Three privacy articles, and a summary of Catalyst's corporate governance reports:
A PIPEDA workflow from Tom De Rosa, National Solutions Specialist with Oracle Corporation Canada
New Year's Security Resolutions
The Privacy Contradiction
Catalyst, the New York based think tank, offers a variety of publications and research reports on women in the boardroom and diversity’s impact on corporate governance
Dear Friends and Colleagues,
Wading through the flood of information on privacy and security governance in Canada? You’re not alone. Confusion and concern across a variety of industries has manifested as a result of significant legislative changes in Canada and the US, not to mention ongoing constitutional challenges to these changes.
Integrity Incorporated is here to help you cut through that, both via our services and the information we offer to our subscribers. It is my pleasure to invite you to subscribe to Compass, the Integrity Incorporated monthly newsletter on privacy, security and governance. We’ll cover:
We follow strict opt-in procedures for our communication, and you will not receive further newsletter communication from us unless you choose to subscribe. Click here to do so!
In this issue, you’ll learn how a major health care project integrated a variety of privacy policies for a complex communications infrastructure, the implications of Quebec’s challenge to PIPEDA, and analysis of some trends and events in security and privacy governance, both cautionary tales and success stories! We welcome your feedback on this newsletter, and invite you to send it along. And again, if you don’t subscribe, you won’t receive the next issue so click here to do so now!
Carolyn Burke, CEO
Microsoft Canada Partner Tour
This multi-city tour features a keynote address by Integrity CEO Carolyn Burke on Microsoft Security. This tour is exclusively for Microsoft partners; presentation information will be available online. Carolyn Burke and Microsoft’s Steve Ballmer will be also speaking at TechNet / MSDN Security Forum on February 25 and 26.
February 3 Montreal
February 5 Vancouver
February 16 Halifax
February 23 Edmonton
February 25 Toronto
Please go to www.microsoft.ca/events for additional information.
Each issue we’ll examine compliance related to a specific industry or governance problem and walk through how a solution was, or could be, reached.
January Spotlight: Health Care
This health care organization wanted to implement a service by which rural doctors could virtually consult with specialists in urban centres. Because the information being shared is highly confidential, and because a variety of different institutions were involved, an analysis of the existing privacy policies was the first step.
Because information was going to be shared between organizations, the privacy policies of all organizations needed to be amalgamated and to ensure that all policies were met, the most stringent policy had to apply to all. This resulted in:
Services Provided:Needs Assessment
Privacy Impact Assessment
Policy Review and Training
Three months from initiation of review to completion
We invite you to submit questions on security, privacy and governance compliance to firstname.lastname@example.org. Our first question comes from RV in Toronto. RV asks:
Given the recent constitutional challenge to PIPEDA by Quebec, how will this impact the implementation and compliance in the rest of Canada?
Great question, RV. For those of you who aren’t familiar with this story, a good summary of the issues can be found here.
The privacy community thinks Quebec will succeed, given their past track record with constitutional challenges. So what are the implications for the rest of the country should PIPEDA fall to this challenge?
The main implication is one that has always been in place. Organizations need to build flexible compliance systems. Regulations will change, because society is changing, and not only because of challenges like this one, but because new technologies (RFID for example) have massive implications for privacy within corporations and organizations. Legislation will always change and evolve and the ideal system is one that is flexible enough to adapt. This means organizations need to:
So in other words, PIPEDA may come and go, in another form and by another name perhaps, but privacy legislation is here to stay. It will likely change regularly, so the best policies are those that are flexible enough to provide for those changes.
It’s a shame that organizations are still in reactive mode. A recent ZDNet story highlighted a survey showing that organizations are increasing security spending – but largely because they have no choice. Legislative change is the biggest driver in security spending increases, in response to increased liability over breaches.
Business has long said that self-regulation is the best tool to ensure compliance with basic data protection standards, but Sarbanes-Oxley has probably brought about more change since its passing than years of ‘self-regulation’.
It’s too bad that in an area as important as data protection, government intervention and the threat of lawsuits are the only reasons companies are starting to invest. It gives credence to the easiest and least ethical tool in the security marketer’s kit: fear-based messaging.
As mentioned in this month’s cautionary tale, self-regulation as it relates to privacy and security compliance has been virtually non-existent to date. There are signs of hope on the horizon, however. A CNET story story discusses the release of the first reports from the five working groups formed at the National Cyber Security Summit and set a twelve-month timeline for results. We’ll be watching!
Microsoft Canada ® is a consulting client of Integrity Incorporated.
Copyright © 2004 Integrity Incorporated. All rights reserved. The Integrity Incorporated 'mark of integrity' is a registered trademark of Integrity Incorporated and is pending approval in the Canadian Trademark Office. Integrity Incorporated is a member of the family of values-focused River Street Bridge Inc. companies.