy and Security are not polar opposites
Engage government and industry in demonstration projects to promote STEPs
http://www.ipc.on.ca/docs/steps.pdf
Slide 29
The Challenge for Solution Developers
Introduce privacy into the concept, design and implementation of technology solutions
Recognize and promote existing STEP solutions:
• 3-D Holographic Scanner: respecting physical privacy while enhancing security
• Biometric encryption
Slide 30
Technology and Privacy
“The most effective means to counter technology’s
erosion of privacy is technology itself.”
Alan Greenspan, Federal Reserve Chairman
Slide 31
Privacy By Design: Build It In
Build in privacy – up front, in the design specifications
Minimize collection, use of personally identifiable information – use aggregate information if possible
Wherever possible, encrypt personal information
Think about anonymity and pseudonymity
Assess privacy risks: privacy impact assessment
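The slide's design principles (collect only what the identified purpose needs, protect identifiers with keyed pseudonymization, prefer aggregate data), as an added Python example that is not part of the original presentation; the purposes, field names, key and sample records are all constructed:

```python
import hashlib
import hmac
from collections import Counter

# Identified purposes and the only fields each may collect (constructed names,
# mirroring the "Identifying Purposes" and "Limiting Collection" principles).
PURPOSE_FIELDS = {
    "claims_processing": {"policy_no", "claim_amount", "postal_code"},
    "marketing": {"postal_code"},
}

# Constructed sample intake records; "name" is a direct identifier that no
# declared purpose needs, so it must never survive collection limiting.
SAMPLE = [
    {"name": "A. Smith", "policy_no": "P-1001", "claim_amount": 500, "postal_code": "M4W"},
    {"name": "B. Jones", "policy_no": "P-1002", "claim_amount": 700, "postal_code": "M4W"},
    {"name": "C. Lee", "policy_no": "P-1003", "claim_amount": 900, "postal_code": "M4W"},
    {"name": "D. Wong", "policy_no": "P-1004", "claim_amount": 300, "postal_code": "K1A"},
]

def limit_collection(record, purpose):
    """Keep only the fields required for the declared purpose; an undeclared
    purpose raises KeyError rather than silently collecting everything."""
    allowed = PURPOSE_FIELDS[purpose]
    return {k: v for k, v in record.items() if k in allowed}

def pseudonymize(identifier, key):
    """Replace a direct identifier with a keyed HMAC-SHA256 token. Without the
    key (kept apart from the data) the token cannot be linked back."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]

def process(records, purpose, key):
    """Apply collection limiting, then pseudonymize any retained policy number."""
    out = []
    for rec in records:
        kept = limit_collection(rec, purpose)
        if "policy_no" in kept:
            kept["policy_no"] = pseudonymize(kept["policy_no"], key)
        out.append(kept)
    return out

def aggregate(records, field, k=3):
    """Report counts per value, suppressing groups smaller than k so the
    aggregate output cannot single out an individual (k is a chosen threshold)."""
    counts = Counter(rec[field] for rec in records if field in rec)
    return {value: n for value, n in counts.items() if n >= k}
```

For the marketing purpose, `process(SAMPLE, "marketing", key)` keeps only postal codes and `aggregate(...)` reports the three-record M4W group while suppressing the single K1A record.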
Slide 32
Final Thought
“Anyone today who thinks the privacy issue has peaked is greatly mistaken…we are in the early stages of a sweeping change in attitudes that will fuel political battles and put once-routine business practices under the microscope.”
Forrester Research, March 5, 2001
How to Contact Us
Commissioner Ann Cavoukian
Information & Privacy Commissioner/Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario M4W 1A8
Phone: (416) 326-3333
Web: www.ipc.on.ca
E-mail: [email protected]