Privacy by Design – The Next Wave:
How to Protect Privacy Globally
Ann Cavoukian, Ph.D.
Information and Privacy Commissioner
Ontario, Canada
International Association of Business Communicators
World Conference, Toronto, Canada
June 7, 2010
Presentation Outline
1. Setting the Stage: Changing the Paradigm
2. SmartPrivacy and Privacy by Design
3. SmartPrivacy is Smart Business
4. Web 2.0: Privacy in the Clouds
5. Online Social Networks
6. Develop A Culture of Privacy
7. Conclusions
Setting the Stage:
Why We Need to
Change the Paradigm
Privacy = Freedom
If Privacy is to Survive,
Things Have to Change
The Future of Privacy:
Change the Paradigm to
Positive-Sum,
NOT
Zero-Sum
Positive-Sum Model
Change the paradigm
from a zero-sum to
a “positive-sum” model:
Create a win-win scenario,
not an either/or
involving unnecessary trade-offs
and false dichotomies
SmartPrivacy
and
Privacy by Design
SmartPrivacy
www.smartprivacy.ca
Privacy by Design — “The sine qua non”
Data Security
Fair Information Practices
Foundations
SmartPrivacy v1.0
“SmartPrivacy is the umbrella that offers the complete suite of protections to ensure data privacy. It consists of multiple
measures ranging from regulatory protections to education and awareness, but one measure stands out as the sine qua
non: Privacy by Design.”
— Dr. Ann Cavoukian, Information & Privacy Commissioner of Ontario, Canada, August 13, 2009.
Privacy by Design: “Build It In”
• I first developed the concept of Privacy by Design in the 90s,
as a response to the growing threats to online privacy that were
beginning to emerge;
• Privacy by Design seeks to build in privacy – up front,
right into the design specifications; into the architecture;
embed privacy into the technology used – bake it in;
• Data minimization is key: minimize the routine collection
and use of personally identifiable information – use encrypted
or coded information whenever possible;
• Use PETs Plus wherever possible: give people maximum
control over their own data.
Privacy by Design:
The Trilogy of Applications
Information Technology
Accountable
Business Practices
Physical Design
& Infrastructure
Privacy by Design:
The 7 Foundational Principles
1. Proactive not Reactive;
Preventative not Remedial
2. Privacy as the Default
3. Privacy Embedded into Design
4. Full Functionality:
Positive-Sum, not Zero-Sum
5. End-to-End Lifecycle Protection
6. Visibility and Transparency
7. Respect for User Privacy
www.ipc.on.ca/images/Resources/7foundationalprinciples.pdf
SmartPrivacy
is Smart Business
The Privacy Dividend
1. The Business Case
2. Personal Information in the
Business Context
3. Creating the Business Case
“In the words of Commissioner
Cavoukian, “The ‘payoff’ to privacy-respecting organisations is ... ultimately,
enduring competitive advantage. In a
world of increasingly savvy and interconnected customers, an organisation’s
approach to privacy may offer precisely the
competitive advantage needed to succeed.”
www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/privacy_dividend.pdf
The Bottom Line
Privacy should be viewed as a
business issue, not a
compliance issue
Think strategically and transform privacy into a
competitive business advantage
Consumer Choice and Privacy
• There is a strong competitive advantage for businesses
to invest in good data privacy and security practices;
• “There is a significant portion of the population that is
becoming concerned about identity theft, and it is
influencing their purchasing decisions.”
— Rena Mears, Deloitte & Touche LLP
Costs of a Privacy Breach
• Legal liabilities, class action suits;
• Loss of client confidentiality and trust;
• Diminution of brand and reputation;
• Loss of customers, competitive edge;
• Penalties and fines levied;
• Costs of crisis management, damage control, review
and retrofit of information systems, policies and
procedures.
Good Governance and Privacy:
Board of Directors
IPC Publication:
• Guidance to corporate directors
faced with increasing
responsibilities and expectation
of openness and transparency;
• Privacy among the key issues that
Boards of Directors must address;
• Potential risks if Directors ignore
privacy;
• Great benefits to be reaped if
privacy included in a company’s
business plan.
www.ipc.on.ca/docs/director.pdf
Bottom Line:
It’s All About Trust
“Trust is more important than ever online …
Price does not rule the Web … Trust does.”
— Frederick F. Reichheld,
Loyalty Rules: How Today’s Leaders
Build Lasting Relationships
Consumer Trust:
A Matter of Faith
• According to Symantec’s 2009 Internet Security Report,
less than half (47%) of Canadians have faith that their
personal information is protected while shopping online;
“I think people see that, all over the world, organizations
have had credit card numbers stolen out from
underneath them and they understand that this theft
occurs over the Internet ...”
— Robert Hamilton,
Product Marketing Manager of Symantec Corp.
— www.symantec.com/content/en/us/about/media/pdfs/Symc_ISTrends09_ISSPredictions10.pdf
Ten Reasons for Building
Consumer Trust
1. Avoiding damage to your company’s and/or brand’s
reputation;
2. Avoiding penalization by any existing or pending
laws;
3. Avoiding civil and class-action lawsuits;
4. Maintaining the balance of monitoring the activities
of employees while not harming their morale and
productivity;
5. Ensuring the continuation of valuable business
relationships by ensuring your company measures up
to the privacy standards adopted by strategic partners;
Ten Reasons for Building
Consumer Trust (Cont’d)
6. Being aware of the privacy laws and customs in other
countries;
7. Gaining the trust and confidence of customers so that they will
not provide you with false information;
8. Dealing with consumers who expect you to treat their personal
information the same way that you would treat your own;
9. Repeat online customers are those that feel assured that
shopping online is secure and that their information is
protected;
10. Gain and maintain an edge over your competitors through
embracing more than just the minimum of laws, regulations
and privacy best practices.
— Ann Cavoukian, Ph.D., Tyler Hamilton, The Privacy Payoff: How Successful
Business Build Consumer Trust, McGraw-Hill Ryerson, 2002, pp. 13-14.
Make Privacy A Core Competency
for Competitive Advantage
Customer benefits:
• Protecting privacy gives customers the reassurance of
knowing what is happening to their personal information;
Hard to imitate:
• Privacy is respected when you have a “culture of privacy”
– we all know how difficult it is to effect culture change;
It can be leveraged widely to many products and markets:
• Respect for privacy attaches to your brand, and therefore,
cuts across product and service lines, just as a reputation
for bad service infects all lines.
Web 2.0:
Privacy
in the Clouds
Identity and Privacy Crisis
Growing ID requirements pose privacy problems:
• Fraud and security concerns are inhibiting confidence,
trust, and the growth of e-commerce, e-government;
• Fears of surveillance and excessive collection, use and
disclosure of identity information by others are also
diminishing confidence and use;
• Lack of individual user empowerment and control
over one’s own personal data is diminishing confidence
and use;
• Function creep, power asymmetries, discrimination,
harm;
Needed: improved user control, data minimization techniques,
architectures of privacy, stronger security, trusted devices and
credible assurances.
Privacy in the Clouds
• The 21st Century
Privacy Challenge;
• Creating a User-Centric
Identity Management
Infrastructure;
• Technology
Building Blocks;
• Call to Action.
www.ipc.on.ca/images/Resources%5Cprivacyintheclouds.pdf
The 21st Century
Privacy Challenge
Power and Promise of Cloud Computing:
• Limitless flexibility;
• Better reliability and security;
• Enhanced collaboration;
• Portability;
• Simpler devices.
The 21st Century
Privacy Challenge (Cont’d)
Cloud computing requires identity services that:
• Are device independent;
• Enable a single sign-on to thousands of online services;
• Allow pseudonyms and multiple discrete (and valid)
identities to protect user privacy;
• Are interoperable, based on open standards, and
available in open source software (to maximize user
choice);
• Enable federated identity management;
• Are transparent and lend themselves to audit.
Cloud Technology Building Blocks
• Open source and proprietary identity software
based on open standards;
• Federated identity;
• Multiple and partial identities;
• Data-centred policies;
• Audit tools.
Online Social Networks
Privacy Remains
a key social norm
www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=138
But Some Social Practices
are Changing:
• Digital Dumping
• Sexting
• Twiddling
• Pee-Mail
Do Not Underestimate
the Winds of Change …
Do not let
weak privacy practices
damage your Brand
Crawled, Scraped and Spidered
• Social media sites are being crawled, scraped and spidered, and
the personal data they collect is being aggregated and indexed,
made searchable to anyone, for free, on the internet;
• www.zoominfo.com (Finds People and Companies)
• www.snitch.name (Social White pages)
• www.spock.com (a.k.a. Intelius People Search)
• www.pipl.com (Most comprehensive people search)
• Where is this personal information going?
• Where else is personal data being collected, shared, and used?
NYT: Facebook
– Bold and Controversial Changes
“In December, Facebook made a series of bold and
controversial changes regarding the nature of its users'
privacy on the social networking site. The company once
known for protecting privacy now seemingly wants to
compete with more open social networks like the
microblogging media darling Twitter.”
— The 3 Facebook Settings Every User Should Check Now,
Sarah Perez, New York Times, January 20, 2010.
Power of the Default
The Default Rules:
80% of the time, whatever option
is presented as the default,
that will be the condition that prevails
What to Avoid:
Brand Fatigue …
Brand Backlash …
Damage to your Brand
Develop A
Culture of Privacy
Redirecting Institutional Culture
“A company must challenge all its assumptions about how each task
is handled. It must not be afraid to peel back the layers and examine
itself in a way it has never had to in the past … devoting a
tremendous amount of time and energy to the task.”
— William A. Wheeler, Business Process Engineering: Breakpoint Strategies
for Market Dominance, 1993.
“Organizational learning theorists propose that it is not enough for
leaders to design appropriate organization structures and to make
well-reasoned decisions; instead, organizations must be characterized
at all levels by attentiveness to changing conditions.”
— Dr. Amy C. Edmondson, Professor of Leadership and Management
and Chair of the Doctoral Programs, Harvard Business School.
Building A Culture of Privacy
• A culture of privacy enables sustained collective action
by providing people with a similarity of approach,
outlook, and priorities;
• The importance of privacy must be a message
that comes from the top;
• Privacy must be woven into the fabric of the
day-to-day operations of an organization, with
adequate resources.
Benefits of A
Commitment to Privacy
• Strong organizational image and reputation
as a forward-thinking, progressive leader;
• Enhanced data quality and integrity;
• Savings in terms of time and money (e.g., avoid
lawsuits, avoid requirement to notify individuals
following a privacy breach, etc.).
Weaving Privacy into
Day-to-Day Operations
• On-going privacy training and awareness program (new
staff training; refresher training for existing staff, new
threats to privacy, new technology threats and solutions);
• Policies and procedures for maintaining privacy must be
clearly articulated and individuals must know how to
apply them in the day-to-day work;
• Privacy must form part of the performance standard for
every business that works with personal information.
Global Condemnation by
Privacy Watchdogs
• In April, 2010, Google and other online companies faced
international condemnation from privacy commissioners around
the globe over the way it mishandled the private information of
millions of its users with the roll out of its Google Buzz service;
• The heads of privacy and data protection agencies from ten
countries issued a joint letter calling on the Web giant and
others to do more to respect the privacy rights of their users;
• The letter stated that international agencies are becoming
“increasingly concerned” that Google and other online companies
are forgetting the privacy rights of Internet users when rolling out
new technologies and services;
— Matt Hartley, Canwest News Service, April 20, 2010
Global Condemnation by
Privacy Watchdogs (Cont’d)
"We therefore call on you, like all organizations
entrusted with people's personal information, to
incorporate fundamental privacy principles directly
into the design of new online services:"
• Ensuring the service has easy to understand privacy controls;
• Default settings that better protect privacy and the ability to
protect all personal data;
• Offering users an easy way to delete their accounts quickly;
• Collecting only the minimum amount of personal information
necessary;
• Providing clear and unambiguous information about how a
user's personal information will be used.
Privacy by Design …
or
Privacy by Disaster?
… You decide
Conclusions
• If you develop a trusted business relationship with your customers, they will
provide you with a steady stream of information – enhancing communication
opportunities;
• It’s all about trust – when personal information is involved, you build consumer
confidence and trust by strongly protecting your customers’ privacy;
• By protecting privacy, and communicating that clearly to your customers, it will
give them a comfort level to communicate freely with you, without fear of their
information being indiscriminately disclosed – a true “win/win;”
• Lead with Privacy by Design – embed privacy into the design specifications of
information technologies, accountable business practices and operations;
• Take it a step further – change the paradigm from “zero-sum” to “positive sum,”
where both privacy and business interests can be delivered, thereby raising the
overall level of protection and functionality.
How to Contact Us
Ann Cavoukian, Ph.D.
Information & Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario, Canada
M4W 1A8
Phone: (416) 326-3948 / 1-800-387-0073
Web: www.ipc.on.ca
E-mail: [email protected]
For more information on Privacy by Design, please visit:
www.privacybydesign.ca