The Success of E-Commerce May Hinge on a Fundamental Human
The Privacy Imperative:
Go Beyond Compliance to
Competitive Advantage
Ann Cavoukian, Ph.D.
Information & Privacy Commissioner/Ontario
www.ipc.on.ca
Cambridge Chamber of Commerce
March 2, 2004
Impetus for Change
Growth of Privacy as a Global Issue
EU Directive on Data Protection
Increasing amounts of personal data
collected, consolidated, aggregated
Consumer Backlash; heightened
consumer expectations
www.ipc.on.ca
Slide 2
The New Debate:
Privacy After 9/11
It’s business as usual:
• Clear distinction between public safety and
business issues – make no mistake
• NO reduction in consumer expectations
• Increased value of trusted relationships
Consumer Attitudes
Business is not a beneficiary of the
post-9/11 “Trust Mood”
Increased trust in government has not been
paralleled by increased trust in business
handling of personal information
Privacy On and Off the Internet: What Consumers Want
Harris Interactive, November 2001
Dr. Alan Westin
Importance of Consumer Trust
In the post-9/11 world:
• Consumers either as concerned or more concerned about
online privacy
• Concerns focused on the business use of personal
information, not new government surveillance powers
If consumers have confidence in a company’s
privacy practices, consumers are more likely to:
• Increase volume of business with company: 91%
• Increase frequency of business: 90%
• Stop doing business with company if PI misused: 83%
Harris/Westin Poll, Nov. 2001 & Feb. 2002
Information Privacy Defined
Information Privacy: Data Protection
• Freedom of choice; control; informational self-determination
• Personal control over the collection, use and disclosure of any recorded information about an identifiable individual
What Privacy is Not
Security ≠ Privacy
Privacy and Security: The Difference
Security: organizational control of information through information systems
• Authentication
• Data Integrity
• Confidentiality
• Non-repudiation
Privacy; Data Protection: Fair Information Practices
Fair Information Practices:
A Brief History
OECD Guidelines on the Protection of Privacy
and Transborder Flows of Personal Data
EU Directive on Data Protection
CSA Model Code for the Protection of
Personal Information
Canada Personal Information Protection and
Electronic Documents Act (PIPEDA)
Summary of Fair Information Practices
• Accountability
• Identifying Purposes
• Consent
• Limiting Collection
• Limiting Use, Disclosure, Retention
• Accuracy
• Safeguards
• Openness
• Individual Access
• Challenging Compliance
The Ten Commandments
Accountability
– for personal information
– designate an individual(s) accountable for compliance
Identifying Purposes
– purpose of collection must be clear at or before time of collection
Consent
– individual has to give consent to collection, use, disclosure of personal information
The Ten Commandments
Limiting Collection
– collect only information required for the identified purpose; information shall be collected by fair and lawful means
Limiting Use, Disclosure, Retention
– consent of individual required for all other purposes
Accuracy
– keep information as accurate and up-to-date as necessary for identified purpose
Safeguards
– protection and security required, appropriate to the sensitivity of the information
The Ten Commandments
Openness
– policies and other information about the management of personal information should be readily available
Individual Access
– upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and be given access to that information, be able to challenge its accuracy and completeness and have it amended as appropriate
Challenging Compliance
– ability to challenge all practices in accord with the above principles to the accountable body in the organization.
Federal Privacy Legislation
in Canada
Personal Information Protection and
Electronic Document Act (PIPEDA)
Staggered implementation:
• Federally regulated businesses, 2001
• Federal health sector, 2002
• Provincially regulated private sector, 2004
Extension of PIPEDA
As of January 1, 2004, PIPEDA has extended to:
all personal information collected, used or
disclosed in the course of commercial activities by
provincially regulated organizations (including
insurance companies and independent insurance
adjusters)
unless a substantially similar provincial privacy
law is in force
Provincial Private-Sector Privacy
Laws
Québec: Act respecting the protection of
personal information in the private sector
B.C.: Personal Information Protection Act
Alberta: Personal Information Protection Act
Ontario: draft Privacy of Personal Information
Act, 2002 – not introduced…so PIPEDA applies
Application of PIPEDA in Ontario
January 2004 PIPEDA applies to the commercial
activity of provincially regulated organizations
Uncertainty as to what exactly is covered in “commercial activity.” For example:
• The practice of law, even legal aid?
• Health care delivery, such as doctors, hospital care?
Await decisions of federal Privacy Commissioner
Employee Information
Employee information of provincially
regulated employers will not be covered
However, where an Ontario organization is part of a cross-border enterprise, it may fall under PIPEDA as an employer
Ontario: Health Information
Protection Act, 2003 (HIPA)
Ontario government introduced health privacy bill
(Bill 31) on December 17, 2003
Referred to Standing Committee on General Government, which held public hearings and clause-by-clause deliberations
Expected to come into effect January 1, 2005
The Bottom Line
Privacy should be viewed as
a business issue, not a
compliance issue
The Promise
Electronic Commerce projected to reach $220 billion by 2001 (WTO, 1998)
Estimates revised downward to reflect lower expectations
Electronic Commerce projected to reach $133 billion by 2004 (Wharton Forum on E-Commerce, 1999)
Privacy is affecting E-Commerce
United States: e-commerce sales were only 1.6% of total sales -- $54.9 billion in 2003
U.S. Dept. of Commerce Census Bureau, February 2004
Canada: Online sales were only 0.6% of total revenues -- $13.7 billion in 2002
Statistics Canada, April 2003
Lack of Privacy = Lack of Sales
“Consumer privacy apprehensions continue to
plague the Web. These fears will hold back
roughly $15 billion in e-commerce revenue.”
Forrester Research, September 2001
“Privacy and security concerns could cost
online sellers almost $25 billion by 2006.”
Jupiter Research, May 2002
The Business Case
“Our research shows that 80% of our
customers would walk away if we
mishandled their personal information.”
CPO, Royal Bank of Canada, 2003
Nearly 90% of online consumers want the
right to control how their personal
information is used after it is collected.
How The Public Divides on Privacy
[Bar chart, Feb 2003 (%): Privacy Fundamentalists 26; Privacy Pragmatists 64; Privacy Unconcerned 10]
The “Privacy Dynamic” - Battle for the minds of the pragmatists
Dr. Alan Westin
Make Privacy a Corporate Priority
An effective privacy program needs to be
integrated into the corporate culture
It is essential that privacy protection become
a corporate priority throughout all levels of
the organization
Senior Management and Board of Directors’
commitment is critical
Good Governance & Privacy
“Privacy and Boards of Directors:
What You Don’t Know Can Hurt You”
• Guidance to corporate directors faced with
increasing responsibilities and expectation of
openness and transparency
• Privacy among the key issues that Boards of
Directors must address
• Potential risks if Directors ignore privacy
• Great benefits to be reaped if privacy included in a
company’s business plan
Privacy Diagnostic Tool
Simple, plain-language tool
(paper and e-versions)
Free & self-administered
CSA model code to examine
an organization’s privacy
management practices
www.ipc.on.ca/PDT
Final Thought
“Anyone today who thinks the
privacy issue has peaked is
greatly mistaken…we are in the
early stages of a sweeping
change in attitudes that will
fuel political battles and put
once-routine business practices
under the microscope.”
Forrester Research, March 5, 2001
How to Contact Us
Commissioner Ann Cavoukian
Information & Privacy Commissioner/Ontario
80 Bloor Street West, Suite 1700
Toronto, Ontario M5S 2V1
Phone: (416) 326-3333
Web: www.ipc.on.ca
E-mail: [email protected]