Interview with Terry Hancock
July 2006
Interviewee: Terry Hancock, CEO of Easy i, a division of SAI Global
Interviewer: Terry McQuay, President of Nymity
Subject: Training Employees on Privacy
Nymity: Terry, please introduce yourself and Easy i.
Hancock: Easy i delivers risk, regulation and compliance training and awareness solutions to major organizations globally. Easy i is part of SAI Global, an Australian-listed international professional services company operating in the international standards, regulatory and compliance space; see www.sai-global.com and www.easyi.com for more information.
As CEO of Easy i and of the SAI Compliance Division, my role has been to build a team that can help create meaningful solutions to deliver high-impact training and communication that reaches beyond immediate issues of conformity with rules and regulations. We want to help really embed a culture of compliance and to help manage behaviours towards a new mindset. Successful training and awareness can help companies not only improve their reputation risk but become more effective and successful businesses. This is our passion and commitment.
Our forte has been online training, but we deliver offline and blended learning solutions as required. We engage with compliance, IT, HR and business lines to create the optimum solution for respective client organizations. We currently have over 4 million active users of our courses around the world, including more than 250,000 in Canada. We have been operating in Canada for over 4 years.
Nymity: Why is training employees on Privacy such a challenge?
Hancock: Many compliance and regulatory topics, for example Anti-Money Laundering, tend to be quite prescriptive. Reporting requirements, breaches and rules are relatively clear cut, and therefore training can be directed with some confidence. Privacy, on the other hand, tends to have a more subtle context and involves a series of delicate trade-offs around rights, responsibilities and even what constitutes best practice. This applies both to the organization and to individuals, and, unusually in a compliance context, these are not necessarily always aligned. Protection of personal data is a hugely sensitive subject, and responses to actual or perceived breaches in its handling tend to happen at a more emotional level than many other regulatory and compliance issues.
Privacy in practice also tends to be quite controversial, both in principle and in execution. In addition, privacy problems emerge in many guises; sometimes these are from technology failings, in other cases there can be simple human error, and, as any casual reader of the press will also note, even the development of privacy policies is fraught with division – there is broad global consensus, for example, about the handling of laundered money; cross-border disputes about privacy and access to data are, by contrast, hugely controversial. Add in fast-changing technology, identity theft, plus the uses and abuses of privacy for security purposes, and all of this makes for a high level of uncertainty; privacy just has many more shades of grey than virtually any other compliance/regulatory topic we handle.
Helping employees steer through these issues is not a trivial undertaking. Furthermore, there is huge confusion about what constitutes privacy and personal data and how employees should respond to requests and complaints. This is what makes privacy training such a challenge. Employees need considered guidance on how to deal with specific issues and also on at what point to refer to professionals within the organisation. There is considerable uncertainty too around executive and management understanding, to say nothing of those working in privacy hot-spots such as call centres and so on.
Nymity: As Privacy laws mandating training have been in place since 2004 or earlier, what are the compelling reasons for organizations to invest now in privacy training?
Hancock: I think any casual observer of the media will be aware that privacy issues are climbing the reputational risk ladder with great rapidity. Erroneous faxes, lost data and data transfers across borders make the headlines regularly. It is really essential that major corporations who wish to protect and maintain their reputation and standing help their employees understand how to handle these issues.
Privacy breaches can now hurt financially, not through huge fines (relatively speaking these are still quite trivial) but from a loss of trust. By extension, that duty of trust is stretched to include not just the corporation but those whom it entrusts with its systems, technology and data in the broadest sense.
Nymity: On what basis would you not invest in privacy training?
Hancock: Individuals and corporations now want visible proof that their personal data, medical records, financial information etc. are not just protected but that protection is actively and robustly managed. Reassurance and transparency on that score is now non-negotiable, and training is a vital component of that.
On a more brutal note, recent legal cases have shown that education and training (or lack of it) will be taken into account when judgements are made; there has been a high correlation between unhappy experiences in court and poor or non-existent training.
Nymity: What are special considerations when training call center personnel?
Hancock: Call centres are typically characterised by high employee turnover and a relatively intense working environment. Add to that high exposure to real-time privacy issues – the risks are obvious.
Call centre staff therefore need training that works in this kind of environment - short, snappy but regular and persistent training based around case studies, scenarios and practical, real-world examples. Legal experts are not required here, but best practice and a clear understanding of boundaries and no-go areas are essential. The key is little and often, but also clarity and regularly refreshed content; the use of games, exercises and quick tests should be encouraged – the material has to deal with low attention spans and all the working issues identified above.
Nymity: What are special considerations when training retail environments?
Hancock: There are very similar considerations to those identified above. However, the intensity of the working environment tends to be somewhat less. Retail environments are, however, highly sales-activity orientated, and privacy training has to be put in that context.
This means that training needs to be flexible – to be built around daily business activities; again, brevity and relevant case studies and examples can make a big difference – quickly. In training generally, less is more; in this retail context too, material has to be appealing in the same way as the goods on sale – bright, visually appealing, compelling presentation and so on. Training, like selling, is about effective communication and presentation.
The same principle applies across the board here – that effective training has to focus on the unique business services, processes, and goals of that audience, relevance is critical.
Nymity: When is computer based training a viable option?
Hancock: Computer-based training in principle is always a viable option, but one size does not fit all. Careful thought needs to be given as to how computer-based training fits with other forms of training and communication; for example, privacy professionals may well benefit from more detailed offline workshop courses supplemented by computer-based training. It's not an either/or option, but with care it can form the core of the training effort upon which other elements can be crafted.
Technology is an enabler but also a potential obstacle; however, today, with good web-based solutions available, a decent connection to the internet and a browser is usually enough to get started. Computer-based training does have significant advantages in terms of cost; those advantages are generally magnified by scale.
Traditionally, classroom training is seen as a good format for discussion and review. However, most organizations today have difficulty committing the time and space to these types of training formats. Well-designed computer-based training supplemented by briefings, FAQs and other material can get to the same outcome very quickly. In addition, computer-based training can capture trainees' responses and, through testing individual understanding, can identify gaps in knowledge and respond to those rapidly.
Nymity: What are the key considerations when developing an international training program?
Hancock: Some of our largest customers in Canada have come to us with this problem. The organization needs to take an overall stance on privacy above and beyond immediate regulatory requirements but it also needs to maintain its obligations in respect of multiple regulatory regimes. It is not always clear in practice what these are and in some cases they can conflict.
We normally take a three-level approach to this problem; a mapping exercise is undertaken to identify jurisdictions, business lines and job roles, and these are plotted against key topics and identified business risks ordered by scale and potential impact.
Easy i has an existing generic global privacy course that is designed to cover 4 key issues:
- Knowing the organization's privacy requirements, policies and procedures
- Performing daily responsibilities that support privacy requirements, goals and initiatives (by various job roles)
- Using privacy technologies responsibly and in compliance with organizational, contractual and legal requirements
- Reacting to privacy incidents and enquiries appropriately.
The course includes a complete database of legislation by territories as well as a survey of best practice (broadly based on OECD principles). In this way each user will understand both the organizational stance on privacy but also how that plays out at a local or regional level.
Typically we handle this through multiple business lines and job roles. Flexible Learning Objects in computer based training allow this mixing of the generic and specific to create multiple course structures built around one overall curriculum. We normally strongly advise that this be made available in all local languages.
To date our course covers over 60 different jurisdictions and the legislative databases are maintained dynamically to ensure continued currency of the material. Two major international banks in Canada have signed up for this approach reflecting both their concern about the topic but also a clear desire to manage privacy issues around common criteria and best practice – the highest standard needs to be the minimum standard – everywhere.
Nymity: What about a Canadian specific program?
Hancock: Easy i has been delivering Canadian-specific Privacy employee training for some while now based on PIPEDA legislation. Courses are available in both languages and have been extensively tried and tested in over 200,000 separate user sessions with very high levels of positive feedback on completion.
We have a generic course titled “Handle With Care” which can be customized as required to include policy, procedure, corporate imagery etc. In some cases we have developed full custom courses but most clients have been happy to take the generic version with a modest degree of customization.
Demos are available now for those interested; simply send a request to our website at www.easyi.com/enus/contactus/default.asp.
Nymity: Easy i has produced a training program for Canada. How does it work? Who should inquire and how much does it cost?
Hancock: We have two tracks here, one is an enterprise solution aimed at organizations with more than 500 employees. This can be customized and delivered as necessary. With larger organizations it can be installed on the intranet or run off the internet as required.
For smaller business users we will be launching our web based solution at the beginning of September where courses can be purchased in any multiple from one user upwards. This is entirely web based, can be purchased with your credit card and is available for immediate use.
Both versions come with full tracking and auditing, testing and if required a course completion certificate. Courses are available in both national languages. Pricing starts from $75 for a single license, and falls to just over $30 per head for 500 users. For larger installations costs are just a handful of dollars per head.
For enquiries please go through to our contact page on the Easy i website www.easyi.com/enus/contactus/default.asp. For telephone enquiries please call our hotline 1-866-725-2859. We are always willing to discuss particular needs and requirements as necessary.
Nymity: Are there organizations in Canada using Easy i training? What value have they derived?
Hancock: As discussed above we have been delivering training to major organizations in Canada including three of the major “big 5” banks. These have included both generic and custom versions of courses. We have delivered both hosted and installed programmes and in addition to undertaking core training for various employees in different job roles we have also built repeat, enhanced and special user group training for many of our clients as a result of the success of the initial programmes.
Feedback has been consistently high and employees have welcomed the opportunity to take training on the subject of privacy; percentage completion rates for training have been in the high 90s. Value derived has centred on:
- Increased reporting of breaches as understanding grows; the difference is they went unreported/unknown before
- Better quality of reporting and management when incidents do occur
- A much higher level of internal requests and enquiries; a desire for clarification and guidance should be seen as a positive outcome
- Improved customer satisfaction around privacy issues
- Better policy and best practice development as incident reporting and feedback quality improves
- More focussed training and remedial benefits as knowledge gaps and process shortcomings are uncovered.
Nymity: What are the common privacy training mistakes?
Hancock: The most common mistake remains the most obvious; many organizations do not deliver structured training to employees or rely on simple PowerPoint shows, memos, posters and so on. The underlying messages here are that the organisation does not see the subject as critically important; there is no attempt to evaluate understanding or knowledge and there is minimal interaction with the most important audience of all – your employees.
Other common mistakes include:
- No leadership support internally; executive support is essential to success
- Training only covers the specific regulatory text; it's the spirit and the letter!
- Not addressing all legal and regulatory requirements, or addressing them in such detail as to cause real distress to the victims of such training. It is about understanding, not information
- Anything is never an advance on nothing at all – make the training fit the business environment or you are just wasting time and effort
- Inadequate planning, scoping and preparation; speed is rarely of the essence, and responding to a privacy crisis/incident in this way is a sure-fire method of getting a repeat performance.
- Not evaluating the effectiveness of the privacy education – you did the work – what did you, the organization, your employees actually learn as a result?
- Get help – privacy professionals are not training experts.
Finally, please feel free to collect a copy of our free privacy white paper "Making the case for privacy education and how to do it right"; just go to www.easyi.com/enus/whitepaper/default.asp.
Nymity: In closing, what is the typical business case privacy officers use to justify the costs of implementing a privacy training program?
Hancock: Data on privacy breaches and their costs are becoming more widely available, as are surveys on consumer and related opinion. Recent surveys are signposted in our white paper above, including the Leger Marketing survey in Canada, which showed that 58% of consumers said they would immediately stop doing business with a company that experienced a breach that put their personal information in jeopardy. Most organizations will keep records of the ongoing costs of privacy failures; the main costs are reputational (intrinsically hard to measure but potentially very costly), but business process errors (lost data, fraud etc.) can more easily be added to the mix.
Typically it is a combination of event data, such as that kept by Privacy Rights Clearinghouse in the USA and others, that can build the business case from a broad quantitative point of view, combined with internal data. Equally compelling is qualitative data from surveys amongst customers, published surveys and so on. Many of the big consulting firms produce regular surveys and commentaries. Privacy training will not stop losses arising from privacy breaches, nor will it ensure reputations are protected come what may, but this data is strong evidence that being passive is no longer any kind of option.
The cost-benefit equation therefore is relatively straightforward to create; effective training can cost a handful of dollars per head. ChoicePoint and other high-profile cases reinforce this too, but the most compelling data we have come across is internal. Employees generally want to be given clear guidance and support in this area; there has been no single recorded case in our experience where an organization has decided not to continue privacy training having started in the first place. In Canada, every organization we have worked for has come back for more training on the basis of user feedback and an improved environment for privacy awareness – we always ask new clients to speak to existing ones.
Talking to your peers and building on the example of best practice elsewhere is always worthwhile; the best business case is usually picking up on successful implementation at similar organizations.