SAI Global Privacy and Security Training Review
Nymity's Independent Privacy Solutions Review provides an unbiased assessment of the legal and privacy benefits of SAI Global Privacy and Security online training.
Compliance: Training Employees on Privacy and Security
Privacy Law
The Personal Information Protection and Electronic Documents Act (PIPEDA) mandates privacy and security training for employees, specifically for:
- privacy, PIPEDA Schedule 1 - 4.1.4 Principle 1 - Accountability requires the "training staff and communicating to staff, information about the organization's policies and practices"; and
- security, Schedule 1 - 4.7.4 Principle 7 - Safeguards states an "Organization shall make their employees aware of the importance of maintaining the confidentiality of personal information".
Compliance with Security Codes
Not only do privacy laws mandate training; so do security codes like the Payment Card Industry Data Security Standard (PCI DSS), which states "All employees should be aware of the sensitivity of data and their responsibilities for protecting it."
Another example is the Canadian Institute of Chartered Accountants Generally Accepted Privacy Principles (GAPP) requirement to "Educate and train internal personnel (initially and periodically) who have access to personal information or are charged with the security of personal information about privacy and security concepts, and issues; and promotes ongoing awareness".
In Canada, training on privacy and security is a legislative requirement and mandated in security codes.
Commissioners' Findings
Findings and Orders from the Privacy Commissioners' offices across Canada mandate that organizations train employees on privacy and security, especially if the cause of the complaint was an employee mistake. This is frequent, as many privacy and security incidents arise from an employee inappropriately handling personal information. In one retail case, the Finding stated "While the club had a privacy policy, it appeared that privacy training had not been provided to its staff at that location, in contravention of Principle 4.1.4." and it went on to state: "the club ensures that staff are trained with regard to their responsibilities concerning the protection, collection, use and disclosure of personal information, including procedures on how to receive and respond to privacy complaints and inquiries".
In another case, involving three telecommunications organizations, their customer service representatives disclosed personal information in a pretexting incident because the customer service representatives did not follow the organization's policies for customer authentication. The Finding stated: "It was established that employees in all three organizations did not follow customer authentication procedures and thereby failed to adequately protect customer personal information". The Commissioner's Finding went on to recommend: "company 1, company 2 and company 3 (named in Finding) each undertake a number of specific actions to strengthen customer service representative training". In this investigation the Commissioner's office decided to make the names of the companies a public record.
Training Demonstrates Compliance
Demonstrating an effective privacy and security training program is important when an organization is involved in a complaint investigation. It not only shows compliance; in incidents related to customer disputes, the training becomes part of the company's defence. If an individual files a complaint against your organization regarding one of your employees and makes claims that are counter to your policy, the Commissioner's office will look at your training materials and check whether the employee in question was trained. If the employee was trained on the policy and states that he/she followed the policy, the Commissioner's office is likely to side with your organization over the complainant, as there is evidence to back your claims. Privacy and security training demonstrates compliance.
Training is a Challenge
“Training is perhaps the single greatest challenge of PIPEDA compliance, particularly with large and varied customer-facing channels – a lot rests on the shoulders of the front lines. Training is never complete – it must be an ongoing process.”
David Elder, Former Assistant General Counsel, Bell Canada
“Training should be the foundation of a company’s entire compliance program. Creating privacy policy is the easy part. The real challenge is ensuring that your company and employees live by it.”
Robin Gould-Soil, Corporate Privacy Officer, TD Financial Group
"The key thing is to understand what questions and concerns might be raised by individuals when dealing with your organization. Once you identify that, ensure your frontline staff is trained to handle these concerns."
Kelly Taylor, Compliance Manager & Privacy Officer, TransUnion of Canada
SAI Global Privacy and Security Training Privacy Review
SAI Global provides a suite of information security and privacy training offerings. Each offering is designed to eliminate privacy and security breaches and ensure an organization's compliance. SAI Global was one of the first to recognize the shortcomings of training programs based on privacy principles, or focused strictly on compliance with laws. This approach often has unexpected results and can be ineffective in eliminating breaches. For training to work, SAI Global recognized that training must focus on the common business practices in which employees handle personal information; some call this scenario-based training.
Culture of Privacy
In SAI Global's scenario-based training, employees learn from common scenarios, allowing them to easily apply their knowledge to their own area of business operations. This approach creates an understanding of the importance of handling personal information in a secure manner, reporting incidents of privacy breaches and dealing with situations before they escalate into a major problem. SAI Global privacy and security training helps organizations build a culture of privacy.
SAI solutions are fully customizable, measurable and already translated into French and English. Courses include:
- For Your Eyes Only – this core course reflects the latest standards and best practices
- Investigating Information Security at Work – a scenario-driven course that brings the subject to life through a strong story line
- Physical Security – stresses the individual's responsibility in protecting the organization from unauthorized access
- PCI DSS – communicates the purpose of the Payment Card Industry Data Security Standard
- InfoSec Moments – high-impact, short video vignettes that are easy to deploy and access – available in a variety of topics including Confidential Information via blogging, talking to friends, and talking in public places, and Copyright Compliance
- Handle with Care – reflects global best practices and can be tailored by geography, language and job role
SAI Global - Privacy & Security Training Privacy ROI
To calculate SAI Global's Privacy Return on Investment (Privacy ROI), an organization must calculate the cost of creating and deploying an effective training program in-house and compare it to the cost of SAI Global's offering. The organization must also assess the risks of creating an in-house program that does not apply the advanced techniques available from SAI Global. Based on this evaluation the Privacy ROI can be established.
In-house Training - Costs
If an organization has the web-based infrastructure to deliver online training, then the costs would be calculated based on the time to develop, test and deploy an effective training program. It can be difficult for a non-training organization to create the content of an effective privacy and security program, because the tendency is to focus on policies and principles. It may seem simple, but in practice it is quite difficult. It takes many years of prototyping and testing to create a program of the calibre of SAI Global's offering. An organization also wants an efficient program that minimizes the time employees spend completing training. For example, if an organization uses a SAI program that takes five minutes less time than an in-house program, the company will save thousands of dollars.
If the organization doesn't have in-house web-based training infrastructure, it would have to use presentations and other mechanisms to deliver the training. Often, organizations find this cost prohibitive and they typically end up with a scaled-back training program, which results in a higher probability of a privacy breach and non-compliance.
Risk of not Training
If compliance is a concern, or eliminating privacy breaches is a priority, training is not optional for an organization. It must be implemented and maintained. But there is a payback, as training programs:
- demonstrate due diligence in an investigation
- provide evidence to support an organization's claims
- ensure compliance, and
- most importantly, eliminate costly privacy and security breaches.
Next Steps
Contact:
Barry Young
Canadian Director
SAI Global
1 Yonge Street
Suite 1801
Toronto ON M5E 1W7
Phone: 416 214 4293
Cell: 519 854 3279
Email: barry.young@saiglobal.com