Educational Event Spring 2015 -...
TRANSCRIPT
Integrating Privacy by Design with a Corporate Records Program
Mary Ellen Callahan, JD, CIPP
Mary Sherwin, CRM, IGP, CIPP/US
Objectives
1. Apply the principles of Privacy by Design (PbD) to the design and implementation of an electronic records management system
2. Apply the five steps for a PbD program to your records management life cycle
3. Conduct a gap analysis of your privacy policies
4. Communicate to the C-suite the need for collaboration between the RIM, Information Security, and Privacy functions
5. Implement the data retention periods for personal information and other record types in your corporate computer system
6. Use the Privacy Checklist tool to apply PbD
Overview
• Information Governance
• PbD
  – Brief history
  – Why adopt PbD (what's in it for me/us)?
  – Five steps to PbD
• Integrating PbD with RIM
• Privacy Checklist
• Take-aways
Information Governance
• Understanding the who, what, where, when, or for how long of your data
  – Holistic approach to privacy and information governance
  – Not knowing your information assets – and liabilities – may be your biggest risk ("Big Data")
  – Legacy databases
  – Social media and user-generated content
• Management of information through the entire life cycle (collection, use, storage, deletion)
History of PbD
• 2008 Hustinx EU privacy paper
• 2008 Cavoukian white paper
• Article 29 working group
• FTC privacy report
History of PbD
• Dual issues
  – Privacy rights (transparency, access, control, etc.)
  – Safeguarding information from unauthorized access, use, and processing
• PbD at the Department of Homeland Security
PbD vs. Remedial Measures
• What’s the main difference?
• PbD is incorporated into all stages of designing new systems or developing a new product, starting with brainstorming
• Information Governance
Why Adopt PbD?
• Potentially applicable legal requirements
  – Potential EU requirement for privacy impact assessments
  – U.S. government entities (like DHS) must conduct privacy impact assessments; best practice includes privacy threshold analyses
  – Some U.S. regulated entities may be required to undertake specific PbD steps
• Obligation to oversee service providers expressly imposed under the Gramm-Leach-Bliley Act and Massachusetts regulations
Five Steps to Privacy by Design (1)
1. Initiate a PbD program
   – Gap analysis
2. Privacy steering committee
   – C-suite communication strategy
   – Buy-in throughout the organization
3. Assessment / remediation
   – Proactive v. reactive
Five Steps to Privacy by Design (2)
4. PbD guidelines / checklists / training
   – Internal documentation
5. Accountability / tools
   – Confirming you are doing what you promised
Seven Elements of a PbD Program
1. Proactive, not reactive
2. Privacy as the default setting
3. Full functionality
4. Privacy embedded into the design (checklists, etc.)
5. End-to-end security
6. Visibility and transparency
7. Respect for user privacy
Integrating PbD into RIM (1)
• Initiation phase – PbD and RIM
  – Team with the chief privacy officer
  – Add records appraisal questions into the privacy questionnaire, or vice versa
• Privacy steering committee
  – Gain a seat at the table as the records manager
  – Possible dual use of records and privacy coordinators
Integrating PbD into RIM (2)
• Assessment / remediation:
  – Use the records appraisal to identify personal information in electronic record locations, including cross-border, or other privacy concerns
  – Review and revise the retention schedule to match privacy requirements
  – Include a classification for personal information
Integrating PbD into RIM (3)
• PbD guidelines / checklists / training
  – Build alliances:
    • Identify the business units that are working with personal information
    • Work with IT and Information Security to ensure that RIM issues are addressed at every phase of the Systems Development Lifecycle (SDLC)
    • Align with the CPO and CISO
  – Cross-reference:
    • The organization's retention policy with the privacy policy
    • Privacy and records retention training
Integrating PbD into RIM (4)
• Accountability / tools
  – Annual review – include review of privacy requirements
  – Ensure that any database containing privacy data is managed per the retention schedule
  – Make sure that retention can be managed while keeping database integrity
[Figure: information lifecycle wheel with the phases Design; Create / Collect; Distribution / Use; Share; Store / Maintain; Retention / Disposition]
Use the information lifecycle for incorporating PbD and records retention in the system
Key use of privacy checklists
Create / Collect
• Data and purpose specification: Know what personal data you are collecting, how you are collecting it, and why
• Data minimization: Collect only as much personal data as reasonably necessary to fulfill a legitimate business function
• Consider whether you need to collect or retain sensitive personal data
Distribution / Use
• Disclose how personal information will be used
• Certain uses may trigger additional obligations
  – Using data for electronic marketing
  – Using data for online behavioral advertising
Share
• When personal data will be shared with service providers or business partners, understand the data-handling practices of these entities.
  – What data will they receive?
  – How will they use the data?
  – Will the data be shared?
  – How will it be protected?
• Be aware of the contractual and technical restrictions required by the legal department
Store / Maintain / Protect
• Security is key!
• Employ reasonable physical, technical, and administrative safeguards to protect the information
• Implement robust systems to detect security breaches
• Be aware of cross-border data transfers and international requirements
Retention / Disposition
• Implement reasonable records retention and records disposal policies and procedures
• Securely delete or anonymize data when it is no longer needed or required
• Some sensitive personal data may require secure disposal practices
• Ensure that the records retention schedule reflects all personal information privacy requirements
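As an added example (not from the presentation), the retention-schedule enforcement described on the "Integrating PbD into RIM (4)" and "Retention / Disposition" slides, in Python with SQLite: expired rows whose record class is personal information are anonymized when other records still within their own retention reference them (so database integrity is kept), and securely removed otherwise. The table layout, record classes, retention periods and sample rows are constructed for illustration.

```python
import sqlite3
from datetime import date, timedelta

# Constructed retention schedule (hypothetical periods): record class -> retention in days.
# Personal-information classes are anonymized rather than hard-deleted while still referenced.
RETENTION_DAYS = {"customer_pii": 3 * 365, "invoice": 7 * 365}
PERSONAL_INFO_CLASSES = {"customer_pii"}
TODAY = date(2015, 4, 1)  # constructed "run date" for the sample data below

def build_sample_db(today):
    """Constructed in-memory database: customer rows (personal data) referenced by invoices."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # a bare DELETE of a referenced customer would fail
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, record_class TEXT NOT NULL,
                                created TEXT NOT NULL, name TEXT, email TEXT);
        CREATE TABLE invoices (id INTEGER PRIMARY KEY, record_class TEXT NOT NULL,
                               created TEXT NOT NULL, customer_id INTEGER NOT NULL REFERENCES customers(id));
    """)
    expired = (today - timedelta(days=4 * 365)).isoformat()  # older than customer_pii retention
    recent = (today - timedelta(days=30)).isoformat()
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?)", [
        (1, "customer_pii", expired, "Alice Example", "alice@example.invalid"),  # referenced by invoice
        (2, "customer_pii", expired, "Bob Example", "bob@example.invalid"),      # unreferenced
        (3, "customer_pii", recent, "Cara Example", "cara@example.invalid"),     # still within retention
    ])
    conn.execute("INSERT INTO invoices VALUES (?, ?, ?, ?)", (10, "invoice", recent, 1))
    return conn

def apply_retention(conn, today):
    """Dispose of expired customer rows per the schedule; returns {action: [ids]} as an audit record."""
    actions = {"deleted": [], "anonymized": []}
    for cid, rclass, created in conn.execute("SELECT id, record_class, created FROM customers ORDER BY id").fetchall():
        if (today - date.fromisoformat(created)).days <= RETENTION_DAYS[rclass]:
            continue  # still within its retention period
        referenced = conn.execute("SELECT 1 FROM invoices WHERE customer_id = ?", (cid,)).fetchone()
        if referenced and rclass in PERSONAL_INFO_CLASSES:
            # The invoice has its own (longer) retention: keep the key row, strip the personal data.
            conn.execute("UPDATE customers SET name = NULL, email = NULL WHERE id = ?", (cid,))
            actions["anonymized"].append(cid)
        elif not referenced:
            conn.execute("DELETE FROM customers WHERE id = ?", (cid,))
            actions["deleted"].append(cid)
    conn.commit()
    return actions

def run_example():
    return apply_retention(build_sample_db(TODAY), TODAY)
```

The returned action map is the disposition log an annual review would check against the schedule; in a real system the anonymization step would also need to cover backups and indexes.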
Verify / Audit / Reassess
• Follow the privacy policies and procedures in place
• Examples:
  – Target data breach
Practical Steps (1)
• Build alliances:
  – Audit
  – Compliance & Risk
  – Finance
  – Information Privacy
  – Information Security
  – Information Technology
  – RIM
  – Security
• Use the KISS principle when designing checklists
Practical Steps (2)
• Conduct an inventory of personal information in all computer systems, and apply security and retention controls
• For legacy and existing systems, use the same concepts of PbD and retention requirements integration when updating / upgrading
• Privacy and retention evangelism go hand‐in‐hand
• Always check with Legal
Things to Remember
• Look for personal information in the least obvious places
• Follow the process
• Work with the subject matter experts in all areas
• Audit and control
• Check with your Law Department
Audience Poll
• Does your organization have, or is it working towards, a formalized privacy program?
• Is privacy currently integrated with your records and information management program?
Audience Poll
• What strikes you as the most convincing reason for implementing PbD and incorporating it into your RIM programs (or vice versa)?
  A. From a reputational perspective, it is a selling point for consumers / customers
  B. Good story to tell regulators if and when something goes wrong
  C. Opportunity to reduce legal compliance costs in the long term
  D. Reduces risk with respect to legal obligations
  E. All of the above
Looking Ahead
• Mobile applications contain records and personal information.
• Many organizations are transitioning to managing information in the cloud.
Additional Resources
• Book: The Checklist Manifesto: How to Get Things Right by Atul Gawande
• IAPP – International Association of Privacy Professionals – www.privacyassociation.org
• Privacy by Design Website – Information and Privacy Commissioner of Ontario – www.privacybydesign.ca
• NIST – National Institute of Standards and Technology – Privacy and Cloud Computing: www.nist.gov/itl/cloud/publications.cfm
• American Institute of Chartered Public Accountants (AICPA) – www.aicpa.org
• Chartered Public Accountants – Canada – www.cica.ca
• Article: "Records Management – Integrating Privacy Using Generally Accepted Privacy Principles" – AICPA/CICA Privacy Task Force, November 2009
  http://www.cica.ca/resources‐and‐member‐benefits/privacy‐resources‐for‐firms‐and‐organizations/item34634.pdf
Thank You
Mary Ellen Callahan, JD, CIPP, Partner and Chair, Privacy and Information Governance Practice, Jenner & Block, [email protected]
Mary Sherwin, CRM, IGP, CIPP/US, Director, Records Management, CBS Corporation Law [email protected]