Driving Excellence through Data Governance Personal Data Protection Seminar. Singapore, May 16, 2014

Size: px

Start display at page:

Download "Driving Excellence through Data Governance Personal Data Protection Seminar. Singapore, May 16, 2014"

Vincent Stanley
8 years ago
Views:

1 Driving Excellence through Data Governance Personal Data Protection Seminar Singapore, May 16, 2014 Address by Elizabeth Denham, Information and Privacy Commissioner for British Columbia Thank you for the kind introduction. I am honoured to have been invited here today, on the eve of the coming into force of the personal data protection provisions in Singapore s Personal Data Protection Act. This event is also a timely one. Many of you will know we have just celebrated Privacy Awareness Week, an initiative of the Asia-Pacific Privacy Authorities or APPA. APPA is an international forum of data protection Commissioners including Australia and New Zealand, Canada, Macau, Hong Kong, Korea and Mexico to name a few. The province of British Columbia is Canada s gateway to the Pacific Rim. We are an active member of APPA and we look forward to hosting an international members meeting in Vancouver later this year. Before I begin, a few words about my office: As Commissioner I oversee the personal data protection practices in the public and private sector. I oversee more than 2,900 public agencies and 380,000 businesses and organizations.

This event is also a timely one. Many of you will know we have just celebrated Privacy Awareness Week, an initiative of the Asia-Pacific Privacy Authorities or APPA.

2 Page 2 of 7 I have a range of enforcement and oversight tools I can investigate complaints, initiate audits, and comment on new technologies and programs affecting the privacy of British Columbians. I also have order-making power. If a government ministry or business is offside the law, I can order them to comply and change their practices. These Orders are enforceable by a court of law. I note that Singapore s data protection law has a similar provision, where the Directions of the Commission can be enforced in a District Court. This is an important and useful tool for regulators, in that it gives legal weight to the decisions of the Commissioner and creates an incentive for businesses to comply. Today I want to share with you my approach to regulation which is proactive and collaborative and my view that the best results are achieved when regulators, government, businesses, and industry work together to protect privacy in a comprehensive and holistic way. Privacy in Practice I want to start with this: Privacy and security practices are good for business. Good privacy practices + good security practices = good business. Businesses that take privacy and security seriously gain and retain customer trust. If you make a serious and lasting investment in privacy and security you are giving yourself a competitive edge. Privacy is important to your business, because it s important to consumers, who are deeply concerned about how their personal information is being collected and used by businesses.

I note that Singapore s data protection law has a similar provision, where the Directions of the Commission can be enforced in a District Court.

3 Page 3 of 7 A 2012 study of consumer attitudes in Canada found that 75% are concerned about the EROSION of their privacy. Privacy concerns were more important than climate change and terrorism, and were second only to a second global economic crisis. I note that this survey was completed before Edward Snowden unveiled the alleged surveillance activities of national security agencies. I would suggest that privacy concerns have persisted, and perhaps even increased, since that time. Sound Privacy and Security Practices Canadian businesses recognize this growing concern about privacy on the part of their customers. 63% of businesses surveyed identified strong privacy practices to be a significant or competitive advantage in their business. These companies recognize the opportunity to build trust and confidence thorough comprehensive privacy measures. If an investment in privacy can build trust, the inverse is also true. A privacy breach can be very costly to your bottom line and can have lasting effects. Consider the Target privacy breach, the biggest breach we ve ever seen in the retail sector, where 110 million customers had their personal data and payment information compromised. In the wake of the breach, Target s net earnings dropped 46 percent, stock prices suffered, and very recently the CEO resigned. It is important to invest in sound privacy and security practices BEFORE a data breach occurs.

I note that this survey was completed before Edward Snowden unveiled the alleged surveillance activities of national security agencies.

4 Page 4 of 7 As Singapore emerges as a leader in the information and communication fields, a lasting investment in privacy and security will give you a significant competitive advantage as you seek to develop this sector of Singapore s economy. Regulatory Strategies My role as a regulator is to ensure businesses and governments comply with data protection laws. In order to be most effective, I have to be both proactive and collaborative in my approach. Being proactive means getting out in front of privacy issues. Waiting for a complaint to come in the door before taking action simply doesn t work in a world with a rapid pace of technological change. A proactive approach is especially important with new and emerging technologies. When regulators engage businesses and government BEFORE a new technology is implemented, we can influence the development of strong privacy and security controls, and make sure the program is in compliance with the law before it is operational. Being an effective regulator also requires collaboration with other data protection authorities. This is critical in a federated state such as Canada, where oversight of the private sector includes both the national and provincial Commissioners. It is also important in the context of a global village, where more data is digital and crosses international borders. The Federal, Alberta, and British Columbia Commissioners have collaborated extensively on education and enforcement actions. Canadian commissioners took the proactive step of contacting Google at the outset of their street view imaging project. We provided them with detailed guidance for how the images could be lawfully used in Canada including blurred faces and licence plates,

In order to be most effective, I have to be both proactive and collaborative in my approach. Being proactive means getting out in front of privacy issues.

5 Page 5 of 7 and notifying communities that Google street view was on the way BEFORE any images were taken. This collaboration allowed us to send a clear message to an international company about how they needed to structure their business to comply with privacy laws across jurisdictions in Canada. Data protection Commissioners are also collaborating globally to raise concerns about the privacy implications of new technology. Last year, data protection Commissioners from Canada, Australia, New Zealand, Israel, Mexico, Switzerland and the Article 29 Working Party of the European Union, issued joint correspondence to Google about Google Glass. This was a proactive and collaborative step to seek clarity on how Glass would comply with global data protection laws, and asking what privacy and security controls the company was building into the wearable computing technology. Robust laws, Dynamic regulation Privacy regulation can be challenging, technical, and complex. As regulators, we can achieve greater compliance with robust privacy laws through dynamic regulation that is proactive and collaborative. Businesses also have the opportunity to be proactive in addressing privacy concerns. It is not good enough to be passive and await a regulator s investigation to see whether you are complying with privacy laws. Canada s privacy commissioners have developed an educational guidance document that can be used by companies to build privacy into their DNA, to promote compliance AND demonstrate to regulators, governments and customers that you take privacy seriously. It is a roadmap to a comprehensive and holistic approach to privacy and security across the organization. The publication is called getting Accountability Right with a Privacy

Data protection Commissioners are also collaborating globally to raise concerns about the privacy implications of new technology.

6 Page 6 of 7 Management Program. It is tailored to the private sector and outlines the three stepping stones to comprehensive privacy controls for your business. Getting Accountability Right The key starting point is that there is an organizational commitment that means tone from the top, and a genuine commitment to invest in privacy that is communicated by the head of the company. The foundation includes creating a Data Protection Officer role. This person should sit at the executive table and should be empowered to lead the privacy agenda for the business. Once this foundation is laid, program controls are necessary, followed by ongoing assessment and revision this is critical in light of changing threats and risks. Holistic Approach to Implementation The key is that privacy and data protection is not a one-time investment, or a one-off activity. It is an ongoing, evergreen process that MUST be done in a holistic way. If you are starting to see that sound personal data security and protection requires all of the relevant actors working simultaneously towards a common goal then you understand what my strategic approach aims to achieve. I know this is already happening here. This seminar is a prime example. And the private sector is already striving for that competitive advantage: hiring information technology professionals is up, and I see that the Direct Marketing Association has offered workshops on the personal data protection provisions so that the marketing industry can move in concert towards compliance. Creating effective data protection is a team effort between regulators, businesses, industry groups and professionals.

the head of the company. The foundation includes creating a Data Protection Officer role.

7 Page 7 of 7 I want to leave you with these questions for our discussion this afternoon: how can we each work proactively and collaboratively? What can you do in your role within your business, with other businesses in your sector, with government, with the regulator to act in concert towards ensuring that the strength of our economies and societies includes privacy principles? And how can you promote the growth of a privacy-minded community of businesses and organizations in Singapore? Thank You.

What can you do in your role within your business, with other businesses in your sector, with government, with the regulator

Global Privacy and Data Security in the Cloud September 14, 2011 Miriam Wugmeister

2011 Morrison & Foerster LLP All Rights Reserved mofo.com Global Privacy and Data Security in the Cloud September 14, 2011 Miriam Wugmeister Presenter Miriam Wugmeister Morrison & Foerster LLP New York