Safeguards on Personal Data Privacy
Peter Koo, Partner, Enterprise Risk Services, Deloitte Touche Tohmatsu
Maverick Tam, Associate Director, Enterprise Risk Services, Deloitte Touche Tohmatsu
Deloitte ERS practice in China and Asia-Pacific
Deloitte Global: approximately 169,000 people in over 140 countries.
Our China Practice: more than 8,000 people in 14 offices including Beijing, Chongqing, Dalian, Guangzhou, Hangzhou, Hong Kong, Macau, Nanjing, Shanghai, Shenzhen, Suzhou, Tianjin, Wuhan and Xiamen; serving one-third of all companies listed on the Stock Exchange of Hong Kong.
Deloitte Asia Pacific: a team of over 12,000 people located in 31 offices including Brunei, Guam, Indonesia, Malaysia, Philippines, Singapore, Thailand and Vietnam.
Office headcount shown on map: Beijing 200+, Shanghai 240+, Shenzhen 60+, Taipei 180+, Hong Kong 100+.
Achieving Corporate Governance
IT Governance Framework
Implementing the Data Loss Protection Framework: combined top-down, bottom-up and sideways.
- Set Policy (People)
- Deploy Controls (Process)
- Enforce and Monitor Controls (Technology)
Control technologies shown in the diagram: DLP, Encryption, IAM, Data Redaction, Archive, DR.
Data flows and repositories shown in the diagram: Branch Offices (WAN), Business Analytics, Data warehouse, Back up tape, Customers, Partners (WWW), Customer Portal, Outsourced Development (WAN), Production Data, Disk storage, Remote Employees (VPN), Enterprise e-mail, Staging, File Server, Back up disk.
Privacy and Data Protection Laws and Regulations
- Canada: Federal/Provincial PIPEDA, FOIPPA, PIPA
- UK: Data Privacy Act
- European Union: EU Data Protection Directive and Member States Data Protection Laws
- South Korea: Act on Promotion of Information and Communications Network Utilization and Data Protection
- Japan: Personal Information Protection Act
- U.S. Federal: GLBA, HIPAA, COPPA, Do Not Call, Safe Harbor
- U.S. States: numerous state laws; Breach Notification in 40 states from CA to NY
- Hong Kong: Personal Data (Privacy) Ordinance
- Taiwan: Computer-Processed Personal Data Protection Law
- Chile: Law for the Protection of Private Life
- Philippines: Data Privacy Law proposed by ITECC
- Argentina: Personal Data Protection Law, Confidentiality of Information Law
- South Africa: Electronic Communications and Transactions Act
- India: law pending, currently under discussion
- Australia: Federal Privacy Amendment Bill; State Privacy Bills in Victoria, New South Wales and Queensland; new e-mail spam and privacy regulations
- New Zealand: Privacy Act
Personal Data (Privacy) Ordinance (PDPO) Data Protection Principles
Principle 1: Purpose and manner of collection. This provides for the lawful and fair collection of personal data and sets out the information a data user must give to a data subject when collecting personal data from that subject.
Principle 2: Accuracy and duration of retention. This provides that personal data should be accurate, up-to-date and kept no longer than necessary.
Principle 3: Use of personal data. This provides that, unless the data subject gives consent otherwise, personal data should be used only for the purposes for which they were collected or a directly related purpose.
Principle 4: Security of personal data. This requires appropriate security measures to be applied to personal data (including data in a form in which access to or processing of the data is not practicable).
Principle 5: Information to be generally available. This provides for openness by data users about the kinds of personal data they hold and the main purposes for which personal data are used.
Principle 6: Access to personal data. This provides for data subjects to have rights of access to and correction of their personal data.
Some Relevant Guidelines and Codes of Practice
- Code of Practice on the Identity Card Number and Other Personal Identifiers
- Code of Practice on Human Resources Management
- Code of Practice on Consumer Credit Data
- Code of Practice on Protection of Customer Information for Fixed and Mobile Service Operators
- Privacy Guidelines: Monitoring and Personal Data Privacy at Work
- Guidance on the Collection and Use of Personal Data in Direct Marketing
- Guidance on Data Breach Handling and the Giving of Breach Notifications
- and more
Importance of Compliance
Public concerns and consequences for personal data privacy incidents:
1. Legal compliance. Contravening an Enforcement Notice carries:
- Imprisonment for 2 years
- Level 5 Penalty: HK$50,000
- Daily penalty of $1,000 for a continuing offence
- Compensation to individuals
- Potential requirement to erase ALL personal data
2. Reputation. Negative media exposure; investigation by the Privacy Commissioner, the Legislative Council, etc.
3. Customer confidence.
Other Industry-Specific Requirements
Payment Card Industry Data Security Standard (PCI DSS): helps payment card industry organisations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. The requirements of PCI DSS include:
- Maintaining a secure network
- Securing the stored cardholder information
- Implementing strong access control to the stored data
Circular on Customer Data Protection issued by the HKMA:
- Designated officer and incident handling process
- Data security policies and awareness
- Portable storage devices
- End-user computing
- Mobile computing
- Physical security controls over customer data
- Outside service providers
Data Leakage Happens
In business, well-intentioned employees simply getting their jobs done may inadvertently put information at risk, sometimes resulting in data leakage.
AICPA / CICA Generally Accepted Privacy Principles
- Developed from a business perspective, referencing significant domestic and international privacy regulations
- Summarize complex privacy requirements into a single privacy objective that is supported by 10 privacy principles
- Each principle is supported by objective, measurable criteria that need to be met
- Illustrative policy requirements, communications, and controls, including monitoring controls, are provided as support for the criteria
Role Based Access Control
A role-based access control (RBAC) model provides access to roles that create or consume information in the course of a business activity. Each role is assigned permissions at the business-activity level, which define its relationship with an information class and the information assets belonging to that class. RBAC may be implemented either through functional capabilities in a business system or through the application of metadata and business description rules.
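The following is an added illustration, not code from the slides: an RBAC check in which permissions are granted to business activities rather than to individual assets, and an asset is matched through its information-class and sensitivity metadata, as the slide describes. All role, activity, class and asset names are constructed for the example.

```python
"""Added example: RBAC resolved user -> roles -> business activities -> information class.
Assets are matched on their metadata (information class, sensitivity), so a new asset
becomes governed simply by tagging it; no role needs editing. All names are constructed."""
from dataclasses import dataclass

# Ordered sensitivity levels used by the "business description rule" below.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    info_class: str   # metadata: which information class the asset belongs to
    sensitivity: str  # metadata: one of LEVELS


# Each business activity grants a set of operations on ONE information class,
# up to a maximum sensitivity the activity is authorised to handle.
ACTIVITIES = {
    "process_payroll": {"class": "employee_pii", "ops": {"read", "update"}, "max": "confidential"},
    "handle_claim":    {"class": "customer_pii", "ops": {"read"},           "max": "confidential"},
    "purge_expired":   {"class": "customer_pii", "ops": {"delete"},         "max": "confidential"},
}

# Roles are assigned business activities, never raw tables or files.
ROLES = {
    "hr_officer":        {"process_payroll"},
    "claims_agent":      {"handle_claim"},
    "records_custodian": {"purge_expired"},
}

# User -> roles; in a real deployment this mapping is fed from the HR system
# into the identity repository (constructed sample data here).
USERS = {"alice": {"hr_officer"}, "bob": {"claims_agent", "records_custodian"}}


def is_permitted(user, op, asset, users=USERS, roles=ROLES, activities=ACTIVITIES):
    """True if any activity held through the user's roles covers (class, op) for the
    asset and the asset's sensitivity does not exceed the activity's ceiling."""
    for role in users.get(user, ()):
        for activity in roles.get(role, ()):
            spec = activities.get(activity)
            if spec is None:
                continue  # dangling assignment: deny rather than guess
            if (spec["class"] == asset.info_class
                    and op in spec["ops"]
                    and LEVELS[asset.sensitivity] <= LEVELS[spec["max"]]):
                return True
    return False  # default deny: unknown user, role, activity or class
```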
Centralized Identity & Access Management
Diagram: the HR System feeds Centralized User Management in the Identity & Access Management System (Identity Repository, Self Service, Batch Process), which provisions Network Storage, Email, ERP, the Inventory System and the Windows Domain.
Key Preparation Tasks
- Identify key data privacy regulatory requirements
- Inventory the personal data held by your organization
- Build up privacy awareness within your organization
- Develop a privacy and data protection roadmap
Thank You!
Our Contacts
Deloitte Touche Tohmatsu, 35/F One Pacific Place, 88 Queensway, Hong Kong. Tel: 2852-1600, Fax: 2541-7392
Peter Koo, Partner, Enterprise Risk Services. Tel: 2852-6507, E-mail: petkoo@deloitte.com.hk
Maverick Tam, Associate Director, Enterprise Risk Services. Tel: 2852-5810, E-mail: mtam@deloitte.com.hk
Should you require further information, please feel free to contact us or go to our web site at www.deloitte.com