Power, Michael E. Developing a Culture of Privacy: A Case Study. IEEE Security and Privacy, November/December 2007.

Contributor: vjp

Keywords: information privacy, information security

Abstract: How does an organization protect sensitive personal information such as social security numbers, health care records, or other information deemed "private"? Most organizations rely on compliance with a security standard, but this assumes the ability to recognize exposures or potentially questionable practices. Power relates his experience developing a "culture of privacy" at Ontario's Smart Systems for Health Agency (SSHA). His objective was, and is, to "make every employee feel personal responsibility for privacy and security as part of their employment with SSHA." From building that culture, Power offers these takeaway points. Management must lead by example, providing resources such as increased budgets, training, and other incentives aimed at changing the behavior of employees who interact with and manage sensitive information. In addition, management must elevate privacy awareness and protection to an ongoing organizational priority. Management should ask each employee and contractor to accept personal responsibility for protecting sensitive information in the organization's custody. Evaluation and follow-up programs are vital if the organization is to gauge whether employees and contractors understand their responsibilities for protecting sensitive information and the processes available for reporting breaches. Once a satisfactory level of awareness has been reached, an organization can brand itself as having a strong privacy culture and a reputation for trust.