Presentation to the Institute of Internal Auditors, Edmonton

Presentation to the
Institute of Internal Auditors, Edmonton
Chapter (IIA)

“Internal Audit in the wake of Privacy Legislation”

January 15, 2008
Leah Fitzgerald
Chief Compliance Officer
EPCOR Utilities Inc.
                  This presentation is not intended to serve as, and
                  should not be interpreted as, legal advice; it is a
                  general overview only and provided only for the
                  purpose of highlighting the general principles
                  underlying the privacy law and “things to watch out
                  for”. Legal counsel or other professional experts
                  should be consulted before making any decisions or
                  judgments about privacy law or privacy practices.

                  Cases discussed are not EPCOR cases, unless
                  specifically identified as such. Most have been
                  published on the public record; others are
                  hypothetical situations presented for illustrative
                  purposes.


Internal Audit in the wake of Privacy Legislation                       2
                       Why are privacy concerns so dominant?
                         – 60 Minutes episode on information theft
                         – Capital Health & School Authority loss of
                           memory sticks
                         – Passport Canada
                         – Increased awareness of just how powerful
                           personal information can be




                            The Privacy Environment in Alberta




                   Alberta has three privacy statutes:
                   Freedom of Information and Protection of Privacy
                   Act (FOIPP) – applies to “public bodies”, such as
                   government entities, municipalities, etc.
                   Personal Information Protection Act (PIPA)
                   – applies to “every organization” (other than those
                   governed by FOIPP, or federal works, undertakings
                   or businesses that are governed by PIPEDA)
                   Health Information Act (HIA) – applies to custodians
                   of health information


                     “Personal information” is information about an
                     identifiable person. The following are some examples
                     of information which is not “personal information” for the
                     purpose of the legislation:
                           Aggregated information
                           Information about an identifiable person which is
                             in the public domain
                           Business contact information
                           Information which cannot be attached to an
                             identifiable person



                                               Privacy Considerations
                     1.    only collect, use or disclose as much personal information
                           as is required to fulfill a legitimate business purpose;
                     2.    only keep personal information for as long as required to
                           fulfill a legitimate business purpose (and talk to your
                           Privacy Officer or counsel before determining the
                           timeframes for destruction);
                     3.    limit access to personal information within an organization
                           to those who require access and only permit access to the
                           extent that is required to fulfill a legitimate job function;
                     4.    maintain personal information in a manner that is secure;
                     5.    be prepared to provide “chain of handling” information if
                           requested;
                     6.    destroy personal information in a manner that protects
                           personal privacy; and
                     7.    treat specific personal information in accordance with its
                           sensitivity.


                                                    Consent

                   Generally, consent is required in order to collect, use
                   and disclose personal information.
                   Consent is usually express consent, but can sometimes
                   be implied.
                   The consent received must relate to a specific
                   legitimate and reasonable purpose and a person must
                   be properly notified of that purpose in order to give their
                   “informed consent”.




                            Exceptions to Requirement of Consent

                   There are also some legislated exceptions to rules
                   against non-consensual collection, use and disclosure
                   of personal information which contemplate a variety of
                   situations where getting consent may not be feasible or
                   possible.




                                                    Use
                   You can only use personal information to the extent that
                   it is reasonable to fulfill the purpose for which it was
                   originally collected.

                   There are legislated exceptions that permit use without consent.




                                                    Disclosure

                   You can only disclose personal information to the extent
                   that it is reasonable to fulfill the purpose for which you
                   originally collected it.

                   A disclosure occurs when information passes from one
                   organization to another organization, from an
                   organization to an individual other than the person
                   whose information it is, or from one area of an
                   organization to another for purposes unrelated to why it
                   was initially collected.


                                             Protection of Privacy
           An organization must make security arrangements that are
           reasonable and appropriate to the sensitivity of the information.
           Financial and medical information of any kind is considered to be
           very sensitive, requiring the highest level of protection. The
           following safeguards must be considered:
                 • Physical: locking files, shredding documents, removing
                   documents from view
                 • Administrative: training specific to the protection required,
                   tracking of disclosures
                 • Technical: IT systems and processes which serve to
                   secure information and limit access as appropriate
                                                    Access

                   Any individual has the right to ask for access to his or
                   her own personal information that is in the custody or
                   under the control of your company and your company
                   must respond openly, completely and accurately to
                   such requests, answering:
                              where the information is contained;
                              the purposes for which it is being used; and
                              the names of all persons to whom, and the
                               circumstances in which, the information has
                               been disclosed.

                                                    So what?

                     Otherwise known as “how does any of this
                                 affect me?”




                         Sometimes, Internal Auditors need Access to
                                   Personal Information


                   Sufficient access to records ensures that auditors are
                   able to carry out their job responsibilities.




                                            Consider this Scenario

                   Question: An organization collects personal
                   information and communicates a specific purpose to an
                   individual that it will use that information for that
                   purpose.

                   Can an auditor see/use that information in the course of
                   an audit? Is that a valid use or disclosure under privacy
                   legislation?




                                                    Answer


                   Public bodies under FOIPP
                   •Section 40(1)(m) allows a public body to disclose
                   personal information to the Auditor General or other
                   prescribed person or body for audit purposes.
                   •Section 7 of the FOIPP Regulation allows disclosure of
                   personal information for audit purposes to employees or
                   consultants who perform audits pursuant to a statute,
                   regulation or public policy relating to the public body.




                                                    Answer
                   •Custodians pursuant to HIA
                   Section 27(1)(g) allows a custodian to use individually
                   identifying health information without consent for audit
                   purposes.

                   Sections 35(1)(f) and 36 allow a custodian to disclose
                   individually identifying diagnostic, treatment and care
                   information or registration information without consent
                   to a person authorized to conduct an audit if that person
                   agrees in writing:
                   •To destroy the information after the audit is completed;
                   •Not to disclose the information unless to accomplish
                   the audit or to report unlawful or improper conduct

                                                    Answer


                   Private Organizations pursuant to PIPA
                   Section 19 of the PIPA Regulation allows an
                   organization to collect, use and disclose personal
                   information about a person without their consent where
                   it is necessary to comply with an audit where the audit
                   or inspection is authorized or required by a statute or
                   regulation.

                   Otherwise, only if the use or disclosure is reasonable
                   for the purposes of an “investigation” or a legal
                   proceeding.


                   But what about audits not undertaken pursuant to a
                   statute or regulation, or for the purposes of an
                   investigation?
                   Could it be said that the customer gave his or her
                   implied consent?
                   •Probably not.
                   Could it be said that the use or disclosure (in the audit)
                   was clearly in the interests of the individual and that the
                   individual would not reasonably be expected to withhold
                   consent, (another exception)?
                   •Likely not.




                   Special PIPA Review Committee Final Report


                   •Final Report was issued November 2007
                   •Concluded: “amend PIPA to allow an organization to
                   use and disclose personal information without consent
                   for the purpose of an audit or inspection of that
                   organization, and to allow an organization performing
                   an audit or inspection to collect, use and disclose
                   personal information for that purpose.”
                   Conclusion: Some audits currently could be said to
                   “breach” PIPA




                                     But that’s only part of the story




                                                    Scenario
                   A customer makes an access request for his
                   information.
                   The organization has to respond openly, completely
                   and accurately to such requests, answering:
                          where the information is contained;
                          the purposes for which it is being used; and
                          the names of all persons to whom, and the
                           circumstances in which, the information has
                           been disclosed.



                   Question


                   If an internal auditor took samples which included
                   personal information, could your organization know
                   where that information was contained and the purposes
                   for which it was being used?


                   If not, your organization may be found to be in breach
                   of PIPA.




                   Question
                   If you take samples of personal information pursuant to
                   legislation or otherwise, how are you safeguarding that
                   information?
                   Unencrypted memory sticks? Paper files in your
                   briefcase? On your laptop?
                   How sensitive is that personal information?
                   Personal information must be kept safe and secure
                   from loss. If it is lost or stolen, your organization
                   will be found to be in breach of the legislation.



                                                    Audit Report
                   Personal information should not be included (without
                   consent), unless specifically allowed under a statute or
                   regulation, or an exception under the applicable privacy
                   legislation.
                   Otherwise, it would likely be found to be an
                   inappropriate disclosure in breach of FOIPP or PIPA.




                                                    Privacy Audits
                   Determining the current state of an organization’s
                   personal information holdings and related procedures.
                   Privacy audits don’t necessarily lend themselves to
                   routine internal control reviews such as segregation of
                   duties (SOD), authorization, accounting control practices, etc.
                   However, internal auditors have specific skills and
                   expertise in this area – so why not use them?




                                        Conducting a Privacy Audit
                   Take an Inventory - identify the Organization’s existing
                   privacy, records and information management policies
                   and practices
                   Evaluate the Organization’s Existing Policies and
                   Procedures
                   Identify your current information practices - including
                   how and why your organization collects, uses and
                   discloses personal information




                                Some Areas that warrant examination
                   •Access controls that are in place to protect personal
                   information from unauthorized modification or use,
                   damage and loss
                   •Procedures for Password use
                   •Procedures for database administration
                   •Personnel procedures
                   •Control procedures for the wide-area network and local
                   area networks
                   •Physical security of the computer system
                   •Procedures for the storage and disposal of data output
                                                     The end.


                                                    Thank you.



