Privacy

1
Privacy
its Law ..
How does it impact you?

• Help Desk Institute
• April 15, 2004

2

• Divestco Inc. is ..

Mapping and Data Tools and Services.. GeoVista,
GIS Mapping, MapQ, eMapQ, Complete Oil Gas
Database, OilExpert, The Rat? Handheld Digitizer
Exploration Tools and Services .. Synthetic
Suite, CrossLOG Suite, OutRider, WinPICS Seismic
Workstations/SMAC, 2D/3D Seismic Interpretation,
Envision3D, Duplicate Seismic Line Cleaner,
Survey Audit, Seismic Data Brokerage Data and
Records Management Services .. Oil Gas
Technical Records, Corporate Records, Imaging and
Scanning, Data Archiving, Disaster Recovery
Solutions, and Privacy Services
3
What is Privacy?

• Privacy deals with the right of an individual
  to control the collection, use and disclosure of
  their personal information.
• Privacy affects all aspects of operations and
  business practices.
• All organizations maintain personal information
  about their customers, business partners and/or
  employees.
• Privacy is much more than confidentiality or
  security.
• Personal Information is information about an
  identifiable individual and includes their race,
  ethnic origin, opinions, color, age, marital
  status, religion, education, medical, criminal
  and employment or financial history, home address
  and telephone number and any numerical
  identification such as social insurance number
  and employee number.

4

• Some Horror Stories
• Telecommunications Company
• Companys Web Site

• Headlines
• Equifax
• Impark
• Calgary Police Service
• ISM

• Privacy Commissioners
• By the end of 2003 there were 223 Investigations
  and Rulings by Federal Commissioner of Canada and
  already six for 2004.
• Alberta Private Sector Team are increasing their
  staff from two to five over the next couple of
  months.

5

• PIPEDA
• Schedule 1 gives legal force to the Canadian
  Standards Associations (CSA) Model Code for the
  Protection of Personal Information

6
Policy Statements

• Privacy Policies
• Web Site
• Customer
• Employee
• Security Policy(s)
• Risk Management Policy(s)
• Business Resumption Plan including Disaster
  Recovery Plan
• Code of Conduct

7
(No Transcript)
8
Organizational Privacy Touch-Points( areas at
potential risk)

• A. Accountability and awareness of requirements
• B. Organizations compliance with all applicable
  Privacy Legislation
• C. Disclosure of policies, procedures, training
  awareness
• D. Information classification (personal and/or
  sensitive)
• E. Information collection
• F. Obtaining and tracking consent
• G. Individuals requests and complaints
• H. Information processing
• I. Storage (physical electronic) of
  information
• J. Communication and exchange of information
• K. Disposal of information
• L. Monitoring, reporting and access to
  information

9
Privacy Touch-points

• A. Accountability and awareness of requirements
• A1) Responsibility and accountability is assigned
  to a person or group to ensure privacy
  compliance.
• A2) Privacy policies are documented (in writing)
  and made readily available to internal personnel
  and third parties.
• A3) Privacy policies, procedures and the
  consequences of non-compliance with such policies
  are communicated to internal personnel.

• Technological Considerations
• Privacy policies are posted on the intranet and
  web site, including identification of to whom,
  within the organization requests and complaints
  are made.
• Training is available and tracked (E-training
  such as Polar Bear Business Solutions).
• Organizations may establish a Privacy Office /
  Officer position or combination from the business
  units/departments.

10
Privacy Touch-points

• B. Compliance with legislation
• B1) Privacy policies, disclosures and business
  practices comply with all privacy legislation
  where commercial activities are transacted
  (Provincial, Federal and Global).
• B2) Compliance is monitored and reviewed.
• B3) Instances of non-compliance with privacy
  policies, procedures are documented, reported
  and, if needed, corrective measures are taken on
  a timely basis.

• Technological Considerations
• Privacy impact assessment is imbedded in the risk
  and change management processes, including
  technology changes, the software development life
  cycle and business changes.
• Automated Control Self Assessment software and
  supporting procedures for monitoring adherence is
  in place (e.g. Securac).
• Recording and logging of privacy breaches and
  resolutions are implemented and automated.

11
Privacy Touch-points

• C. Disclosure of policies, procedures, training
  awareness
• C1) The individual is adequately advised of the
  nature and intended use and any changes to the
  nature and intended use of personal information
  collected.
• C2) The individual is adequately advised of the
  ownership and sharing and any changes to the
  ownership and sharing of personal information.
• C3) The individual receives adequate and
  appropriate training and awareness of the
  organizations privacy policies, processes and
  procedures.

• Technological Considerations
• Organizations privacy policy(s) are posted on
  the web and intranet.
• E-training is made available and participation is
  tracked. Responses provided by call centre
  personnel is consistent.
• Electronic copies of training materials and
  awareness materials are available and kept
  current. Call centre scripts are developed.
• Privacy requirements and expectations are
  embedded in any outsource agreements and third
  party contracts.

12
Privacy Touch-points

• D. Information classification (personal and/or
  sensitive)
• D1) All information is classified according to
  sensitivity. Organizations are responsible and
  obligated to know and keep track of where all
  personal information is collected, used and
  disclosed within the organization, as well as
  where information is shared externally.

• Technological Considerations
• Electronic repository of the classification
  scheme exists.
• Procedures exist to update the classification
  scheme and information inventory inclusive of
  proper authorization and approval controls.
• Privacy impact assessment is embedded into the
  organizational risk management processes.
• Data quality standards exist to ensure
  information integrity (conversions, data analysis
  and correction).

13
Privacy Touch-points

• E. Information collection
• E1) All personal information is collected for a
  specific defined and disclosed purpose.
• E2) Data capture of personal information is
  adequately protected from unauthorized or invalid
  manipulation.
• E3) The methods of collection, including the use
  of cookies or other tracking techniques, are
  documented and disclosed.

• Technological Considerations
• Applications where personal information is
  entered are adequately secured.
• An information inventory resides in an electronic
  format with appropriate and adequate security and
  authorization measures for access
  (authentication, authorization and
  administration).
• Information Security Policy(s) and Procedures
  exist, are supported by strong technical
  solutions, monitored and adhered to.
• Data exchanges (internal and external) are
  adequately and appropriately protected
  (Application Software Access Configuration,
  Firewalls, Two Factor Authentication, PKI).

14
Privacy Touch-points

• F. Obtaining tracking consent
• F1) Implicit or explicit consent is obtained from
  the individual at, or before the time personal
  information is collected or as soon as practical
  thereafter and for the disclosed purpose of the
  collection.
• F2) Implicit or explicit consent is obtained from
  the individual for personal information
  previously collected which is now to be used for
  a new purpose prior to such new use or purpose.
• F3) Explicit consent is obtained directly from
  the individual when sensitive personal
  information is collected, used or disclosed.

• Technological Considerations
• Enhancements to software to flag and track that
  consent has been provided.
• Ability to electronically modify and track when
  selection of opt in or opt out is provided by
  individuals through electronic means (web site
  and/or software application).
• Explicit and documented consent for sensitive
  personal information (financial or medical).

15
Privacy Touch-points

• G. Individuals request and complaints
• G1) Individuals have appropriate and timely
  access to view, modify or erase their personal
  information.
• G2) Individuals are informed about how they may
  obtain access to their personal information.
• G3) Individuals are informed about how and to
  whom they submit access requests and complaints.

• Technological Considerations
• Automated process exists to log and track access
  requests and complaints.
• Authentication of the individual making the
  request or complaint.
• Privacy policies and procedures including the
  organizational contact information is posted on
  the intranet and web site.
• E-mail is not secure therefore requests and
  complaints should be submitted to the
  organization in writing.

16
Privacy Touch-points

• H. Information processing
• H1) Processing of personal information is
  accurate, timely and relevant to the intended
  use.
• H2) Processing of personal information is
  adequately protected from unauthorized or invalid
  manipulation.
• H3) Processing of personal information is
  consistent with privacy disclosure.

• Technological Considerations
• ISO 17799 Security Standards.
• Availability requirements have been identified
  and a Disaster Recovery Plan (DRP) exists.
• Automated edits exist to support information
  integrity.
• Effective and efficient software, executable
  programs, and application configuration and setup
  exist and are monitored.
• Transactional and process logging and tracking
  are in place and utilized effectively.
• Ensure controls are in place for secured access,
  application security, system configuration and
  supporting manual procedures.

17
Privacy Touch-points

• I. Storage (physical electronic) of
  information
• I1) Storage of personal information is adequately
  protected from unauthorized or invalid
  manipulation.
• I2) All instances of a specific item of personal
  information can be identified in a timely manner.
• I3) Storage of personal information is consistent
  with the privacy disclosure.

• Technological Considerations
• A Business Resumption Plan (BRP) and DRP exists
  for the organization supporting the availability
  and safeguarding of information.
• Validated access to information databases, files,
  datastores, is in place.
• Adequate and appropriate authorization and
  authentication measures are in place and
  effective (e.g. Metafores Storage Solution)
• Access control administration is properly trained
  and aware of the privacy risks.
• Non-repudiation measures are in place to protect
  against individuals who deny sending or receiving
  information, especially for sensitive and
  critical information.

18
Privacy Touch-points

• J. Communication and exchange of information
• J1) Personal information exchanged electronically
  and physically, internally and to third parties
  is adequately protected from unauthorized or
  invalid manipulation.
• J2) Electronic and physical exchange of personal
  information is consistent with the privacy
  disclosure and individuals are informed of that
  disclosure.

• Technological Considerations
• Adequate and appropriate security measures are in
  place to protect data exchanges (Web site, ERP
  systems, FTP).
• Authentication and authorization procedures are
  in place and operating effectively and
  efficiently (Single Sign On, User Logs, Identity
  Repository and Authorization levels, Secure Ids,
  PKI, Digital Signatures, Encryption).
• Use of document control software (e.g.
  RightsEnforcer).

19
Privacy Touch-points

• K. Disposal of information
• K1) Disposal of personal information is
  adequately protected from unauthorized or invalid
  manipulation.
• K2) Disposal of personal information is
  consistent with the privacy disclosures.
• K3) All personal information no longer retained
  is disposed and destroyed in a timely manner that
  prevents loss, misuse or unauthorized access.

• Technological Considerations
• Retention schedules exist and are reviewed to
  ensure appropriate to the classification of
  information. Retention schedules must be set now
  for information where this was not previously
  required.
• Automated processes exist to properly archive or
  destroy personal information flagged based on the
  retention policy and schedule.
• Automated monitoring is in place and effective to
  log retention and disposition of personal
  information, e.g. Metafore Storage Solution.
• Automated controls exist for access to personal
  information , e.g. RightsEnforcer software.

20
Privacy Touch-points

• L. Monitoring, reporting and access to
  information
• L1) Reporting of personal information is
  adequately protected from unauthorized or invalid
  manipulation.
• L2) Access to view, modify or erase personal
  information is restricted on a basis consistent
  with the privacy disclosures.
• L3) Monitoring processes and procedures exist to
  ensure ongoing compliance with disclosed privacy
  policies and procedures.

• Technological Considerations
• Access to information is authorized and
  authenticated.
• Reporting processes are adequately and
  appropriately protected from unauthorized or
  invalid manipulation.
• Automated monitoring is in place and effective
  (Tivoli, Securac, RightsEnforcer).
• Assess defensive measures through network
  security audits (e.g. Metafore Assessment).

21
FOR FURTHER INFORMATION, PLEASE CONTACT
Roxanne Torok roxanne.torok_at_divestco.com 403-53
7-9892