The IAPP recently honored two organizations for unique privacy programs that foster trust and bolster value to both the public and private sectors. This year’s HP-IAPP Privacy Innovation Awards went to global communications company Vodafone and the Canadian-based Alberta Pensions Services Corporation (APS).

Calling the organizations “visionaries in our industry,” IAPP President and CEO Trevor Hughes, CIPP, said the “pioneering efforts of these organizations to develop original and comprehensive approaches to privacy and security not only benefit consumers and businesses but elevate the profession as a whole.”

Both Vodafone, winner in the large organization category, and APS, recipient of the small organization award, faced their own set of challenges implementing their privacy programs, but both shared a similar recognition of the importance of an organization-wide privacy culture from top to bottom.

“Credit has to go to our previous CEO as it was her goal to have a privacy-conscious organization,” said APS Risk Management and Compliance Director Pamela Tom, noting an external consultant was brought in to review an organization-wide risk assessment and, at first, didn’t give APS a very good score.

In response, APS created a formal privacy office to educate staff on privacy issues and to implement policies and procedures. Tom was brought in to help lead such an initiative.

“Privacy was new to me,” Tom said. “I had to get up-to-speed very quickly.”

APS is subject to Alberta’s Freedom of Information and Protection of Privacy Act, so Tom said she immediately devoured the bill for comprehension. As a public-sector pension services organization, APS oversees more than 304,000 members and pensioners across the province. With such a vast amount of sensitive personal information—including salaries, health data and social insurance numbers—a comprehensive privacy program was paramount for APS.

Tom said that creating a vision based on privacy was important for the organization. In order to get staff—at all levels within the organization—to be more aware of privacy issues, Tom kept her message simple. She would ask staff members what privacy meant to them and place the employee within the context of being a pensioner. “If this was your information, how would you feel if it was mistreated or not held at a high standard?” Tom would ask.

Since APS is located within one building, Tom says it was easy to communicate her message throughout the organization, and she gives credit to APS staff. Tom says the moment the office was up-and-running, people were coming to talk to her about various privacy issues.

In addition to annual privacy training, APS requires that staff at all levels be subject to privacy and access-to-information responsibilities, which are laid out in the organization’s Delegation and Assignment of Responsibilities Tables and what they call an RACI Chart. The Privacy Advocate Office also works with staff to draft telephone scripts for accurate responses on how data is processed, retained and disclosed.

In just five years, APS went from an organization without any formal privacy program to one with an award-winning, organization-wide, mature privacy program led by two staff members.

For Vodafone, the implementation of an organization-wide privacy program faced different obstacles. Vodafone operates mobile networks in 30 countries and, as of March 2012, served more than 400 million mobile subscribers worldwide in services such as cable and satellite networks, cloud computing and machine-to-machine networks like smart grids.

Launched in February of 2010, Vodafone’s privacy program is a framework built around three core elements, namely, the privacy commitments, the privacy risk management system and the critical privacy risk register.

Global Privacy Officer Stephen Deadman said, “Every part of the Vodafone Privacy Programme is designed to shift the perception of privacy from an obligation imposed from the outside to an integral part of delivering trust and confidence to our customers, partners and stakeholders, demonstrated through our people, products, policies and processes.”

The firm’s seven privacy commitments help form the backbone of the company’s privacy culture. The seven statements—respect, openness and honesty, choice, Privacy by Design, balance, laws and standards and accountability—“are the things we believe and the ways we promise to behave with respect to our customers’ and employees’ privacy,” according to a Vodafone publication. The commitments lay the groundwork for Vodafone employees to have a “clear understanding” of the importance of privacy.

Vodafone has also created a process control system to identify, address and manage privacy risks “on the ground.” Their global Privacy Risk Management System sets out nine common control processes, including reviewing suppliers, instilling Privacy by Design in products and services, data lifecycle management and a review and reporting system to keep senior management up-to-speed on privacy considerations.

Being a large company doing business across the globe, Vodafone says its risk management system “provides the flexibility to respond to local privacy concerns, legal requirements or stakeholder expectations more effectively than a ‘one-size-fits-all’ global policy approach.”

In a rapidly developing digital landscape fraught with emerging and complex privacy issues, Vodafone has also implemented a Critical Privacy Risk Register. This “formal assessment” creates a process for regularly reviewing the “most significant” privacy risks affecting the company.

“We take into account wider developments in technology and the industry and develop strategies and policies to tackle these critical risks at a global level,” notes Vodafone’s program release.

Whether provincial or global, public- or private-sector, privacy is being taken seriously by small and large organizations and has successful outcomes in the form of privacy programs.

“Starting a new program is scary,” APS’ Tom notes. “Make sure you get buy-in, especially from the top. Once staff realizes and sees the value of privacy as a benefit to them, then privacy becomes an easy sell across the organization.”

Written By

Jedidiah Bracy, CIPP/E, CIPP/US


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»