adm data privacy student guide
TRANSCRIPT
-
8/12/2019 Adm Data Privacy Student Guide
1/56
2005 Hewlett-Packard Development Company, L.P.The information contained herein is subject to change without notice
Customer DataPrivacy
in an OutsourcingEnvironment
HP Restricted
Raymond FarraroHPS Customer Privacy ManagerAllan PaullAPJ Customer Privacy Manager
November, 2005
-
8/12/2019 Adm Data Privacy Student Guide
2/56
November, 2005 HP Restricted 2
Learning Objectives
After completing this training, you should be able to:
Describe how the HP Privacy Policy applies to ManagedServices deals and operations:
Implications of the data flow model
Sharing of PII with third parties
Impact of unauthorized access of sensitive PII
Types of data transferstorage, access, Meta data
Recognize the consequences of inaction to privacyexposures
Locate resources to develop a privacy compliance strategyand answer a customers privacy questions
Incorporate a privacy compliance strategy into yourrespective account support activities
-
8/12/2019 Adm Data Privacy Student Guide
3/56
November, 2005 HP Restricted 3
Privacy Basics
Agenda
Overview
Scenarios for Discussion and Review
Where to Get Help
Summary
-
8/12/2019 Adm Data Privacy Student Guide
4/56
November, 2005 HP Restricted 4
Privacy Basics
Agenda
Overview
Scenarios for Discussion and Review
Where to Get Help
Summary
-
8/12/2019 Adm Data Privacy Student Guide
5/56
November, 2005 HP Restricted 5
Topics
HP and Privacy
Business Case for Privacy
Privacy Hit and Misses
-
8/12/2019 Adm Data Privacy Student Guide
6/56
November, 2005 HP Restricted 6
HP and PrivacyHP has an industry leading
privacy program. In January2005, HP was selected* as theMost Trusted Company forPrivacy based on an awardevaluation program that
included a rigorous review of thecompanys policy, procedures,and customer outreach .
It will take a concerted effort at
all levels of the company tosustain our competitiveadvantage in privacy.
*Selection was made by an expert panel led by TRUSTe and Ponemon Institute.
-
8/12/2019 Adm Data Privacy Student Guide
7/56November, 2005 HP Restricted 7
Business Case for Privacy
1. Creating TRUSTbuilds revenue potential and avoids
loss of revenue.2. Protecting privacy strengthens our BRANDand
prevents bad press and loss of our good name.
3. Country-specific LAWSexpose us to a risk of litigationand our privacy statement is legally-binding.
-
8/12/2019 Adm Data Privacy Student Guide
8/56November, 2005 HP Restricted 8
Privacy Hits and Misses
hpshopping.com $10.6 Billion Oversight
AOL Internal Hacker
Acxiom External Hacker
Victorias Secret Website Flaw
Choicepoint Privacy Blunder
-
8/12/2019 Adm Data Privacy Student Guide
9/56November, 2005 HP Restricted 11
Privacy Basics
Agenda
Overview
Scenarios for Discussion and Review
Getting Help
Summary
-
8/12/2019 Adm Data Privacy Student Guide
10/56November, 2005 HP Restricted 12
Topics
HP Privacy Policies and
Principles Data Protection
Requirements
Roles and Responsibilities
Data Transfer
-
8/12/2019 Adm Data Privacy Student Guide
11/56November, 2005 HP Restricted 13
HP Privacy Policies
HPs Worldwide Privacy Policies
permit the processing and exchangeof customer and employee data forbusiness purposes but they:
Require compliance with applicable
laws Are designed to meet the
expectations of HPs customers,
employees, and respective business
needsWeb address for policies:
Global Privacy Policy
WW On-Line Policy
http://www.hp.com/hpinfo/globalcitizenship/privacy/masterpolicy.htmlhttp://welcome.hp.com/country/us/en/privacy/worldwide_privacy.htmlhttp://welcome.hp.com/country/us/en/privacy/worldwide_privacy.htmlhttp://welcome.hp.com/country/us/en/privacy/worldwide_privacy.htmlhttp://welcome.hp.com/country/us/en/privacy/worldwide_privacy.htmlhttp://www.hp.com/hpinfo/globalcitizenship/privacy/masterpolicy.html -
8/12/2019 Adm Data Privacy Student Guide
12/56November, 2005 HP Restricted 14
HP Privacy Principles
Tell customers what you are doing (data collectionand usage).
Obtain permission for customer contact and datasharing.
Protect data when sharing and transferring
overseas. Maintain data securely.
Provide processes for customers to view and updatedata; maintain accuracy of data across company.
Use encryption, restriction, and authentication to
protect customer data.
Measure how well you honor your customercommitments; provide dispute resolution andescalation paths.
Oversight
Onward
Transfer
Security
Choice
Notice
Access
and Accuracy
-
8/12/2019 Adm Data Privacy Student Guide
13/56November, 2005 HP Restricted 16
Data Protection Requirements
Racial or ethnic origin, political opinions,religious beliefs, trade union membership,health, sex life, and criminal convictions. Theprocessing of such data is subject to stricterconditions.
Sensitive personaldata/ Sensitive
information
Information that can be traced to a particularindividual, such as a name, mailing address,phone number, social security number, or emailaddress.
Special care must be taken with certain PII,such as credit card numbers and identificationnumbers.
PersonallyIdentifiable
Information (PII)
(Also referred to asPersonal Data or
PersonalInformation.)
What information is protected?
-
8/12/2019 Adm Data Privacy Student Guide
14/56November, 2005 HP Restricted 17= PII = PII if linked
*varies by local interpretation
User ID: Mike345
Name: Mike Smith
Password: 851pass392
SSN#: 555-55-5555
Credit card#: 4755-5555-5555-555
Employee#: 09099999
PIN#: 1050505
Work Address: 3000 Hanover St.,
Palo Alto, CA 94304
Work Phone: 650-587-1501
Home Address: 123 Main St.
Home Phone: 408-555-1212
Performance Rating: M
Travel Profile: special meal
Ergonomic evaluation data
You surfed CNN, ESPN and BSR.org today
You surfed CNN, LLBean, and Pottery Barn today.
You traveled to Los Angeles, Nashville, Boston,
Paris and Houston in 2002.
Your favorite color is Blue.
You have owned 3 homes in the last 20 years.
Birthday: May 19, 1965.
Drivers license number: Z5551212
email address: [email protected]
IP address: 15.222.18.101*
Your HP DeskJet printer used 10% of its inkjet
cartridge capacity last week. *
Personally Identifiable Information (PII)
mailto:[email protected]:[email protected] -
8/12/2019 Adm Data Privacy Student Guide
15/56November, 2005 HP Restricted 18
Data Protection Requirements
Which agreements protect data?
A framework developed by the US Department ofCommerce and the European Commission thatallows the free flow of EU PII to certifiedcompanies in the US.http://www.export.gov/safeharbor/
Safe HarborAgreement
Protects PII:
HPThird Parties (logical HP)
http://legal.hp.com/legal/files/privacyPDPA.asp
Personal DataProtection
Agreement(PDPA)
Protects confidential information:
ClientHP
http://legal.hp.com/legal/files/cda_intro.asp
Non-disclosureAgreement
-
8/12/2019 Adm Data Privacy Student Guide
16/56November, 2005 HP Restricted 19
Data Protection Requirements
In the US, over 20 individual states haveenacted legislation that requires notification ofaffected individuals in the event of unauthorizedaccess of certain types of PII. Thoughrequirements vary, in some states (e.g.California), encryption of the more sensitivetypes of PII will negate the requirement fornotification.
DataEncryption
andNotification
Requirements
Why data encryption?
-
8/12/2019 Adm Data Privacy Student Guide
17/56November, 2005 HP Restricted 20
Roles and ResponsibilitiesHP as Data Controller
CDAPermissions
CDAPDPA
HP(Data Controller)
HP Information
Public/Restricted
Confidential Private/PII
LogicalHP
3rdParty
Outside3rd
Party
End User
End User Information Confidential PII
End User Information Confidential PII
HPs Privacy Policy+ contract +local
requirements
+ local
requirements
-
8/12/2019 Adm Data Privacy Student Guide
18/56November, 2005 HP Restricted 21
Roles and ResponsibilitiesHP as DataProcessor
CDAPermissions
CDAPDPA
LogicalHP
3rdParty
Outside3rd
Party
HP(Data Processor)
Client(Data Controller)
End User
HP Information Public Restricted Confidential Private PII
End User Information Confidential PII
End User Information Confidential PII
Client Information Confidential
PII
Client Information Confidential
PII
End User Information Confidential PII
Clients Privacy Policy+ local requirements
HPs Privacy Policy
+ contract +localrequirements
+ localrequirements
-
8/12/2019 Adm Data Privacy Student Guide
19/56November, 2005 HP Restricted 23
Data Transfer
The physical transfer of stored data, for example,a database that is moved so that it is stored inanother location.
PhysicalData
Storage
Data is not moved from a physical location butaccess from another location occurs.
Data
Access
Data that provides access to additional data; theability to grant access to data, for example, anindividual who has the information needed toreset passwords or to allow access to PII.
Ability toAccess
Data (MetaData)
In what ways can data be transferred?
-
8/12/2019 Adm Data Privacy Student Guide
20/56November, 2005 HP Restricted 24
Data Transfer Between Countries
What is transborder data flow?
Transborder data flow is the transfer of personal datafrom one country to another. Data transfer betweencountries raises potential privacy issues that
should be validated with local privacy experts.
Which countries have restrictions? European Union (EU) / European Economic Area (EEA) member countries
Switzerland
Israel
Emirate of Dubai Australia
South Korea
Japan
-
8/12/2019 Adm Data Privacy Student Guide
21/56November, 2005 HP Restricted 27
Learning
check
-
8/12/2019 Adm Data Privacy Student Guide
22/56November, 2005 HP Restricted 28
Personally Identifiable Information (PII)
All of the following are considered to be PII except for
which one?
a. name
b. phone number
c. social security number
d. credit card number
e. server configuration
-
8/12/2019 Adm Data Privacy Student Guide
23/56
November, 2005 HP Restricted 29
Third PartiesHP has sub-contracted to Microsoft to provide Help Desk
support for HP customers on Microsoft Exchange. Whattype of third-party is described in this situation?
a. logical HP third party
b. outside third-party
-
8/12/2019 Adm Data Privacy Student Guide
24/56
November, 2005 HP Restricted 30
Types of Data Transfer
A clients employee calls a Help Desk to reset their
password. As part of this process, the employee has toanswer a series of questions to confirm their identity (e.g.date of birth, last four digits of their ID number, answer toa secret question).
This Help Desk activity is being run on behalf of the clientat an HP call center in Bangalore, India. Is this considereda transfer of PII?
a. yes
b. no
-
8/12/2019 Adm Data Privacy Student Guide
25/56
November, 2005 HP Restricted 31
Data Transfers between Countries
HP Germany is transferring personnel records containing
personal information to HP USA. What condition allowsthis transfer to proceed?
a. model contract
b. consent from HP Germany
c. HP Safe Harbor certification
d. transfer to country on adequate list
-
8/12/2019 Adm Data Privacy Student Guide
26/56
November, 2005 HP Restricted 32
Quest ions?
*1 on your telephone keypad to ask a question
-
8/12/2019 Adm Data Privacy Student Guide
27/56
November, 2005 HP Restricted 33
Privacy Basics
Topics / Agenda
Overview
Scenarios for Discussion and Review
Where to Get Help
Summary
-
8/12/2019 Adm Data Privacy Student Guide
28/56
November, 2005 HP Restricted 34
Scenario 1 Help Desk Consolidation
A pharmaceuticals company
in Europe has contracted itsHelp Desk support to HP.
In a cost savings move, HPlater decides to consolidate
its help desk operations intoa small number of globalsites around the world,utilizing both HP-owned
sites and third-party serviceproviders. Answer the review
questions for this
scenario.
-
8/12/2019 Adm Data Privacy Student Guide
29/56
November, 2005 HP Restricted 35
Help Desk ConsolidationBefore
Multiple HPHelp Desks In
EU
EU Customer
-
8/12/2019 Adm Data Privacy Student Guide
30/56
November, 2005 HP Restricted 36
What type of personally
identifiable information (PII) maybe accessed in a Help Desksituation? Select all that apply.
a. passwords
b. contact information (name,address, phone number)
c. ID numbers (drivers license,social security)
d. financial information (creditcard number)
e. ability to access PII (metadata)
Questions for Review
Multiple HPHelp Desks In EU
EU Customer
-
8/12/2019 Adm Data Privacy Student Guide
31/56
-
8/12/2019 Adm Data Privacy Student Guide
32/56
November, 2005 HP Restricted 38
Questions for Review
Are there potential EU transborder data flow implications?
a. yes
b. no
-
8/12/2019 Adm Data Privacy Student Guide
33/56
November, 2005 HP Restricted 39
Help Desk ConsolidationAfter
Consolidated HP HelpDesks in KL and
Bangalore
Consolidated HP HelpDesks in Bratislava and
Barcelona Outsourced to aservice provider in
India
Consolidated HP HelpDesks in KL and
BangaloreEU Customer
(Call)
-
8/12/2019 Adm Data Privacy Student Guide
34/56
November, 2005 HP Restricted 40
Help Desk Consolidation Data Flow 1
Outsourced to aservice provider in
India
Consolidated HP HelpDesks in KL and
Bangalore
Consolidated HP HelpDesks in KL and
Bangalore
Consolidated HP HelpDesks in Bratislava
and Barcelona
EU Customer
(Call)
-
8/12/2019 Adm Data Privacy Student Guide
35/56
November, 2005 HP Restricted 41
Help Desk Consolidation Data Flow 2
Outsourced to aservice provider in
India
Consolidated HP HelpDesks in KL and
BangaloreConsolidated HP HelpDesks in Bratislava
and Barcelona
Consolidated HP HelpDesks in KL and
Bangalore
EU Customer
(Call)
-
8/12/2019 Adm Data Privacy Student Guide
36/56
November, 2005 HP Restricted 42
Help Desk Consolidation Data Flow 3
Outsourced to aservice provider in
India
Consolidated HP HelpDesks in KL and
Bangalore
Consolidated HP HelpDesks in Bratislava and
Barcelona
Consolidated HP HelpDesks in KL and
BangaloreEU Customer
(Call)
-
8/12/2019 Adm Data Privacy Student Guide
37/56
November, 2005 HP Restricted 43
Help Desk Consolidation Data Flow 4
Consolidated HP HelpDesks in KL and
Bangalore
Consolidated HP HelpDesks in Bratislava and
Barcelona Outsourced to aservice provider in
India
Consolidated HP HelpDesks in KL and
BangaloreEU Customer
(Call)
-
8/12/2019 Adm Data Privacy Student Guide
38/56
November, 2005 HP Restricted 44
Creating a Privacy Compliance Strategy
Identify scope of change
Which data centers? Which customers?
What type of data?
Map each customers situation Customer information and privacy maturity assessment
Utmost caution with pharmaceutical & financial companies
Data flow
Transborder data flow implications
Fulfill privacy requirements Define upfront a privacy compliance process with customer company
Where appropriate, develop contractual language and work withaffected customers to sign off
Working with HP Customer Privacy, initiate data protection authority(DPA) notifications
-
8/12/2019 Adm Data Privacy Student Guide
39/56
November, 2005 HP Restricted 46
Scenario Take-Aways
Managed Services deals usually
put HP in a data processor role. Movement of PII from the EU to
other countries may requirecontractual language and
notification of Data ProtectionAuthorities in the EU memberstates before data transfer canlegally begin.
Transfer of PII to third partieswithin logical HP requires a
Personal Data ProtectionAgreement to be in place.
Remember ...
-
8/12/2019 Adm Data Privacy Student Guide
40/56
November, 2005 HP Restricted 47
Scenario 2 Unauthorized Access
An Americas customer has
contracted HP to run itspayroll operations, allowingHP to transfer PII to an HPData Center in Atlanta.
Customer employees withpayroll questions or problemsare routed to consolidatedHP Help Desks in AP. In
order to assist them, theAP Help Desks have accessto the employee recordslocated in Atlanta.
Answer the review
questions for this
scenario.
-
8/12/2019 Adm Data Privacy Student Guide
41/56
November, 2005 HP Restricted 48
Help Desk Operations Normal
AMS Client
Client ApplicationHP Data Center
in Atlanta
Consolidated HPHelp Desksin KL andBangalore
Payroll DataContact information
Identification #s
Direct Deposit information
Access to recordsAnswer end user
questions
Change requests
Password resets
Help Desk Requests
Delivery of Help Desk services
-
8/12/2019 Adm Data Privacy Student Guide
42/56
November, 2005 HP Restricted 49
Questions for Review
Are there transborder data flow issues with the transfer of
information between the HP Data Center in Atlanta andthe consolidated HP Help Desks in KL and Bangalore?
a. yes
b. no
-
8/12/2019 Adm Data Privacy Student Guide
43/56
November, 2005 HP Restricted 50
Questions for Review
Lets say that the client was a company in the EU. Would
there be any transborder data flow implications?
a. yes
b. no
-
8/12/2019 Adm Data Privacy Student Guide
44/56
November, 2005 HP Restricted 51
Help Desk Operations Unauthorized Access
AMS Client
Client ApplicationHP Data Center
in Atlanta
Consolidated HPHelp Desksin KL andBangalore
Payroll DataContact information
Identification #s
Direct Deposit information
Access to recordsAnswer end user
questions
Change requests
Password resets
Help Desk Requests
Delivery of Help Desk services
Hacker!
Unauthorized access of
100K client records
detected. Sensitive PII
is not Encrypted.
-
8/12/2019 Adm Data Privacy Student Guide
45/56
November, 2005 HP Restricted 52
Creating a Privacy Response Strategy
Assess scope of the unauthorized
access or disclosure How many records potentially
accessed or disclosed?
What type of data was containedin those records?
Were the records were encryptedor unencrypted
Notify client per contract
Escalate internally through Corporate IT SecurityIncident Response Team [email protected]
Take remedial actions to eliminate root causes
-
8/12/2019 Adm Data Privacy Student Guide
46/56
November, 2005 HP Restricted 53
Scenario Take-Aways
The data flow model(s) used in a
Managed Service dealdetermines the privacycompliance strategy that shouldbe used.
Data flow from the EU to HP inthe US is covered by HPs SafeHarbor certification.
Always encrypt sensitive PIIrecords within the firewall.
Unauthorized access of sensitiveinformation can result insignificant damage to HP and itscustomers.
Remember ...
-
8/12/2019 Adm Data Privacy Student Guide
47/56
November, 2005 HP Restricted 54
Quest ions?
*1 on your telephone keypad to ask a question
-
8/12/2019 Adm Data Privacy Student Guide
48/56
November, 2005 HP Restricted 55
Privacy Basics
Agenda
Overview
Scenarios for Discussion and Review
Where to Get Help
Summary
-
8/12/2019 Adm Data Privacy Student Guide
49/56
November, 2005 HP Restricted 56
Topics
HP Privacy Contacts
Privacy Web Sites and Email Privacy References and
Tools
-
8/12/2019 Adm Data Privacy Student Guide
50/56
November, 2005 HP Restricted 57
HP Privacy Contacts
Chief Privacy Office
Barb LawlerChief Privacy Officer
Dan Swartwood TSG Privacy
Regional ResourcesAllan Paull APJ CDP MgrDaniel Pradelles EMEA CDP MgrDan Swartwood AMS Focal Point
Ray FarraroHPS Privacy
Employee Data Privacy
Cherri GillmoreGlobal Emp. Data Privacy Mgr
Customer Data Privacy
Danielle DavenportDir. Customer Data Privacy
Regional ResourcesJacqueline Soh APJ EDP MgrWilfried Kolb EMEA EDP MgrCherri Gilmore AMS EDP Mgr
P i W b Si d E il
-
8/12/2019 Adm Data Privacy Student Guide
51/56
November, 2005 HP Restricted 58
Privacy Web Sites and Email
Web Sites
TSG Privacy:
http://tsgonline.hp.com/operations/privacy/
HP Privacy Office:http://ca.corp.hp.com/privacy/
Customer Privacy Office:http://customerops.corp.hp.com/privacy/
Employee Privacy Office:http://edp.corp.hp.com/
Non-disclosure Agreement:http://legal.hp.com/legal/files/cda_intro.asp
Personal Data Protection Agreement (PDPA):http://legal.hp.com/legal/files/privacyPDPA.asp
Safe Harbor Agreement:http://www.export.gov/safeharbor/
Commercial Security:http://commercialsecurity.infosec.hp.com/
IT Enterprise Architecture:http://it-ea.corp.hp.com/app/polstd.aspx?domain=domain-29
Email
HPs Privacy Mailbox: [email protected]
P i R f d T l
http://tsgonline.hp.com/operations/privacy/http://ca.corp.hp.com/privacy/http://customerops.corp.hp.com/privacy/http://edp.corp.hp.com/http://legal.hp.com/legal/files/cda_intro.asphttp://legal.hp.com/legal/files/privacyPDPA.asphttp://www.export.gov/safeharbor/http://commercialsecurity.infosec.hp.com/http://it-ea.corp.hp.com/app/polstd.aspx?domain=domain-29http://it-ea.corp.hp.com/app/polstd.aspx?domain=domain-29http://it-ea.corp.hp.com/app/polstd.aspx?domain=domain-29http://it-ea.corp.hp.com/app/polstd.aspx?domain=domain-29http://it-ea.corp.hp.com/app/polstd.aspx?domain=domain-29http://it-ea.corp.hp.com/app/polstd.aspx?domain=domain-29http://commercialsecurity.infosec.hp.com/http://www.export.gov/safeharbor/http://legal.hp.com/legal/files/privacyPDPA.asphttp://legal.hp.com/legal/files/cda_intro.asphttp://edp.corp.hp.com/http://customerops.corp.hp.com/privacy/http://ca.corp.hp.com/privacy/http://tsgonline.hp.com/operations/privacy/ -
8/12/2019 Adm Data Privacy Student Guide
52/56
November, 2005 HP Restricted 59
HP Customer Data Privacy Rulebook and Reference
Guide:http://customerops.corp.hp.com/privacy/resources/rulebook.htm
Transborder Data Flows self-paced training:http://customerops.corp.hp.com/privacy/training/Transborder%20Privacy%20Training%20Rev%20G03.pps
Customer Privacy Press Kit:http://www.hp.com/hpinfo/globalcitizenship/privacy/presskit.html
Privacy References and Tools
http://customerops.corp.hp.com/privacy/resources/rulebook.htmhttp://customerops.corp.hp.com/privacy/resources/rulebook.htmhttp://customerops.corp.hp.com/privacy/training/Transborder%20Privacy%20Training%20Rev%20G03.ppshttp://customerops.corp.hp.com/privacy/training/Transborder%20Privacy%20Training%20Rev%20G03.ppshttp://www.hp.com/hpinfo/globalcitizenship/privacy/presskit.htmlhttp://www.hp.com/hpinfo/globalcitizenship/privacy/presskit.htmlhttp://www.hp.com/hpinfo/globalcitizenship/privacy/presskit.htmlhttp://www.hp.com/hpinfo/globalcitizenship/privacy/presskit.htmlhttp://customerops.corp.hp.com/privacy/training/Transborder%20Privacy%20Training%20Rev%20G03.ppshttp://customerops.corp.hp.com/privacy/training/Transborder%20Privacy%20Training%20Rev%20G03.ppshttp://customerops.corp.hp.com/privacy/resources/rulebook.htmhttp://customerops.corp.hp.com/privacy/resources/rulebook.htm -
8/12/2019 Adm Data Privacy Student Guide
53/56
November, 2005 HP Restricted 60
Privacy Basics
Agenda
Overview
Scenarios for Discussion and Review
Where to Get Help
Summary
-
8/12/2019 Adm Data Privacy Student Guide
54/56
November, 2005 HP Restricted 61
Summary
Now, you should be able to:
Describe how the HP Privacy Policy applies to ManagedServices deals and operations:
Implications of the data flow model
Sharing of PII with third parties
Impact of unauthorized access of sensitive PII
Types of data transferstorage, access, Meta data
Recognize the consequences of inaction to privacyexposures
Locate resources to develop a privacy compliance strategyand answer a customers privacy questions
Incorporate a privacy compliance strategy into yourrespective account support activities
-
8/12/2019 Adm Data Privacy Student Guide
55/56
November, 2005 HP Restricted 62
Quest ions?
*1 on your telephone keypad to ask a question
-
8/12/2019 Adm Data Privacy Student Guide
56/56