Big Data, Big Risk? Data Management and Privacy. Presented by: Timothy Banks, Heather Innes, and Colonel Vihar Joshi
Slide 2: Data Management & Privacy Compliance
- Heather Innes, Chief Privacy Officer, General Motors of Canada Limited
- Colonel Vihar Joshi, Q.C., Deputy Judge Advocate General/Administrative Law
- Timothy M. Banks, Dentons Canada LLP
- April 20,
Slide 3: Introductions
- Heather Innes, General Motors of Canada: Chief Privacy Officer and Corporate Counsel; also Global Process Leader for GM, International Trade Law
- Col. Vihar Joshi, Q.C., Canadian Armed Forces: Deputy Judge Advocate General/Administrative Law; involved in drafting the Anti-Terrorism Act (2001)
- Timothy M. Banks, Dentons Canada LLP: Partner & Privacy Officer; leads the Canadian Data Privacy and Security Group
Slide 4: Agenda
- Privacy Compliance Program Basics
  - What is it? Why have one?
  - Private Sector vs. Public Sector
  - What is a privacy compliance program? Common themes
  - What's a Privacy Impact Assessment?
- How to Create One
  - Who should manage it / own it?
  - Goals & objectives
  - Governance and controls framework
  - Gap analysis
  - Policies & procedures
  - Training and Evaluation
- Interactive Exercise
Slide 5: Privacy Compliance Program Basics
Slide 6: Privacy Compliance Programs
What is a Privacy Compliance Program ("PCP")?
- At the core, it is a data governance strategy: how does your organization collect, use, store & disclose data?
- A method of systematically organizing, documenting and testing data management methods against defined goals, across business units, during development and implementation of initiatives, throughout the data lifecycle
- Organized to meet defined operational, legal and reputational objectives
- May be a broader Data Governance Program, or could be separate programs/policies dedicated to information management, protection, use, etc.
Slide 7: Why bother?
- Operational risks
  - Investigations, audits and certainly breaches utilize significant internal and external resources and slow/stop operations
  - Understand the systemic vulnerabilities in data flows and uses
  - Data breach management
- Reputational risk
  - Your organization's reputation: effectively managing the crisis
  - Your own reputation
  - Public confidence and trust
Slide 8: Legal Risk Management
- Proactively identify and manage legal compliance issues: understand which laws apply to which data sets (e.g. Provincial, Federal laws)
- Provide a due diligence defence & be ready to respond to Commissioner inquiries/investigations/orders
  - Privacy Commissioners: Getting Accountability Right with a Privacy Management Program
  - CRTC Compliance and Enforcement Information Bulletin (CASL)
Slide 9: In the Private Sector
- Governance structure
  - Chief Privacy Officer
  - Hierarchy of command
  - Role definition for employees, managers, and business line leaders
- Privacy Approach: define the legal standards and industry
- Controls
  - Metrics
  - Policies: collection and use, vendors, transfers, breach response, law enforcement, access requests, complaints
  - Education and Training
  - Tools
  - Monitoring and Enforcement
Slide 10: In the Public Sector
- Governance structure
  - Designated Minister
  - Heads of Government Institutions
  - Delegated authority
  - Employees
- Controls
  - Metrics
  - Policies: collection and use, contracting, transfers, breach response, law enforcement, access requests, complaints
  - Education and Training
  - Tools
  - Monitoring and Enforcement
Slide 11: Treasury Board Policies & Guidelines
- Policy on Privacy Protection
- Directive on Privacy Practices
- Directive on Privacy Impact Assessment
- Guidance on Preparing Information Sharing Agreements Involving Personal Information
- Guidance Document: Taking Privacy into Account Before Making Contracting Decisions
- Guidelines for Privacy Breaches
- Privacy Breach Management Toolkit
Slide 12: What is a PIA?
- Traditionally: a process mandated for governmental departments and agencies to determine whether new technologies, information systems and initiatives, or proposed programs and policies, meet basic privacy requirements.
- More broadly, a PIA:
  - assists any organization to conduct a systematic gap analysis of a new or existing program, procedure or initiative
  - encourages proactive privacy-by-design solutions
  - records the organization's response to organizational, legal and reputational risks, in accordance with the goals and objectives of the organization and the chosen data governance and control framework
Slide 13: Where does the PIA fit in?
- A method of systematically reviewing a program, business unit, or initiative against the chosen data governance framework
- Will be completed by the leader of a program, manager of a business unit or champion of an initiative
- Early preparation means Legal does not become the "Office of No"
  - Issues are self-identified and addressed before they come to Legal
  - Privacy or data governance is not bolted on
- What will be Legal's role?
  - Privacy by Design approach
  - A record of due diligence and justification if questioned
Slide 14: Privacy Compliance Program Components
Slide 15: Who owns the PCP?
- Variety of Governance Models
  - Centralized: Privacy Officer or Compliance Department
  - Localized: each business unit has privacy compliance authority
  - Hybrid: centralized overall authority, delegated functions
- What's Legal's Role?
  - Leader: manages the centralized PCP or leads a hybrid program
  - Advisor: provides legal advice and support for the PCP
  - Participant: one of the stakeholders in a PCP led or managed elsewhere
  - Internal Auditor: tests the adequacy of a localized or hybrid PCP
Slide 16: What should the PCP manage?
- Little Data: the management of our traditional online and offline data. We are used to thinking about little data as limiting collection, limiting use, limiting retention, and limiting disclosure
- Big Data: refers to the practice of using huge sets of structured and unstructured data to find correlations that drive new insights. It doesn't answer why (causality) but assists in predicting what
- Big Data technology thrives on:
  - Volume: lots of data sets over long periods of time
  - Variety: a variety of data types and points
  - Velocity: keep it coming to refine, refresh and retest
  - Vistas: using, combining and examining data in new ways
Slide 17: What laws and obligations?
- Traditional Personal Data Protection and Use Laws
  - Personal Information Protection and Electronic Documents Act (PIPEDA)
  - Privacy Act + Access to Information Act
  - Provincial Personal Information Protection Acts
  - Personal Health Information Protection Acts
  - Freedom of Information and Protection of Privacy Acts (BC and Nova Scotia Personal Information International Disclosure Protection Act and New Brunswick Personal Health Information Access and Protection Act)
  - International Personal Data Protection Legislation
- Expanded, Broader Data Governance
  - Emerging Tort Law and Class Actions
  - Canada's Anti-Spam Legislation & international equivalents
  - Unsolicited Telecommunications Rules & international equivalents
  - Confidentiality obligations to third parties, and sharing of confidential business information with third parties
  - Service Organization Controls (SOC) Reports (completed by auditors)
  - Payment Card Data Security Standards
  - Criminal Code (recording / interception)
Slide 18: Goals and Objectives
- Legal compliance is, of course, an overall objective
- However, the type of organization and the purposes for which it uses data will affect what is emphasized as goals and objectives, and what will be measured
- Examples of questions to ask when defining goals and objectives:
  - What is the level of our risk tolerance?
  - What is the nature of the data that we handle? Consumer, employee; sensitivity (e.g. health data, financial data)
  - How important is amassing large quantities of data for Big Data projects?
  - Does our position in the market require us to be a "most trusted brand", or are we an intermediary subject to SOC assessments?
  - Do we have public company reporting obligations?
  - Are we a government organization held to a higher standard of public good?
  - Is it important that we are able to transfer data around the world?
Slide 19: Frameworks and Controls
- Identify the appropriate overall Data Governance and Controls Framework
- The framework supplies the principles that you will deploy and measure your progress against, and identifies the controls that should be put into place
  - Treasury Board
  - Canadian Standards Association Privacy Principles in PIPEDA
  - Sectoral privacy standards such as PCI-DSS
  - OSFI Guidance
  - ISO 27000, ISO 27001, ISO
- Likely what you will require is a mix of frameworks:
  - General privacy principles and technical security principles, as well as a control methodology to govern the organization as a whole
  - Specific additional principles for certain business unit areas or functions
Slide 20: Data Mapping Analysis
- what data is collected, and from whom
- where it is stored/processed, and by whom
- how it is used, and by whom
- to whom it is disclosed
- what types of info security mechanisms/policies/procedures are in place
- what about data retention policies
- data security breach procedures
- level of knowledge within the organization re privacy rules
- what about your suppliers, advisors, reps, agents
Slide 21: Gap Analysis
- After developing the framework, you perform a gap analysis to identify missing policies, procedures, practices and controls
- Success is measured by identifying and closing these gaps in a way that meets the overall goals and objectives of the organization
- E.g. a gap analysis may reveal that transaction data is being retained indefinitely, in violation of the limited retention privacy principle, exposing clients to unnecessary risk in the event of a breach. Depending on the overall goals and objectives of the organization, solutions may include purging data or investing in de-identification techniques.
- As discussed later, a Privacy Impact Assessment is a useful tool for conducting a gap analysis
Slide 22: Policies & Procedures
- The data governance and controls framework will assist in identifying the types of policies and procedures that are required
- At a minimum, every organization should have policies and procedures covering:
  - Personal information protection: consent collection and notification of purposes; access to and correction of personal information; retention and disposal of personal information; complaints
  - Use of the organization's and other organizations' confidential information
  - Use of information and information technology, covering access controls and administrative, physical and technological security controls
  - Commercial electronic communications policies covering: assessing Canadian Anti-Spam Legislation obligations; consent collection; managing implied consent; form and content requirements; managing unsubscribes & complaints
  - Breach handling procedures
  - Third party supplier policies specifying contractual and other safeguard requirements
Slide 23: Training & Evaluation
- A PCP should make provision for:
  - ongoing training of employees: new employees, current employees, contract employees
  - periodic evaluation of programs against the data governance and controls framework
  - revisiting the goals and objectives and the data governance and controls framework as business needs change
- A Privacy Impact Assessment can assist:
  - in ongoing training (learning by doing)
  - in evaluating programs (a structured assessment conducted by the employees as part of program review or design of a new initiative)
  - in identifying the need for changes to the goals and objectives of the data governance and controls framework (themes may develop, or tensions may be escalated to senior management)
Slide 24: Interactive Exercise
Slide 25: Interactive PIA Exercise
- Review a model PIA (handout)
- Interactive PIA Assessment:
  - Your client wants to start analyzing the profiles of its most valuable customers and their buying patterns
  - They want to pull leasing data by postal code, and also information about when customers purchase out the lease and the product that they lease
  - They would also like to draw on information from contest participation and website analytics to determine whether these customers are engaged with the company online. They will do that by IP address, which they will correlate with the postal codes of the individuals that were sent promotional e-mails
- How would you tackle a PIA Assessment?
Slide 26: Big Picture Issues
- Are the data elements personal information?
- Has the organization identified to the individual the purposes for which the data will be used for analytics?
- What type of consent was obtained? Is opt-in/implied consent necessary?
- Is the organization going to retain the information? Where, how (added to profile), and for how long? If so, what would be required?
- Is the organization going to share the information with others, e.g. affiliates, dealers, business partners, and others? If so, what would be required?
- Others
Slide 27: Thank You
- Heather Innes E:
- Col. Vihar Joshi E:
- Timothy M. Banks E: timothy.banks@dentons.com
More informationPrivacy Impact Assessment Guidelines for the Ontario Personal Health Information Protection Act. Ann Cavoukian, Ph.D. Commissioner October 2005
Privacy Impact Assessment Guidelines for the Ontario Personal Health Information Protection Act Ann Cavoukian, Ph.D. Commissioner October 2005 Information and Privacy Commissioner/Ontario Privacy Impact
More informationCASL Canada s Anti-Spam Law. Webinar One - Consent
CASL Canada s Anti-Spam Law Webinar One - Consent 1 Disclaimer The information included in this presentation may not reflect the views of Industry Canada, or the Canadian Radio-television and Telecommunications
More informationNational Association of Pharmacy Regulatory Authority s Privacy Policy for Pharmacists' Gateway Canada
Introduction National Association of Pharmacy Regulatory Authority s Privacy Policy for Pharmacists' Gateway Canada This Privacy Policy describes the manner in which the National Association of Pharmacy
More informationPolicy Brief: Protecting Privacy in Cloud-Based Genomic Research
Policy Brief: Protecting Privacy in Cloud-Based Genomic Research Version 1.0 July 21 st, 2015 Suggested Citation: Adrian Thorogood, Howard Simkevitz, Mark Phillips, Edward S Dove & Yann Joly, Policy Brief:
More informationQuestions and answers for custodians about the Personal Health Information Privacy and Access Act (PHIPAA)
Questions and answers for custodians about the Personal Health Information Privacy and Access Act (PHIPAA) This document provides answers to some frequently asked questions about the The Personal Health
More informationKingsway Financial Services Inc. Privacy Policy
Kingsway Financial Services Inc. Privacy Policy Table of Contents Notice... i 1. Introduction... 1 2. Responsibility... 1 3. Personal Information... 2 4. Why Kingsway Collects & Discloses Personal Information...
More informationSection 1, Part 1. General Administration Function (Function-based arrangement)
Retention Guidelines for Common Administrative Records of the Government of Canada Section 1, Part 1 General Administration Function (Function-based arrangement) Revised, 21 April 2011 Table of Contents
More informationProtecting Saskatchewan data the USA Patriot Act
Protecting Saskatchewan data the USA Patriot Act Main points... 404 Introduction... 405 Standing Committee on Public Accounts motion... 405 Our response to the motion... 405 ITO, its service provider,
More informationHEALTH INFORMATION ACT (HIA) BILL QUESTIONS AND ANSWERS
HEALTH INFORMATION ACT (HIA) BILL QUESTIONS AND ANSWERS KEY HIA CONCEPTS AND PROVISIONS Q. What is the purpose of the legislation? To protect clients personal health information. To set rules on the collection,
More informationCredit Union Code for the Protection of Personal Information
Introduction Canada is part of a global economy based on the creation, processing, and exchange of information. The technology underlying the information economy provides a number of benefits that improve
More information6.9 Social Media Policy
Policy Statement It is the policy of the to encourage clear and effective communication with all Nova Scotians using a variety of accepted tools, including social media. Social media is helping government
More informationThe Marketing Landscape since CASL: One Year Later
The Marketing Landscape since CASL: One Year Later By: Geoff Linton and Matthew Vernhout CASL is a year old this month and the good news is that not much has changed for legitimate emarketers. Email the
More informationINSTITUTE FOR SAFE MEDICATION PRACTICES CANADA
INSTITUTE FOR SAFE MEDICATION PRACTICES CANADA PRIVACY IMPACT ASSESSMENT (PIA) ON ANALYZE-ERR AND CURRENT DATA HANDLING OPERATIONS VERSION 3.0-2 JULY 11, 2005 PREPARED IN CONJUNCTION WITH: ISMP Canada
More informationTHE RESEARCHER S GUIDE TO DATA PRIVACY
THE RESEARCHER S GUIDE TO DATA PRIVACY PAUL HANCOCK, ACCESS AND PRIVACY MANAGER, OFFICE OF THE UNIVERSITY COUNSEL KAITLYN GUTTERIDGE, LEAD PRIVACY, POLICY AND AGREEMENTS, POPULATION DATA BC Overview Introduction
More informationChangeIt Privacy Policy - Canada
ChangeIt Privacy Policy - Canada 1. Policy on Privacy of Personal Information Formulating Change Inc. ( FCI, we, us or our ) is committed to protecting the privacy and security of your Personal Information
More informationB2B Business Relations and Consent Requirements under the New Canadian Anti-Spam Law
January 2014 Privacy Bulletin B2B Business Relations and Consent Requirements under the New Canadian Anti-Spam Law Last month, the Minister of Industry announced that Canada's new Anti-Spam legislation
More informationAuditing data protection a guide to ICO data protection audits
Auditing data protection a guide to ICO data protection audits Contents Executive summary 3 1. Audit programme development 5 Audit planning and risk assessment 2. Audit approach 6 Gathering evidence Audit
More informationAutomating Control Frameworks: A Tool for Managing Compliance and Risk in Government Services
: A Tool for Managing Compliance and Risk in Government Services November 19, 2008 Slide 1 Agenda Problem Space Solution Space Describe the compliance and risk management problem Why is this relevant for
More informationNew Ross Credit Union Web Site Statement
Privacy New Ross Credit Union Web Site Statement YOUR PRIVACY IS OUR PRIORITY Credit unions have a history of respecting the privacy of our members. Your Board of Directors has adopted the Credit Union
More informationWhite Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA
White Paper Achieving GLBA Compliance through Security Information Management White Paper / GLBA Contents Executive Summary... 1 Introduction: Brief Overview of GLBA... 1 The GLBA Challenge: Securing Financial
More informationRISK AND COMPLIANCE COMMITTEE CHARTER
1. GENERAL SCOPE AND AUTHORITY 1.1 Introduction This charter governs the operations of the Risk & Compliance Committee of Redflex Holdings Limited (RHL or Company). 1.2 Purpose The Risk & Compliance Committee
More informationCHARTER FOR THE THE REGULATORY, COMPLIANCE & GOVERNMENT AFFAIRS COMMITTEE CHARTER THE BOARD OF DIRECTORS
CHARTER FOR THE THE REGULATORY, COMPLIANCE & GOVERNMENT AFFAIRS COMMITTEE CHARTER OF THE BOARD OF DIRECTORS OF Copyright/permission to reproduce Materials in this document were produced or compiled by
More informationArizona State University. HIPAA Compliance. Audit Report Number 15-08. May 7, 2015
This page left blank intentionally. Summary The Health Insurance Portability and Accountability Act of 1996 (HIPAA) audit was included on the Arizona State University (ASU) FY 2015 annual audit plan approved
More informationAudit of Financial Reporting Controls
Audit of Financial Reporting Controls WESTERN ECONOMIC DIVERSIFICATION CANADA Audit & Evaluation Branch February 2012 Table of Contents 1.0 Executive Summary 1 2.0 Statement of Assurance 1 3.0 Introduction
More informationPrivacy by Design The 7 Foundational Principles Implementation and Mapping of Fair Information Practices
Privacy by Design The 7 Foundational Principles Implementation and Mapping of Fair Information Practices Ann Cavoukian, Ph.D. Information & Privacy Commissioner, Ontario, Canada Purpose: This document
More information7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data. Directive 7.08 Protection of Personal Data
Akzo Nobel N.V. Executive Committee Rules 7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data Source Directive Content Owner Directive 7.08 Protection of Personal Data AkzoNobel Legal
More information