Tuesday, April 05, 2005

Privacy is a multidisciplinary issue in Canada

John Oltsik, an analyst for Enterprise Strategy Group, has in opinion piece in ZDnet about security basics and how elementary steps can be taken to avert privacy disasters. He mentions training as a critical component of securing systems:

Black eye for privacy Tech News on ZDNet:

"... The other elementary security action item is user training. Employees need to know how to recognize and report threats, not act as a patsy. If I want to break into the payroll system, the easiest way to proceed is simply to ask someone in finance for their password. With a bit of 'social engineering'--that is, flim-flam--you'd be surprised how many people will volunteer confidential information. Only 25 percent of companies provide employees with security training; I'd say this is a fundamental problem...."

I have to agree that training is critical for avoiding security disasters. But privacy is not just about security. In too many companies, I have seen the "privacy issue" handed over to the CIO as a technical issue. This may work in the United States where there are no laws governing companies like ChoicePoint and LexisNexis. But this does not fly in Canada.

In Canada, companies have to address the Personal Information Protection and Electronic Documents Act (often known by its snappy acronym, PIPEDA). Security is only one of ten principles that must be followed. The other principles involve accountability, communicating purposes, obtaining consent, limiting collection, use, disclosure and retention, providing access, providing redress.

In Canada, privacy is a multi-disciplinary issue that requires the CIO, HR, internal audit, marketing and just about every other division. I've seen companies that "lock down" all their data, but still let marketing collect way more information than they reasonably need without telling the consumer how the information would be used, in violation of the limiting collection, indentifying purposes and consent principles. I've seen the credit department demand social insurance numbers, which is a no-no under the law. I've also seen well-intentioned people disclose waaaaaayyyyy to much information, resulting in lost jobs and other ill effects.

The companies that do well under PIPEDA are those who see it as a customer service issue and a risk management issue, needing to be integrated into the company's culture and part of its mission to its customers. Everyone who touches customers or customers' information needs to know what they are doing, and how to properly treat and protect customer information. It's a team effort.

No comments: