© 2003 IBM Corporation
Privacy 12th CACR Workshop
Yim Y. Chan
Chief Privacy Officer & CIO
IBM Canada Ltd.
w3.ibm.com/Privacy
Agenda
IBM Canada Privacy
IBM Enterprise Wide Policies / Management System
Privacy on demand Assessment Tool
Communication Plan
Road Map
How do we manage Privacy?
IT Technology Solutions
• Tools / Applications
• Infrastructure
• Standards
Business Process Governance Model
• Corporate Guidelines / Business Controls
• Education / Communication
“Why is Privacy Good Business?”
Trust
• Employees
• Customers
Values
• Processes
• Guidelines
IBM Enterprise Wide Policies
Simple, but company wide, mandatory throughout enterprise
Policies
Governs collection from all sources
Defines use of data
Implemented through a series of corporate instructions that established:
• principles behind IBM data practices
• Internet privacy standards
• requirements for handling (collection, use, disclosure, storage, security, access, transfer or other processing) of:
 - all employee information
 - information from customers, prospects, suppliers and other business contacts
• specific privacy rules for Web applications
IBM Enterprise Privacy Management System
Existing Private Sector Privacy Laws
Emerging Private Sector Privacy Laws
• Chief Privacy Officers
• Development & Research Centres
• Key Business Functions
• CIO Office
IBM CIO Governance Model
Employees
Personal Computing
Servers
Storage
Technology
Software
Global Services
Global Financing
Market Planning
Customers/Suppliers
Enterprise Model
IPD ISC Procure CRM Fulfill
Strategy, Architecture, Standards and Deployment Management
IBM Global Services
• Network
• Client
• Server
• End User Assist
• Privacy/Security
• P3P
• Scan Mail
• Web Crawler
• E-mail Cleansing
• Encryption
IT Service Provider
Canadian Privacy Assessment on demand
Implementation
• Access Control
• Retention
• Disclosure
• Consent …
Privacy on-demand Assessment Tool
Provides on demand impact assessment analysis and reports using a holistic approach that leverages our best practices and business insights
Provides on demand Assessment, Feedback and Suggested Actions to process owners
Delivers Consistent Repeatable Results
Gap Logic: Calculations, Scoring, Analysis
Benefits/Risks Logic: Calculations, Scoring, Analysis
Action Logic: Calculations, Scoring, Analysis
Logical Mapping
Business Assessment
Privacy on demand Assessments - Reporting
The tool first poses general questions about the process being assessed
The sensitivity of the personal information the process handles drives the required compliance level
The core of the assessment is a 43-question Questionnaire
The Questionnaire is divided into “Compliance Areas” reflecting different privacy requirements
Answers generate a compliance gap based on the information sensitivity
The answer closest to the real situation is picked
Summary reports can be generated which roll results up to a Business Unit or Company level
Privacy Communication Initiatives
Objectives
Engage employees in embracing IBM Canada’s philosophy on privacy
Provide employees with a clear understanding of our obligations and our commitment to comply with the federal legislation as well as IBM’s policies / instructions
Strategy
Deliver the right messages to the right audiences at the right time
Executive Team
• Quarterly updates
Business Process Owners and Privacy Focal Points
• Process assessment
• Training sessions
Targeted Employee Audiences
• Procurement
• CSO
• ibm.com
• SDC
• HR
• Client reps
General IBM Population Awareness Campaign
• Posters
• IBM Canada homepage
 - web articles/contest
 - presentation on the web
Targeted Employee Audiences
• Profile Holding Managers
ongoing ongoing April – September
(15 sessions, 5785 employees)
October - November
Road Map
2002 2003 2004
Controls
Communication
Corporate Policies/Guidelines
Compliance
Business Units
Managers
Employees
Customers
Policy Statement
Privacy Tools
Architecture/Standards
Guidelines
Provincial Legislation
"Substantially Similar"
Quebec British Columbia Alberta Ontario
PIPEDA
Self-Assessments
Score-card
Privacy Health-Checks
Access Process
Map labels: British Columbia, Alberta, Saskatchewan, Manitoba, Ontario, Quebec, Newfoundland, Northwest Territories, Yukon, New Brunswick
Business Partners
In Summary …
Privacy is Good Business
• Creates trust
• Builds values
Implemented through tools and technology to automate privacy compliance
Managed through a worldwide governance model for privacy adherence
Tracked through processes and roadmap for privacy improvements