2014 Chief Information Security Officer (CISO) Leadership Forum

The document is a presentation about privacy for security professionals given by the Chief Privacy Officer at UnitedHealthcare Military & Veterans. The presentation covers: 1) The difference between privacy and security and how they relate. 2) The importance of commitments made in policies, regulations, laws, and contracts. 3) How ethical and political considerations impact privacy practices. 4) Key privacy factors around data collection, location, disclosure, use, retention, and takeaways.


2014 Chief Information Security Officer (CISO) Leadership Forum

What every security professional needs to know about privacy

- Elimu Kajunju, CISSP, CIPP/US
Chief Privacy Officer & Senior Associate General Counsel, Privacy and Security
UnitedHealthcare Military & Veterans

• UnitedHealthcare Military & Veterans draws on the unmatched experience and expertise of the UnitedHealth Group family of companies to provide affordable, high-quality health care to active duty military, retirees, and their families.
• In partnership with the Department of Defense, UnitedHealthcare provides health care services to over 2.9 million beneficiaries as the TRICARE Managed Care Support Contractor for the TRICARE West Region.

2
Confidential Property of UnitedHealth Group. Do not distribute or reproduce without express permission of UnitedHealth
Disclaimers

 I am a lawyer but not your lawyer. This presentation should not be construed as legal advice
 If you don’t have a lawyer advising you on privacy or security compliance, you should get one
 This presentation represents my personal opinion and not that of UnitedHealth Group, UnitedHealthcare or any of its affiliates
 Making friends with your privacy colleague is the best way to learn more about privacy
Topics Covered

 Difference between privacy and security
 Commitments
 Ethical & political considerations
 Data collection
 Location, location, location
 Data disclosure
 Data use
 Data retention
 Takeaways
Privacy Confessional

Difference between privacy & security

Privacy

The rights and obligations of individuals and organizations with respect to the collection,
use, retention, disclosure and destruction of personal information

Security

The processes and methodologies which are designed and implemented to protect print,
electronic, or any other form of confidential, private and sensitive information or data from
unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.

Commitments

Importance of the following commitments

• Privacy policies – usually interpreted in favor of the consumer
• Regulatory requirements
• Legal obligations
• Self-regulatory obligations
• Contracts

Ethical & political considerations

Importance of these ethical and political considerations

• If your customer knew everything you did with her data, would she approve?
• “Ick” factor
• Political implications
• Legislative scrutiny
• Media attention/scrutiny
• Social media backlash

Data collection

Data collection practices

• Most important factor in privacy compliance
• Question the need to collect data
• Question scope of collection
• Contradictions between collection and commitments
• Frontline for guarding against the “ick” factor

Location, location, location

Critical for multi-state or multi-country businesses

• Know your customers
• Know your jurisdictions
• Understand the enforcement landscape
• The location of your customer is just as important as where you locate your customer’s information
• Pay careful attention to the impact of location-related decisions

Data disclosure (external)

Ethical & political considerations may impact data disclosure practices

• Know who you are or will soon share information with
• Make this very clear in your policies
• Don’t add “future” disclosures to your policies
• Limit disclosures to minimum necessary
• Ask for permission from the customer when it makes sense to

Data use (internal)

This is the reason you collect the data – make sure it is on solid ground

• Know what you are or will soon be using the information for
• Make this very clear in your policies
• Don’t add “future” uses to your policies
• Limit uses to minimum necessary
• Use de-identified data when appropriate

Data retention

A mature data retention strategy is key

• A simple but comprehensive data retention schedule is needed
• Very few sets of data need to be kept forever
• Without a solid implementation plan, the strategy won’t work
• Use your record retention program to reduce your risks
• Hope is not a strategy

Takeaways

• Familiarize yourself with the Generally Accepted Privacy Principles
  • http://www.cica.ca/resources-and-member-benefits/privacy-resources-for-firms-and-organizations/gen-accepted-privacy-principles/item61833.pdf
• Understand the commitments you have made in your privacy policies and contracts and with regulatory bodies
• Put yourself in the approval chain of your contracts and other voluntary commitments
• Before making security implementation decisions, familiarize yourself with the requirements for the applicable location (or make sure someone is checking). Some free and good resources for this information include:
  • Morrison/Foerster Privacy Library (http://www.mofo.com/privacylibrary/PrivacyLibraryListing.aspx?xpST=PrivacyLibraryListing&pid)
  • National Conference of State Legislators (http://www.ncsl.org/research/telecommunications-and-information-technology/state-laws-related-to-internet-privacy.aspx)

Questions

