Chapter 8 - Resources For Privacy Professionals
Introduction
Three resources are included in this chapter. They were carefully selected to help privacy professionals develop, implement and maintain a privacy governance program.
First Resource – Appendix One
The first resource is a paper published by Dr. Ann Cavoukian called “Privacy by Design – The 7 Foundational Principles: Implementation and Mapping of Fair Information Practices”.
The paper describes the “7 Foundational Principles” of Privacy by Design, which were formally documented in 2009. It describes each of the Principles in greater depth and provides a comparison of the Principles of Privacy by Design to the Fair Information Practices.
Privacy by Design refers to the philosophy and approach of embedding privacy into the design and operation of information technologies and systems, at the design stage.
This is achieved by building the principles of Fair Information Practices into the design, operation and management of information processing technologies and systems, thereby minimizing the unnecessary collection and use of personal information and at the same time strengthening data security. It is a valuable organizational due diligence exercise and minimizes expensive system design changes.
Second Resource – Appendix Two
The second resource is the AICPA/CICA Privacy Maturity Model (PMM), which provides entities with an opportunity to assess their privacy initiatives against criteria that reflect the maturity of their privacy program and their level of compliance with Generally Accepted Privacy Principles. The PMM is a useful tool for management, consultants and auditors and should be considered throughout the entity’s journey to develop a strong privacy program and benchmark its progress.
Third Resource – Appendix Three
The third resource is a Sample Privacy Statement Template drafted by Thérèse Reilly, a Toronto lawyer. It is included as a guide to assist privacy professionals with the drafting of a privacy statement, which must be tailored to reflect your specific business operations and meet the applicable privacy and data protection laws of your respective jurisdictions.
Appendix One
Privacy by Design
The 7 Foundational Principles:
Implementation and Mapping of Fair Information Practices
Dr. Ann Cavoukian, Information and Privacy Commissioner of Ontario
The “7 Foundational Principles” of Privacy by Design were formally documented in 2009. Relatively quickly, it became apparent that privacy professionals as well as many business leaders and developers desired additional insight regarding application of the Principles. As a result, Dr. Cavoukian published “Privacy by Design – The 7 Foundational Principles: Implementation and Mapping of Fair Information Practices.”
In addition to describing each of the Principles in greater depth, this paper provides a comparison of the Principles of Privacy by Design to the Fair Information Practices.
Such an exercise enables the reader to appreciate that the universal principles of the Fair Information Practices (FIPs) [1] are affirmed by those of Privacy by Design, but go beyond them to seek the highest global standard possible. Extending beyond FIPs, PbD represents a significant “raising” of the bar in the area of privacy protection.
These information management principles − and the philosophy and methodology they express − can apply to specific technologies, business operations, physical architectures and networked infrastructure − entire information ecosystems.
This guidance is intended to serve as a reference framework and may be used for developing more detailed criteria for application and audit/verification purposes.
Context:
With the shift from industrial manufacturing to knowledge creation and service delivery, the value of information and the need to manage it responsibly have grown dramatically. At the same time, rapid innovation, global competition and increasing system complexity present profound challenges for informational privacy.
While we would like to enjoy the benefits of innovation − new conveniences and efficiencies − we must also preserve our freedom of choice and personal control over our data flows.
Always a social norm, privacy has nonetheless evolved over the years, beyond being viewed solely as a legal compliance requirement, to also being recognized as a market imperative and critical enabler of trust and freedoms in our present-day information society.
There is a growing understanding that innovation, creativity and competitiveness must be approached from a “design-thinking” perspective − namely, a way of viewing the world and overcoming constraints that is at once holistic, interdisciplinary, integrative, innovative, and inspiring.
[1] Cavoukian, Ann, Ph.D., Information & Privacy Commissioner, Ontario, Canada. Creation of a Global Privacy Standard (November 2006), at www.ipc.on.ca/images/Resources/gps.pdf
Privacy, too, must be approached from the same design-thinking perspective. Privacy must be incorporated into networked data systems and technologies, by default.
Privacy must become integral to organizational priorities, project objectives, design processes, and planning operations. Privacy must be embedded into every standard, protocol and process that touches our lives. This document seeks to make this possible by striving to establish a universal framework for the strongest protection of privacy available in the modern era.
The 7 Foundational Principles of Privacy by Design are presented below in Bold, followed by the FIPs principles that map onto each one.
1. Proactive not Reactive; Preventative not Remedial
The Privacy by Design approach is characterized by proactive rather than reactive measures. It anticipates and prevents privacy invasive events before they happen.
PbD does not wait for privacy risks to materialize, nor does it offer remedies for resolving privacy infractions once they have occurred − it aims to prevent them from occurring. In short, Privacy by Design comes before-the-fact, not after.
Whether applied to information technologies, organizational practices, physical design, or networked information ecosystems, PbD begins with an explicit recognition of the value and benefits of proactively adopting strong privacy practices, early and consistently (for example, preventing (internal) data breaches from happening in the first place). This implies:
• A clear commitment, at the highest levels, to set and enforce high standards of privacy − generally higher than the standards set out by global laws and regulation.
• A privacy commitment that is demonstrably shared throughout by user communities and stakeholders, in a culture of continuous improvement.
• Established methods to recognize poor privacy designs, anticipate poor privacy practices and outcomes, and correct any negative impacts, well before they occur in proactive, systematic, and innovative ways.
2. Privacy as the Default Setting
We can all be certain of one thing − the default rules! Privacy by Design seeks to deliver the maximum degree of privacy by ensuring that personal data are automatically protected in any given IT system or business practice. If an individual does nothing, their privacy still remains intact. No action is required on the part of the individual to protect their privacy − it is built into the system, by default.
This PbD principle, which could be viewed as Privacy by Default, is particularly informed by the following FIPs:
• Purpose Specification – the purposes for which personal information is collected, used, retained and disclosed shall be communicated to the individual (data subject) at or before the time the information is collected. Specified purposes should be clear, limited and relevant to the circumstances.
• Collection Limitation – the collection of personal information must be fair, lawful and limited to that which is necessary for the specified purposes.
• Data Minimization − the collection of personally identifiable information should be kept to a strict minimum. The design of programs, information and communications technologies, and systems should begin with non-identifiable interactions and transactions, as the default. Wherever possible, identifiability, observability, and linkability of personal information should be minimized.
• Use, Retention, and Disclosure Limitation – the use, retention, and disclosure of personal information shall be limited to the relevant purposes identified to the individual, for which he or she has consented, except where otherwise required by law. Personal information shall be retained only as long as necessary to fulfill the stated purposes, and then securely destroyed.
• Where the need or use of personal information is not clear, there shall be a presumption of privacy and the precautionary principle shall apply: the default settings shall be the most privacy protective.
3. Privacy Embedded into Design
Privacy by Design is embedded into the design and architecture of IT systems and business practices. It is not bolted on as an add-on, after the fact. The result is that privacy becomes an essential component of the core functionality being delivered. Privacy is integral to the system, without diminishing functionality.
Privacy must be embedded into technologies, operations, and information architectures in a holistic, integrative and creative way. Holistic, because additional, broader contexts must always be considered. Integrative, because all stakeholders and interests should be consulted. Creative, because embedding privacy sometimes means re-inventing existing choices because the alternatives are unacceptable.
• A systemic, principled approach to embedding privacy should be adopted − one that relies upon accepted standards and frameworks, which are amenable to external reviews and audits. All fair information practices should be applied with equal rigour, at every step in the design and operation.
• Wherever possible, detailed privacy impact and risk assessments should be carried out and published, clearly documenting the privacy risks and all measures taken to mitigate those risks, including consideration of alternatives and the selection of metrics.
• The privacy impacts of the resulting technology, operation or information architecture, and their uses, should be demonstrably minimized, and not easily degraded through use, misconfiguration or error.
4. Full Functionality – Positive-Sum, not Zero-Sum
Privacy by Design seeks to accommodate all legitimate interests and objectives in a positive-sum “win-win” manner, not through a dated, zero-sum approach, where unnecessary trade-offs are made. Privacy by Design avoids the pretence of false dichotomies, such as privacy vs. security, demonstrating that it is possible, and far more desirable, to have both.
Privacy by Design does not simply involve the making of declarations and commitments − it relates to satisfying all of an organization’s legitimate objectives − not only its privacy goals. Privacy by Design is doubly-enabling in nature, permitting full functionality − real, practical results and beneficial outcomes to be achieved for multiple parties.
• When embedding privacy into a given technology, process, or system, it should be done in such a way that full functionality is not impaired, and to the greatest extent possible, that all requirements are optimized.
• Privacy is often positioned in a zero-sum manner as having to compete with other legitimate interests, design objectives, and technical capabilities, in a given domain. Privacy by Design rejects taking such an approach – it embraces legitimate non-privacy objectives and accommodates them, in an innovative positive-sum manner.
• All interests and objectives must be clearly documented, desired functions articulated, metrics agreed upon and applied, and trade-offs rejected as often being unnecessary, in favour of finding a solution that enables multi-functionality.
Additional recognition is garnered for creativity and innovation in achieving all objectives and functionalities in an integrative, positive-sum manner. Entities that succeed in overcoming outmoded zero-sum choices are demonstrating first-class global privacy leadership, having achieved the Gold Standard.
5. End-to-End Security – Full Lifecycle Protection
Privacy by Design, having been embedded into the system prior to the first element of information being collected, extends securely throughout the entire lifecycle of the data involved — strong security measures are essential to privacy, from start to finish. This ensures that all data are securely retained, and then securely destroyed at the end of the process, in a timely fashion. Thus, Privacy by Design ensures cradle to grave, secure lifecycle management of information, end-to-end.
Privacy must be continuously protected across the entire domain and throughout the lifecycle of the data in question. There should be no gaps in either protection or accountability. The “Security” principle has special relevance here because, at its essence, without strong security, there can be no privacy.
• Security − Entities must assume responsibility for the security of personal information (generally commensurate with the degree of sensitivity) throughout its entire lifecycle, consistent with standards that have been developed by recognized standards development bodies.
• Applied security standards must assure the confidentiality, integrity and availability of personal data throughout its lifecycle including, inter alia, methods of secure destruction, appropriate encryption, and strong access control and logging methods.
6. Visibility and Transparency – Keep it Open
Privacy by Design seeks to assure all stakeholders that whatever the business practice or technology involved, it is in fact, operating according to the stated promises and objectives, subject to independent verification. Its component parts and operations remain visible and transparent, to both users and providers alike.
Remember, trust but verify!
Visibility and transparency are essential to establishing accountability and trust. This PbD principle tracks well to Fair Information Practices in their entirety, but for auditing purposes, special emphasis may be placed upon the following FIPs:
• Accountability – The collection of personal information entails a duty of care for its protection. Responsibility for all privacy-related policies and procedures shall be documented and communicated as appropriate, and assigned to a specified individual. When transferring personal information to third parties, equivalent privacy protection through contractual or other means shall be secured.
• Openness – Openness and transparency are key to accountability. Information about the policies and practices relating to the management of personal information shall be made readily available to individuals.
• Compliance – Complaint and redress mechanisms should be established, and information communicated about them to individuals, including how to access the next level of appeal. Necessary steps to monitor, evaluate, and verify compliance with privacy policies and procedures should be taken.
7. Respect for User Privacy – Keep it User-Centric
Above all, Privacy by Design requires architects and operators to keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options. Keep it user-centric!
The best Privacy by Design results are usually those that are consciously designed around the interests and needs of individual users, who have the greatest vested interest in the management of their own personal data.
Empowering data subjects to play an active role in the management of their own data may be the single most effective check against abuses and misuses of privacy and personal data. Respect for User Privacy is supported by the following FIPs:
• Consent – The individual’s free and specific consent is required for the collection, use or disclosure of personal information, except where otherwise permitted by law. The greater the sensitivity of the data, the clearer and more specific the quality of the consent required. Consent may be withdrawn at a later date.
• Accuracy – personal information shall be as accurate, complete, and up-to-date as is necessary to fulfill the specified purposes.
• Access – Individuals shall be provided access to their personal information and informed of its uses and disclosures. Individuals shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
• Compliance – Organizations must establish complaint and redress mechanisms, and communicate information about them to the public, including how to access the next level of appeal.
• Respect for User Privacy goes beyond these FIPs, and extends to the need for human-machine interfaces to be human-centered, user-centric and user-friendly so that informed privacy decisions may be reliably exercised. Similarly, business operations and physical architectures should also demonstrate the same degree of consideration for the individual, who should feature prominently at the centre of operations involving collections of personal data.
Appendix A: The 7 Foundational Principles
1. Proactive not Reactive; Preventative not Remedial
The Privacy by Design (PbD) approach is characterized by proactive rather than reactive measures. It anticipates and prevents privacy invasive events before they happen. PbD does not wait for privacy risks to materialize, nor does it offer remedies for resolving privacy infractions once they have occurred − it aims to prevent them from occurring. In short, Privacy by Design comes before-the-fact, not after.
2. Privacy as the Default Setting
We can all be certain of one thing − the default rules! Privacy by Design seeks to deliver the maximum degree of privacy by ensuring that personal data are automatically protected in any given IT system or business practice. If an individual does nothing, their privacy still remains intact. No action is required on the part of the individual to protect their privacy − it is built into the system, by default.
3. Privacy Embedded into Design
Privacy by Design is embedded into the design and architecture of IT systems and business practices. It is not bolted on as an add-on, after the fact. The result is that privacy becomes an essential component of the core functionality being delivered.
Privacy is integral to the system, without diminishing functionality.
4. Full Functionality – Positive-Sum, not Zero-Sum
Privacy by Design seeks to accommodate all legitimate interests and objectives in a positive-sum “win-win” manner, not through a dated, zero-sum approach, where unnecessary trade-offs are made. Privacy by Design avoids the pretense of false dichotomies, such as privacy vs. security, demonstrating that it is possible to have both.
5. End-to-End Security – Full Lifecycle Protection
Privacy by Design, having been embedded into the system prior to the first element of information being collected, extends securely throughout the entire lifecycle of the data involved — strong security measures are essential to privacy, from start to finish. This ensures that all data are securely retained, and then securely destroyed at the end of the process, in a timely fashion. Thus, Privacy by Design ensures cradle to grave, secure lifecycle management of information, end-to-end.
6. Visibility and Transparency – Keep it Open
Privacy by Design seeks to assure all stakeholders that whatever the business practice or technology involved, it is in fact, operating according to the stated promises and objectives, subject to independent verification. Its component parts and operations remain visible and transparent, to users and providers alike. Remember, trust but verify.
7. Respect for User Privacy – Keep it User-Centric
Above all, Privacy by Design requires architects and operators to keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options. Keep it user-centric.
Appendix B: The Global Privacy Standard
The objective of the Global Privacy Standard was to create a single harmonized set of universal privacy principles, reflecting the best of those found in various sets of fair information practices presently in existence.
The Global Privacy Standard, tabled and accepted on November 3, 2006, at the 28th International Data Protection and Privacy Commissioners Conference, draws upon the collective knowledge and practical wisdom of the international data protection community, and presents it in a single, easily understood, standard format.
Scope
The Global Privacy Standard (GPS) reinforces the mandate of privacy and data protection authorities by:
• focusing attention on fundamental and universal privacy concepts;
• widening current privacy awareness and understanding;
• stimulating public discussion of the effects of new information and communication technologies, systems, standards, social norms, and laws, on privacy; and
• encouraging ways to mitigate threats to privacy.
The GPS informs developers and users of new technologies and systems that manage or process information. The GPS may be particularly useful when developing information and communication technology standards, specifications, protocols, and associated conformity assessment practices.
The GPS can assist public policymakers when considering laws, regulations, programs and the use of technologies that may impact privacy. The GPS can equally assist businesses and developers of technology that may have an impact on privacy and personally identifiable information.
The GPS addresses privacy concerns for decision-makers in any organization that may have an impact on the way in which personal information is collected, used, retained, and disclosed.
The GPS is intended to complement not pre-empt or contradict any existing laws or legal requirements bearing upon privacy and personal information, in various jurisdictions.
GPS Privacy Principles
1. Consent
The individual’s free and specific consent is required for the collection, use or disclosure of personal information, except where otherwise permitted by law. The greater the sensitivity of the data, the clearer and more specific the quality of the consent required.
Consent may be withdrawn at a later date.
2. Accountability
Collection of personal information entails a duty of care for its protection. Responsibility for all privacy related policies and procedures shall be documented and communicated as appropriate, and assigned to a specified individual within the organization. When transferring personal information to third parties, organizations shall seek equivalent privacy protection through contractual or other means.
3. Purposes
An organization shall specify the purposes for which personal information is collected, used, retained and disclosed, and communicate these purposes to the individual at or before the time the information is collected. Specified purposes should be clear, limited and relevant to the circumstances.
4. Collection Limitation
The collection of personal information must be fair, lawful and limited to that which is necessary for the specified purposes.
Data Minimization − The collection of personal information should be kept to a strict minimum. The design of programs, information technologies, and systems should begin with non-identifiable interactions and transactions as the default. Wherever possible, identifiability, observability, and linkability of personal information should be minimized.
5. Use, Retention, and Disclosure Limitation
Organizations shall limit the use, retention, and disclosure of personal information to the relevant purposes identified to the individual, except where otherwise required by law.
Personal information shall be retained only as long as necessary to fulfill the stated purposes, and then securely destroyed.
6. Accuracy
Organizations shall ensure that personal information is as accurate, complete, and up-to-date as is necessary to fulfill the specified purposes.
7. Security
Organizations must assume responsibility for the security of personal information throughout its lifecycle consistent with the international standards that have been developed by recognized standards development organizations. Personal information shall be protected by reasonable safeguards, appropriate to the sensitivity of the information (including physical, technical and administrative means).
8. Openness
Openness and transparency are key to accountability. Information about the policies and practices relating to the management of personal information shall be made readily available to individuals.
9. Access
Individuals shall be provided access to their personal information and informed of its uses and disclosures. Individuals shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
10. Compliance
Organizations must establish complaint and redress mechanisms, and communicate information about them to the public, including how to access the next level of appeal.
Organizations shall take the necessary steps to monitor, evaluate, and verify compliance with their privacy policies and procedures.
Source: www.ipc.on.ca/images/Resources/gps.pdf
Appendix C: The Mapping of FIPs onto the 7 Foundational Principles
The original table has three columns: Privacy by Design Foundational Principles; Fair Information Practice Principle (GPS); Extended Principles. Each row is set out below; the GPS numbers refer to the GPS Privacy Principles in Appendix B.

1. Proactive not Reactive; Preventative not Remedial
Fair Information Practice Principle (GPS): (none)
Extended Principles: Demonstrable commitment to set and enforce high privacy standards. Evidence that methods to recognize poor privacy designs, to anticipate poor privacy practices and outcomes, and to correct the negative impacts proactively are established.

2. Privacy as the Default Setting
Fair Information Practice Principle (GPS): 3. Purpose Specification; 4. Collection Limitation, Data Minimization; 5. Use, Retention and Disclosure Limitation
Extended Principles: Privacy as the default starting point for designing and operating information technologies and systems represents the maximum personal privacy that one can have. That is, privacy becomes the prevailing condition - without the data subject ever having to ask for it - no action required.

3. Privacy Embedded into Design
Fair Information Practice Principle (GPS): (none)
Extended Principles: Systemic program or methodology in place to ensure that privacy is thoroughly integrated into operations. It should be standards-based and amenable to review and validation. All privacy threats and risks should be identified and mitigated to the fullest extent possible in a documented action plan.

4. Full Functionality – Positive-Sum, not Zero-Sum
Fair Information Practice Principle (GPS): (none)
Extended Principles: All legitimate non-privacy interests and objectives are identified early, desired functions articulated, agreed metrics applied, and unnecessary trade-offs rejected in favour of achieving multifunctional solutions.

5. End-to-End Security – Full Lifecycle Protection
Fair Information Practice Principle (GPS): 7. Security
Extended Principles: (none)

6. Visibility and Transparency – Keep it Open
Fair Information Practice Principle (GPS): 2. Accountability; 8. Openness; 10. Compliance
Extended Principles: (none)

7. Respect for User Privacy – Keep it User-Centric
Fair Information Practice Principle (GPS): 1. Consent; 6. Accuracy; 9. Access
Extended Principles: (none)
Appendix Two
AICPA/CICA Privacy Maturity Model User Guide
Excerpted from the AICPA/CICA Privacy Maturity Model. Reproduced with permission.
1 INTRODUCTION
Privacy related considerations are significant business requirements that must be addressed by organizations that collect, use, retain and disclose personal information about customers, employees and others about whom they have such information.
Personal information is information that is about, or can be related to, an identifiable individual, such as name, date of birth, home address, home telephone number or an employee number. Personal information also includes medical information, physical features, behaviour and other traits.
Privacy can be defined as the rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and disposal of personal information.
Becoming privacy compliant is a journey. Legislation and regulations continue to evolve resulting in increasing restrictions and expectations being placed on employers, management and boards of directors. Measuring progress along the journey is often difficult and establishing goals, objectives, timelines and measurable criteria can be challenging. However, establishing appropriate and recognized benchmarks, then monitoring progress against them, can ensure the organization’s privacy compliance is properly focused.
[2] The American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) have developed tools, processes and guidance based on Generally Accepted Privacy Principles (GAPP) to assist organizations in strengthening their privacy policies, procedures and practices. GAPP and other tools and guidance, such as the AICPA/CICA Privacy Risk Assessment Tool, are available at www.aicpa.org/privacy and www.cica.ca/privacy.
Generally Accepted Privacy Principles (GAPP)
Generally Accepted Privacy Principles has been developed from a business perspective, referencing some but by no means all significant local, national and international privacy regulations. GAPP converts complex privacy requirements into a single privacy objective supported by 10 privacy principles. Each principle is supported by objective, measurable criteria (73 in all) that form the basis for effective management of privacy risk and compliance. Illustrative policy requirements, communications and controls, including their monitoring, are provided as support for the criteria.
GAPP can be used by any organization as part of its privacy program. GAPP has been developed to help management create an effective privacy program that addresses privacy risks and obligations as well as business opportunities. It can also be a useful tool to boards and others charged with governance and the provision of oversight. It includes a definition of privacy and an explanation of why privacy is a business issue and not solely a compliance issue. Also illustrated are how these principles can be applied to outsourcing arrangements and the types of privacy initiatives that can be undertaken for the benefit of organizations, their customers and related persons.
The ten principles that comprise GAPP:
Management. The entity defines, documents, communicates and assigns accountability for its privacy policies and procedures.
Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained and disclosed.
Choice and consent. The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use and disclosure of personal information.
Collection. The entity collects personal information only for the purposes identified in the notice.
Use, retention and disposal. The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.
Access. The entity provides individuals with access to their personal information for review and update.
Disclosure to third parties. The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
Security for privacy. The entity protects personal information against unauthorized access (both physical and logical).
Quality. The entity maintains accurate, complete and relevant personal information for the purposes identified in the notice.
Monitoring and enforcement. The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.
Since GAPP forms the basis for the Privacy Maturity Model (PMM), an understanding of GAPP is required. In addition, an understanding of the entity’s privacy program and any specific privacy initiatives is also required. The reviewer should also be familiar with the privacy environment in which the entity operates, including legislative, regulatory, industry and other jurisdictional privacy requirements.
Privacy Maturity Model
Maturity models are a recognized means by which organizations can measure their progress against established benchmarks. As such, they recognize that:
becoming compliant is a journey and progress along the way strengthens the organization, whether or not the organization has achieved all of the requirements;
in certain cases, such as security-focused maturity models, not every organization, or every security application, needs to be at the maximum for the organization to achieve an acceptable level of security; and
the creation of value or benefits may be possible if the organization achieves a higher maturity level.
The AICPA/CICA Privacy Maturity Model 2 is based on GAPP and the Capability Maturity Model (CMM), which has been in use for almost 20 years.
The PMM uses five maturity levels as follows:
1. Ad hoc – procedures or processes are generally informal, incomplete, and inconsistently applied.
2. Repeatable – procedures or processes exist; however, they are not fully documented and do not cover all relevant aspects.
3. Defined – procedures and processes are fully documented and implemented, and cover all relevant aspects.
4. Managed – reviews are conducted to assess the effectiveness of the controls in place.
5. Optimized – regular review and feedback are used to ensure continuous improvement towards optimization of the given process.
In developing the PMM, it was recognized that each organization’s personal information privacy practices may be at various levels, whether due to legislative requirements, corporate policies or the status of the organization’s privacy initiatives. It was also recognized that, based on an organization’s approach to risk, not all privacy initiatives would need to reach the highest level on the maturity model.
Each of the 73 GAPP criteria is broken down according to the five maturity levels. This allows entities to obtain a picture of their privacy program or initiatives both in terms of their status and, through successive reviews, their progress.
3 ADVANTAGES OF USING THE PRIVACY MATURITY MODEL
The PMM provides entities with a useful and effective means of assessing their privacy program against a recognized maturity model and has the added advantage of identifying the next steps required to move the privacy program ahead. The PMM can also measure progress against both internal and external benchmarks. Further, it can be used to measure the progress of both specific projects and the entity’s overall privacy initiative.
4 USING THE PRIVACY MATURITY MODEL
The PMM can be used to provide:
the status of privacy initiatives
a comparison of the organization’s privacy program among business or geographical units, or the enterprise as a whole
a time series analysis for management
a basis for benchmarking to other comparable entities.
To be effective, users of the PMM must consider the following:
maturity of the entity’s privacy program
ability to obtain complete and accurate information on the entity’s privacy initiatives
agreement on the Privacy Maturity assessment criteria
level of understanding of GAPP and the PMM.
2 This model is based on Technical Report, CMU/SEI-93TR-024 ESC-TR-93177, “Capability Maturity Model SM for Software, Version 1.1,” Copyright 1993 Carnegie Mellon University, with special permission from the Software Engineering Institute. Any material of Carnegie Mellon University and/or its Software Engineering Institute contained herein is furnished on an “as-is” basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied, as to any matter including, but not limited to, warranty of fitness for purpose or merchantability, exclusivity, or results obtained from use of material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. This model has not been reviewed nor is it endorsed by Carnegie Mellon University or its Software Engineering Institute. Capability Maturity Model, CMM, and CMMI are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.
Getting Started
While the PMM can be used to set benchmarks for organizations establishing a privacy program, it is designed to be used by organizations that have an existing privacy function and some components of a privacy program. The PMM provides a structured means to assist in identifying and documenting current privacy initiatives, determining their status and assessing it against the PMM criteria.
Start-up activities could include:
identifying a project sponsor (Chief Privacy Officer or equivalent)
appointing a project lead with sufficient privacy knowledge and authority to manage the project and assess the findings
forming an oversight committee that includes representatives from legal, human resources, risk management, internal audit, information technology and the privacy office
considering whether the committee requires outside privacy expertise
assembling a team to obtain and document information and perform the initial assessment of the maturity level
managing the project by providing status reports and the opportunity to meet and assess overall progress
providing a means to ensure that identifiable risk and compliance issues are appropriately escalated
ensuring the project sponsor and senior management are aware of all findings
identifying the desired maturity level by principle and/or for the entire organization for benchmarking purposes.
Document Findings against GAPP
The maturity of the organization’s privacy program can be assessed when findings are:
documented and evaluated under each of the 73 GAPP criteria
reviewed with those responsible for their accuracy and completeness
reflective of the current status of the entity’s privacy initiatives and program. Any plans to implement additional privacy activities and initiatives should be captured on a separate document for use in the final report.
As information on the status of the entity’s privacy program is documented for each of the 73 privacy criteria, it should be reviewed with the providers of the information and, once confirmed, reviewed with the project committee.
Assessing Maturity Using the PMM
Once information on the status of the entity’s privacy program has been determined, the next task is to assess that information against the PMM.
Users of the PMM should review the descriptions of the activities, documents, policies, procedures and other information expected for each level of maturity and compare them to the status of the organization’s privacy initiatives.
In addition, users should review the next-higher classification and determine whether the entity could or should strive to reach it.
It should be recognized that an organization may decide for a number of reasons not to be at maturity level 5. In many cases a lower level of maturity will suffice. Each organization needs to determine the maturity level that best meets its needs, according to its circumstances and the relevant legislation.
Once the maturity level for each criterion has been determined, the organization may wish to summarize the findings by calculating an overall maturity score by principle and one for the entire organization. In developing such a score, the organization should consider the following:
sufficiency of a simple mathematical average; if insufficient, determination of the weightings to be given to the various criteria
documentation of the rationale for weighting each criterion for use in future benchmarking.
5 PRIVACY MATURITY MODEL REPORTING
The PMM can be used as the basis for reporting on the status of the entity’s privacy program and initiatives. It provides a means of reporting status and, if assessed over time, reporting progress made.
In addition, by documenting requirements of the next-higher level on the PMM, entities can determine whether and when they should initiate new privacy projects to raise their maturity level. Further, the PMM can identify situations where the maturity level has fallen and identify opportunities and requirements for remedial action.
Privacy maturity reports can be in narrative form; a more visual form can be developed using graphs and charts to indicate the level of maturity at the principle or criterion level.
The following examples, based on internal reports intended for management, use graphical representations.
Figure 1 – Privacy Maturity Report by GAPP Principle
Figure 1 shows a sample graph that could be used to illustrate the maturity of the organization’s privacy program by each of the 10 principles in GAPP.
The report also indicates the desired maturity level for the enterprise.
Reports like this are useful in providing management with an overview of the entity’s privacy program and initiatives.
Figure 2 – Maturity Report by Criteria within a Specific GAPP Principle
Figure 2 shows the maturity of each criterion within a specific principle – in this case, the ‘Notice’ principle.
The report indicates the actual maturity level for each criterion.
The report also indicates the actual and desired maturity level for the principle as a whole.
Reports like this provide useful insight into specific criteria within a privacy principle.
Figure 3 – Maturity Report by Criteria within a GAPP Principle Over Time
Figure 3 shows the maturity of each criterion within the ‘Collection’ principle for three time periods.
The report indicates the actual maturity level for each criterion for three different time periods.
Reports like this provide useful insight into progress being made by the entity’s privacy initiatives over time.
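The roll-up described above, as an added Python example that is not part of the AICPA/CICA document: scoring by principle with a simple or a weighted average, the actual-versus-desired view of Figure 1, the criterion view of Figure 2, the time series of Figure 3, and the spotting of criteria whose level has fallen. The findings, criterion ids, weights and desired levels it uses are constructed placeholders, not GAPP's real criterion numbering.

```python
"""Roll-up of a PMM assessment: by principle, against desired level, over time."""
from collections import defaultdict
from statistics import mean
from typing import NamedTuple

# The five PMM maturity levels named in the text.
MATURITY_LEVELS = {1: "Ad hoc", 2: "Repeatable", 3: "Defined", 4: "Managed", 5: "Optimized"}


class Finding(NamedTuple):
    principle: str  # one of the ten GAPP principles
    criterion: str  # criterion id (placeholder ids here, not the real GAPP numbering)
    period: str     # assessment period, so successive reviews can be compared
    level: int      # assessed maturity level, 1..5


# Constructed sample findings (not data from the page): three criteria for two
# principles over two periods. A real assessment covers all 73 GAPP criteria.
FINDINGS = [
    Finding("Notice", "NOT-1", "2012", 3), Finding("Notice", "NOT-2", "2012", 2),
    Finding("Notice", "NOT-3", "2012", 1),
    Finding("Notice", "NOT-1", "2013", 3), Finding("Notice", "NOT-2", "2013", 3),
    Finding("Notice", "NOT-3", "2013", 2),
    Finding("Collection", "COL-1", "2012", 3), Finding("Collection", "COL-2", "2012", 3),
    Finding("Collection", "COL-3", "2012", 4),
    Finding("Collection", "COL-1", "2013", 4), Finding("Collection", "COL-2", "2013", 2),
    Finding("Collection", "COL-3", "2013", 4),
]
# Desired level per principle, fixed during start-up (constructed values).
DESIRED = {"Notice": 3, "Collection": 4}
# Optional weights with the documented rationale the text asks for (constructed):
# criteria tied to a legal obligation count double.
WEIGHTS = {
    "NOT-1": (2.0, "statutory notice requirement"), "NOT-2": (1.0, "internal practice"),
    "NOT-3": (1.0, "internal practice"),
    "COL-1": (2.0, "collection limited to stated purposes; legal obligation"),
    "COL-2": (1.0, "internal practice"), "COL-3": (1.0, "internal practice"),
}


def criterion_levels(findings, period):
    """Figure 2 view: {principle: {criterion: level}} for one assessment period."""
    out = defaultdict(dict)
    for f in findings:
        if f.level not in MATURITY_LEVELS:
            raise ValueError(f"{f.criterion}: level {f.level} is outside 1..5")
        if f.period == period:
            out[f.principle][f.criterion] = f.level
    return dict(out)


def principle_score(levels, weights=None):
    """Score for one principle: the simple average the text mentions, or, when a
    weights table is given, the average weighted by each criterion's entry."""
    if not levels:
        raise ValueError("no criteria assessed for this principle")
    if weights is None:
        return round(mean(levels.values()), 2)
    total = sum(weights[c][0] for c in levels)
    return round(sum(weights[c][0] * lvl for c, lvl in levels.items()) / total, 2)


def principle_report(findings, period, desired, weights=None):
    """Figure 1 view: actual vs desired level per principle and the gap to close."""
    rows = {}
    for principle, levels in criterion_levels(findings, period).items():
        actual = principle_score(levels, weights)
        rows[principle] = {"actual": actual, "desired": desired[principle],
                           "gap": round(desired[principle] - actual, 2)}
    return rows


def organization_score(findings, period, weights=None):
    """One enterprise-wide score: the mean of the principle scores."""
    per_principle = criterion_levels(findings, period).values()
    return round(mean(principle_score(lv, weights) for lv in per_principle), 2)


def time_series(findings, principle):
    """Figure 3 view: {criterion: {period: level}} for one principle."""
    out = defaultdict(dict)
    for f in findings:
        if f.principle == principle:
            out[f.criterion][f.period] = f.level
    return dict(out)


def regressions(findings, earlier, later):
    """Criteria whose level fell between two periods: candidates for remedial action."""
    before, after = criterion_levels(findings, earlier), criterion_levels(findings, later)
    drops = []
    for principle, levels in after.items():
        for criterion, level in levels.items():
            prev = before.get(principle, {}).get(criterion)
            if prev is not None and level < prev:
                drops.append((principle, criterion, prev, level))
    return drops
```

With the constructed data, principle_report(FINDINGS, "2013", DESIRED, WEIGHTS) shows Notice at 2.75 against a desired 3 and regressions(FINDINGS, "2012", "2013") flags COL-2 as having fallen from Defined to Repeatable, the kind of situation the text says should trigger remedial action.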
6 SUMMARY
The AICPA/CICA Privacy Maturity Model provides entities with an opportunity to assess their privacy initiatives against criteria that reflect the maturity of their privacy program and their level of compliance with Generally Accepted Privacy Principles.
The PMM can be a useful tool for management, consultants and auditors and should be considered throughout the entity’s journey to develop a strong privacy program and benchmark its progress.
Appendix Three
Sample Privacy Statement Template
Index
What this Privacy Statement Covers
Accountability
Safe Harbour and TRUSTe Certification
What is Personal Information?
Collection of Personal Information
How we use your personal information
How we share your personal information
Consent
How we obtain Your Consent
Withdrawing Consent
Children’s Privacy
Your Choices
Consent to Transfer
Access to and accuracy of your Personal Information
We Respond Promptly
Retention
Safeguards
Cookies
Links to Third Party Sites
Use of Social Media
IP addresses and information about your computer and mobile device
Changes to this Privacy Statement
How to Reach Us
Sample Privacy Statement Template 3
Written by M. Thérèse Reilly, Barrister and Solicitor, BA, LLB, LLM, CIPP/C
Protecting your privacy and the confidentiality of your personal information has always been an important aspect of our operations. The collection and use of customers' personal information is fundamental to our day-to-day business operations. [Company name], its subsidiaries and affiliates, hereinafter called “us” or “we”, respect your privacy.
We take your privacy seriously and share your concerns about privacy and the protection of your personal information.
The purpose of this Privacy Statement (“Policy”) is to inform you how we collect, use, disclose and protect your personal information.
What This Privacy Statement Covers 4
This Policy applies to our collection, use and disclosure of your personal information in Canada. It applies to all subsidiaries, affiliates and owned websites and domains and the websites and domains of our wholly owned subsidiaries ("website").
All our employees, board members, and contracted parties working on our behalf must comply with these policies, even if local law is less restrictive. Specific practices are tailored to meet the legal, regulatory, and cultural requirements of the countries and regions where we operate.
Accountability
We take our commitment to securing your privacy very seriously. Each employee and representative is responsible for the personal information under his or her control. Our employees are informed about the importance of privacy and receive information periodically to update them about our Policy and related practices and processes.
In addition to establishing this Policy, we have appointed a member of our Executive as our Chief Privacy Officer who is responsible for analyzing all personal information handling practices and ensuring that our privacy policy is up-to-date and in force at all times.
3 This document is a sample template provided for information purposes only. It is not provided for nor should it be construed as legal advice. It is meant to serve as a guide to assist you with developing or formulating your own privacy statement, which is to be customized to your specific business and operations taking into account the applicable privacy and data protection laws of your respective jurisdictions.
4 Customize each section and clause based on your specific business or operations. Your privacy statement must be tailored to meet your specific business and the requirements, laws and business practices of your respective jurisdiction. The clauses throughout are provided only as a sample to serve as a guide in drafting your privacy statement. This Privacy Statement and selected clauses are provided for information purposes only. Include a particular clause only if applicable to you (for example, the Safe Harbour clause).
Safe Harbour
We participate in the EU Safe Harbour Privacy Framework as set forth by the United States Department of Commerce and have also self-certified our privacy practices as consistent with U.S.-E.U. Safe Harbour principles: Notice, Choice, Onward Transfer, Access and Accuracy, Security, Data Integrity and Enforcement. As part of our participation in the Safe Harbour Privacy Framework, we have agreed to TRUSTe dispute resolution for disputes relating to our compliance with it.
TRUSTe Certification
We were awarded TRUSTe’s Privacy Seal signifying that this privacy policy and practices have been reviewed by TRUSTe for compliance with TRUSTe’s program requirements including transparency, accountability and choice regarding the collection and use of personal information. TRUSTe is an independent organization whose mission is to enable individuals and organizations to establish trusting relationships based on respect for personal identity and information by promoting the use of fair information practices.
What is Personal Information?
Personal information is any piece of information, either factual or subjective, about an identifiable individual. Personal information does not include the name, title, business address, or telephone number of an employee of an organization.
The types of personal information we collect may include contact information such as your name, address, telephone number, cell number, email address; financial information such as your credit card number; and other unique information such as user IDs and passwords, billing and transaction information, product and service preferences, contact preferences, educational and employment background, and job interest data.
Collection of Personal Information
Personal information may be collected from you through a variety of means, including, as examples, websites, other ordering channels, and service or employment processes.
We may also obtain personal information about covered individuals from other publicly or commercially available sources we deem credible.
Either before or when we collect information about you, we will explain how we intend to use it. We will limit the information we collect to what we need for those purposes, and we will use it only for those purposes. We will obtain your consent if we wish to use your information for any other purpose. We collect information by fair and lawful means.
We may collect information during your visit to our website via such tools as Web beacons, cookies and clickstreaming. These tools collect certain traffic information that your browser sends to a website, such as your browser type and language, access times, and the address of the website from which you arrived. They may also collect information about your Internet Protocol (IP) address, click stream behavior and product information. An IP address is a number that is automatically assigned to your computer whenever you are surfing the Web, allowing Web servers to locate and identify your computer.
Clickstreaming is a technology that allows a website operator to track the paths that surfers take as they access a website and look at the site's pages, and as they use links to other sites.
Web beacons are small graphic images that allow a website operator to collect certain information and monitor user activity on its website. A web beacon is a very small pixel which is invisible to the user.
Web site traffic information is monitored and analyzed in order to determine which features and services are popular and useful to visitors, so that we can improve our services.
How we use your information 5
The information we collect to understand your needs and interests helps us deliver a consistent and personalized experience. For example, we may use your information to:
facilitate your registration options, including emailing you your personalized membership number;
assist you in completing a transaction or order;
prevent and detect security threats, fraud or other malicious activity;
communicate with you about products and services;
provide service and support;
update you on new services and benefits;
provide personalized promotional offers;
select content to be communicated to you;
personalize our websites;
measure performance of marketing initiatives, ads, and websites “powered by” another company on our behalf;
allow you to participate in contests and surveys;
contact you regarding our products or services;
send you periodic newsletters and mailings you request;
help us manage operations and risk;
satisfy valid information requests from regulators and other organizations or individuals who are legally entitled to make such requests;
monitor and/or record your telephone discussions with our representatives for our mutual protection; and
enhance customer service and confirm our discussions with you.
5 Select as appropriate
How we Share Your Information
We do not directly provide all the services related to your relationship with us. We may use third party service providers to process or handle personal information on our behalf.
Some of our service providers are located outside of Canada and subject to foreign legislation. Whenever we share your personal information with these trusted service providers, they work under confidentiality agreements. Suppliers and service providers are required by contract to keep confidential the information received on our behalf and may not use it for any purpose other than to carry out the services they are performing for us.
We may provide your information to other persons in situations where:
we have your consent;
we are required or permitted to do so by law or applicable regulators and self-regulatory organizations;
we provide the product or service you have requested.
As we continue to develop and grow, we may buy or sell parts of our businesses. As our businesses consist primarily of our customer relationships, personal customer information and information regarding the particular account or service being purchased or sold would generally be one of the transferred business assets.
Consent
We will only collect, use or disclose your personal information with your consent, except as permitted or required by law. We may be required or permitted under statute or regulation to collect, use or disclose personal information without your consent, for example in response to a court order or subpoena, to comply with local or federal regulations, or to collect a debt owed to us.
How we obtain your consent
It is important to understand the different ways that we may obtain your consent to collect, use, disclose and share your personal information.
Consent to the collection, use and disclosure of personal information may be given in various ways depending on the situation and the sensitivity of the information.
Consent can be express (for example, orally, electronically or on a form you may sign describing the intended uses and disclosures of personal information) or implied (for example, when you provide information necessary for a service you have requested, or in some circumstances where notice has been provided to you about our intentions with respect to your personal information and you have not withdrawn your consent for an identified purpose, such as by using an "opt-out" option provided).
Implied consent may be also obtained through your use of a product, or when you approach us to obtain products or services from us. Generally, by providing us with personal information, we will assume that you consent to our collection, use and disclosure of such information for the purposes identified or as described in this privacy policy, if applicable, or otherwise at the time of collection.
Consent may be given by your authorized representative (such as a legal guardian or a person having a power of attorney).
We will not make your consent a condition of obtaining a product or service, unless it is reasonably or legally required, and we will clearly indicate when this is the case.
Withdrawing Consent
You may withdraw your consent to our collection, use and disclosure of personal information at any time, subject to contractual and legal restrictions and reasonable notice. Note that if you withdraw your consent to certain uses of your personal information, we may no longer be able to provide certain of our products or services.
Children's Privacy 6
We do not knowingly collect information from children under the age of 13 and do not target our websites to children under 13. We encourage parents and guardians to take an active role in their children's online activities and interests.
Your Choices
We give you the choice of receiving a variety of information that complements our products and services. You can subscribe to receive certain product and service specific information and also choose to receive general communications. We give you a choice regarding delivery of general communications by postal mail, email, telephone, and mobile device 7.
Under no circumstances do we sell customer lists or other personal information to third parties for marketing purposes.
Consent to Transfer
This website is operated in Canada. If you are located in the United States of America, the European Union or elsewhere outside of Canada, please be aware that any information you provide to us will be transferred to Canada. By using this site and participating in any of our services and/or providing us with your information, you consent to this transfer.
Access to and Accuracy of Your Information
We strive to keep your personal information accurately recorded. We have implemented technology, management processes and policies to help maintain data accuracy. We provide individuals with reasonable access to personal information that they provided to us and the reasonable ability to review, correct or delete it, as applicable.
6 Notwithstanding the foregoing, we may from time to time conduct, sponsor, co-sponsor or participate in contests and/or promotions that may be open to entrants of all ages, including children under the age of 13. During any such contest and/or promotions we will make a special effort to encourage children to consult with their parents before furnishing data and in each case parental consent must be obtained in order for any such entry or participation to be valid. We believe that parents should supervise their children's online activities and consider using parental control tools available from online services and software manufacturers that help provide a child-friendly online environment.
7 Provide information and opportunity to select privacy preferences.
We have policies and procedures to help us maintain the accuracy of your information.
For most updates, we rely on you for information. You can help by keeping us informed of any changes, such as if you move or change telephone numbers. If you find any errors in our information about you, let us know and we will make the corrections immediately, and make sure they are conveyed to anyone we may have misinformed.
To protect your privacy and security, we will also take reasonable steps to verify your identity, such as requiring a password and user ID, before granting access to your data.
You can check your information to verify, update and correct it, and to have any obsolete information removed. There is no charge for verifying or correcting your information.
If you have a sensory disability, we will do our best to give you access to your personal information in any alternative format you request if we already have it in that format or if its conversion into that format is reasonable and necessary in order for you to be able to exercise your rights under applicable legislation.
If you ask, we will let you know the names of outside companies or organizations we have given information to. This may include information given to outside companies we have used to do work for us, such as mailing houses.
We Respond to Your Request Promptly
We will respond to your request for access to your personal information within 30 days of receiving your written request. If however we need to extend the time, or we have to refuse your request, we will tell you why, subject to any legal restrictions and we will notify you of the new deadline, the reasons for the extension, and your rights under applicable legislation respecting the extension.
We cannot provide information from our records which contains references to other persons, is subject to legal privilege, contains confidential information proprietary to us, relates to an investigation of a breach of agreement or contravention of laws, or cannot be disclosed for other legal reasons.
Retention
We will retain your information only for the time it is required for the purposes we describe and as permitted by applicable law.
The length of time we retain information varies depending on the product or service and the nature of the information. This period may extend beyond the end of your relationship with us but only for so long as it is necessary for us to have sufficient information to respond to any issue that may arise at a later date. When your personal information is no longer required, it is destroyed or made anonymous.
Safeguards
We protect your personal information using physical, electronic or procedural security measures appropriate to the sensitivity of the information in our custody or control, including safeguards to protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.
We take seriously the trust you place in us. To prevent unauthorized access or disclosure, to maintain data accuracy, and to ensure the appropriate use of the information, we utilize appropriate physical, technical and administrative procedures to safeguard the information we collect.
The personal information you provide us is stored on computer systems located in controlled facilities which have limited access. When we transmit highly confidential information (such as a credit card number or password) over the internet, we protect it through the use of encryption, such as the Secure Sockets Layer (SSL) protocol.
We audit our procedures and security measures regularly to ensure that they are being properly administered and that they remain effective and appropriate to the sensitivity of the information.
Access to personal information is authorized only for our employees, representatives and service providers who require access in the performance of their duties, to any person granted access by the individual through the consent process and to those otherwise authorized by law.
When providing information to service providers acting on our behalf, we will require such organizations or individuals to abide by our Privacy Policy or to have their own policy which gives generally equivalent protection. We will give them only the information necessary to perform the services for which they are engaged, and will require that they not store, analyze or use that information for purposes other than to carry out those services.
Our computer systems, including portions of our websites, are password-secured and constructed in such a way that only authorized individuals can access secure systems and databases. To safeguard against unauthorized access to your personal information via the Internet, you are required to "sign on" to certain secure areas of our websites using an individual, confidential password.
Cookies
A cookie is a small file containing certain pieces of information that a website creates when you visit the site. It can track how and when you use a site, which site you visited immediately before, and it can store that information about you.
There are two common types of cookies, "session cookies" and "persistent cookies".
Session cookies store information only for the length of time that you are connected to a website - they are not written onto your hard drive. Once you leave the website, the originator of the cookie no longer has the information that was contained on it.
We use session cookies as an additional security feature for our online services. For example, when you login to any web service and are authenticated through your login ID and password, a cookie will store the identification number of your browser. Throughout your session, the cookie acts as a type of digital signature to identify your current session to the web server.
We also use session cookies to track your visits within our site. We use that information to determine the type of information that you are looking for in our site and to improve our site. We use information about the site you visited immediately prior to our site to assess the viability of links to our site that we have created on third party sites.
The information stored in "persistent cookies" is written onto your hard drive and remains there until the expiry date of the cookie. We use persistent cookies to store non-sensitive information that you are aware of and have agreed to.
We also employ persistent cookies, in order to provide you with a more comfortable online experience. A persistent cookie is placed on your computer's hard drive to remember your language preference and ensure you are always presented with the appropriate language.
All persistent cookies used by us are encrypted for additional security.
Currently, most browsers do not distinguish between session cookies and persistent cookies. For web services to operate, your browser must be set to accept cookies. If you are concerned about having your browser enabled to accept cookies while you are surfing other websites, we recommend that you enable your browser to notify you when it is receiving a cookie. This gives you the ability to accept or reject any cookie presented by the web server you are visiting.
You can disable cookies using your Internet browser's settings. Please consult your browser's help function for information on how to disable cookies. Note that if you disable cookies, certain features of our website will not function properly.
Links to third party websites
Our website may provide links to third-party websites for your convenience and information. If you access those links, you will leave our website. We do not control those sites or their privacy practices, which may differ from our practices. We do not endorse or make any representations about third-party websites. The personal data you choose to provide to or that is collected by these third parties is not covered by this Privacy Statement. We encourage you to review the privacy policy of any company before submitting your personal information.
Use of Social Media Sites
We may also provide social media features on our website that enable you to share information with your social networks and to interact with us on various social media sites. Your use of these features may result in the collection or sharing of information about you, depending on the feature. We encourage you to review the privacy policies and settings on the social media sites with which you interact to make sure you understand the information that could be shared by those sites.
If you post, comment or share personal information, including photographs, to any public forum on one of our sites, social network, blog, or other such forum, please be aware that any personal information you submit can be read, viewed, collected, or used by other users of these forums, and could be used to contact you, send you unsolicited messages, or for purposes that neither you nor we have control over. We are not responsible for the personal information you choose to submit in these forums.
IP addresses and information about your computer and mobile device
Due to the communications standards on the internet, when you visit our website we automatically receive the URL of the site from which you came and the site to which you are going. We also receive the internet protocol ("IP") address of your computer (or the proxy server you use to access the World Wide Web), your computer operating system and type of web browser you are using, email patterns, mobile device operating system (if you are accessing our website using a mobile device), as well as the name of your ISP or your mobile carrier. We use this information to analyze overall trends to help improve the service. The linkage between your IP address and your personally identifiable information is not shared with third parties without your permission.
Changes to this Privacy Statement
We may amend this Privacy Statement from time to time. If we change our privacy statement, we will post the revised statement here, with an updated revision date. You acknowledge that we may amend this agreement from time to time to take into consideration changes in legislation or other issues that may arise. If we make any substantial changes, we will notify you by sending a notice to the primary email address specified in your account or by posting the revised policy on this website. We may also send it to you by mail.
Language
The parties have expressly requested and required that this Privacy Statement and all other related documents be drawn up in the English language. The parties agree and expressly require that this Policy and all documents relating to it be drafted in English.
How to Reach Us
If you have comments or questions about our privacy statement, please send them to our Privacy Office or write to us.
If you have a request to change your information or concerns regarding our personal information practices and/or our Privacy Policy, please contact us [insert appropriate telephone number or address or email].