www.ipc.on.ca

Go Beyond Compliance to Competitive Advantage: Make Privacy Pay Off

Ann Cavoukian, Ph.D.
Information & Privacy Commissioner/Ontario

IFB Toronto Fall Summit, Toronto, November 2, 2004

Slide deck transcript (33 slides); uploaded by jerome-grant, posted 17-Jan-2016.


Slide 2: Impetus for Change

Growth of Privacy as a Global Issue

EU Directive on Data Protection

Increasing amounts of personal data collected, consolidated, aggregated

Consumer Backlash; heightened consumer expectations

Slide 3: Information Privacy Defined

Information Privacy: Data Protection

• Freedom of choice; control; informational self-determination

• Personal control over the collection, use and disclosure of any recorded information about an identifiable individual

Slide 4: What Privacy is Not

Security vs. Privacy

Slide 5: Privacy and Security: The Difference

Security: Organizational control of information through information systems

• Authentication
• Data Integrity
• Confidentiality
• Non-repudiation

Privacy: Data Protection

• Fair Information Practices

Slide 6: Fair Information Practices: A Brief History

OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

EU Directive on Data Protection

CSA Model Code for the Protection of Personal Information

Canada Personal Information Protection and Electronic Documents Act (PIPEDA)

Slide 7: Summary of Fair Information Practices

• Accountability
• Identifying Purposes
• Consent
• Limiting Collection
• Limiting Use, Disclosure, Retention
• Accuracy
• Safeguards
• Openness
• Individual Access
• Challenging Compliance

Slide 8: The Ten Commandments

• Accountability – for personal information; designate an individual(s) accountable for compliance

• Identifying Purposes – purpose of collection must be clear at or before time of collection

• Consent – individual has to give consent to collection, use, disclosure of personal information

Slide 9: The Ten Commandments

• Limiting Collection – collect only information required for the identified purpose; information shall be collected by fair and lawful means

• Limiting Use, Disclosure, Retention – consent of individual required for all other purposes

• Accuracy – keep information as accurate and up-to-date as necessary for identified purpose

• Safeguards – protection and security required, appropriate to the sensitivity of the information

Slide 10: The Ten Commandments

• Openness – policies and other information about the management of personal information should be readily available

• Individual Access – upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and be given access to that information, be able to challenge its accuracy and completeness and have it amended as appropriate

• Challenging Compliance – ability to challenge all practices in accord with the above principles to the accountable body in the organization.

Slide 11: Federal Privacy Legislation in Canada

Personal Information Protection and Electronic Documents Act (PIPEDA)

Staggered implementation:

• Federally regulated businesses, 2001

• Federal health sector, 2002

• Provincially regulated private sector, 2004

Slide 12: Extension of PIPEDA

As of January 1, 2004, PIPEDA was extended to:

all personal information collected, used or disclosed in the course of commercial activities by provincially regulated organizations (including insurance companies and independent insurance adjusters)

unless a substantially similar provincial privacy law is in force

Slide 13: Provincial Private-Sector Privacy Laws

Québec: Act respecting the protection of personal information in the private sector

B.C.: Personal Information Protection Act

Alberta: Personal Information Protection Act

Ontario: draft Privacy of Personal Information Act, 2002 – not introduced…so PIPEDA applies

Slide 14: Ontario’s Health Information Protection Act, 2003 (HIPA)

Ontario government introduced health privacy bill (Bill 31) on December 17, 2003

Received Third Reading and Royal Assent in May, 2004

Comes into effect November 1, 2004

Slide 15: The Bottom Line

Privacy should be viewed as a business issue, not a compliance issue

Slide 16: The Promise

Electronic Commerce projected to reach $220 billion by 2001 (WTO, 1998)

Electronic Commerce projected to reach $133 billion by 2004 (Wharton Forum on E-Commerce, 1999)

Estimates revised downward to reflect lower expectations

Slide 17: Privacy is affecting E-Commerce

United States: e-commerce sales were only 1.6% of total sales, $54.9 billion in 2003
(U.S. Dept. of Commerce Census Bureau, February 2004)

Canada: Online sales were only 0.6% of total revenues – $13.7 billion in 2002
(Statistics Canada, April 2003)

Slide 18: Lack of Privacy = Lack of Sales

“Consumer privacy apprehensions continue to plague the Web. These fears will hold back roughly $15 billion in e-commerce revenue.”

Forrester Research, September 2001

“Privacy and security concerns could cost online sellers almost $25 billion by 2006.”

Jupiter Research, May 2002

Slide 19: The Business Case

“Our research shows that 80% of our customers would walk away if we mishandled their personal information.”

CPO, Royal Bank of Canada, 2003

Nearly 90% of online consumers want the right to control how their personal information is used after it is collected.

Slide 20: How The Public Divides on Privacy

Bar chart, February 2003 (% of public):

• Privacy Fundamentalists: 26%
• Privacy Pragmatists: 64%
• Privacy Unconcerned: 10%

Dr. Alan Westin: the “Privacy Dynamic” – battle for the minds of the pragmatists

Slide 21: Privacy and Customers

“The 1:1 enterprise, operating in an interactive environment, relies not just on information about customers, but on information from them.”

“It is absolutely imperative for the 1:1 enterprise to take into account the issue of protecting individual customer privacy.”

Enterprise One to One: Tools for Competing in the Interactive Age – Don Peppers and Martha Rogers, Ph.D.

Slide 22: Permission-Based Marketing: The Personal Touch

Essential premise: persuade consumers to volunteer their attention

• Puts control in the hands of consumers

• Makes consumers active recipients of marketing information

• “Permission marketing is just like dating.” – Seth Godin

Slide 23: A Privacy-Sensitive Motto for Customer Relations Management

The old way:
• Know everything about your customer.

The new way:
• Know everything that your customers want you to know.

• CRM or CMR (customer managed relationship)?

• Assume nothing – always ask!

Slide 24: Develop a Corporate Culture of Privacy

Demonstrate that privacy issues affect everything and everyone – COMMUNICATE

Focus on partnership development – ORGANIZE

Develop a cross-functional team committed to the CPO’s mandate – MANAGE, TRAIN

Persuade and proselytize every division and employee, leave no stone unturned – EDUCATE

Slide 25: Make Privacy a Corporate Priority

An effective privacy program needs to be integrated into the corporate culture

It is essential that privacy protection become a corporate priority throughout all levels of the organization

Senior Management and Board of Directors’ commitment is critical

Slide 26: STEPs: The Context

Terrorist attacks 9/11

Government concerns over public safety

Patriot and anti-terrorist legislation

Polarized security vs. privacy debate

Resurgence of Privacy concerns by public

Slide 27: A Shift in Paradigms

The Old Paradigm: Zero Sum Game

The New Paradigm: Security + Privacy = Democracy

Privacy and Security are both necessary components: both are essential to freedom and liberty

Slide 28: The Challenge for Privacy Experts

Expand the discourse: Privacy and Security are not polar opposites

Engage government and industry in demonstration projects to promote STEPs

http://www.ipc.on.ca/docs/steps.pdf

Slide 29: The Challenge for Solution Developers

Introduce privacy into the concept, design and implementation of technology solutions

Recognize and promote existing STEP solutions:

• 3-D Holographic Scanner: respecting physical privacy while enhancing security

• Biometric encryption

Slide 30: Technology and Privacy

“The most effective means to counter technology’s erosion of privacy is technology itself.”

Alan Greenspan, Federal Reserve Chairman

Slide 31: Privacy By Design: Build It In

Build in privacy – up front, in the design specifications

Minimize collection, use of personally identifiable information – use aggregate information if possible

Wherever possible, encrypt personal information

Think about anonymity and pseudonymity

Assess privacy risks: privacy impact assessment
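The slide lists the design principles but not what they look like in code. The following is an added example, not code from the deck or from the IPC, showing three of them on one constructed data set: collection limited to the fields the identified purpose needs, a keyed pseudonym in place of the direct identifier so records stay linkable without carrying the e-mail address, and aggregate reporting with small groups suppressed. The records, the purpose fields, the `k` threshold and the demo key are all assumptions made for the example.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample records (fictitious people, .invalid domain): what a
# customer-facing system might collect before a privacy-by-design review.
RAW_RECORDS = [
    {"name": "A. Example", "email": "a@example.invalid", "dob": "1970-01-01",
     "postal": "M4W", "product": "auto", "claim_amount": 1200},
    {"name": "B. Example", "email": "b@example.invalid", "dob": "1982-05-09",
     "postal": "M4W", "product": "home", "claim_amount": 800},
    {"name": "C. Example", "email": "c@example.invalid", "dob": "1990-11-23",
     "postal": "M5V", "product": "auto", "claim_amount": 300},
    {"name": "D. Example", "email": "d@example.invalid", "dob": "1975-03-14",
     "postal": "M4W", "product": "auto", "claim_amount": 2500},
    {"name": "E. Example", "email": "e@example.invalid", "dob": "1988-07-30",
     "postal": "M5V", "product": "home", "claim_amount": 950},
]

# Assumed identified purpose: claims analytics. Only these fields are kept
# ("Limiting Collection"); name, e-mail and date of birth never reach the
# analytics store.
PURPOSE_FIELDS = ("postal", "product", "claim_amount")


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym (truncated to 16 hex chars).

    A plain hash of an e-mail address can be reversed by hashing a list of
    known addresses; the secret key prevents that. The same identifier always
    maps to the same token, so records remain linkable for analysis.
    """
    digest = hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def minimize(record: dict, key: bytes) -> dict:
    """Keep only the purpose fields plus a pseudonymous link key."""
    out = {field: record[field] for field in PURPOSE_FIELDS}
    out["pid"] = pseudonym(record["email"], key)
    return out


def aggregate(records, group_field: str, k: int = 3) -> dict:
    """Count records per group; suppress groups smaller than k so a
    single individual cannot be singled out from the report."""
    counts = Counter(r[group_field] for r in records)
    return {group: n for group, n in counts.items() if n >= k}


def privacy_by_design_pipeline(raw, key: bytes, k: int = 3):
    """Return (minimized pseudonymous records, suppressed aggregate by postal)."""
    minimized = [minimize(r, key) for r in raw]
    return minimized, aggregate(minimized, "postal", k)


if __name__ == "__main__":
    # Demo-only key (assumption): in a real deployment it lives in a key
    # management service, never in source code.
    demo_key = b"demo-only-pseudonym-key"
    records, report = privacy_by_design_pipeline(RAW_RECORDS, demo_key)
    print(records[0])   # no name, e-mail or dob; a 16-char pid instead
    print(report)       # {'M4W': 3}; the two-record M5V group is suppressed
```

Note the order of operations: minimization happens as the record is ingested, not afterwards, which is what "up front, in the design specifications" means in practice. The `k` threshold is the usual small-cell suppression rule; with `k=3` the constructed M5V group (two records) disappears from the aggregate, which is the point of the check.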

Slide 32: Final Thought

“Anyone today who thinks the privacy issue has peaked is greatly mistaken…we are in the early stages of a sweeping change in attitudes that will fuel political battles and put once-routine business practices under the microscope.”

Forrester Research, March 5, 2001

Slide 33: How to Contact Us

Commissioner Ann Cavoukian
Information & Privacy Commissioner/Ontario

2 Bloor Street East, Suite 1400

Toronto, Ontario M4W 1A8

Phone: (416) 326-3333

Web: www.ipc.on.ca

E-mail: [email protected]