When creating a corporate privacy strategy, Canadian companies should look to the Germans for simplicity, said Ontario privacy commissioner Ann Cavoukian at a breakfast talk in Toronto yesterday.
The German term – informational self-determination – is a perfect fit, she said, because it drives home the idea of an individual controlling his or her personal data.
“Allowing customers access to data is so important,” she said. “They are the ones who know if information is accurate (and) you want accurate information.”
However, actual experiments conducted by ComputerWorld Canada (an IT World Canada publication) indicate that more often than not, customers have a huge problem getting at their personal data.
The publication’s writers contacted companies to access their personal information.
Their results were alarming…to say the least.
Only one company, a telco, got back to the writer in a timely manner with his personal information. One airline asked for the writer’s online password (a major privacy and security breach), and one bank gave a writer a glorified printout of his online statement.
When queried about these results, Cavoukian said it was “utterly unacceptable” but admitted there was little she could do – as a provincial privacy commissioner – with federally regulated companies. If the companies were within her jurisdiction, she said she would sit down with them to improve their processes. “My office is here to work with you…(it’s) not a ‘get them’ issue,” she explained.
Leland Thomas, a Thornhill, Ont.-based marketing consultant, said his own clients have come to view both security and privacy as solid business investments rather than an unrecoverable cost. His most astute clients realize that functional privacy policies can be a “point of market differentiation” especially as an increasing number of people see privacy as an issue.
A huge hurdle for many companies is their ability to match policy to existing IT infrastructures.
Nigel Brown, a senior consultant with IBM Global Services’ privacy, security and testing national practice in Markham, Ont., said companies have moved data security and (as a result) privacy, past simple perimeter gateways and are slowly moving protection to the information itself.
“I’d argue where it is really going is (about) protecting content,” he said.
But even with the best intentions, corporate privacy and security policies often run astray.
Late last year a story surfaced that the Canadian Imperial Bank of Commerce had been sending faxes to a scrap yard in West Virginia for more than three years. The faxes included addresses, social insurance numbers and detailed account data. The scrap yard owner tried (for some time) to get the faxes to stop but the bank was apparently unresponsive.
Cavoukian was visibly angry.
The “incompetence…mismanagement (and) stupidity” was “unacceptable,” she said. “I don’t understand it and I find it shameful.”
This lack of institutional data privacy awareness harks back many decades but took a big hit at the start of the dot-com bubble.
“Everybody had unbridled enthusiasm about collecting information…it was like kids in a candy store,” Cavoukian said. No one thought of possible backlashes to collecting too much information, she added. After 9/11, especially in the U.S., traditional distrust for the government seemed to shift over to the private sector. “Everyone was now looking at business to clean up its act,” she said.
To do this, companies need to realize that the role of the CIO often conflicts with many privacy principles, since the CIO’s mandate is to make information more accessible, not to restrict it. To draw that line, companies should look into introducing the position of chief privacy officer. This person’s job is to mandate the control of personal data access.
Often it is the simplest things that are overlooked. In the case of CIBC, Cavoukian said, the first steps should have been to stop the faxes and check the systems, and to have someone fly down to West Virginia to thank the guy for his honesty.
“This is not brain surgery,” she said. Had she jurisdiction in this case, she said, “I’d….” Then, still angry, she quickly composed herself and let her voice trail off.