Exploring model privacy programs at organizations both large and small
By Jedidiah Bracy, CIPP/US, CIPP/E
The IAPP recently honored two organizations for unique privacy programs that foster trust and bolster value to both the public and private sectors. This year’s HP-IAPP Privacy Innovation Awards went to global communications company Vodafone and the Canada-based Alberta Pensions Services Corporation (APS).
Calling the organizations “visionaries in our industry,” IAPP President and CEO Trevor Hughes, CIPP, said the “pioneering efforts of these organizations to develop original and comprehensive approaches to privacy and security not only benefit consumers and businesses but elevate the profession as a whole.”
Both Vodafone, winner in the large organization category, and APS, recipient of the small organization award, faced their own set of challenges implementing their privacy programs, but both shared a similar recognition of the importance of an organization-wide privacy culture from top to bottom.
“Credit has to go to our previous CEO as it was her goal to have a privacy-conscious organization,” said APS Risk Management and Compliance Director Pamela Tom, noting an external consultant was brought in to review an organization-wide risk assessment and, at first, didn’t give APS a very good score.
In response, APS created a formal privacy office to educate staff on privacy issues and to implement policies and procedures. Tom was brought in to help lead the initiative.
“Privacy was new to me,” Tom said. “I had to get up-to-speed very quickly.”
APS is subject to Alberta’s Freedom of Information and Protection of Privacy Act, so Tom said she immediately devoured the bill for comprehension. As a public-sector pension services organization, APS oversees more than 304,000 members and pensioners across the province. With such a vast amount of sensitive personal information—including salaries, health data and social insurance numbers—a comprehensive privacy program was paramount for APS.
Tom said that creating a vision based on privacy was important for the organization. In order to get staff—at all levels within the organization—to be more aware of privacy issues, Tom kept her message simple. She would ask staff members what privacy meant to them and place the employee within the context of being a pensioner. “If this was your information, how would you feel if it was mistreated or not held at a high standard?” Tom would ask.
Since APS is located within one building, Tom says it was easy to communicate her message throughout the organization, and she gives credit to APS staff. Tom says the moment the office was up-and-running, people were coming to talk to her about various privacy issues.
In addition to annual privacy training, APS requires that staff at all levels be subject to privacy and access-to-information responsibilities, which are laid out in the organization’s Delegation and Assignment of Responsibilities Tables and what they call an RACI Chart. The Privacy Advocate Office also works with staff to draft telephone scripts for accurate responses on how data is processed, retained and disclosed.
In just five years, APS went from an organization without any formal privacy program to one with an award-winning, organization-wide, mature privacy program led by two staff members.
For Vodafone, the implementation of an organization-wide privacy program faced different obstacles. Vodafone operates mobile networks in 30 countries and, as of March 2012, served more than 400 million mobile subscribers worldwide in services such as cable and satellite networks, cloud computing and machine-to-machine networks like smart grids.
Launched in February of 2010, Vodafone’s privacy program is a framework built around three core elements, namely, the privacy commitments, the privacy risk management system and the critical privacy risk register.
Global Privacy Officer Stephen Deadman said, “Every part of the Vodafone Privacy Programme is designed to shift the perception of privacy from an obligation imposed from the outside to an integral part of delivering trust and confidence to our customers, partners and stakeholders, demonstrated through our people, products, policies and processes.”
The firm’s seven privacy commitments help form the backbone of the company’s privacy culture. The seven statements—respect, openness and honesty, choice, Privacy by Design, balance, laws and standards and accountability—“are the things we believe and the ways we promise to behave with respect to our customers’ and employees’ privacy,” according to a Vodafone publication. The commitments lay the groundwork for Vodafone employees to have a “clear understanding” of the importance of privacy.
Vodafone has also created a process control system to identify, address and manage privacy risks “on the ground.” Their global Privacy Risk Management System sets out nine common control processes, including reviewing suppliers, instilling Privacy by Design in products and services, data lifecycle management and a review and reporting system to keep senior management up-to-speed on privacy considerations.
Being a large company doing business across the globe, Vodafone says its risk management system “provides the flexibility to respond to local privacy concerns, legal requirements or stakeholder expectations more effectively than a ‘one-size-fits-all’ global policy approach.”
In a rapidly developing digital landscape fraught with emerging and complex privacy issues, Vodafone has also implemented a Critical Privacy Risk Register. This “formal assessment” creates a process for regularly reviewing the “most significant” privacy risks affecting the company.
“We take into account wider developments in technology and the industry and develop strategies and policies to tackle these critical risks at a global level,” notes Vodafone’s program release.
Whether provincial or global, public- or private-sector, small and large organizations alike are taking privacy seriously, and successful privacy programs are the result.
“Starting a new program is scary,” APS’ Tom notes. “Make sure you get buy-in, especially from the top. Once staff realizes and sees the value of privacy as a benefit to them, then privacy becomes an easy sell across the organization.”