Big Data, Big Risk? Data Management and Privacy. Presented by: Timothy Banks, Heather Innes, and Colonel Vihar Joshi

Transcription

1 Big Data, Big Risk? Data Management and Privacy Presented by: Timothy Banks, Heather Innes, and Colonel Vihar Joshi

2 Data Management & Privacy Compliance Heather Innes Chief Privacy Officer, General Motors of Canada Limited Colonel Vihar Joshi, Q.C. -- Deputy Judge Advocate General/Administrative Law Timothy M Banks Dentons Canada LLP April 20,

3 Introductions Heather Innes General Motors of Canada Chief Privacy Officer and Corporate Counsel Also Global Process Leader for GM, International Trade Law Col. Vihar Joshi, Q.C. Canadian Armed Forces Deputy Judge Advocate General/Administrative Law Involved in drafting the Anti- Terrorism Act (2001) Timothy M. Banks Dentons Canada LLP Partner & Privacy Officer Leads Canadian Data Privacy and Security Group 3

4 Agenda Privacy Compliance Program Basics What is it? Why have one? Private Sector vs. Public Sector What is a privacy compliance program? Common themes What s a Privacy Impact Assessment? How to Create One Who should manage it / own it? Goals & objectives Governance and controls framework Gap analysis Policies & procedures Training and Evaluation Interactive Exercise 4

5 Privacy Compliance Program Basics 5

6 Privacy Compliance Programs What is a Privacy Compliance Program ( PCP )? At the core, it is a data governance strategy How does your organization collect, use, store & disclose data A method of systematically organizing, documenting and testing data management methods against defined goals across business units during development and implementation of initiatives throughout the data lifecycle Organized to meet defined operational, legal and reputational objectives May be a broader Data Governance Program or could be separate programs/policies dedicated to information management, protection, use, etc. 6

7 Why bother? Operational risks Investigations, audits and certainly breaches utilize significant internal and external resources and slow/stop operations Understand the systemic vulnerabilities in data flows and uses Data breach management Reputational risk Your organization s reputation effectively managing the crisis Your own reputation Public confidence and trust 7

8 Legal Risk Management Proactively identify and manage legal compliance issues understand which laws apply to which data sets (e.g. Provincial, Federal laws) Provide a due diligence defence & be ready to respond to Commissioner inquiries/investigations/orders Privacy Commissioners Getting Accountability Right with a Privacy Management Program CRTC Compliance and Enforcement Information Bulletin (CASL) 8

9 In the Private Sector Governance structure Chief Privacy Officer Hierarchy of command Role definition for employees, managers, and business line leaders Privacy Approach Define the legal standards and industry Controls Metrics Policies Collection and use Vendors Transfers Breach response Law enforcement Access Requests Complaints Education and Training Tools Monitoring and Enforcement 9

10 In the Public Sector Governance structure Designated Minister Heads of Government Institutions Delegated authority Employees Controls Metrics Policies Collection and use Contracting Transfers Breach response Law enforcement Access Requests Complaints Education and Training Tools Monitoring and Enforcement 10

11 Treasury Board Policies & Guidelines Policy on Privacy Protection Directive on Privacy Practices Directive on Privacy Impact Assessment Guidance on Preparing Information Sharing Agreements Involving Personal Information Guidance Document Privacy into Account Before Making Contracting Decisions Guidelines for Privacy Breaches Privacy Breach Management Toolkit 11

12 What is a PIA? Traditionally: process mandated for governmental departments and agencies to determine whether new technologies, information systems and initiatives or proposed programs and policies meet basic privacy requirements. More broadly: assists any organization to conduct a systematic gap analysis of a new or existing program, procedure or initiative encourages proactive privacy by design solutions records the organization s response to organizational, legal and reputational risks in accordance with the goals and objectives of the organization and the chosen data governance and control framework 12

13 Where does the PIA fit in? Method of systematically reviewing a program, business unit, or initiative against the chosen data governance framework Will be completed by the leader of a program, manager of a business unit or champion of an initiative Early preparation means legal does not become the Office of No Issues are self-identified and addressed before they come to Legal Privacy or data governance is not bolted on What will be Legal s role? Privacy by Design approach A record of due diligence and justification if questioned 13

14 Privacy Compliance Program Components 14

15 Who owns the PCP? Variety of Governance Models Centralized Privacy Officer or Compliance Department Localized Each business unit has privacy compliance authority Hybrid Centralized overall authority Delegated functions What s Legal s Role? Leader Manages the centralized PCP or leads a hybrid program Advisor Provides legal advice supports for PCP Participant One of stakeholders in the PCP led or managed elsewhere Internal Auditor Tests localized or hybrid PCP adequacy 15

16 What should the PCP manage? Little Data The management of our traditional online and offline data We are used to thinking about little data as limiting collection, limiting use, limiting retention, and limiting disclosure Big Data Refers to the practice of using huge sets of structured and unstructured data to find correlations to drive new insights Doesn t answer why (causality) but assists in predicting what Big Data technology thrives on: Volume lots of data sets over long periods of time Variety a variety of data types and points Velocity keep it coming to refine and refresh and retest Vistas using and combining and examining data in new ways 16

17 What laws and obligations? Traditional Personal Data Protection and Use Laws Personal Information Protection and Electronic Documents Act (PIPEDA) Privacy Act + Access to Information Act Provincial Personal Information Protection Acts Personal Health Information Protection Acts Freedom of Information and Protection of Privacy Acts (BC and Nova Scotia Personal Information International Disclosure Protection Act and New Brunswick Personal Health Information Access and Protection Act) International Personal Data Protection Legislation Expanded Broader Data Governance Emerging Tort Law and Class Actions Canada s Anti-Spam Legislation & international equivalents Unsolicited Telecommunications Rules & international equivalents Confidentiality obligations to third parties and sharing of confidential business information with third parties Service Organization Controls (SOC) Reports (completed by auditors) Payment Card Data Security Standards Criminal Code (recording / interception) 17

18 Goals and Objectives Legal compliance is, of course, an overall objective However, the type of organization and the purposes for which it uses data will affect what is emphasized as goals and objectives and what will be measured Examples of questions to ask when defining goals and objectives What is the level of our risk tolerance? What is the nature of data that we handle? Consumer, employee Sensitivity e.g. Health data, financial data How important is amassing large quantities of data for Big Data projects? Does our position in the market require us to be a most trusted brand or are we an intermediary subject to SOC assessments? Do we have public company reporting obligations? Are we a government organization held to a higher standard of public good? Is it important that we are able to transfer data around the world? 18

19 Frameworks and Controls Identify the appropriate overall Data Governance and Controls Framework The framework supplies the principles that you will deploy and measure your progress against and identify controls that should be put into place Treasury Board Canadian Standards Association Privacy Principles in PIPEDA Sectoral privacy standards such as PCI-DSS OSFI Guidance ISO 27000, ISO 27001, ISO Likely what you will require is a mix of frameworks General privacy principles and technical security principles as well as a control methodology to govern the organization as a whole Specific additional principles for certain business unit areas or functions 19

20 Data Mapping Analysis what data is collected from whom where is it stored/processed and by whom how it is used and by whom to whom is it disclosed what types of info security mechanisms/policies/procedures are in place what about data retention policies data security breach procedures level of knowledge within the organization re privacy rules what about your suppliers, advisors, reps, agents 20

21 Gap Analysis After developing the framework, you perform a gap analysis to identify missing policies, procedures, practices and controls Success is measured by identifying and closing these gaps in a way that meets the overall goals and objectives of the organization E.g. a gap analysis may reveal that transaction data is being retained indefinitely in violation of the limited retention privacy principle and exposing clients to unnecessary risk in the event of a breach. Depending on the overall goals and objectives of the organization, solutions may include purging data or investing in de-identification techniques. As discussed later, a Privacy Impact Assessment is a useful tool for conducting a gap analysis 21

22 Policies & Procedures The data governance and controls framework will assist in identifying the types of policies and procedures that are required At a minimum, every organization should have policies and procedures covering Personal information protection consent collection and notification of purposes; access to and correction of personal information; retention and disposal of personal information; complaints Use of the organization s and other organization s confidential information Use of information and information technology covering access controls; administrative, physical and technological security controls Commercial electronic communications policies covering Assessing Canadian Anti-Spam legislation obligations consent collection managing implied consent form and content requirements managing unsubscribes & complaints Breach handling procedures Third party suppliers policies specifying contractual and other safeguard requirements 22

23 Training & Evaluation A PCP should make provision for: ongoing training of employees, new employees, current employees, contract employees periodic evaluation of programs against the data governance and controls framework revisiting of the goals and objectives and the data governance and controls framework as business needs change A Privacy Impact Assessment can assist in ongoing training (learning by doing) in evaluating programs (structured assessment conducted by the employees as part of program review or design of new initiative) Identifying the need for changes to goals and objectives of the data governance and controls framework (themes may develop or tensions escalated to senior management) 23

24 Interactive Exercise 24

25 Interactive PIA Exercise Review a model PIA (handout) Interactive PIA Assessment Your client wants to start analyzing the profiles of its most valuable customers and their buying patterns They want to pull leasing data by postal code and also information about when customers purchase out the lease and the product that they lease They would also like to draw on information from contest participation and website analytics to determine whether these customers are engaged with the company online. They will do that by IP address, which they will correlate with the postal codes of the individuals that were sent promotional s How would you tackle a PIA Assessment? 25

26 Big Picture Issues Are the data elements personal information? Has the organization identified the purposes for use of the data for analytics to the individual? What type of consent was obtained - is opt-in/implied consent necessary? Is the organization going to retain the information where, how (added to profile), and for how long? If so, what would be required Is the organization going to share the information with others e.g. affiliates, dealers, business partners, and others? If so, what would be required? Others 26

27 Thank You Heather Innes E: Col. Vihar Joshi E: Timothy M Banks E: timothy.banks@dentons.com 27