Editor’s Note: We asked privacy pros to weigh in with their recommendations for getting board or executive-level support for privacy efforts and building strong privacy programs. In this series, Norine Primeau-Menzies, CIPP/C, Chris Pahl, CIPP/G, CIPP/US, and Michael Spadea, CIPP/US, share insights they’ve gained from their work. More experts in the privacy field will discuss obtaining and sustaining executive buy-in and other key issues during the preconference workshop Getting Results: 13 Proven Tips for Managing an Effective Privacy Program at the IAPP Privacy Academy in San Jose, CA, on October 10.

Building a privacy-aware culture: Moving from theory to practice

In the fall of 2011, OTN was the recipient of the IAPP HP Innovation Award in recognition of its efforts to embed a culture of privacy into the organization. The result of this effort was a significant decrease in privacy breaches to personal health information and of overall organizational risk. OTN is a not-for-profit organization funded by the Government of Ontario in Canada. As a Healthcare Information Network Provider, we use enabling technology to improve access to healthcare across the province.

Leading an organization to successfully develop a “privacy awareness culture” can be daunting; however, as OTN demonstrated, if it’s approached using fundamental leadership principles and theory, it is achievable. Consider the task a journey, and take one step at a time. At OTN, we embarked on that journey, and it took five years from infancy to maturity—and we’re still not completely there yet; it’s a work in progress. The following sections illustrate OTN’s approach. They’re meant to act as guides to an overall process. Recognizing each organization is different, they may not all apply.

Get buy-in from the top

Building a “privacy-aware organization” requires commitment throughout the organization, starting with the senior leadership and, ideally, the CEO. Where the privacy leader is positioned, and who he/she reports to, will define how to build an approach that gains support. Regardless of where the function sits, it is critically important to increase privacy visibility and support at the senior leader level. Work in the background and build relationships with key stakeholders in order to have support prior to presenting to a larger group. Deliver regular reports and updates on initiatives in order to garner awareness and support.

Generate a sense of urgency

As with any change, there has to be a driving force or motivation behind the change to engage others to participate and join the initiative.
It may be new privacy regulatory changes or rulings, a significant privacy breach—either internal or external to the organization—a serious complaint, a key project that requires privacy compliance or a key organizational risk that’s been identified. Whatever the driving force, leverage it and embed it into the change strategy.

Embed privacy into corporate strategy and operating planning

Privacy can and should be leveraged as a strategic asset. Companies that make privacy a pillar of their corporate mission and protect their customers' personal information can market this to their advantage. To develop privacy in this light, it’s important to embed privacy initiatives and strategies into organizational planning. OTN identified privacy as a strategic pillar in its operating plan, and specific privacy projects and initiatives were funded as an outcome. Having staff participate in privacy projects—such as automating processes and eliminating manual errors—raised awareness across the organization and subsequently decreased privacy disclosure incidents.

Develop and report on privacy metrics

One of the most successful initiatives to build a privacy culture at OTN was to develop privacy metrics and embed those metrics into the corporate scorecard and the board governance scorecard. Privacy metrics need to be relevant and tied to the organization's vision. Metrics can include anything from the number of privacy incidents/breaches, the number or percentage of privacy risks closed, the number of privacy impact assessments completed or the percentage of staff completing structured privacy awareness training. Whatever your organization decides, delivering organizational reports on a monthly basis is a sure way to gain visibility and highlight to the organization the valuable work the privacy team is doing. An organization does not necessarily have to fear metrics that demonstrate gaps and highlight work that needs to be done.
When that happens, the gaps can be leveraged as opportunities for improvement and foster an increased sense of urgency within the organization to improve in the immediate term.

Staff training

Staff training is the key component to building awareness and ensuring that all staff have the same fundamental information. Training must be mandatory in order to guarantee that responsibility and accountability for safeguarding personal information is the shared responsibility of all staff. Training doesn’t need to be complex or boring; at OTN, we developed short scenario videos, featuring actual staff, that demonstrate a commonly observed privacy issue. We are also in the midst of rolling out “high-risk privacy training” for specific areas in the organization—the clinical contact centre and service desk—that are at a higher risk of privacy incidents due to the nature of their work and the personal information/sensitive personal information they may be required to collect.

Become a valued contributor in all projects

Critical to our success at OTN was changing the outdated mindset that “privacy was a barrier to achieving successful projects and initiatives.” Previously, the privacy staff functioned as auditors and were called in at the end of a project to complete a privacy impact assessment, at which point they often identified critical risks and design flaws, resulting in “rework” for the projects. Consequently, privacy risk management was seen as a barrier to success. By ensuring that privacy risk management was involved and part of the project team from the beginning—almost in an internal consultant role—OTN was able to embed effective privacy safeguards into the design of the solutions and gain a win-win scenario. As a result, OTN is recognized as a Privacy-by-Design Ambassador, and we have demonstrated that moving privacy upstream in the process results in great solutions.
Inherent to being a valued contributor is the need to be willing to adapt to business and operational realities while staying true to privacy law. Real life and business are not just black and white but a million shades of gray—and so, when consulting on internal projects, the privacy team needs to ensure business goals are achieved while still developing solutions that are acceptable and manage all facets of risk, including privacy and security. When given the task, you will be amazed how innovative teams become, and in the end, organizations achieve better solutions. At OTN, the Technical Solutions and Development Teams now work with the Privacy Team rather than against it.

Believe in staff…Make it non-disciplinary

Integral to developing a privacy culture are openness and transparency that drive reporting. Reporting will not happen, however, unless a non-disciplinary philosophy is part of the overall approach. At OTN, senior management believes that our staff come to work every day to do a good job. When a privacy incident or breach happens, it’s typically the result of a combination of events or maybe even human errors. Disciplining staff when they report an incident is counterproductive to driving overall reporting and ultimately mitigating the factors that resulted in the incident itself. Our goal at OTN is to encourage and expect self-reporting, including “near miss” situations, in order to learn from them and further improve the work we do. By analyzing the root cause of incidents and making improvements, we’ve been able to effectively decrease privacy breaches.

Make it fun and be passionate about what you do

Last but not least, make it fun! Privacy legislation, we can all admit, can be dry and rather boring, but the intersection of technology and managing personal information makes privacy risk management interesting, challenging and yes, even fun.
If you are passionate about what you do, it becomes contagious, and others will become as engaged in the process as you are.

Norine Primeau-Menzies, RN MHS, CIPP/C, is vice president of customer services and chief privacy officer at OTN, a not-for-profit organization funded by the Ministry of Health in the province of Ontario, Canada. OTN provides healthcare providers with a number of technology solutions including videoconferencing, store-forward technology, web conferencing and telehomecare monitoring. It is the largest videoconferencing network in the world, with over 800 members, 1,500 sites and 2,600 systems, serving over 200,000 patients on the network in 2011-12 and growing at a rate of 40 percent annually.

Editor’s Note: Read about OTN’s award-winning privacy program in the article “What makes a model privacy program?”