
Top Privacy Issues for Public Accountancy Firms

Top Privacy Issues for Public Accountancy Firms. Nicholas F. Cheung, CA, CIPP/C The Canadian Institute of Chartered Accountants. Agenda. Privacy Defined Privacy Survey Results Overview of Canadian Privacy Laws Top Privacy Issues Generally Accepted Privacy Principles. Privacy Defined.


Presentation Transcript


  1. Top Privacy Issues for Public Accountancy Firms Nicholas F. Cheung, CA, CIPP/C The Canadian Institute of Chartered Accountants

  2. Agenda • Privacy Defined • Privacy Survey Results • Overview of Canadian Privacy Laws • Top Privacy Issues • Generally Accepted Privacy Principles

  3. Privacy Defined Privacy • The rights and obligations of individuals and organizations with respect to the collection, use, retention and disclosure of personal information Personal Information (PI) • Information that is, or can be, about or related to an identifiable individual • Home or e-mail address • Financial information • Consumer purchase history

  4. Privacy Survey Results • More than half of all businesses believe customers are now more concerned about privacy than in the past • Despite advances in IT, businesses store just as much data on paper as in electronic format • 1 in 2 businesses have a low to moderate awareness of legal privacy responsibilities

  5. “…one of the biggest challenges for most small and medium businesses is to understand their obligations under the [privacy] law.” Report of the Standing Committee on Access to Information, Privacy and Ethics House of Commons, May 2007

  6. Private Sector Privacy Laws Federal (PIPEDA) – Jan. 1, 2004 • Applies to every organization that conducts commercial activities • Except BC, AB, QC and ON (health only) • Applies to all cross-border transfers of PI • Does not apply to employee PI other than federal work, undertaking or business • Overseen by Privacy Commissioner of Canada

  7. Private Sector Privacy Laws Provincial • Privacy laws deemed “substantially similar” to PIPEDA • BC/AB – Personal Information Protection Act (PIPA) • QC – Act Respecting the Protection of Personal Information in the Private Sector • ON – Personal Health Information Protection Act (PHIPA) • Applies to collection, use and disclosure of PI within a province • Each province/territory has a privacy commissioner

  8. Top Privacy Issues • Establishing a privacy policy • Allowing clients access • Training your employees • Protecting wireless gadgets • Retention & Destruction • Transferring data securely • Being prepared for a privacy breach • Employee privacy

  9. 1. Establishing Your Privacy Policy • A must for your clients and your employees • 1 in 3 SMEs report either being in the process of implementing, or having yet to implement, a policy to oversee how the company and its employees collect, use, and disclose PI • If there is ever a privacy investigation, this is the first thing an investigator will ask to see • Readily accessible and available when PI is first collected from the individual • Include a copy with engagement letter or reference it

  10. Key Elements in a Privacy Notice • Notice to individuals, including the purpose(s) for collecting personal information • Choices available to individuals and the consent to be obtained • Collection of personal information • Use and retention of personal information • Access to individuals’ personal information • Disclosure of personal information to third parties • Security of personal information • Quality of personal information • Monitoring and enforcement of privacy policies and procedures

  11. 2. Allowing Clients Access • Individuals should be: • given access to their PI • informed of the existence, use and disclosure • allowed to correct errors • One of the more popular reasons cited for a privacy complaint • 1 in 5 companies have not implemented any method to allow individuals to access their PI • 30 days to respond under federal law

  12. What To Include In Your Access Policy • Details required to document access request • Confirm identity • Date and details of request • How a search should be conducted • Which files, databases should be reviewed • Informing the individual about potential costs • Should be provided at no or minimal cost • Access should be free but charging for copies allowed • When the CPO should be informed • Unable to fulfill request • Delay required beyond 30 days

  13. 3. Training Your Employees “The weak link in many companies’ privacy “chain” is the untrained employee. Awareness training is not an option, it’s a necessity!” Fran Faier Executive Director, TRUSTe

  14. Why Train Staff on Privacy? • Required by law • Minimize employee errors • Majority of breaches caused by employee error, not by external attacks • Minimize customer frustration • Know what to collect, why and how to access • Reinforce culture of privacy • Customer confidentiality is a core value • Contractual requirement

  15. What Should Your Staff Know? • Know that privacy is protected by law • May be a sensitive issue with clients • Know what PI is in the context of your business • Personal income tax info, SINs, client investment statements • Understand how PI will be collected, used and disclosed • Be familiar with and be able to reference privacy policy • Provide a copy to clients upon request • Understand when issues should be escalated • Reinforce privacy concepts by referring to privacy within employee confidentiality and technology use agreements

  16. 4. Protecting Wireless Gadgets “You can have security without privacy, but you can’t have privacy without security.” • Many breaches caused by employees are due to loss of portable devices • Laptops • PDAs and Blackberries • USB keys • Points to consider • Do you really need to take PI offsite? • Take only what you need • Is it possible to anonymize?

  17. Laptop Protection • Types of encryption for computers • Whole Disk • Virtual Disk • Folder • Biometric access • Swap passwords for a swipe of your finger • Lenovo laptops with this feature • Lock in car trunk if necessary to leave in car • Consider using a virtual private network to reduce need for laptops

  18. 5. Secure Retention & Destruction • Some recent headlines… • “Film set uses real health records” • “Private health records sold at auction” • “Dumped receipts end up in criminals’ possession” • “Police documents found blowing in Winnipeg wind”

  19. Benefits of a Retention and Destruction Policy • Protect your business • “If you don’t have it, you can’t lose it” • Reduce scope of access requests • Save costs • Less storage space • At the office • At the storage facility

  20. Keep Only What You Need • Determine legal and regulatory requirements • ICAO Practice Advisory suggests 15 years might be appropriate due to Limitations Act, 2002 • CRA • generally is six years from end of tax year in question

  21. Properly Destroying PI • Physical copies • Shred (this doesn’t mean recycle!) • Cross cut vs. strip • Incinerate • Pulverize • Electronic copies • Smash it…render the object unusable • Disk wipe

  22. Using An External Shredder • Use a company accredited by NAID • Ensure signed contract in place • Spells out their obligation for secure destruction • Provides written confirmation • Allows witnessing of destruction • Time limit • The Ontario Privacy Commissioner has a fact sheet on secure destruction that includes sample contract clauses • http://www.ipc.on.ca/images/Resources/up-fact_10_e.pdf

  23. 6. Transferring Data Securely • Fax machines • Ensure confidential faxes are received in a secure location and that faxes are sent to the right fax number • USB keys • Purchase encryption software • Protect your computers by configuring them not to accept unencrypted USB keys • Encrypted e-mail • Ensure your mail isn’t being read • E.g. Zixcorp, Echoworx • Secure file transfer • E.g. www.yousendit.com

  24. 7. Being Prepared for a Privacy Breach • Quickly becoming a case of “not if, but when” • What is a privacy breach? • Loss of personal information under your control • Inadvertent • Misplaced fax or laptop containing PI • Paper files not destroyed properly • Old computers with data still on hard drives • Deliberate act • Office break-in • Computer hacker

  25. Breach Notification • Ontario is the only Canadian jurisdiction to require breach notification • Only pertains to health information custodians • However, May 2007 parliamentary review of PIPEDA is advocating breach notification • Certain breaches to be reported to the Privacy Commissioner • Privacy Commissioner to determine if notification required

  26. Breach Policy • Develop a breach policy to ensure proper procedures are followed • Evaluate seriousness of breach • How to ensure containment • Notifying affected parties / Privacy Commissioner • Communication with media • Tools available • Incident Response Plan – CICA Privacy website • Breach Notification Assessment Tool • www.ipc.on.ca

  27. 8. Employee Privacy • PIPEDA only applies to employees of a federal work, undertaking or business • Employees protected under provincial privacy acts • British Columbia • Alberta • Quebec • Employee personal information is information used to establish, manage or terminate an employment relationship

  28. Surveillance – Four Part Test • The surveillance must be “demonstrably necessary to meet a specific need” • It must be “likely to be effective” in meeting that need • The loss of privacy must be “proportional to the benefit gained” • The existence of a “less privacy invasive way” to meet the need must be considered • Can be applied to video surveillance and e-mail/Internet monitoring

  29. Employee Privacy Policy • Best practice is to create a separate employee privacy policy • Sends positive message to employees, especially if not required by law • Often seen as add-on to Code of Conduct • Communicate and obtain acknowledgement • Consent is not optional • Have employees sign they have read and understand the policy • Make specific reference to important policies or procedures • Surveillance • E-mail • Internet • Policy must be enforced

  30. What are Generally Accepted Privacy Principles (GAPP)? • A privacy framework to help organizations develop and assess their privacy program and privacy risk • Developed by the CICA and AICPA • To create a common North American standard • Endorsed by ISACA and IIA

  31. Generally Accepted Privacy Principles • Management • Notice • Choice & Consent • Collection • Use & Retention • Access • Disclosure to Third Parties • Security for Privacy • Quality • Monitoring & Enforcement

  32. The Benefits of GAPP • Comprehensive • Framework of over 60 measurable and relevant criteria • Not just a list of principles • Objective • Developed by the auditing profession to • Address international expectations • Create a basis for comparability • Universally available at no charge • Relevant • Widespread use and recognition • Applicable for evaluating privacy risk enterprise-wide • Recognized as suitable criteria for a privacy audit • Can also be the basis for an internal assessment

  33. Other CICA Privacy Resources • Online privacy courses • 20 Questions Businesses Should Ask About Privacy – available in Sept 07 • Canadian Privacy Laws Map • Privacy Guide for CA Firms • Upcoming News & Events • Other Publications & Toolkits • FAQs

  34. Contact Info www.cica.ca/privacy Nicholas F. Cheung, CA, CIPP/C Principal, Assurance Services Development CICA (416) 204-3251 nicholas.cheung@cica.ca
