CSR in Europe, Middle East and Africa : privacy

New Global Citizenship Video

ulrikehaug — Thu, 23 Jul 2009 15:22:00 GMT

We have just released an updated version of our ‘Global Citizenship in EMEA’ video and I would like to invite you to watch it and leave your comments.

In the video, HP managers in charge of environmental responsibility, social investment, supply chain responsibility and privacy describe what HP does in their area of global citizenship.

Let me know what you think and if you know of any CSR videos by other companies that you find worth watching.

Ulrike Haug, CSR Stakeholder Programmes, HP EMEA

Daniel Pradelles: HP leads the way on the Accountability path…

jeanne2007 — Thu, 18 Jun 2009 12:37:00 GMT

I asked my colleague Daniel Pradelles to give you an update on privacy and data protection at HP. Enjoy reading. Jeannette

HP leads the way on the Accountability path…

“Privacy and data protection. These words should provide a sense of safety and trust on the personal data processing and the company responsible for undertaking it. However, these days for many individuals, they give grave cause for concern... How can we be sure that details of transactions cannot be detected? That data is used in line with users’ expectations and that confidences are kept? How confident can we be that companies will willingly be accountable for guarding our privacy?”

It has to be said that the concerns above may well impact the nascent ‘information society’ and its multiple, recent and promising evolutions, such as the internet, ambient intelligence, smart objects, cloud computing, social medias or social networking. Inappropriate handling may seriously reduce or slow down users’ benefits.

In order to address these concerns effectively, HP has been working with the Centre for Information Policy Leadership (CIPL), representatives from major industry partners, consumer protection groups and regulatory agencies to develop a Working Paper that sets out the essential elements of a new concept called ‘Accountability in Privacy Governance’.

The challenge is that all of us – companies, institutions and regulatory agencies - have different policies and practices on privacy, different visions and contexts. Consequently, our solutions for effective data protection management are different. How can anyone be sure that such solutions are adequate and that they are completely accountable for their actions? There is a need to formalise the accountability concept and its meaning and we need to do our best to harmonise the different approaches.

Our main goal is to look at accountability through several specific themes, such as: i) How it links to Privacy Governance issues, ii) What the essential elements of accountability are that link to trust in data management, iii) How to measure accountability, iv) The key linkage with another major concept named ‘privacy by design’, v) What the main incentives are for privacy accountability and finally vi) The challenges of certification and oversight.

Our aim, therefore, is to really work on the definitions and the key elements of accountability so that we can prepare a comprehensive document that contains new trends, practices and opinions on accountability that will be commonly accepted. Once completed, this Working Paper will be submitted for consideration and discussion to a number of major privacy regulators & international organisations, all of whom work to ensure consistent accountability strategy.

The importance of such an approach, which is at the heart of HP’s plans, has already been acknowledged in a recently released ‘Review of Data Protection Directive’ study produced by Rand Europe for Richard Thomas, UK Information Commissioner. Let me finish my blog entry again with a quotation from Richard, who stated in the forward of the study:

“A vital theme is accountability. Primary responsibility must be placed on organisations to get it right and they must be held to account if they get it wrong. Organisations must deploy the right technology and have a privacy-by-design approach at the heart of their plans. »

Thanks for reading.

Daniel PRADELLES EMEA Privacy Officer HP CCF

You can read more on Accountability in a recent article in the HP Global Citizenship Bulletin.

2007 data protection commissioners’ conference explored terra incognita

BlogArchive — Thu, 13 Dec 2007 12:05:00 GMT

In my previous blog entry I presented briefly the Terra Incognita conference on data protection and privacy and the six “dragons” which are “living “ there: 1) Public safety, 2) Law meets technology, 3) Globalization, 4) Ubiquitous computing, 5) The next generation and 6) The body as data. I discussed the first three in my previous blog, so let’s look at “dragons” 4), 5) and 6).

Ubiquitous computing: This one can be seen as an extension, or a twin, of the dragon of “globalization” with which it is tightly linked. A dominant aspect of the modern world is the predominance of technology as a major enabler of progress, security, wealth, efficiency, but also as a new way to perpetrate fraud and crime and make excessive privacy intrusion easier. A balance is needed between technology’s usefulness and its intrusive nature. Some practices seen as useful developments which could also be considered as potentially intrusive include fleet management, on- board “crash” recording devices, sales and service engineer travel optimization. Some practices in the near future like location-based advertising, facial recognition devices, and license plate automatic tracking were also noted.

In the more distant future technologies like “intelligent dust” or the “internet of things” will blur the line between private and public, visible and invisible, under control and out of control, humanly managed and automatic machine interaction and data collection. As noted by one of the speakers in its supporting documents:

The privacy community needs to consider what positions it will take and what concerns it will raise as such systems inevitably expand in scope and use.
Should system controllers be required to establish reasonable grounds for extensive surveillance systems?
Is advising the subjects the only constraint on use of these systems?
Are there situations when surveillance systems are too fundamental an invasion of privacy?

The Next generation: For individuals 30 years of age and more, technology is something that has entered their lives and has been evolving more and more quickly. The experience is radically different, and will be even more year after year, for the young generation. They have always lived in a world with technology, and their attitude about it is at the same time more open and more naïve than older people. Participants said that we have to inform young people about the benefits and the risks and protect them against those dangers.

When it comes to the protection of children, there is often a focus on preventing access to sexually aggressive material and child pornography. But there are also some other risks that are less critical but merit attention, such as excessive marketing to children, surveying of children, appealing contests and so called “free gifts,” which may trigger adverse consequences.

One of the workshops about this “dragon” presented some education modules that have been used in the classroom.

The Media Awareness Network demonstrated a number of games, including the award-winning Privacy Playground: “The First Adventure of the Three Cyberpigs”, as well as lesson plans and teaching modules specifically designed to provide children with an in-depth understanding of the relationship between privacy and their own experiences as consumers and citizens.
The Alberta Civil Liberties Research Centre presented the “Technotonomy” manual, an interactive textbook designed to provide teachers with background information and student materials on privacy.
The On the Identity Trail Project introduced a new privacy module called “In Your I” that provides students with an opportunity to explore the deeper relationships between privacy, autonomy and identity in a networked environment.

The Body as Data: Advanced research in the medical domain, especially on the human genome, has made a lot of information available not only about health and medical treatment but also about the body and the genetics of individuals. There are an increasing number of companies managing “biobanks” that keep extensive information about people.
“It encompasses a wide range of collections, including not just those specifically instituted as biobanks but also: pathology samples; blood samples from newborn screening; samples in various tissue banks and disease registries; samples sent to medical laboratories for clinical testing; reproductive matter in assisted reproduction clinics; collections of various body substances for forensic purposes; samples collected for military identification purposes, and samples obtained directly or indirectly for research purposes.

The speakers differentiated among three main types of biobanks:

Clinical biobanks consist of samples collected for clinical treatment purposes;
Research biobanks for experimental and research purpose
Forensic biobanks for investigatory or law enforcement purposes.

Such data poses indeed some serious questions about security, privacy, consent and purpose (primary and eventually secondary) and the speakers mentioned the potential permeability of the above differentiation. The huge interest of biobanking was mentioned and also the formidable challenge to ensure the adequate balance between the private and public interests of those and the protection of individual privacy.

The next conference will be organized jointly by the French and German data protection agencies in Strasbourg, France, which is a meaningful place for both countries in terms of culture, history and politics and will be hosted by the Council of Europe. The theme will be “Protecting privacy in a borderless world” with a focus on global technology challenges and economical and sociological aspects of our society, with speakers from civil society, enforcement agencies, private companies and researchers.

Daniel Pradelles, HP EMEA Privacy Officer

For more detailed information and background documentation you may visit http://www.privacyconference2007.gc.ca/workbooks/Terra_Incognita_workbooks_E.html

2007 data protection commissioners’ conference explored terra incognita

BlogArchive — Mon, 03 Dec 2007 06:14:00 GMT

Data protection commissioners from around the world met in Montréal from September 27-29, 2007, for their 29th annual conference titled, “Terra Incognita”. This event, open to non regulatory participants, is particularly interesting for us at the HP Privacy Office as it is an excellent and unique opportunity to meet privacy commissioners in one place, understand the main worldwide trends, exchange views, ideas and concepts. This allows a better understanding of regulatory evolution, improved HP internal policy & practices planning and a more fruitful collaboration between regulators and the industry; with the ultimate objective to ensure efficient personal data protection at minimum business impact. I attended this conference with our HP Chief privacy officer and our APJ privacy officer and would like to share my impressions of this conference.

In this conference the commissioners met to discuss successes, issues, and efforts of the previous year in their work to promote data protection principles. This year’s gathering, more than any before, acknowledged the necessity of collaboration among different stakeholders and of addressing the “dragons” populating the Terra Incognita of data protection. This theme, which seems exotic at first glance, was carefully chosen and thoroughly considered to depict the mix of expected and unexpected domains and the new technologies and practices faced by privacy professionals in their daily work in the uncharted territories of data protection.

The six dragons foreseen in the Terra Incognita were identified as the following: 1) Public safety, 2) Law meets technology, 3) Globalization, 4) Ubiquitous computing, 5) The next generation and 6) The body as data. For each of these dragons there were plenary presentations and workshops to try to assess the situation and analyze some existing or potential ways to fight the wild animals. For the program, click here.

Public Safety & Globalization: In a world dominated by the fear of terrorism, this is most likely one of the most difficult and controversial dragons. There is often a belief that the game between privacy and security is a zero sum game where inevitably an extension of security should result in less privacy and more data collected from individuals with or without their consent and knowledge. Some expressed concerns on the real efficiency of the surveillance techniques in regards to their impact upon privacy and freedom.

The presenters scanned a wide range of views reflecting the complexity of the subject, even if all agreed that the basic concepts of privacy and security are both human rights that should be equally considered, respected without trade-off between them. One speaker said that in fact it is an old problem in a new world and we should consider today freedom vs. control instead of privacy vs. security. We should move from the “nothing malicious then nothing to hide” to a time where the “potential of control can be everywhere and invisible.” Which is a paradoxical situation when to hide something, and to keep something private is natural and “just a characteristic of being a human”.

Law meets Technology: This session highlighted the growing trends about the use of technology in a surveillance society, the potential impacts, the extremes to which some nascent technologies may bring us, and how law can keep pace. Currently, some technologies, like RFID or geo-location, are viewed as potentially privacy reducing, but as one speaker said, we have to have a vision of the future and envisage as early as possible the impact of future techniques, like nanotechnologies, which might be even worse.

According to panel members, technology evolution triggers a need to evaluate, and demonstrate in some cases, how well an organization implements privacy and efficiently protects personal data. At present, most companies are relying on privacy policies, workforce trainings, and internal auditing; sometimes also using industry seals like BBBOnline or TRUST-e.

This session also reviewed some attempts to define a standard framework similar to what was done in the quality assurance domain. Such an approach, based on norms and formal certification, can bring ways to compare and ensure some level of compliance, but it may also generate significant complexity, delays and cost which may seriously impact business performance.

Daniel Pradelles, HP EMEA Privacy Officer

Privacy – from beyond compliance to accountability

BlogArchive — Thu, 05 Jul 2007 17:11:00 GMT

In March I traveled through Europe with HP’s Chief Privacy Officer Scott Taylor to visit Data Protection Authorities officials from several EU member states and the EU Commission. In a recent interview with him about HP’s approach to privacy and his role he summarized our experiences and achievements during our trip. I would like to use this blog to share some thoughts and forward looking statements following this trip and gather inputs and comments on HP’s approach.

As I mentioned in my previous entry we developed our “privacy beyond compliance” concept several years ago. One of the main points addressed in our trip was the accountability step which has been recently added to our existing approach. From the “beyond compliance” we have moved to the “accountability” model.

Today, any global company is confronted with complex markets and supply chains, and global competition. As a result, companies manage and store increasingly complex sets of data about their customers, employees and partners. That’s why a corporation like HP has to be “accountable” for the way it handles data all along the lifecycle of personal data management.

In practice it means that our policy, guidelines and practices do not stop at our door, but rather include all vendors, agents, and employees working for the company from the operational level to the executive board, ensuring that they are fully informed and trained on the way to handle information responsibly.

It also means that we have to think about personal data collection and use, not only on the legal side. We should not stop at the “what’s legal” but extend to the “is it right?”, “is it as expected by the data owner” and apply ethics and value driven considerations to our decisions making.

We can say that we have now a dual evolution which carves out a different landscape of privacy and data protection:
1. Increasing complexity with globalization, new businesses, new technologies, new practices and services;
2. Changing consumers’ expectations in terms of quality, transparency, trust and reliable relationship.

Those two trends are directly impacting the evolution of the information society. If not managed well those trends may jeopardize it and expand even more the digital divide.

This is one of the major challenges corporations and privacy professionals are facing today. Our role is to ensure the adequate management of those conflicting trends in collaboration between main parties involved: Data protection authorities, Business professionals and Consumers.

The last group has been traditionally dealt with via consumer associations or non governmental organizations. I think it would be extremely valuable to hear directly from you (customers, privacy experts, employees…), How do you see privacy and data protection? What do you think of our approach? Is there an additional dimension missing? What are your expectations? What do you fear most in our information society?

Thanks a lot in advance for your input and comments which will help us to fine tune our policies and practices.

Daniel Pradelles, HP Privacy Officer, Europe Middle East and Africa (EMEA)

Privacy – a fundamental right!

BlogArchive — Fri, 29 Jun 2007 05:28:00 GMT

Since 2006, in cooperation with my team and a network of lawyers, I manage all privacy activities as the Privacy Officer for HP in Europe, the Middle East and Africa (EMEA). We are responsible for internal aspects like policy and legal compliance, new practices and technologies, awareness raising and training and external aspects such as to ensure presence in main international events, keep abreast of regulation, consumer attitudes towards privacy, emerging technologies and close communication with data protection authorities from EMEA member states.

Privacy is considered as a fundamental human right in the EU (Charter of Fundamental Rights of the European Union - Article 7 and 8) and is regulated in most EEA countries. At HP, privacy constitutes one of the main pillars of Global Citizenship. Our policy is based on the highest levels of standards. We consider it as a basic requirement and good business practice which ensures a sustained and trusted relationship with our customers and has to be considered as a competitive advantage especially in the information society which is currently unfolding.

The role of our EMEA privacy team, in tight relationship with local legal and business management, is to ensure that we understand the local legal requirements, comply with regulatory requirements, implement sound practices and maintain appropriate awareness and a privacy conscious culture. Frankly, it is not always easy in a group of countries where the law, the culture, the expectations and even the perception of what privacy means is so diverse. Inside the EU we have a set of “Directives” which define some basic concepts to be applied as homogeneously as possible in all EU member states. The EU Member States implementation is more or less uniform and some details may vary, but at least we have a certain shared standard at a conceptual level. Without going into details let’s just say that the fundamentals such as notice, choice, access, consent, security, legal protection when transferring data abroad are the same.

These directives cover only the legal or liability side which ensures safeguards aiming to limit excesses or to ensure remedies in case of problems. However, when taking a closer look, the perspective of indivuals and businesses seems to be missing: how to ensure data protection effectiveness, business efficiency and position data protection as a business benefit and not a necessary burden? How to address individuals’ expectations, perceptions and concerns when we need more and more personal data to provide better and customized services and products?

A responsible corporation cannot simply take the position that “complying with the law is enough”, it has to go beyond. Customer as well as employee expectations have to be taken into account at the design phase of any product, software, and service or marketing/sales activity.

At HP, we addressed this gap by developing the concept of “privacy beyond compliance” a few years ago.

It is usually described by the acronym “RIM” which stands for Responsible Information Management (Wikipedia). This concept is founded on an intersection between, on the one hand, “values, ethics and legislation”, and on the other, “governance, technology & strategic visioning”. As described by the Ponemon Institute “it is a process for ensuring trust and confidence in how a company’s leaders conduct business”.

By making the “trusted relationship” a reality, it will then create an ideal “win-win” situation between personal data owner (individual, customer, and employee) and the corporation providing services and goods. It will foster and improve some concepts like CRM (Customer Relationship Management), aiming at a better, more informed, predictable, sustainable interaction with customers; Customer intimacy, ensuring an optimum match between needs, demands and customer offering.

Daniel Pradelles, HP Privacy Officer, Europe Middle East and Africa (EMEA)