adm data privacy student guide

8/12/2019 Adm Data Privacy Student Guide

1/56

2005 Hewlett-Packard Development Company, L.P.The information contained herein is subject to change without notice

Customer DataPrivacy

in an OutsourcingEnvironment

HP Restricted

Raymond FarraroHPS Customer Privacy ManagerAllan PaullAPJ Customer Privacy Manager

November, 2005


2/56

November, 2005 HP Restricted 2

Learning Objectives

After completing this training, you should be able to:

Describe how the HP Privacy Policy applies to ManagedServices deals and operations:

Implications of the data flow model

Sharing of PII with third parties

Impact of unauthorized access of sensitive PII

Types of data transferstorage, access, Meta data

Recognize the consequences of inaction to privacyexposures

Locate resources to develop a privacy compliance strategyand answer a customers privacy questions

Incorporate a privacy compliance strategy into yourrespective account support activities


3/56


Privacy Basics

Agenda

Overview

Scenarios for Discussion and Review

Where to Get Help

Summary


4/56


Privacy Basics

Agenda

Overview


Where to Get Help

Summary


5/56


Topics

HP and Privacy

Business Case for Privacy

Privacy Hit and Misses


6/56


HP and PrivacyHP has an industry leading

privacy program. In January2005, HP was selected* as theMost Trusted Company forPrivacy based on an awardevaluation program that

included a rigorous review of thecompanys policy, procedures,and customer outreach .

It will take a concerted effort at

all levels of the company tosustain our competitiveadvantage in privacy.

*Selection was made by an expert panel led by TRUSTe and Ponemon Institute.


7/56November, 2005 HP Restricted 7

Business Case for Privacy

1. Creating TRUSTbuilds revenue potential and avoids

loss of revenue.2. Protecting privacy strengthens our BRANDand

prevents bad press and loss of our good name.

3. Country-specific LAWSexpose us to a risk of litigationand our privacy statement is legally-binding.



Privacy Hits and Misses

hpshopping.com $10.6 Billion Oversight

AOL Internal Hacker

Acxiom External Hacker

Victorias Secret Website Flaw

Choicepoint Privacy Blunder



Privacy Basics

Agenda

Overview


Getting Help

Summary



Topics

HP Privacy Policies and

Principles Data Protection

Requirements

Roles and Responsibilities

Data Transfer



HP Privacy Policies

HPs Worldwide Privacy Policies

permit the processing and exchangeof customer and employee data forbusiness purposes but they:

Require compliance with applicable

laws Are designed to meet the

expectations of HPs customers,

employees, and respective business

needsWeb address for policies:

Global Privacy Policy

WW On-Line Policy
http://www.hp.com/hpinfo/globalcitizenship/privacy/masterpolicy.htmlhttp://welcome.hp.com/country/us/en/privacy/worldwide_privacy.htmlhttp://welcome.hp.com/country/us/en/privacy/worldwide_privacy.htmlhttp://welcome.hp.com/country/us/en/privacy/worldwide_privacy.htmlhttp://welcome.hp.com/country/us/en/privacy/worldwide_privacy.htmlhttp://www.hp.com/hpinfo/globalcitizenship/privacy/masterpolicy.html



HP Privacy Principles

Tell customers what you are doing (data collectionand usage).

Obtain permission for customer contact and datasharing.

Protect data when sharing and transferring

overseas. Maintain data securely.

Provide processes for customers to view and updatedata; maintain accuracy of data across company.

Use encryption, restriction, and authentication to

protect customer data.

Measure how well you honor your customercommitments; provide dispute resolution andescalation paths.

Oversight

Onward

Transfer

Security

Choice

Notice

Access

and Accuracy



Data Protection Requirements

Racial or ethnic origin, political opinions,religious beliefs, trade union membership,health, sex life, and criminal convictions. Theprocessing of such data is subject to stricterconditions.

Sensitive personaldata/ Sensitive

information

Information that can be traced to a particularindividual, such as a name, mailing address,phone number, social security number, or emailaddress.

Special care must be taken with certain PII,such as credit card numbers and identificationnumbers.

PersonallyIdentifiable

Information (PII)

(Also referred to asPersonal Data or

PersonalInformation.)

What information is protected?


14/56November, 2005 HP Restricted 17= PII = PII if linked

*varies by local interpretation

User ID: Mike345

Name: Mike Smith

Password: 851pass392

SSN#: 555-55-5555

Credit card#: 4755-5555-5555-555

Employee#: 09099999

PIN#: 1050505

Work Address: 3000 Hanover St.,

Palo Alto, CA 94304

Work Phone: 650-587-1501

Home Address: 123 Main St.

Home Phone: 408-555-1212

Performance Rating: M

Travel Profile: special meal

Ergonomic evaluation data

You surfed CNN, ESPN and BSR.org today

You surfed CNN, LLBean, and Pottery Barn today.

You traveled to Los Angeles, Nashville, Boston,

Paris and Houston in 2002.

Your favorite color is Blue.

You have owned 3 homes in the last 20 years.

Birthday: May 19, 1965.

Drivers license number: Z5551212

email address: [email protected]

IP address: 15.222.18.101*

Your HP DeskJet printer used 10% of its inkjet

cartridge capacity last week. *

Personally Identifiable Information (PII)
mailto:[email protected]:[email protected]




Which agreements protect data?

A framework developed by the US Department ofCommerce and the European Commission thatallows the free flow of EU PII to certifiedcompanies in the US.http://www.export.gov/safeharbor/

Safe HarborAgreement

Protects PII:

HPThird Parties (logical HP)

http://legal.hp.com/legal/files/privacyPDPA.asp

Personal DataProtection

Agreement(PDPA)

Protects confidential information:

ClientHP

http://legal.hp.com/legal/files/cda_intro.asp

Non-disclosureAgreement




In the US, over 20 individual states haveenacted legislation that requires notification ofaffected individuals in the event of unauthorizedaccess of certain types of PII. Thoughrequirements vary, in some states (e.g.California), encryption of the more sensitivetypes of PII will negate the requirement fornotification.

DataEncryption

andNotification

Requirements

Why data encryption?



Roles and ResponsibilitiesHP as Data Controller

CDAPermissions

CDAPDPA

HP(Data Controller)

HP Information

Public/Restricted

Confidential Private/PII

LogicalHP

3rdParty

Outside3rd

Party

End User

End User Information Confidential PII


HPs Privacy Policy+ contract +local

requirements

+ local

requirements



Roles and ResponsibilitiesHP as DataProcessor

CDAPermissions

CDAPDPA

LogicalHP

3rdParty

Outside3rd

Party

HP(Data Processor)

Client(Data Controller)

End User

HP Information Public Restricted Confidential Private PII



Client Information Confidential

PII

Client Information Confidential

PII


Clients Privacy Policy+ local requirements

HPs Privacy Policy

+ contract +localrequirements

+ localrequirements



Data Transfer

The physical transfer of stored data, for example,a database that is moved so that it is stored inanother location.

PhysicalData

Storage

Data is not moved from a physical location butaccess from another location occurs.

Data

Access

Data that provides access to additional data; theability to grant access to data, for example, anindividual who has the information needed toreset passwords or to allow access to PII.

Ability toAccess

Data (MetaData)

In what ways can data be transferred?



Data Transfer Between Countries

What is transborder data flow?

Transborder data flow is the transfer of personal datafrom one country to another. Data transfer betweencountries raises potential privacy issues that

should be validated with local privacy experts.

Which countries have restrictions? European Union (EU) / European Economic Area (EEA) member countries

Switzerland

Israel

Emirate of Dubai Australia

South Korea

Japan



Learning

check



Personally Identifiable Information (PII)

All of the following are considered to be PII except for

which one?

a. name

b. phone number

c. social security number

d. credit card number

e. server configuration


23/56


Third PartiesHP has sub-contracted to Microsoft to provide Help Desk

support for HP customers on Microsoft Exchange. Whattype of third-party is described in this situation?

a. logical HP third party

b. outside third-party


24/56


Types of Data Transfer

A clients employee calls a Help Desk to reset their

password. As part of this process, the employee has toanswer a series of questions to confirm their identity (e.g.date of birth, last four digits of their ID number, answer toa secret question).

This Help Desk activity is being run on behalf of the clientat an HP call center in Bangalore, India. Is this considereda transfer of PII?

a. yes

b. no


25/56


Data Transfers between Countries

HP Germany is transferring personnel records containing

personal information to HP USA. What condition allowsthis transfer to proceed?

a. model contract

b. consent from HP Germany

c. HP Safe Harbor certification

d. transfer to country on adequate list


26/56


Quest ions?

*1 on your telephone keypad to ask a question


27/56


Privacy Basics

Topics / Agenda

Overview


Where to Get Help

Summary


28/56


Scenario 1 Help Desk Consolidation

A pharmaceuticals company

in Europe has contracted itsHelp Desk support to HP.

In a cost savings move, HPlater decides to consolidate

its help desk operations intoa small number of globalsites around the world,utilizing both HP-owned

sites and third-party serviceproviders. Answer the review

questions for this

scenario.


29/56


Help Desk ConsolidationBefore

Multiple HPHelp Desks In

EU

EU Customer


30/56


What type of personally

identifiable information (PII) maybe accessed in a Help Desksituation? Select all that apply.

a. passwords

b. contact information (name,address, phone number)

c. ID numbers (drivers license,social security)

d. financial information (creditcard number)

e. ability to access PII (metadata)

Questions for Review

Multiple HPHelp Desks In EU

EU Customer


31/56


32/56



Are there potential EU transborder data flow implications?

a. yes

b. no


33/56


Help Desk ConsolidationAfter

Consolidated HP HelpDesks in KL and

Bangalore

Consolidated HP HelpDesks in Bratislava and

Barcelona Outsourced to aservice provider in

India


BangaloreEU Customer

(Call)


34/56


Help Desk Consolidation Data Flow 1

Outsourced to aservice provider in

India


Bangalore


Bangalore

Consolidated HP HelpDesks in Bratislava

and Barcelona

EU Customer

(Call)


35/56




India


BangaloreConsolidated HP HelpDesks in Bratislava

and Barcelona


Bangalore

EU Customer

(Call)


36/56




India


Bangalore


Barcelona



(Call)


37/56




Bangalore


Barcelona Outsourced to aservice provider in

India



(Call)


38/56


Creating a Privacy Compliance Strategy

Identify scope of change

Which data centers? Which customers?

What type of data?

Map each customers situation Customer information and privacy maturity assessment

Utmost caution with pharmaceutical & financial companies

Data flow

Transborder data flow implications

Fulfill privacy requirements Define upfront a privacy compliance process with customer company

Where appropriate, develop contractual language and work withaffected customers to sign off

Working with HP Customer Privacy, initiate data protection authority(DPA) notifications


39/56


Scenario Take-Aways

Managed Services deals usually

put HP in a data processor role. Movement of PII from the EU to

other countries may requirecontractual language and

notification of Data ProtectionAuthorities in the EU memberstates before data transfer canlegally begin.

Transfer of PII to third partieswithin logical HP requires a

Personal Data ProtectionAgreement to be in place.

Remember ...


40/56


Scenario 2 Unauthorized Access

An Americas customer has

contracted HP to run itspayroll operations, allowingHP to transfer PII to an HPData Center in Atlanta.

Customer employees withpayroll questions or problemsare routed to consolidatedHP Help Desks in AP. In

order to assist them, theAP Help Desks have accessto the employee recordslocated in Atlanta.

Answer the review

questions for this

scenario.


41/56


Help Desk Operations Normal

AMS Client

Client ApplicationHP Data Center

in Atlanta

Consolidated HPHelp Desksin KL andBangalore

Payroll DataContact information

Identification #s

Direct Deposit information

Access to recordsAnswer end user

questions

Change requests

Password resets

Help Desk Requests

Delivery of Help Desk services


42/56



Are there transborder data flow issues with the transfer of

information between the HP Data Center in Atlanta andthe consolidated HP Help Desks in KL and Bangalore?

a. yes

b. no


43/56



Lets say that the client was a company in the EU. Would

there be any transborder data flow implications?

a. yes

b. no


44/56


Help Desk Operations Unauthorized Access

AMS Client

Client ApplicationHP Data Center

in Atlanta

Consolidated HPHelp Desksin KL andBangalore

Payroll DataContact information

Identification #s

Direct Deposit information

Access to recordsAnswer end user

questions

Change requests

Password resets

Help Desk Requests

Delivery of Help Desk services

Hacker!

Unauthorized access of

100K client records

detected. Sensitive PII

is not Encrypted.


45/56


Creating a Privacy Response Strategy

Assess scope of the unauthorized

access or disclosure How many records potentially

accessed or disclosed?

What type of data was containedin those records?

Were the records were encryptedor unencrypted

Notify client per contract

Escalate internally through Corporate IT SecurityIncident Response Team [email protected]

Take remedial actions to eliminate root causes


46/56


Scenario Take-Aways

The data flow model(s) used in a

Managed Service dealdetermines the privacycompliance strategy that shouldbe used.

Data flow from the EU to HP inthe US is covered by HPs SafeHarbor certification.

Always encrypt sensitive PIIrecords within the firewall.

Unauthorized access of sensitiveinformation can result insignificant damage to HP and itscustomers.

Remember ...


47/56


Quest ions?



48/56


Privacy Basics

Agenda

Overview


Where to Get Help

Summary


49/56


Topics

HP Privacy Contacts

Privacy Web Sites and Email Privacy References and

Tools


50/56


HP Privacy Contacts

Chief Privacy Office

Barb LawlerChief Privacy Officer

Dan Swartwood TSG Privacy

Regional ResourcesAllan Paull APJ CDP MgrDaniel Pradelles EMEA CDP MgrDan Swartwood AMS Focal Point

Ray FarraroHPS Privacy

Employee Data Privacy

Cherri GillmoreGlobal Emp. Data Privacy Mgr

Customer Data Privacy

Danielle DavenportDir. Customer Data Privacy

Regional ResourcesJacqueline Soh APJ EDP MgrWilfried Kolb EMEA EDP MgrCherri Gilmore AMS EDP Mgr

P i W b Si d E il


51/56


Privacy Web Sites and Email

Web Sites

TSG Privacy:

http://tsgonline.hp.com/operations/privacy/

HP Privacy Office:http://ca.corp.hp.com/privacy/

Customer Privacy Office:http://customerops.corp.hp.com/privacy/

Employee Privacy Office:http://edp.corp.hp.com/

Non-disclosure Agreement:http://legal.hp.com/legal/files/cda_intro.asp

Personal Data Protection Agreement (PDPA):http://legal.hp.com/legal/files/privacyPDPA.asp

Safe Harbor Agreement:http://www.export.gov/safeharbor/

Commercial Security:http://commercialsecurity.infosec.hp.com/

IT Enterprise Architecture:http://it-ea.corp.hp.com/app/polstd.aspx?domain=domain-29

Email

HPs Privacy Mailbox: [email protected]

P i R f d T l
http://tsgonline.hp.com/operations/privacy/http://ca.corp.hp.com/privacy/http://customerops.corp.hp.com/privacy/http://edp.corp.hp.com/http://legal.hp.com/legal/files/cda_intro.asphttp://legal.hp.com/legal/files/privacyPDPA.asphttp://www.export.gov/safeharbor/http://commercialsecurity.infosec.hp.com/http://it-ea.corp.hp.com/app/polstd.aspx?domain=domain-29http://it-ea.corp.hp.com/app/polstd.aspx?domain=domain-29http://it-ea.corp.hp.com/app/polstd.aspx?domain=domain-29http://it-ea.corp.hp.com/app/polstd.aspx?domain=domain-29http://it-ea.corp.hp.com/app/polstd.aspx?domain=domain-29http://it-ea.corp.hp.com/app/polstd.aspx?domain=domain-29http://commercialsecurity.infosec.hp.com/http://www.export.gov/safeharbor/http://legal.hp.com/legal/files/privacyPDPA.asphttp://legal.hp.com/legal/files/cda_intro.asphttp://edp.corp.hp.com/http://customerops.corp.hp.com/privacy/http://ca.corp.hp.com/privacy/http://tsgonline.hp.com/operations/privacy/


52/56


HP Customer Data Privacy Rulebook and Reference

Guide:http://customerops.corp.hp.com/privacy/resources/rulebook.htm

Transborder Data Flows self-paced training:http://customerops.corp.hp.com/privacy/training/Transborder%20Privacy%20Training%20Rev%20G03.pps

Customer Privacy Press Kit:http://www.hp.com/hpinfo/globalcitizenship/privacy/presskit.html

Privacy References and Tools
http://customerops.corp.hp.com/privacy/resources/rulebook.htmhttp://customerops.corp.hp.com/privacy/resources/rulebook.htmhttp://customerops.corp.hp.com/privacy/training/Transborder%20Privacy%20Training%20Rev%20G03.ppshttp://customerops.corp.hp.com/privacy/training/Transborder%20Privacy%20Training%20Rev%20G03.ppshttp://www.hp.com/hpinfo/globalcitizenship/privacy/presskit.htmlhttp://www.hp.com/hpinfo/globalcitizenship/privacy/presskit.htmlhttp://www.hp.com/hpinfo/globalcitizenship/privacy/presskit.htmlhttp://www.hp.com/hpinfo/globalcitizenship/privacy/presskit.htmlhttp://customerops.corp.hp.com/privacy/training/Transborder%20Privacy%20Training%20Rev%20G03.ppshttp://customerops.corp.hp.com/privacy/training/Transborder%20Privacy%20Training%20Rev%20G03.ppshttp://customerops.corp.hp.com/privacy/resources/rulebook.htmhttp://customerops.corp.hp.com/privacy/resources/rulebook.htm


53/56


Privacy Basics

Agenda

Overview


Where to Get Help

Summary


54/56


Summary

Now, you should be able to:

Describe how the HP Privacy Policy applies to ManagedServices deals and operations:

Implications of the data flow model

Sharing of PII with third parties

Impact of unauthorized access of sensitive PII

Types of data transferstorage, access, Meta data

Recognize the consequences of inaction to privacyexposures

Locate resources to develop a privacy compliance strategyand answer a customers privacy questions

Incorporate a privacy compliance strategy into yourrespective account support activities


55/56


Quest ions?



56/56

adm data privacy student guide

Documents