Interview with Terry Hancock
August 2007
Interviewee: Terry Hancock, President, Compliance Division, SAI Global
Subject: Effective Privacy Training in a Global Economy
Nymity: Please introduce yourself and SAI Global.
Hancock: SAI Global is a publicly listed Australian professional and business
services company operating in the international standards,
regulatory and compliance spaces. With over 1,000 employees
and fiscal year revenues of close to CAN$200 million, we’re
located in 26 countries.
As CEO of the Compliance Division,
my role is to build a team that creates meaningful solutions
to help organizations integrate and manage compliance in their
organizations. We believe that in some cases this involves
providing training and awareness solutions that are relevant,
memorable and go beyond the immediate issues of conformity
to help manage behaviors. We currently have well over 4 million
active users of our courses around the world including more
than 250,000 in Canada where we’ve been operating for
5 years.
In other cases the function
of compliance reaches beyond these issues and organizations
are challenged with making compliance “operationalized”.
That involves taking full advantage of the benefits of technology
and information by using tools that avoid duplication of work,
capture and report data and intelligence, prevent miscommunication
and align compliance more closely to the functioning of the
business units.
Nymity: Many companies today have some type of global presence
– sometimes it’s having suppliers or manufacturing
plants located outside their home country, and sometimes there
are fully functioning subsidiary operations. How does this
global presence affect the kind of privacy training they provide?
Hancock: Some of our largest customers in
Canada have come to us with this problem. We first discuss
with the company the degree of risk they face in each area
and also what business processes that organization has that
can create specific problems. Only lastly do we concentrate
on regulation and laws. In addition, we review the type of
training that fits the culture and style of each organization.
We normally undertake a mapping exercise to identify jurisdictions,
business lines and job roles and then plot these against key
topics and identified business risks ordered by scale and
potential impact. Most solutions can be online but supplemented
by offline and other supporting elements.
Our generic global privacy course covers 4 key issues:
- Knowing the organization’s privacy requirements, policies and procedures
- Performing daily responsibilities that support privacy requirements, goals and initiatives (by various job roles)
- Using privacy technologies responsibly and in compliance with organizational, contractual and legal requirements
- Reacting to privacy incidents and enquiries appropriately
The course includes a complete database of legislation by
territories as well as a survey of best practice (broadly
based on OECD principles). In this way each user will understand
both the organizational stance on privacy but also how that
plays out at a local or regional level. Typically we handle
this through multiple business lines and job roles. In this
way we can pick off high risk groups be they call centers,
HR, Marketing as well as potentially third parties such as
contractors or suppliers. Flexible Learning Objects in computer
based training allow this mixing of the generic and specific
to create multiple course structures built around one overall
curriculum. We normally strongly advise that this be made
available in all local languages.
To date our course covers over 60 different jurisdictions
and the legislative databases are maintained dynamically to
ensure continued currency of the material. Two major international
banks in Canada have signed up for this approach reflecting
both their concern about the topic but also a clear desire
to manage privacy issues around common criteria and best practice
– the highest standard needs to be the minimum standard
– everywhere.
Nymity: What are the major returns an organization should
expect from privacy training?
Hancock: The first obvious thing to say
is that, in general, the level of reporting and incidents
rises post-training, a natural reflection of enhanced understanding.
However, the quality and focus also improve as does the level
of feedback and “chatter”, so the first obvious
payback is intelligence about where problems are occurring,
levels of understanding (or otherwise) and so on. This may
not reduce the size of the Privacy in-tray but as material
for an improved action plan it is priceless.
Breaches will still occur but the treatment and reporting
of them should improve and over time there should be a decline.
Employee understanding is “route one” to better
customer understanding as well, so service, breaches and handling
of privacy problems should all improve. Basic before and after
metrics should be deployed in key areas in obvious sources
of privacy challenges such as HR, telemarketing and call centers,
etc.
Most calculations of ROI on training, especially Privacy
where big corporate fines for wrongdoing are still (relatively)
rare, cannot endure close scrutiny; there are many unmeasurable
positives (better service, more satisfied customers, and improved
reputation). The best measure though is to compare organizations
that have no or ineffective training with those that do. Here
the contrast is most dramatic. And, especially when things
go wrong, most privacy disasters are often the result of how
a problem is dealt with rather than the original issue itself.
Nymity: What is the Privacy Commissioner position on training
employees on privacy?
Hancock: The Guidelines for Identification
and Authentication were published by the Office of the Privacy
Commissioner in October 2006. The Personal Information
Protection and Electronic Documents Act (PIPEDA) requires
that “organizations should provide training on authentication
policies and processes including examples of potential threats
to privacy, such as ‘pretexting’. The training
should be updated to reflect policy and process changes and
new threats.”
Jennifer Stoddart and others have been very vocal on the
need and desirability of training; it is still seen in some
quarters, however, as relatively discretionary. The key wording
here is “should” rather than “must”.
That said, the rise of identity theft, issues around cross-border
handling of personal information, well-publicized successful
hacking attempts on mass consumer data and so on would prompt
the question, on what basis would any self-respecting organization
holding personal information not provide training?
Nymity: What are the traditional approaches to privacy training?
Hancock: Typically, we see two responses
to the challenge of instituting privacy awareness programs.
One is a piecemeal, silo-based approach where many different
parts of the organization make their own privacy training
provision. This results in training that may potentially be
both specific and relevant to particular segments of the target
audience, but gives patchy coverage, inconsistent messages
and leads to much duplication of effort and resources.
The second is a ‘global’ approach, assuming that
one size fits all. This approach is driven from the center
and is successful in better use of resources and consistent
messaging. But because of its essentially general nature,
it is not sufficiently specific, meaningful or relevant to
many learners and doesn’t deliver effective learning.
Furthermore, these centrally-driven approaches are rarely
truly global and, usually as a result of technical and other
issues, only reach a proportion of the total target audience.
We believe that the requirements for compliance training
generally, and data protection/privacy training specifically,
have entered a new phase in which a truly global privacy awareness
framework is required. Training needs to accommodate the complete
diversity of business lines, territories, languages and job
roles and have the capability to integrate new material easily.
This enables business areas to migrate over time from existing
solutions and allow for regulatory and organizational evolution.
Nymity: What are the challenges in creating effective online
privacy instruction?
Hancock: It’s important to remember
that the basic need in corporate training is to enable an
employee to do a job more effectively and within the limits
of regulation, legislation and corporate policy. The principles
of instructional design and human learning theory need to
be employed in light of this focus. So not only does the right
content need to be presented, namely, what the learner needs
to know to do his or her job, but the learner must stay motivated
throughout the training to not just complete the training,
but to remember it and act accordingly.
We use a variety of instructional strategies to develop our
programs, always keeping in mind the nature of the subject
matter and the desired learning outcomes. In some cases, content
is presented in a rather straightforward way with vignettes,
simulations and interactions inserted to maintain focus. Case
studies are used to enable recognition of real-life situations.
Nymity: How does having a training program help an organization
with customer complaints?
Hancock: Most corporate risks typically
reside in three places: processes/policies, technology and
people. An effective and efficient compliance and risk management
process integrates these elements in a way that enables people
to respond appropriately in all situations. Nowhere can this
be more important than in an organization’s response
to customer complaints.
One of the benefits in establishing a documented, proven
training program is in record keeping. When an organization
commits to a sound, relevant and consistent training effort,
and can show that training was not only delivered, but that
employees successfully completed assessments attesting to
their knowledge, there is a good basis to assert that employees
responded appropriately.
Of course mistakes can happen - people can respond incorrectly
or inappropriately, or bend policy to suit a particular circumstance.
But when training is a matter of public record, the organization
can potentially defuse a serious public relations or legal
problem by producing its policies and procedures and demonstrating
how they’ve aligned them with staff training.
Nymity: How much would it cost for SAI Global to provide
a program to train the typical call center, say with 70 customer
service representatives?
Hancock: There really is no typical call
center and no typical price. The choice of an instructional
approach and a risk management program in any one engagement
is influenced by many factors, including the nature of the
subject matter, the desired learning outcomes, the culture
of the organization, the legislative needs, the need to customize
content, the need to have instructor-led training, etc. Based
on our 15 years of experience in this space, every organization
is different.
We recognize that there are a number of very small organizations
that simply want to deliver one or two standard, off-the-shelf
online training courses to their staffs. Currently, we’re
investigating the feasibility of offering certain of our online
courses through our Web site. More on that will follow.
Nymity: What companies and which departments would gain
the most from this form of training?
Hancock: Privacy training is so closely
integrated with a company’s business practices, its
perception by outsiders and its brand image and value that
we believe it should be offered to all employees.
Individuals and corporations now want visible proof that
their personal data, medical records, financial information,
etc. are not just protected but that protection is actively
and robustly managed. Reassurance and transparency on that
score is now non-negotiable and training is a vital component
of that.
On a more brutal note, recent legal cases have shown that
education and training (or lack of it) will be taken into account
when judgments are made; there has been a high correlation
between unhappy experiences in court and poor or non-existent
training.
Nymity: What is the fastest, least expensive and most effective
process for rolling out an effective training program?
Hancock: Computer-based training in principle
is always a viable option but one size does not fit all. Careful
thought needs to be given as to how computer-based training
fits with other forms of training and communication; for example,
privacy professionals may well benefit from more detailed
offline workshop courses supplemented by computer-based training.
It’s not an “and/or” option but with care
can form the core of the training effort upon which other
elements can be crafted.
Nymity: In closing, what is the benefit to a customer of working with a global organization like yours?
Hancock: Well, our name itself - SAI Global
– underscores that the company has global resources
and global capabilities. But, like all worldwide companies
that have real staying power in business, we support those
global resources with local experts. Unlike certain companies
who claim to offer a “full compliance solution”
anyplace in the world but really provide only global delivery
or the use of outside consultants, we have the resources to
manage the worldwide intricacies of the compliance challenge.
In some cases we may use our local experts to assist with
interpretation of local regulations. In other cases we may
establish an in-country hosting site to ensure smooth implementation
of a Web-based solution. A powerful benefit is that we are
drawing knowledge and expertise from a very broad range of
organizations and subjects. For example, we have implemented
dozens of privacy courses in corporations and industries around
the world covering more than 70 countries giving us a unique
perspective we can bring to the table for the benefit of our
clients.
As one very current example, we are building a compliance
reporting, monitoring and management system for a global natural
resources company. We are providing local support and hosting
in China, Australia, North America and Europe, an example
of how SAI Global acts globally but thinks locally.
For More Information
To learn more about Easy i / SAI Global, visit www.easyi.com
Terry Hancock
terry.hancock@easyi.com
Barry Young
barry.young@saiglobal.com
416.214.4293