Nymity News

Interview with Michael Power

February 2008

Michael Power

Interviewee: Michael Power, V.P., Privacy and Security, Smart Systems for Health Agency

 


Subject:   Developing a Culture of Privacy

 

 

Nymity:  How would you describe a “culture” of privacy?

 

Power:  Many privacy incidents are simply caused by “human error”.  A “privacy culture” involves an awareness and sensitivity by each person within an organization - when processing personal information in their day-to-day activities -  that an additional degree of caution needs to come to the fore.

 

Nymity:  What are the business drivers and benefits of having a privacy-sensitive culture?

 

Power:  Reputational trust and confidence; legislative, regulatory or contractual compliance. The list as to why organizations need to deal with privacy has not really changed over the last four years.

 

Clients and stakeholders will choose more privacy-sensitive organizations over the long run because their managers are effectively managing the organization’s privacy risk.  Part of managing privacy risk is developing a privacy-sensitive culture within the organization.

 

To put it in the starkest terms, at the end of the day, organizations that do not address privacy risk adequately will be considered as not having “good managers”. If managers cannot manage the day-to-day risks facing the organization, why should people trust them with their business?

 

Nymity:  How do you integrate security into a privacy culture?

 

Power:  Privacy provides the “why” while security provides the “how”. It is one thing to ask employees to be privacy-sensitive but in doing so you have to also ask them to use the privacy and security tools that an organization should provide. Security-conscious organizations will have physical, procedural and technical security controls. By adhering to well designed security and operational policies and processes, employees have the basic starting point for privacy sensitivity.

 

Nymity:  What are the key components for building a culture of privacy?

 

Power:  Building a culture of privacy involves an organization:

  • clearly articulating privacy as an organizational priority;
  • communicating key privacy and security messages;
  • educating across the organization;
  • raising awareness of the importance of registering privacy incidents;
  • building privacy into the fabric of the organization’s activities; and
  • making privacy information and guidance readily accessible.

If these things are done well, the organization has a framework to create or reinforce the “culture of privacy”.

 

Nymity:  Where does an organization start?

 

Power:  No question in my mind: at the top. Senior management has to assign adequate resources to information-protection issues, publicly support internal educational initiatives for privacy and security and effectively communicate that information protection isn’t solely a technical or policy issue; rather, it depends on behavior. It has to be made clear that privacy is an “individual” responsibility: everyone working with personal information is responsible for its protection. Finally, it has to be communicated that information protection is an ongoing initiative, not a short-term project.

 

Nymity: How did SSHA create a privacy awareness campaign?

 

Power:  The Agency established a Privacy and Security Awareness Month in September 2007 using a coherent and consistent theme: “Get Caught! Doing the Right Thing.”  It distributed a dozen different posters, reinforcing privacy and security messages from the Agency’s Code of Conduct, throughout several floors in two buildings and two data centers. The posters were then installed as screensavers on each agency computer and remained in place until December.

 

[Image: Cuddles, the privacy and security mascot]

 

If your readers are interested in seeing the posters, they are downloadable from the Privacy and Security Page at www.ssha.on.ca.

 

It’s arguable that employees feel empowered when they have an easy means of communicating and are encouraged to do so. With that in mind, our next step was to establish a privacy and security email account as well as a direct telephone line; the latter was placed as a “speed dial” number on each telephone throughout the agency. These voice and mail accounts are monitored daily and receive traffic from employees and contractors on site who seek answers to questions or are reporting what they think are questionable practices that need to be changed. Perhaps what is most telling is that they are used by employees.

 

I believe that changing a culture requires individual communication. To ensure that employees remembered the privacy and security messages from the poster campaign as well as the email address and telephone number of the privacy and security hotline, we emblazoned them on coffee mugs. I gave them to each employee and contractor I saw during a series of “walk-abouts” through the Agency.

 

This approach may not work for larger organizations but someone from management should look each employee in the face and ask them to accept responsibility for protecting the personal information in the organization’s custody.

 

Nymity:  How does SSHA conduct employee training?

 

Power:  We started by creating two Web-based training modules - one for information security and another for privacy. The privacy module explains why personnel need to embrace the importance of privacy within the organization and what legislation applies to the Agency. The information security module explains some of the possible threats and what individuals can do to lessen the organization’s vulnerability. Both modules provide fundamentals, or “101” courses. We’re working on our next phase now, which is intended to provide “201” courses - role-specific training and in-depth content more tailored to specific target audiences within SSHA (e.g. Service Desk, HR personnel).

 

SSHA required employees to complete the training within the October–November 2007 timeframe. New employees and contractors must complete the training within 30 days of employment or engagement. A registration requirement within the training modules allows the Agency to track who has completed the training.

 

We took a “carrot and stick” approach to training. As a carrot, the first three divisions within the Agency with the highest-percentage completion by a specified date became eligible for modest prizes. As for the stick, anyone not completing the training by the cut-off date was to be locked out of our information systems until they completed the modules. Fortunately, we had 100% completion before the training end date.

 

The modules are not publicly available but we do make them available upon request to health care institutions within Ontario.

 

Nymity: What kind of training and awareness follow-up did SSHA implement?

 

Power:  We’ve conducted an employee survey to evaluate both the initial awareness and training campaigns and we’re gearing up for another awareness campaign in the spring. Both in our survey and a larger Agency cultural survey, there were clear indications that the messages were registering with employees and contractors. It is important to recognize that such campaigns have to be considered long-term initiatives. We did not start out to create a privacy and security “mascot” but Cuddles will definitely be back.

 

Our focus in conducting follow up campaigns will be to ensure employees and contractors understand their privacy responsibilities, the safeguards they must employ to protect personal health information, and the process of escalating and reporting privacy incidents.

 

Nymity:  After an organization has created a culture of privacy, what steps could an organization implement to create a mature privacy management program?

 

Power:  Every organization is different and both the size of the organization and the sensitivity of the information it processes will influence how far and fast it goes in developing a comprehensive privacy management program. SSHA is far from finished in embedding a culture of privacy within the Agency and we’re attempting to “multi-track” a number of initiatives. We’ll continue to raise privacy awareness, build out our training program and continue the renewal of our privacy policy framework. To complement this work, we’re also developing an audit/compliance program as well as examining how best to put into place appropriate “privacy metrics”.
