
Interview with Nicholas Cheung

September 2007


 

Interviewee: Nicholas Cheung, Principal, Assurance Services Development

 


Subject: CICA's new 20 Questions Businesses Should Ask about Privacy

 

 

Nymity: What was the purpose for creating this resource?

 

Cheung: Businesses know that their customers are more concerned than ever regarding privacy-related issues. While many businesses recognize privacy risk as a risk that needs to be addressed, not all businesses know where to start. 20 Questions Businesses Should Ask About Privacy (“20 Questions”) presents thought-provoking questions that every business should consider in assessing their privacy risk.

 

It raises key questions such as:

  • What personal information does the business collect and retain?
  • Does the business exchange personal information with entities operating in other provinces or countries?
  • Has the business established procedures to handle access requests from individuals?
  • Has the business developed procedures regarding the retention and secure disposal or destruction of personal information?
 
Nymity: How would you suggest a Privacy Officer use this resource?

 

Cheung:  They can use this resource to:

  • Assess or reassess their own privacy program and practices
  • Help educate managers and staff in departments that collect, use and/or disclose personal information

Many businesses understand their privacy obligations and have established their privacy policy and program. However, once established, their policy and program may not be reviewed again for some time. 20 Questions offers questions and answers that can assist privacy officers who are considering a review of their privacy practices or are in the process of developing their privacy policy and program. For businesses that have not addressed privacy, 20 Questions provides a good introduction in assessing privacy risk.

 

The obligation to protect personal information must be a team effort – it does not fall solely on the privacy officer’s shoulders. Every manager and employee that plays a part in collecting, using and/or disclosing personal information should have an understanding of their privacy obligations. This new resource provides information about privacy in a concise and easy-to-read format that can help to educate them about their privacy responsibilities.

 

Nymity: The 20 questions are broken up into subjects. What are they?

 

Cheung:  The document is divided into the following subjects:

  • Understanding Privacy Risk
  • Implementing a Privacy Compliance Regime
  • Managing Privacy Risk
  • Security and Safeguarding of Personal Information
  • Obtaining Privacy Assurance

 

Question: Could this document be used to create privacy assessment questions?

 

Cheung: 20 Questions provides insight and stimulates discussion on important privacy questions but is not intended to be a precise checklist or framework. For a more thorough privacy assessment framework, we encourage businesses to consult Generally Accepted Privacy Principles (GAPP), available free of charge from www.cica.ca/privacy.

 

For those not familiar with GAPP, it is a global privacy framework developed by the CICA and American Institute of Certified Public Accountants (AICPA). It includes over 60 measurable and objective criteria that can be used for:

  • Conducting a privacy self-assessment
  • Benchmarking your privacy practices
  • Developing your privacy policy
  • Undertaking a privacy audit

 

Nymity: In closing, please provide an update on other CICA privacy initiatives.

 

Cheung:  We have recently revised our privacy website (www.cica.ca/privacy) where we added an Upcoming Events and News section and expanded the area devoted to GAPP.

 

We have made several privacy presentations in the last few months, most recently at the International Conference of Data Protection and Privacy Commissioners that was held in Montreal at the end of September. We also continue to work with the AICPA on a joint task force devoted to addressing privacy issues.

 

We hope to publish a new privacy publication on privacy and data security issues for small and medium-sized businesses in spring 2008.

 
For More Information
 

To learn more about CICA visit www.cica.ca

 

Nicholas Cheung

Nicholas.Cheung@cica.ca 

416.204.3251

 

 

 

 

 

 

 

 

 

