THE MAGAZINE

Accountable Privacy

By John Wagley
Developing a privacy program to protect personal client and employee data is a challenge. Hewlett-Packard (HP) has chosen to develop a specific software platform that can make the task more manageable across its multiple units. The platform consists of dynamic, “context-based” questions and answers. A similar approach might also work well for other large enterprises.
 
HP’s decision to develop a platform, which it rolled out late last year, was driven mainly by the goal of boosting privacy policy accountability throughout the 300,000-employee company, said Scott Taylor, HP’s chief privacy officer, speaking at a recent privacy conference in Washington. Another goal of the platform, which is available via HP’s intranet, was to help guide employees through the policy, which HP makes available in written form but which can be “daunting” to understand, Taylor said.
 
The company had implemented a call center before it set up the privacy platform. Employees could call with privacy questions, but many hesitated to do so, Taylor said. The company wanted a more coherent and auditable process.
The platform software was developed mainly by HP Labs, a U.K.-based subsidiary. But the tool’s questions, guidance, and other content were selected and written by Taylor and a core team of privacy, legal, human resources, and other executives.
 
The process starts with employees logging into the program. They then provide some basic information about any project and their responsibilities for it. Employees then answer questions posed automatically by the software program, beginning with whether their project involves any customer or employee information. If it does, another question pops up with a list of possible selections ranging from names and addresses to passwords and Internet Protocol data.
 
This and other platform questions also let users pick “none of the above” and check an “other” category next to a blank line. A link to the right of each question reads “help with question,” providing additional guidance.
 
The next question asks more about the project, providing categories including marketing, HP services, and products/applications. If marketing is selected, for example, a new box opens asking for more detail, such as whether it involves e-mail or postal marketing, CRM-related activities, or events and trade shows.
 
A box asks about the project’s target, which could include enterprises or consumers, or specific industries such as healthcare or education. Another question asks about relevant regions, such as the European Union, the Americas, or Asia/Pacific.
 
After they complete the questionnaire, users are presented with a report. At the top, a graph places flags—yellow or red—to indicate possible risks across a series of privacy-related subjects. These subjects include compliance, transborder data flows, and inappropriate data collection.
 
When a flag is raised on a privacy area, the report also contains a brief section with a description and guidance. In the presentation, for example, in the area of appropriate/inappropriate data collection, a note states that HP must honor all opt-out requests within 10 days, and within five days in Australia. Such report subsections also contain a “view details” link to give users further guidance.
 
The report contains a checklist of recommendations. In the presentation, for example, employees are told to “please investigate” whether opt-out requests meet previously mentioned standards. Users are then asked to verify the truthfulness of the report and to submit it to a preassigned regional or local privacy officer.
 
The tool appears to be helping educate employees, Taylor said. More employees have been contacting the privacy call center already equipped with some basic knowledge, which can help make such calls more efficient, he said.
 
The dedicated platform team, working with HP Labs, meets regularly to review and discuss the platform, which is an “ongoing” project, Taylor said. A continuing goal is to ensure that policies and current laws are accurately integrated into the tool. Next to each question, employees have an option to check a box stating that the question is unclear, helping HP identify possible usability problems. HP has also conducted surveys and held focus groups on the platform with employees.
 
HP hopes the tool will capture and save a full “life cycle” picture of company projects and business activities. As the platform collects more information, Taylor said he hopes to add greater report-generating functionality. HP also hopes to continually “spot check” the data for signs of noncompliance; about a year ago, a full-time auditor was hired to focus mainly on the platform and reports.
 
Smaller companies might not need such a platform. But Taylor says HP hopes its tool will help create an “end-to-end process for the [privacy] values of our company.”

 

Beyond Print

SM Online

See all the latest links and resources that supplement the current issue of Security Management magazine.