November 2004 – PRINT EDITION    
Private practices

By Robert G. Parker
Illustration: Greg Stadler

CAs and CPAs now have a framework that helps create privacy compliance strategies that work

In the summer of 2001, US pharmaceutical giant Eli Lilly made a bit of a boo-boo. Its product marketing arm inadvertently released the e-mail addresses of more than 700 Prozac customers. The fine for this gaffe was a token $160,000, but the toll on consumer confidence remains incalculable. The worldwide media outcry muted an Eli Lilly spokesperson’s chastened promise to beef up internal policies and get a system of checks and balances in place. Only a year earlier, DoubleClick Corp., the world’s largest Internet advertising company, proudly disclosed it had the technology to track Web users’ online shopping habits. Denunciation in US Congress and a US$14-billion loss to its US$15-billion market cap convinced the company that it may have erred when it came to judging the privacy concerns of its customers.

Clearly, these prominent corporations had suffered a significant disconnect between their equally prominent privacy policies and the real-world implementation of those policies. Whether by design, accident or terrible judgment, they join an ever-growing list of businesses in desperate need of a set of practical, no-nonsense tools to apply and manage legislated and voluntary privacy policies.

To date, there have been very few private sector initiatives developed to specifically respond to this challenge. In 2001, the Canadian Institute of Chartered Accountants collaborated with the American Institute of Certified Public Accountants on the creation of the AICPA/CICA Privacy Framework. By late 2003, they had created an initiative that establishes a single global privacy standard to help businesses and their advisers navigate the minefield of privacy requirements in a wide variety of jurisdictions.

In Canada, for example, completion of the phased implementation of the federal Personal Information Protection and Electronic Documents Act (PIPEDA) confirmed, as of January 1, 2004, that privacy was now a compliance issue for all Canadian organizations engaged in commercial activities. PIPEDA had simply ratified in law that privacy would become a key factor in the cost of doing business in the 21st century.

And it’s not just electronic records or e-business transactions. Privacy legislation covers personal information in various forms, including: faxes, photocopies, letters, voice mail, file and videotape, to mention a few.

Yet, despite the high profile of privacy protection in law, confusion continues to reign around standards, procedures and consistency. Most organizations have adopted privacy policies based on PIPEDA or on provincial and/or international regulations, but few have ensured that their privacy standards are supported by systems and infrastructure that provide guidance and direction to employees and management in dealing with privacy, and that establish a standard against which the effectiveness of their compliance can be measured.

The power of the AICPA/CICA Privacy Framework is its ability to provide businesses and their third-party advisers, such as CAs and CPAs, with a comprehensive set of measurable, objective criteria that can be used to create privacy compliance strategies that work in real-world scenarios. These include providing a recognized foundation upon which to build privacy policies, procedures and guidelines that address the issue on a global basis. The framework not only speaks to PIPEDA and US privacy law but also provides tools for compliance within the interconnected world economy.

This pioneering privacy framework allows CAs to develop privacy initiatives in order to become privacy compliant and to provide a baseline against which an independent audit can be performed. Only through a comprehensive and independent third-party audit can a firm assure all stakeholders that its privacy practices appropriately address legislative requirements. For the first time, policy and practice can be accurately measured against both law and day-to-day work scenarios.

“When the CICA came to me with this framework, I was thrilled with it,” says Ann Cavoukian, Ontario’s Information and Privacy Commissioner and author of The Privacy Payoff. As the framework developed, the CICA kept close counsel with Cavoukian’s considerable expertise in the complex world of privacy standards and compliance. “It’s a most progressive move on the part of the profession and much needed,” she says. “For months, businesses have been asking me what tools are available to them to assess whether privacy practices are effective and legally compliant. I was delighted to help the CICA get [the framework] up and running.”

Cavoukian is hard-pressed to think of another profession more suited to providing third-party reviews and assessments of a company’s privacy policies and practices. “It seems to me that CAs fit hand-in-glove with this independent role,” she says. “They’re already in there doing financial audits; they already have that analytical mind-set that allows them to determine how the company is structured, where flaws between policy and actual practice may or may not exist.” With the new framework, she agrees, CAs now have a methodology from which to offer concrete and effective solutions.

The unique attributes of the CA, coupled with the framework, help address a number of key elements in the creation of a successful privacy strategy. A CA’s privacy assessment plan will quite specifically identify, document, validate and advise on privacy practices from an enterprise-wide basis down to a single department or geographic area. No matter what the scope, the CA will have the tools to validate processes on the collection, use and disclosure of personal information; identify and document business processes where sensitive information is involved; prepare or evaluate privacy policies and procedures; assess and manage privacy risk; and, ultimately, recommend the implementation of a privacy program that meets or exceeds the rigours of prevailing legislation.

These tools are based on the following 10-component AICPA/CICA Privacy Framework of internationally recognized fair information privacy practices. They are the key to initiating a successful privacy audit and allowing CAs to assess, advise and train their clients in the complexities of compliance.

Management: The entity defines, documents, communicates and assigns accountability for its privacy policies and procedures.

Notice: The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained and disclosed.

Choice and consent: The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use and disclosure of personal information.

Collection: The entity collects personal information only for the purposes identified in the notice.

Use and retention: The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information only for as long as necessary to fulfill the stated purposes.

Access: The entity provides individuals with access to their personal information for review and update.

Disclosure to third parties: The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

Security: The entity protects personal information against unauthorized access.

Quality: The entity maintains accurate, complete and relevant personal information for the purposes identified in the notice.

Monitoring and enforcement: The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.

For Cavoukian, the joint initiative’s greatest challenge was the creation of these 10 components for privacy compliance. “At first, I wasn’t sure whether they could successfully translate the privacy principles of [PIPEDA] into truly measurable criteria that work and can be analyzed in the real world,” she says. “But now, even when you go abroad with the framework, its 10 components work wonderfully with the eight privacy principles enacted by the OECD.” And the European regulatory language is packed with even more legalese. “It really is something,” she says, “that a CA can work in any jurisdiction and not fear that he or she will have a major conflict with the laws of that jurisdiction. It’s quite an accomplishment, since fair information practices form the basis of all privacy laws.”

The privacy framework was developed primarily because of the professional and practical difficulties inherent in auditing and assessing directly against legislation, including PIPEDA. Professionally, expressing an opinion on a specific piece of legislation is traditionally the purview of legal advisers. Practically, though, legislation is open to subjective interpretation, and auditing against it requires complete, measurable, relevant and objectively determined criteria. The framework provides the necessary practicable tools based on the law.

The framework itself is presented in a comprehensive 72-page document, which includes background, definitions and practical information such as techniques to effectively meet privacy objectives, as well as sample audit reports and comparisons of international privacy legislation. When information in the framework is combined with the methodology and guidance, tools and checklists provided in the personal information Privacy Resource Guide developed by the AICPA/CICA Privacy Task Force and available from the CICA (www.icca.ca/index.cfm/ci_id/21792/la_id/1.htm) or the AICPA, the framework becomes the basis for implementing a robust program for privacy compliance.

The bulk of the framework document is devoted to the actual framework’s three-column matrix. The first column contains relevant, objective, complete and measurable criteria for evaluating an entity’s privacy policies, communications, procedures and controls in each of the components. The second column provides illustrations and explanations of the criteria, and the third column provides additional considerations (see “Explicit consent for sensitive information”).

CAs can use the framework to provide a variety of advisory services. Initially, clients may need assistance in addressing the strategic, diagnostic, implementation and sustaining/managing implications of privacy using the framework’s principles, components and criteria. Subsequently, when their clients become privacy compliant, CAs may be called upon to use the criteria to provide an opinion on that compliance.

Two issues often come into play once the CA determines an organization is privacy compliant. The client must ensure it has systems and procedures to maintain that status. It must also be able to demonstrate that status to third parties.

Again, the framework plays an important role. The establishment of a professional standard, exposed to review and critique in the public arena — and its formal adoption by the Assurance Services Executive Committee of the AICPA and the Assurance Services Development Board of the CICA — allows the framework to form the basis of a direct report based on a publicly available comparable standard. Third-party processors, application service providers and other organizations wanting to assure their customers that their privacy practices meet a recognized standard will be able to do so through the new audit reporting features of the framework.

With the convergence of new legislation, increased customer demand and a realization of the complex technical nature of some elements of privacy protection, it is not surprising that the value of a privacy audit is gaining wide acceptance. In the absence of professional assistance, most organizations would likely struggle with the following privacy requirements:

Security — providing the appropriate levels of security throughout the organization based upon a business risk assessment and the additional requirements placed on organizations by various pieces of privacy legislation such as PIPEDA. An organization can have good security without meeting privacy requirements; however, it cannot have good privacy without having good security.

Authentication — in an attempt to provide good customer service, many organizations seem to have difficulty in providing a consistent level of authentication when access is requested through different channels or technologies (Internet, e-mail, regular mail, in person and call centres).

Individual access — inability to obtain all the relevant information about the data subject. Many organizations experience difficulty in simply locating relevant personal information in all media — video, hard copy, electronic files and e-mail — as well as in distinguishing original documents from copies.

As organizations evaluate these (and less technical) criteria, a privacy review of policies, standards and practices is often recommended. Such reviews are useful when organizations want a status report of their compliancy progress, as well as in developing future plans and budgets. The privacy review can be conducted as an internal audit review, an external consulting review or an external privacy diagnostic assessment — all of which may result in a report consisting of a series of observations and recommendations.

Although privacy audits, reviews and assessments should encompass all 10 components of the framework, including all the relevant criteria, and adhere to prevailing jurisdictional statutes, they need not always be enterprise-wide in scope. However, the scope must include all systems and processes involving personal information within the process under assessment. For example, a privacy audit may only address selected branch office locations, but if personal information relating to customers is being addressed, the scope must include all occurrences of personal information related to those customers, such as tombstone demographics, sales transactions, payment history, correspondence and any profiles developed by the client to assess or market to those customers.

Similarly, a client’s IT department — in most cases the central repository for personal information — is often singled out when a privacy audit is considered. Yet personal information is pervasive throughout the organization — on notebook computers and PDAs, in filing cabinets, desk drawers and wastepaper baskets. Practices regarding its collection, use and disclosure may be very informal and low tech — the sharing of photocopies without consent, or the use of scrap paper. Imagine a child bringing home a drawing created at daycare that contains an identifiable individual’s medical record on the reverse. This example illustrates why it is essential that privacy be addressed beyond the high-tech information repositories of a client’s enterprise.

The benefits achieved from a privacy audit range from minimal legal compliance to valuable business and product differentiation. At present, though, there is limited data available to determine the effect of privacy compliance as it relates to return-on-investment. It is simply too new an issue for any accurate long-term projections on the bottom-line dollar value and cost of compliance.

A few studies and polls on the impact of privacy have recently been conducted, and all confirm the power of privacy in today’s marketplace. A Jupiter Communications Inc. study of online business calculated that the Internet had lost more than US$18 billion in 2002 because consumers lacked confidence in e-businesses’ privacy practices. Even more impressive is a 2003 Harris Interactive study that found 83% of consumers polled would cease doing business with any company found to have misused their personal information, and 91% claimed they would be more likely to do business with companies that offered to verify that their privacy practices were vetted by an auditing firm.

Microsoft chief privacy strategist Peter Cullen performed one of the only nuts-and-bolts analyses of the value of privacy for RBC Financial, his former employer. His study of retail commercial banking suggested that privacy accounts for an estimated 14% of overall brand value, and 7% of overall shareholder value.

The impact of privacy on business should not be thought of as a problem particular to the Internet and banking systems, says Cavoukian. “There is enough evidence to clearly show that privacy concerns affect business across the board,” she says. In The Privacy Payoff, Cavoukian asserts that companies must view privacy as a business issue to be exploited to their competitive advantage. “If you key on the limited perspective that it’s only a legal or statute-driven issue,” she says, “then you lose the notion that good privacy practices can boost brand recognition, foster customer trust and, overall, become a critical driver for increased commerce.”

From this viewpoint of privacy as an economic opportunity, rather than a challenge, one can see why Cavoukian is so pleased with the AICPA/CICA Privacy Framework. “Their work offers both the CA and his or her client an excellent chance at a payoff for being sensitive to consumers’ privacy concerns,” she says. “It’s just the sort of initiative that CA privacy auditors and the organizations’ privacy officers need to refer to as they go about making good business.”

As they seek to improve their organization’s capacity for protecting identifiable personal information, privacy officers are faced with a series of challenges. They must convince management that privacy is an issue that goes beyond minimal legislative compliance. They must ensure that an adequate and appropriate response to privacy requirements is crafted and implemented — one that identifies all occurrences of personal information and addresses security, education and training, business processes, monitoring and enforcement. They must be able to exhibit due diligence throughout the organization and to third parties. Finally, they must ensure that once implemented, the privacy program will ensure compliance through a number of internal and external activities. With the introduction of the privacy framework, these responsibilities have become significantly less daunting.

Privacy is a global phenomenon, and the AICPA/CICA Privacy Framework is a solution of commensurate proportions. It allows organizations to address personal information privacy on a systematic basis that will result in meeting the requirements of most privacy legislation around the world, and one that will allow them to provide independent assurance to business partners and customers.


Robert Parker, MBA, FCA, CA•CISA, CMC, is partner, enterprise risk, at Deloitte in Toronto.

RELATED LINKS

Privacy rules, by Erin R. Kuzz & Rob Colapinto, CAmagazine, November 2003

20 questions directors should ask about privacy, CICA

Privacy, CICA

OECD guidelines on the protection of privacy and transborder flows of personal data

The privacy payoff, by Ann Cavoukian and Tyler J. Hamilton