EU newsletter on Data Privacy

PRIVACY AND DATA PROTECTION

From: Kitty Choi, Head, Efficiency Unit
To: Heads of Department
Date: 27 May, 2009

Efficiency Unit contacts:
Head, EU: Kitty Choi, kkychoi@eu.gov.hk, Tel: 2810 2021
Deputy Head, EU: Patricia Lau, plau@eu.gov.hk, Tel: 2810 3463
Assistant Director, EU: W C Chan, wcchan@eu.gov.hk, Tel: 2165 7228
Assistant Director, EU: Peggy Leung, pwkleung@eu.gov.hk
Assistant Director, EU: W F Yuk, wfyuk@eu.gov.hk
Assistant Director, EU: Steve Barclay, sbarclay@eu.gov.hk, Tel: 2810 3408
PMSO, EU: Hedy Lo, hwhlo@eu.gov.hk, Tel: 2165 7288
PMSO, EU: K W Kong, kwkong@eu.gov.hk, Tel: 2165 7288
PMSO, EU: David Hooi, dwkhooi@eu.gov.hk, Tel: 2810 3701
PEO, EU: Judy Li, jckli@eu.gov.hk

PRIVACY AND DATA PROTECTION ARE SENIOR MANAGEMENT CONCERNS

The way in which organisations manage and protect personal information has never been under such scrutiny as now. The current climate of concern stems from a series of mass leakages of personal information. In the first quarter of 2009, more than 150 privacy incidents happened around the world, while over 3 million personal records were disclosed unintentionally (Source: Open Security Foundation). Recently in Hong Kong, repeated incidents of loss of removable devices (e.g. USB), inappropriate use of peer-to-peer applications (e.g. Foxy) or loss of data servers have been extensively reported by the media.

These privacy breaches reflect a spectrum of risks throughout the data management lifecycle, which consists of collection, storage, retention, use, sharing, archival, disposition and destruction of data. These risks may include regulatory non-compliance, impact on operations, lack of public trust, legal liabilities, identity theft/information misuse and, last but not least, reputation risk.

Privacy and data protection issues require strategic attention from leaders. Merely plugging the technology loophole may provide an interim solution at best, but it will not solve the problem in the longer term.

In response to client needs, consulting firms have established their own frameworks to protect personal data. The EU recently met with Deloitte's Enterprise Risk Services Practice and we would like to share their insights in this newsletter.

SOURCES OF DATA LEAKAGE

Data leakage might occur through simple day-to-day activities such as handling of physical records, e-mail exchanges, telephone conversations, data-sharing on USB flash drives and usage of peer-to-peer software or instant messaging services. Recent research reported that there were over 1,000 personal data incidents worldwide from 2005 to June 2008, in which 50% of the cases were due to accidental exposure, human or system errors, improper data disposal and loss of removable media, and 46% of cases involved data with no protection at all (Source: Computer Weekly).
CHALLENGES TO PRIVACY AND DATA PROTECTION

According to a global security survey of the world's top 100 global financial institutions conducted by Deloitte in 2008, 48% of respondents indicated that the loss of customer data/privacy issues/information leakage was their highest concern. Human error is overwhelmingly stated as the greatest weakness (86%), followed by technology (63%). While the Government operates in a different paradigm, given that we possess a huge amount of personal data across different government departments and that the public has high expectations of us to guard their privacy, we need to be ahead of this game.

Respondents also expressed concern about the growing popularity of social networking technologies (e.g. Facebook), instant messaging technologies (e.g. MSN) and the proliferation of storage devices (e.g. USB) as well as mobile devices (e.g. Blackberry).

As a result, more than half of the respondents surveyed restricted the use of social networking (53%) or instant messaging technologies (58%) but, for productivity reasons, they allowed employees to use storage devices (73%) or mobile devices (90%). Nevertheless, less than 40% of respondents offered employee guidelines on the secure use of these devices, and only around 40% published policies on acceptable business use.

The survey also showed that only 44% of respondents have assigned a dedicated privacy executive officer, whose major responsibilities are to analyse regulation, develop privacy strategy, enforce policies, provide internal consulting on privacy issues, conduct training, respond to incidents, monitor and measure compliance, and perform risk assessments.
When asked to select the most influential drivers for management attention on privacy, respondents cited the need to comply with privacy regulations (79%), protection of brand and reputation (70%) and potential liability (55%) as their top three choices.

A COMPREHENSIVE DATA CONTROL FRAMEWORK AND A HOLISTIC APPROACH

In addressing privacy and data protection issues, organisations are often locked into a reactive mode. According to another survey conducted by Deloitte, privacy and security professionals spend more than 50% of their time responding to privacy breaches: investigation, remediation, incident reporting and notification, as well as communication with customers, employees and stakeholders. Respondents struggle to allocate time to consider proactive privacy protection measures.

In addition, organisations often view personal data leakage as a technology issue and respond with tactical measures such as implementing additional stringent IT security controls. However, technology is not the panacea. Insufficient support from management and staff, as well as an inadequate framework, would undermine the effectiveness of data protection.

Therefore, a data control framework may be established at different levels of the organisation to include:
• Governance: The level at which privacy strategy is formulated and applied to the organisation's unique environment;
• Operations: The level at which day-to-day operational procedures and staff awareness regarding data privacy are established; and
• Maintenance: The level at which ongoing monitoring and controls are applied effectively, especially in the light of any changes in process and technology.

In parallel, a holistic privacy protection programme with layered enforcement among People, Process and Technology may also be formulated.
• People serve as the most important and integral part of data protection. This requires support from the department's top management, awareness among all staff, and a sound culture of data protection.
• Processes should be well organised and documented in order to minimise the human error that may cause a violation of data privacy protection. Policies should be established to provide general data privacy principles.
• Technology supporting the process should be appropriately implemented to minimise the risk of leakage of personal information throughout the data management lifecycle.

SUMMARY

Data leakage incidents are serious threats to organisations of all sizes and across various operational functions. They often attract negative publicity, and reputation management becomes an issue. However, addressing privacy and data protection issues merely from the technology perspective will not provide a robust and long-term solution. Organisations should be proactive and adopt a holistic approach to protecting personal information. Developing a culture that is sensitive to the day-to-day handling of personal data will help minimise the reliance on crisis management when data leakage incidents hit the media.

If you wish to find out more about the framework and the surveys mentioned in this newsletter, please visit http://www.deloitte.com

Efficiency Unit
May 2009
