Three privacy articles, and a summary of Catalyst's corporate governance reports:

A PIPEDA workflow from Tom De Rosa, National Solutions Specialist with Oracle Corporation Canada

New Year's Security Resolutions

The Privacy Contradiction

Catalyst, the New York based think tank, offers a variety of publications and research reports on women in the boardroom and diversity’s impact on corporate governance.

January 2004

Dear Friends and Colleagues,

Wading through the flood of information on privacy and security governance in Canada? You’re not alone. Confusion and concern across a variety of industries have manifested as a result of significant legislative changes in Canada and the US, not to mention ongoing constitutional challenges to these changes.

Integrity Incorporated is here to help you cut through that, both via our services and the information we offer to our subscribers. It is my pleasure to invite you to subscribe to Compass, the Integrity Incorporated monthly newsletter on privacy, security and governance. We’ll cover:

  • The latest news and industry information
  • Events related to privacy, security and governance
  • Case studies and commentary on complex privacy, security and governance projects
  • Expert advice and answers to your security and governance questions

We follow strict opt-in procedures for our communication, and you will not receive further newsletter communication from us unless you choose to subscribe. Click here to do so!

In this issue, you’ll learn how a major health care project integrated a variety of privacy policies for a complex communications infrastructure, the implications of Quebec’s challenge to PIPEDA, and analysis of some trends and events in security and privacy governance, both cautionary tales and success stories! We welcome your feedback on this newsletter, and invite you to send it along. And again, if you don’t subscribe, you won’t receive the next issue so click here to do so now!

Best regards,

Carolyn Burke, CEO
Integrity Incorporated

Microsoft Canada Partner Tour
This multi-city tour features a keynote address by Integrity CEO Carolyn Burke on Microsoft Security. This tour is exclusively for Microsoft partners; presentation information will be available online. Carolyn Burke and Microsoft’s Steve Ballmer will also be speaking at the TechNet / MSDN Security Forum on February 25 and 26.

February 3 Montreal
February 5 Vancouver
February 16 Halifax
February 23 Edmonton
February 25 Toronto

Please go to for additional information.

What Do Intelligent Enterprises Know? Harness the Power of Data, Content & Knowledge:
E-Content Institute Conference 2004
Mitigate Risk with Corporate Information Policies

Is your organization a level two or a level three? How do you become a security-mature organization? For executives and managers with knowledge management responsibility, gaining an understanding of how security and privacy impact KM can be the first hurdle to effective policy development. An informative case study from the pharmaceutical industry will be presented to explore the difficulties faced in moving from a level 3 to a fully mature level 4 organization. Attendees will also leave with an action plan on how to attain level 5 SPM-CMM maturity (Security and Privacy Management - Capability Maturity Model).

Each issue we’ll examine compliance related to a specific industry or governance problem and walk through how a solution was, or could be, reached.

January Spotlight: Health Care

This health care organization wanted to implement a service by which rural doctors could virtually consult with specialists in urban centres. Because the information being shared is highly confidential, and because a variety of different institutions were involved, an analysis of the existing privacy policies was the first step.

Because information was going to be shared between organizations, the privacy policies of all organizations needed to be amalgamated, and to ensure that every policy was met, the most stringent policy had to apply to all. This resulted in:

  • Co-ordination of all co-operating institutions’ privacy policies so that they were amalgamated and fully covered, with the most stringent policy applied throughout
  • Policy review for all organizations
  • Training of the various institutions to properly handle the exchange of information, given the varying legislative jurisdictions involved

Services Provided:

  • Needs Assessment
  • Privacy Impact Assessment
  • Gap Analysis
  • Policy Review and Training

Project Duration:

Three months from initiation of review to completion

Dear Readers,

We invite you to submit questions on security, privacy and governance compliance to Our first question comes from RV in Toronto. RV asks:

Dear Compass,

Given the recent constitutional challenge to PIPEDA by Quebec, how will this impact the implementation and compliance in the rest of Canada?

Compass responds:

Great question, RV. For those of you who aren’t familiar with this story, a good summary of the issues can be found here.

The privacy community thinks Quebec will succeed, given their past track record with constitutional challenges. So what are the implications for the rest of the country should PIPEDA fall to this challenge? 

The main implication is one that has always been in place: organizations need to build flexible compliance systems. Regulations will change because society is changing, not only through challenges like this one but also because new technologies (RFID, for example) have massive implications for privacy within corporations and organizations. Legislation will always change and evolve, and the ideal system is one that is flexible enough to adapt. This means organizations need to:

  • Make provision for handling future changes within the privacy policies themselves
  • Conduct regular scrutiny of ongoing changes to privacy legislation
  • Engage with legal teams within, or representing, the organization to provide regular reports on moving targets and recommendations for required policy change

So in other words, PIPEDA may come and go, in another form and by another name perhaps, but privacy legislation is here to stay. It will likely change regularly, so the best policies are those that are flexible enough to provide for those changes.

It’s a shame that organizations are still in reactive mode. A recent ZDNet story highlighted a survey showing that organizations are increasing security spending – but largely because they have no choice. Legislative change is the biggest driver in security spending increases, in response to increased liability over breaches. 

Business has long said that self-regulation is the best tool to ensure compliance with basic data protection standards, but Sarbanes-Oxley has probably brought about more change since its passing than years of ‘self-regulation’. 

It’s too bad that in an area as important as data protection, government intervention and the threat of lawsuits are the only reasons companies are starting to invest. It gives credence to the easiest and least ethical tool in the security marketer’s kit: fear-based messaging.

As mentioned in this month’s cautionary tale, self-regulation as it relates to privacy and security compliance has been virtually non-existent to date. There are signs of hope on the horizon, however. A CNET story discusses the release of the first reports from the five working groups formed at the National Cyber Security Summit, which set a twelve-month timeline for results. We’ll be watching!

Integrity Incorporated
155 Dalhousie Street, Ste 701
Toronto, ON, M5B 2P7 Canada
T/ 416 369 0113     F/ 416 369 0148

Full Disclosure:
Microsoft Canada ® is a consulting client of Integrity Incorporated.

Copyright © 2004 Integrity Incorporated. All rights reserved. The Integrity Incorporated 'mark of integrity' is a registered trademark of Integrity Incorporated and is pending approval in the Canadian Trademark Office. Integrity Incorporated is a member of the family of values-focused River Street Bridge Inc. companies.