Read an Excerpt

5: Conducting A _Privacy-Needs Audit

Conducting a privacy-needs audit is phase two in the privacy policy development and planning process. Once there is a privacy task force and other necessary groups in place to tackle the privacy plan, the organization must begin to understand the many types of data and information it collects and uses. The privacy-needs audit helps the organization identify those data, determine where or whom it comes from, establish how and where it is used, and identify if and where it is disseminated. In addition, the audit process will identify laws, government regulations, and internal requirements that could possibly govern the collection, use, and dissemination of the data. Conducting the needs audit is a time-consuming task that will require the cooperation of all departments or business units in an organization.

This chapter provides a step-by-step approach to conducting a privacy-needs audit. It has divided the privacy-needs audit phase into 10 major steps that follow the first 10 steps of the organizing and researching process discussed in Chapter 4. The steps are illustrated in Figure 5-1.

Figure 5-1. Conducting a Privacy-Needs Audit: Phase 2 of Privacy Planning

In addition to describing the 10 steps for conducting a privacy-needs audit, this chapter covers the type of obstacles that an organization can encounter at each step. As in other chapters, these candid comments about obstacles are based on several decades of experience in working on organizational change using the task force approach to accomplish major enterprise initiatives.

Step 1: establishing a data _inventory system

To begin the privacy-needs audit, the organization needs to create a data inventory record system to help track and organize the information collected during the audit. A database is helpful in managing the information collected. The organization should collect as much information as possible on each piece of data in its enterprise and record it in its data inventory database. The minimal information collected about each piece of data will probably vary, depending on the organization. The following list provides a starting point for the information that an organization needs to collect:

• Description of the data
• Which department is responsible for the data
• Source of the data
• Which computer (or computers) the data reside on, if applicable
• Where paper copies of the data are filed, if applicable
• Where the data are used in-house
• How the data are used in-house
• Where the data are disseminated
• How the data are disseminated
• Any existing policies on using the data
• Laws covering the use of the data
• Previous incidents regarding privacy of the data
• The position of advocacy groups toward the use of the data
• Privacy task force notes on the data

The major obstacle when establishing a data inventory system is that the volume of work required can be very high in large enterprises. Therefore staff resources are needed to conduct the audit by department, to compile the information, and to keep the inventory updated over time. Another obstacle, which is closely tied to resource requirements, is resistance to thoroughness because of the cost and time involved. This data inventory step should be as thorough as possible. If the company does not take a comprehensive look at its data, it is not taking a comprehensive look at its vulnerability.

The objective of the privacy-needs audit and the entire privacy-_planning process is to reduce the organization's vulnerability when it comes to privacy. No organization should have a false sense of security about how vulnerable it is to privacy problems. Many organizations read the latest story in the newspaper about privacy issues that pertain to certain types of data, then take a brief look at their own in-house treatment of that particular type of data, and prematurely conclude that they are not vulnerable. Building a complete and thorough data inventory system to begin the privacy-needs audit will help reduce tendencies to take short cuts as the company develops and implements the privacy plan.

Step 2: conducting an inventory of data in the enterprise

Once a comprehensive data inventory system is in place, the organization should begin to populate the database with detailed information on the data that it controls. Each department must determine what data or information it collects, creates, or uses. Working with the department teams, the task force should catalog all of the data, their source, and their current use. This time-consuming process must be thoroughly executed. The central information technology department can be very helpful in this process. Well-organized data management operations usually have data dictionaries that describe all of the data fields in enterprise databases. In most cases, these data dictionaries are an excellent starting place to learn about the large quantities of data your organization collects, processes, or uses. The central information technology department, sometimes called the MIS department, can be assigned to assist with the data inventory process.

Companies should not, however, assume that the central information technology department is aware of all the data used by departments or business units. All too often databases and information systems have sprouted up around an organization. These databases can be standalone systems that departments have created, or they can be derivatives of centralized databases that have been extracted for specific data mining or data analysis tasks.

A formal cataloging approach should be used in inventorying data and information. To move further into the planning assessment and planning process, the company needs a uniform and thorough description of all data and information. Setting up a database that is accessible by the entire privacy task force is a good way to facilitate the cataloging process. Expect the inventory process to take a considerable amount of time; it can take weeks and sometimes months to do a data inventory, depending on the size of the organization.

To find the data and information used in the enterprise, the privacy task force and the department teams need to look everywhere. For example, data may be found in the following locations:

• Customer data files
• Supplier data files
• Channel partner records
• Accounts payable files
• Accounts receivable files
• Web site registration records
• Employee records
• Research and development files
• Subscription records for corporate newsletters

The major obstacle when actually conducting a data inventory is getting the cooperation of all departments or business units. Cooperation comes on two levels. The first is how nice people are about the detailed task of a data audit and how timely they respond. The second is how well they really cooperate and how much effort they really put into the process. Companies need to be very realistic in this phase and understand that departments and business units feel as if they have ownership of data, and in many cases, their performance ratings or compensation, especially for managers or sales people, may depend on exploiting a variety of data sources.

All the obstacles basically come down to what is referred to as cultural barriers to change. This defensiveness or fortress-building response has always been encountered in organizations that are faced with new threats, shifts in marketplaces, or social pressure. For example, heavy resistance to environmental protection requirements lasted for decades and still exists in some parts of the country and in many places around the world. Resistance to equal opportunity such as gender and racial equality in the workplace is something that has yet to be completely overcome. Progress has been made on both the environmental and equal opportunity fronts, but it has taken over 30 years.

Simply stated, companies should be warned against an observed tendency on the part of departments and business units to not fully cooperate with enterprisewide initiatives. Do not establish an environment of distrust and paranoia when dealing with departments or business units. Just take an approach of thoroughness during the data inventory step. A company's best weapon in the quest for thoroughness may not be lengthy forms for each supervisor to complete, but a softer awareness-building approach in which key supervisors or technical experts are polled about how data are being used.

To help achieve thoroughness and overcome potential resistance to the data inventory process, count on taking a three-prong approach. First, as pointed out in phase one, the organization and research phase, start an awareness campaign about the importance of privacy efforts and provide employees with a mechanism for giving feedback about potential vulnerabilities. Second, start the formal inventory process as outlined in this chapter. Third, create and distribute a survey to key personnel as a separate data collection effort to get their inputs on privacy vulnerability. The company can then triangulate the three sources of information and cross-check them as it builds the data inventory.

Step 3: determining existing privacy policies by data type

Once the data and information have been located in the enterprise, the organization needs to determine if it has any preexisting privacy policies and procedures related to each type of data. The data inventory database should include fields to track existing privacy policies. As the task force identifies data and their location, it can also inquire about any existing privacy policies related to the different data sets. These policies need to be recorded and evaluated. In the absence of a written policy or procedure, the privacy task force needs to determine what de facto or unwritten policies, if any, govern use of the data in question. For an existing policy, the task force needs to determine if it is adequate or appropriate for current activities. One of the roles of the task force is to examine any and all existing policies and procedures regarding the privacy of data. All written copies of existing policies should be collected for analysis by the task force at a later date.

The major obstacle during this step is the volume of documentation that may have to be pulled together. Existing privacy or data management policies may be difficult to sift through and actually determine what if any privacy management aspects they actually covered. In addition, some policies may not be labeled as policies that have governed past or present behavior toward privacy of data. Going through this process helps prevent new privacy policies and procedures from contradicting existing ones. The new privacy policy should not be seen as an overlay to existing policies or procedures. This means that all of the existing policies related to data privacy need to be reviewed to make sure they do not conflict with new policies. Contradictions in various types of policies will be eliminated in the policy development and implementation phase.

Step 4: reviewing laws, _government regulations

Following an examination of internal policies that may govern data use and collection, the next step in the audit process is to determine if any external laws or government regulations apply to each of the types of data that have been identified. This complex process will require assistance from legal counsel. Appropriate representatives from departments should be responsible for various data types and should be involved in the legal review process along with counsel. Bringing these parties together and reviewing the information can be a rather lengthy process and may require international assistance if the enterprise operates across international borders. The organization needs to conduct the legal requirements phase for each country in which it conducts business.

The major obstacles in accomplishing a thorough review of laws and regulations related to information privacy requirements are time and expertise. Medical organizations have already been confronted with a variety of privacy requirements, and financial services companies have long been dealing with privacy issues. Most organizations, however, are just beginning to deal with privacy issues and probably have very few staff familiar with privacy requirements. If in-house legal counsel is not available, contracting with an outside specialist in the field of privacy law is the best course of action.

Although outside legal counsel can be a very expensive aspect of privacy policy development, taking the do-it-yourself approach is not advised. For interpreting laws and regulations covering data privacy, and especially when the organization needs to comply with laws in several countries, the organization needs legal counsel that is expert in privacy law. Laws and regulations are seldom self-contained, but rather relate to other laws and regulations. Therefore a lack of familiarity with the structure of such laws can result in improper interpretations and incorrect actions. During this regulation review step, small organizations with limited budgets, especially start-up companies, are at risk. If such organizations do not have the budgets to deal properly with this legal review step, they are ill equipped to handle the entire privacy plan development process.

Step 5: assessing your insurance requirements and coverage

Along with laws and government regulations, an organization's insurance company's guidelines can determine how data are used and collected. The company should consult with its insurance company on any coverage that may relate to privacy planning, management, or protection. Most insurance companies provide coverage of corporate assets and many provide some sort of business disruption coverage. Both types of coverage could potentially relate to the violation of corporate privacy or the violation of the privacy of others by the enterprise's actions. A straightforward inquiry with the insurance carrier is best. Seeking the insurance carrier's input on the privacy planning approach could also be helpful.

The major obstacle in assessing an organization's insurance coverage is finding the expertise to do an adequate assessment. Larger organizations often have a risk management department to evaluate risks and insurance coverage. Smaller organizations tend not to have such expertise in-house, which means that they will need an outside consultant to help with this step. Basically, coverage from insurance companies regarding privacy violations is not expected. If it is a matter of data theft, they may provide some coverage. On the other hand, if inappropriate risk taking or an employee blunder causes a privacy violation, then the insurance company is not likely to provide coverage. During this step the enterprise must determine what if any coverage its insurance policies provide.

Step 6: identifying past or present privacy problems

Once an organization has a good understanding of all the internal and external factors that control and govern data collection and use, it should analyze any privacy problems that the organization is facing or has faced in the past. Unfortunately, many organizations do not start dealing with privacy issues until they have a privacy-related incident. If privacy management problems have occurred, the task force must have a full understanding of those problems. Such problems can include customer complaints, litigation, and government inquires. In addition to understanding the problems, the task force must also be informed on how the organization re-sponded to those issues.

The company is urged to take a comprehensive look at existing or past issues. This process may include a review of customer complaint forms or records in all business units and departments. If it has a Web site, the company should review any email or inquiries regarding privacy. All too often these inquiries get buried in an email box somewhere on a server and are never reviewed. If visitors to the Web site have made inquiries, these inquiries could provide insight into the perspective of the organization's Web customers or users.

The major obstacle in identifying past data privacy issues is what is referred to as institutional memory. In some cases people who have been involved in privacy incidents may have left the company. In other cases memory tends to be selective, and the task force may have difficulty assembling an objective perspective on past privacy incidents. As major incidents of the past are identified, the task force should contact the people who are no longer with the organization and attempt to get their perspectives on specific incidents. If employees involved in an incident are still with the company, the task force should talk to as many people as possible to make sure a well-rounded perspective of the incident develops. All of these efforts will help the task force develop a full understanding of what the organization faces and has faced in terms of privacy problems created within the enterprise.

Step 7: reviewing the privacy _policies and problems of your _business partners

Along with internal privacy problems, the task force needs to understand the privacy issues in which the organization's external business partners are involved. The task force should examine privacy policies, problems, or issues that the business partners have experienced. An organization could be vulnerable because of poor privacy management practices of suppliers, channel partners, or other companies with which it has some business arrangement.

These organizations should be informed that a privacy plan is being developed. This part of the privacy planning process can be very problematic; however, the enterprise must recognize that even the best privacy policies and procedures cannot protect it from encountering problems if a business partner obtains data that it misuses in a way that exposes that data to unauthorized parties.

The major obstacle is getting business partners to cooperate. If a company has long-standing relationships with the business partners, it will probably not be too difficult to foster cooperation. The most difficult scenario occurs when large numbers of channel partners are affiliates. This scenario especially applies to newer Web-based companies that use affiliate programs or to the large technology companies that have relationships with resellers, VARs (value added resellers), OEMs (original equipment manufacturers), or consultants. In these cases, collecting information on each affiliate may be impossible. The best course of action in these situations is to focus on the largest partners first. In addition, once the privacy policies are formulated, the organization can require all partners to adhere to its policies as a condition of having the business relationship.

Along with assessing the privacy policies and problems of business partners, the company should establish a process that follows news stories in which the partners are mentioned. Even if self-reporting of privacy problems is required, a business partner that gets bogged down in a privacy scandal may not place a high priority on calling to discuss the problem. Thus, a monitoring process is advisable. Any privacy-related information found through such monitoring, as well as all self-reported information from business partners, should be catalogued and analyzed by the task force....