Efficiency Unit (EU) newsletter on Data Privacy

PRIVACY AND DATA PROTECTION

From: Kitty Choi, Head, Efficiency Unit
To: Heads of Department
Date: 27 May, 2009

Efficiency Unit contacts
Head, EU: Kitty Choi, kkychoi@eu.gov.hk, Tel: 2810 2021
Deputy Head, EU: Patricia Lau, plau@eu.gov.hk, Tel: 2810 3463
Assistant Director, EU: W C Chan, wcchan@eu.gov.hk, Tel: 2165 7228
Assistant Director, EU: Peggy Leung, pwkleung@eu.gov.hk, Tel: 2810 2306
Assistant Director, EU: W F Yuk, wfyuk@eu.gov.hk, Tel: 2810 3701 / 2165 7228
Assistant Director, EU: Steve Barclay, sbarclay@eu.gov.hk, Tel: 2810 3408
PMSO, EU: Hedy Lo, hwhlo@eu.gov.hk, Tel: 2165 7288
PMSO, EU: K W Kong, kwkong@eu.gov.hk, Tel: 2165 7288
PMSO, EU: Peggy Leung, pwkleung@eu.gov.hk, Tel: 2165 7206
PMSO, EU: David Hooi, dwkhooi@eu.gov.hk, Tel: 2810 3701
PEO, EU: Judy Li, jckli@eu.gov.hk, Tel: 2810 2306 / 2165 7206

PRIVACY AND DATA PROTECTION ARE SENIOR MANAGEMENT CONCERNS

The way in which organisations manage and protect personal information has never been under such scrutiny as now. The current climate of concern stems from a series of mass leakages of personal information. In the first quarter of 2009, more than 150 privacy incidents happened around the world, while over 3 million personal records were disclosed unintentionally (Source: Open Security Foundation). Recently in Hong Kong, repeated incidents of loss of removable devices (e.g. USB), inappropriate use of peer-to-peer applications (e.g. Foxy) or loss of data servers have been extensively reported by the media.

These privacy breaches reflect a spectrum of risks throughout the data management lifecycle, which consists of collection, storage, retention, use, sharing, archival, disposition and destruction of data. These risks may include regulatory non-compliance, impact on operations, lack of public trust, legal liabilities, identity theft/information misuse, and last but not least, reputation risk.

Privacy and data protection issues require strategic attention from leaders. Merely plugging the technology loophole may provide an interim solution at best, but it will not solve the problem in the longer term.

In response to client needs, consulting firms have established their own frameworks to protect personal data. The Efficiency Unit recently met with Deloitte's Enterprise Risk Services Practice and we would like to share their insights in this newsletter.

SOURCES OF DATA LEAKAGE

Data leakage might occur through simple day-to-day activities such as handling of physical records, e-mail exchanges, telephone conversations, data-sharing on USB flash drives and usage of peer-to-peer software or instant messaging services. Recent research reported that there were over 1,000 personal data incidents worldwide from 2005 to June 2008, in which 50% of the cases were due to accidental exposure, human or system errors, improper data disposal and loss of removable media, and 46% of cases involved data with no protection at all (Source: Computer Weekly).
CHALLENGES TO PRIVACY AND DATA PROTECTION

According to a global security survey of the world's top 100 global financial institutions conducted by Deloitte in 2008, 48% of respondents indicated that the loss of customer data/privacy issues/information leakage was their highest concern. Human error is overwhelmingly stated as the greatest weakness (86%), followed by technology (63%). While the Government operates in a different paradigm, given that we possess a huge amount of personal data across different government departments and that the public has high expectations of us to guard their privacy, we need to be ahead of this game.

Respondents also expressed concern about the growing popularity of social networking technologies (e.g. Facebook), instant messaging technologies (e.g. MSN) and the proliferation of storage devices (e.g. USB) as well as mobile devices (e.g. Blackberry).

As a result, more than half of the respondents surveyed restricted the use of social networking (53%) or instant messaging technologies (58%) but, for productivity reasons, they allowed
employees to use storage devices (73%) or mobile devices (90%). Nevertheless, less than 40% of
respondents offered employee guidelines on the secured use of these devices and only around
40% published policies on acceptable business use.
The survey also showed that only 44% of respondents have assigned a dedicated privacy executive
officer whose major responsibilities are to analyse regulation, develop privacy strategy, enforce
policies, provide internal consulting on privacy issues, conduct training, respond to incidents,
monitor and measure compliance, and perform risk assessments.
When asked to select the most influential drivers for management attention on privacy, respondents cited the need to comply with privacy regulations (79%), protection of brand and reputation (70%) and potential liability (55%) as their top three choices.

A COMPREHENSIVE DATA CONTROL FRAMEWORK AND A HOLISTIC APPROACH

When addressing privacy and data protection issues, organisations are often locked into a reactive mode. According to another survey conducted by Deloitte, privacy and security professionals spend more than 50% of their time responding to privacy breaches: investigation, remediation, incident reporting and notification, as well as communication with customers, employees and stakeholders. Respondents struggle to allocate time to consider proactive privacy protection measures.

In addition, organisations often view personal data leakage as a technology issue and respond with tactical measures such as implementing additional stringent IT security controls. However, technology is not the panacea. Insufficient support from management and staff, as well as an inadequate framework, would undermine the effectiveness of data protection.

Therefore, a data control framework may be established at different levels of the organisation to include:
• Governance: The level at which privacy strategy is formulated and applied to the unique organisation environment;
• Operations: The level at which day-to-day operational procedures and staff awareness regarding data privacy are established; and
• Maintenance: The level at which on-going monitoring and controls are applied effectively, especially in the light of any changes in process and technology.

In parallel, a holistic privacy protection programme with layered enforcement among People, Process and Technology may also be formulated.
• People serve as the most important and integral part of data protection. This requires support from the department's top management, awareness of all staff, as well as a sound culture of data protection.
• Processes should be well organised and documented in order to minimise human error which may cause a violation of data privacy protection. Policies should be established to provide general data privacy principles.
• Technology supporting the process should be appropriately implemented to minimise the risk of leakage of personal information within the data management lifecycle.

SUMMARY

Data leakage incidents are serious threats to organisations of all sizes and across various operational functions. They often attract negative publicity, and reputation management becomes an issue. However, addressing privacy and data protection issues merely from the technology perspective will not provide a robust and long-term solution. Organisations should be proactive and adopt a holistic approach to protect personal information. Developing a culture that is sensitive to the day-to-day handling of personal data will help minimise the reliance on crisis management when data leakage incidents hit the media.
If you wish to find out more about the framework and the surveys mentioned in this newsletter,
please visit http://www.deloitte.com
Efficiency Unit
May 2009