Privacy 12th CACR Workshop

© 2003 IBM Corporation Privacy 12th CACR Workshop Yim Y. Chan Chief Privacy Officer & CIO IBM Canada Ltd. w3.ibm.com/Privacy


Post on 06-Jan-2016


DESCRIPTION

Privacy 12th CACR Workshop. Yim Y. Chan, Chief Privacy Officer & CIO, IBM Canada Ltd. w3.ibm.com/Privacy. Agenda: IBM Canada Privacy; IBM Enterprise Wide Policies / Management System; Privacy on demand Assessment Tool; Communication Plan; Road Map. How do we manage Privacy?

TRANSCRIPT

Page 1: Privacy 12th CACR Workshop

© 2003 IBM Corporation

Privacy 12th CACR Workshop

Yim Y. Chan
Chief Privacy Officer & CIO
IBM Canada Ltd.
w3.ibm.com/Privacy

Page 2: Privacy 12th CACR Workshop

Agenda

IBM Canada Privacy

IBM Enterprise Wide Policies / Management System

Privacy on demand Assessment Tool

Communication Plan

Road Map

Page 3: Privacy 12th CACR Workshop

How do we manage Privacy?

IT Technology Solutions
• Tools / Applications
• Infrastructure
• Standards

Business Process Governance Model
• Corporate Guidelines / Business Controls
• Education / Communication

“Why is Privacy Good Business?”

Trust
• Employees
• Customers

Values
• Processes
• Guidelines

Page 4: Privacy 12th CACR Workshop

IBM Enterprise Wide Policies

Simple, but company wide, mandatory throughout enterprise

Policies

Governs collection from all sources

Defines use of data

Implemented through a series of corporate instructions that established:

• principles behind IBM data practices
• Internet privacy standards
• requirements for handling (collection, use, disclosure, storage, security, access, transfer or other processing) of:
  - all employee information
  - information from customers, prospects, suppliers and other business contacts
• specific privacy rules for Web applications

Page 5: Privacy 12th CACR Workshop

IBM Enterprise Privacy Management System

Existing Private Sector Privacy Laws

Emerging Private Sector Privacy Laws

• Chief Privacy Officers

• Development & Research Centres

• Key Business Functions

• CIO Office

Page 6: Privacy 12th CACR Workshop

IBM CIO Governance Model

Employees

Personal Computing

Servers

Storage

Technology

Software

Global Services

Global Financing

Market Planning

Customers/Suppliers

Enterprise Model

IPD, ISC, Procure, CRM, Fulfill

Strategy, Architecture, Standards and Deployment Management

IBM Global Services
• Network
• Client
• Server
• End User Assist
• Privacy/Security

• P3P
• Scan Mail
• Web Crawler
• E-mail Cleansing
• Encryption

IT Service Provider

Canadian Privacy Assessment on demand

Implementation
• Access Control
• Retention
• Disclosure
• Consent …

Page 7: Privacy 12th CACR Workshop

Privacy on-demand Assessment Tool

Provides on demand impact assessment analysis and reports using a holistic approach that leverages our best practices and business insights

Provides on demand Assessment, Feedback and Suggested Actions to process owners

Delivers Consistent Repeatable Results

Gap Logic
• Calculations
• Scoring
• Analysis

Benefits/Risks Logic
• Calculations
• Scoring
• Analysis

Action Logic
• Calculations
• Scoring
• Analysis

Logical Mapping

Business Assessment

Page 8: Privacy 12th CACR Workshop

Privacy on demand Assessments - Reporting

Page 9: Privacy 12th CACR Workshop

The tool first poses general questions about the process being assessed

The sensitivity of the personal information the process handles drives the required compliance level

Page 10: Privacy 12th CACR Workshop

The core of the assessment is a 43-question Questionnaire

The Questionnaire is divided into “Compliance Areas” reflecting different privacy requirements

Answers generate a compliance gap based on the information sensitivity

The answer closest to the real situation is picked

Page 11: Privacy 12th CACR Workshop

Summary reports can be generated which roll results up to a Business Unit or Company level

Page 12: Privacy 12th CACR Workshop

Privacy Communication Initiatives

Objectives

Engage employees in embracing IBM Canada’s philosophy on privacy

Provide employees with a clear understanding of our obligations and our commitment to comply with the federal legislation as well as IBM’s policies / instructions

Strategy

Deliver the right messages to the right audiences at the right time

Executive Team
• Quarterly updates

Business Process Owners and Privacy Focal Points
• Process assessment
• Training sessions

Targeted Employee Audiences
• Procurement
• CSO
• ibm.com
• SDC
• HR
• Client reps

General IBM Population Awareness Campaign
• Posters
• IBM Canada homepage - web articles/contest - presentation on the web

Targeted Employee Audiences
• Profile Holding Managers

ongoing

ongoing

April – September

(15 sessions 5785 employees)

October - November

Page 13: Privacy 12th CACR Workshop

Road Map

2002 2003 2004

Controls

Communication

Corporate Policies/Guidelines

Compliance

Business Units

Managers

Employees

Customers

Policy Statement

Privacy Tools

Architecture/Standards

Guidelines

Provincial Legislation

"Substantially Similar"

Quebec British Columbia Alberta Ontario

PIPEDA

Self-Assessments

Score-card

Privacy Health-Checks

Access Process

BRITISH COLUMBIA

ALBERTA

SASKATCHEWAN MANITOBA

ONTARIO QUEBEC

NEWFOUNDLAND

NORTHWEST TERRITORIES

YUKON

NEW BRUNSWICK

Business Partners

Page 14: Privacy 12th CACR Workshop

In Summary …

Privacy is Good Business

• Creates trust

• Builds values

Implemented through tools and technology to automate privacy compliance

Managed through a worldwide governance model for privacy adherence

Tracked through processes and roadmap for privacy improvements