By Jonathan D. Andrews & Kathleen Campbell Illustration: John Sapsford
Getting ready for the fast-approaching privacy laws is more than just a one-time fix for corporations

"Why haven't we done anything about this privacy problem?" Phil, the CEO of Pacific Preserves Inc., was in no mood for the weekly meeting. He had just failed to finalize merger negotiations because Pacific Preserves did not have a privacy compliance regime in place. "We discussed privacy in May," replied Barb, the chief information officer. Kerry, a recent CA hire, joined in at this point, explaining the issue: "Privacy laws are coming into effect on January 1, 2004. Privacy is a hot issue; it's not just about compliance, it's about privacy risk management. We're now seeing companies suffering damage to their reputations as well as losing out financially because they don't have privacy policies and procedures in place."
"So, that means we need to deal with this quickly," Phil said. Barb added that it was an ongoing issue, that much work lay ahead, and that many organizations were appointing senior-level privacy officers to handle it. "A team should be formed to develop a privacy program; a first step is to complete an inventory of how we handle customers' personal and sensitive (usually financial or medical) information," she said.
"So do we keep this type of information?" asked Phil. "The company's files may be holding both kinds of information. When customers purchase via the Web they provide sensitive information about allergies so we can avoid shipping products that could be potentially harmful," Barb explained. "We keep such information on file. We also collect household income information so marketing can do demographic analysis. Such information would also be considered sensitive although maybe not necessary to complete a sale."
"Under federal legislation, a company can only hold personal information for which consumers have given their consent," Kerry added. "All other personal information must be deleted; there is no grandfathering provision for personal information collected prior to, and in place, on January 1, 2004."
"We also need to change our systems to allow for new access procedures and security," Barb said, adding that the exercise could also identify poor practices in data collection and retention, and might even improve customer relations and save money.
Staff need to know what information is appropriate to request, how to handle personal information, and how to respond when customers ask why the information is needed and what it is used for. If the company did not comply with the new legislation, it could face financial penalties as well as damage to its reputation. The legislation also contains a provision encouraging employees to blow the whistle on a non-compliant company.
Phil realized there was plenty to do — organizing a team to build a privacy program as soon as possible, and obtaining legal advice as needed to ensure compliance.
As Kerry had pointed out, privacy risk management was the key priority. The newly introduced AICPA/CICA Privacy Framework sets out privacy best practices, and the CICA's Privacy Resource Guide shows how to put them into practice.
Developed jointly by the AICPA and the CICA, the Privacy Framework reflects best practices from around the world and provides a useful basis for developing a privacy framework and related controls. The framework contains 10 privacy components, each with a series of statements of best practice, or criteria, within the following categories:
Privacy policies containing statements of management's intent, objectives, requirements, responsibilities and standards;
Communications to individuals, internal personnel and third parties concerning the organization's privacy notices and commitments; and
Procedures and controls to implement the organization's privacy policies.
Privacy risk is a business-wide issue, but the 10 privacy components also bear directly on IT. Barb will need to work with Kerry and his team, drawing on the framework and, in particular, on its recommended procedures and controls.
Management Kerry and Barb will need to review the design, acquisition, implementation, configuration and management of infrastructure, systems and procedures and any changes for consistency with the company's evolving privacy policies and procedures and address any inconsistencies.
Notice Where information is collected from Pacific Preserves' customers through its website, privacy notices will need to be:
• readily accessible and available when personal information is first collected from the individual;
• provided at or before the time information is collected, or as soon as practical, to enable individuals to decide whether or not to submit personal information to Pacific Preserves; and
• clearly dated to allow individuals to determine whether the notice has changed since the last time they read it or since the last time they submitted personal information to the company.
In addition, Pacific Preserves will have to keep track of previous versions of its privacy policies and procedures, inform individuals of changes to a previously communicated privacy notice (for example, by posting a notification on its website), and document that the changes were communicated.
Choice and consent Pacific Preserves will be able to collect sensitive information only if the customer provides explicit consent; typically, this "opt in" consent would be obtained through a check box on the order form.
Collection The types of personal information collected by Pacific Preserves and its use of cookies to help customers avoid having to input information again will need to be documented and described in the privacy notice. Customers should be advised of the consequences if the cookie is refused.
Use and retention Pacific Preserves won't be able to retain personal information longer than needed. For example, systems and procedures will need to be in place to ensure that:
• its retention policies and disposal procedures are documented;
• records are erased or destroyed in accordance with the retention policies;
• archived and backup copies of records are retained, stored, and disposed of in accordance with its retention policies;
• personal information is not kept beyond the standard retention time unless there is a justified business reason for doing so;
• specified personal information about an individual (for example, credit card numbers) is removed as soon as the transaction is complete; and
• personal information no longer required for the identified purpose is regularly and systematically destroyed and erased.
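The retention and quality procedures above can be turned into a routine, auditable pass over the customer file. The following is an added example written for this article, not code from Pacific Preserves or from the AICPA/CICA framework: it scrubs card numbers once a transaction is complete, erases records that have passed the standard retention period unless a justified business reason is documented on the record, writes a disposal log so the erasures can be carried over to archive and backup copies, and flags records due for the periodic reconfirmation the quality criteria call for. The record layout, the 365-day retention period, the 180-day reconfirmation interval and the sample customers are all assumptions made for the example.

```python
"""Added example: retention, disposal and reconfirmation pass over customer records.

Not Pacific Preserves' code. The policy periods, the record fields and the
sample data below are assumptions chosen to illustrate the article's criteria.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed policy parameters; in practice they come from the documented
# retention schedule rather than from constants in code.
STANDARD_RETENTION = timedelta(days=365)   # keep a record this long after last use
RECONFIRM_INTERVAL = timedelta(days=180)   # ask customers to reconfirm after this


@dataclass(frozen=True)
class CustomerRecord:
    customer_id: str
    collected_on: date                      # when the information was obtained (quality criterion)
    last_used_on: date                      # last update or use; drives retention
    transaction_complete: bool
    card_number: Optional[str] = None       # needed only until the transaction completes
    allergies: Optional[str] = None         # sensitive; collected with explicit consent
    household_income: Optional[int] = None  # sensitive; marketing use only
    retention_reason: Optional[str] = None  # documented justification to keep past the standard period


@dataclass(frozen=True)
class DisposalEntry:
    customer_id: str
    action: str        # "card_removed", "erased" or "retained_with_reason"
    detail: str
    performed_on: date


def enforce_retention(records: List[CustomerRecord],
                      today: date) -> Tuple[List[CustomerRecord], List[DisposalEntry]]:
    """Apply the retention policy and return (surviving records, disposal log).

    1. Card numbers are removed as soon as the transaction is complete.
    2. Records older than the standard retention period are erased unless a
       justified business reason is recorded; the reason is logged so the
       exception is visible to whoever reviews the log.
    The log is the feed for applying the same erasures to archives and backups.
    """
    survivors: List[CustomerRecord] = []
    log: List[DisposalEntry] = []
    for rec in records:
        if rec.transaction_complete and rec.card_number is not None:
            rec = replace(rec, card_number=None)   # frozen dataclass: make a scrubbed copy
            log.append(DisposalEntry(rec.customer_id, "card_removed",
                                     "transaction complete", today))
        if today - rec.last_used_on > STANDARD_RETENTION:
            if rec.retention_reason:
                log.append(DisposalEntry(rec.customer_id, "retained_with_reason",
                                         rec.retention_reason, today))
            else:
                log.append(DisposalEntry(rec.customer_id, "erased",
                                         "beyond standard retention period", today))
                continue   # the whole record is dropped
        survivors.append(rec)
    return survivors, log


def due_for_reconfirmation(records: List[CustomerRecord], today: date) -> List[str]:
    """IDs of records whose information has not been confirmed within the interval."""
    return [r.customer_id for r in records
            if today - r.last_used_on > RECONFIRM_INTERVAL]


# Constructed sample data for the example (not real customers).
SAMPLE_TODAY = date(2004, 1, 1)
SAMPLE_RECORDS = [
    CustomerRecord("c1", date(2003, 12, 20), date(2003, 12, 20), True,
                   card_number="4111111111111111", allergies="peanuts"),
    CustomerRecord("c2", date(2002, 6, 1), date(2002, 6, 1), True,
                   household_income=65000),                       # stale, no reason to keep
    CustomerRecord("c3", date(2002, 3, 15), date(2002, 9, 1), True,
                   retention_reason="open product-recall inquiry"),  # stale, documented reason
    CustomerRecord("c4", date(2003, 12, 30), date(2003, 12, 30), False,
                   card_number="5555555555554444"),               # order still in progress
]

if __name__ == "__main__":
    kept, disposal_log = enforce_retention(SAMPLE_RECORDS, SAMPLE_TODAY)
    for entry in disposal_log:
        print(entry.performed_on, entry.customer_id, entry.action, entry.detail)
    print("kept:", [r.customer_id for r in kept])
    print("due for reconfirmation:", due_for_reconfirmation(kept, SAMPLE_TODAY))
```

The pass is deliberately pure: it returns the surviving records and the log rather than deleting in place, so the same log can be replayed against archive and backup copies, and the "retained_with_reason" entries give an auditor the list of exceptions to review.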
Access To address access concerns, Pacific Preserves will have to establish systems and procedures to:
• provide personal information to the individual in a format that is understandable and in a form convenient to both the individual and the company;
• make a reasonable effort to locate the personal information requested and, if personal information cannot be found, keep sufficient records to demonstrate that a reasonable search was made;
• take reasonable precautions to ensure that information released does not identify another person, directly or indirectly;
• provide access to personal information in a time frame that is similar to the company's normal response times for other business transactions, or as permitted or required by law; and
• provide access to personal information in archived or backup systems and media.
Customers should be able to update or correct their personal information in writing, by phone, by e-mail or on the company's website.
Disclosure to third parties Pacific Preserves will need to establish a policy that customers' personal information is not disclosed to third parties unless necessary for the completion of an individual transaction, such as the use of credit card information. Systems and procedures should also be established to:
• prevent the disclosure of personal information to third parties unless an individual has given implicit or explicit consent for the disclosure;
• document the nature and extent of personal information disclosed to third parties;
• test whether disclosure to third parties is in compliance with Pacific Preserves' privacy policies and procedures, or as specifically allowed or required by law or regulation;
• document any third-party disclosures made for legal reasons.
Security The best practices in the security section are likely to impact Barb's department the most. It will have to develop administrative, technical and physical safeguards to protect personal information from loss, misuse, unauthorized access, disclosure, alteration and destruction.
The controls to be addressed are:
Logical access: access to personal information is restricted by procedures that address authorization, authentication, privileges, permissions and distribution of output.
Physical access: access to personal information in any form (including the components of the systems that contain or protect personal information) is restricted.
Environmental safeguards: all personal information is protected against unlawful destruction, accidental loss, natural disasters and environmental hazards.
Transmitted personal information: personal information is protected when transmitted over the Internet, over public networks and by mail.
Testing security safeguards — tests of the effectiveness of the key administrative, technical, and physical safeguards protecting personal information are conducted at least annually.
Quality In order to address concerns over quality, systems and procedures will need to be established to:
• record the date when personal information is obtained or updated;
• specify when and how personal information is to be updated and the source for the update (for example, annual reconfirmation of information held and methods for individuals to proactively update personal information);
• ensure personal information used on an ongoing basis is sufficiently accurate and complete to make decisions, unless there are clear limits to the need for accuracy;
• ensure personal information is not routinely updated, unless such a process is necessary to fulfil the purposes for which it is to be used.
The company will need to undertake periodic assessments to check the accuracy of personal information records and to correct them, as necessary.
Monitoring and enforcement It is important that instances of noncompliance with privacy policies and procedures are documented and reported and, if needed, corrective measures are taken on a timely basis. Systems and procedures will need to be established to:
• notify employees of the need to report privacy breaches and security vulnerabilities in a timely manner;
• inform employees of the appropriate channels to report security vulnerabilities and privacy breaches;
• monitor the resolution of security vulnerabilities and privacy breaches to ensure appropriate corrective measures are taken on a timely basis.
To build a privacy program for Pacific Preserves, Kerry can use the following steps to privacy compliance from the primer Privacy Matters: An Introduction to Personal Information Protection:
1. Appoint a privacy officer to be responsible for privacy compliance throughout the company.
2. Inventory current privacy practices, identify all sources, uses, locations and all sharing, disclosure, archiving and destruction of personal information.
3. Assess the gaps between the organization's current privacy practices and fair information practices, including pertinent privacy laws, regulations and guidelines.
4. Prepare privacy policies and procedures to effectively address privacy gaps.
5. Appoint a cross-functional team to develop a detailed change management plan and make the required changes.
6. Implement the privacy program with respect to policies, procedures, information systems, contracts and other privacy-related materials.
7. Monitor and report on compliance with the organization's privacy policies and procedures in accordance with fair information practices.
The AICPA/CICA Privacy Framework and the seven steps will provide Kerry and his team with the resources to help Pacific Preserves establish its desired privacy compliance regime and get the merger back on track.
Jonathan D. Andrews, CA•IT/CISA, FCA (England & Wales), and Kathleen Campbell, CMA, are with NetLearn Services Inc. in Victoria.
Technical Editor: Deryck Williams, CMC, FCA, partner at PKF Hill, Toronto