To aid in this effort, on April 17th Canada's privacy commissioner, along with the privacy commissioners of the provinces of Alberta and British, issued a guidance document entitled "Getting Accountability Right with a Privacy Management Program," along with an "At a Glance" two-page summary.  The guidance document provides easy-to-understand, high-level advice on how to operationalize a privacy management program.

Although the guidance is given in the context of compliance with Canadian privacy law, there has been an increasing focus by privacy regulators in the US and abroad on the establishment of comprehensive privacy programs for organizations that collect, use, and share personal information.  For example, one of the bedrock principles of last month's Federal Trade Commission privacy framework recommendation was the adoption of a baseline "Privacy by Design" principle through which the FTC recommended that businesses maintain comprehensive data management procedures throughout the lifecycle of their products and services.  The Canadian guidance provides a sound and practical framework for organizations looking to implement Privacy by Design that face the obvious question:  "Where do I start?"

The following is an brief overview of the guidance, as relevant to all organizations, Canadian or not, looking to implement a privacy management infrastructure:

1. Obtain organizational commitment:  The first building block of privacy compliance is the development of an internal governance structure that fosters a culture respectful of privacy.  This involves getting buy-in from senior management; establishing a Privacy Officer responsible for monitoring compliance; establishing a Privacy Office that ensures privacy protection is built into every major function involving the use of personal information; and creating reporting mechanisms reflected in internal controls.
2. Establish program controls:  Privacy program controls help ensure that what is mandated in the governance structure is implemented within the organization.  This involves conducting a personal information inventory; establishing policies relating to (i) the collection, use, retention, and disposal of personal information, (ii) access to and correction of personal information, and (iii) security of personal information; providing for risk assessments; setting up training and education for personnel; establishing breach and incident management response protocols; creating procedures to manage service providers with access to personal information; and developing procedures for informing individuals of their privacy rights.
3. Assess and revise the privacy program on an ongoing basis:  Once a privacy program is established, the organization must maintain the program to ensure ongoing effectiveness, compliance, and accountability.  This involves developing an oversight and review plan; updating the personal information inventory; revising policies as necessary; promptly addressing privacy and security assessments; reviewing and modifying training and education programs; reviewing and adapting breach and incident management response protocols; reviewing and fine-tuning contracts with service providers; and updating and clarifying external communications explaining privacy practices.

To aid in this effort, on April 17th Canada's privacy commissioner, along with the privacy commissioners of the provinces of Alberta and British, issued a guidance document entitled "Getting Accountability Right with a Privacy Management Program," along with an "At a Glance" two-page summary.  The guidance document provides easy-to-understand, high-level advice on how to operationalize a privacy management program.

Although the guidance is given in the context of compliance with Canadian privacy law, there has been an increasing focus by privacy regulators in the US and abroad on the establishment of comprehensive privacy programs for organizations that collect, use, and share personal information.  For example, one of the bedrock principles of last month's Federal Trade Commission privacy framework recommendation was the adoption of a baseline "Privacy by Design" principle through which the FTC recommended that businesses maintain comprehensive data management procedures throughout the lifecycle of their products and services.  The Canadian guidance provides a sound and practical framework for organizations looking to implement Privacy by Design that face the obvious question:  "Where do I start?"

The following is an brief overview of the guidance, as relevant to all organizations, Canadian or not, looking to implement a privacy management infrastructure:

1. Obtain organizational commitment:  The first building block of privacy compliance is the development of an internal governance structure that fosters a culture respectful of privacy.  This involves getting buy-in from senior management; establishing a Privacy Officer responsible for monitoring compliance; establishing a Privacy Office that ensures privacy protection is built into every major function involving the use of personal information; and creating reporting mechanisms reflected in internal controls.
2. Establish program controls:  Privacy program controls help ensure that what is mandated in the governance structure is implemented within the organization.  This involves conducting a personal information inventory; establishing policies relating to (i) the collection, use, retention, and disposal of personal information, (ii) access to and correction of personal information, and (iii) security of personal information; providing for risk assessments; setting up training and education for personnel; establishing breach and incident management response protocols; creating procedures to manage service providers with access to personal information; and developing procedures for informing individuals of their privacy rights.
3. Assess and revise the privacy program on an ongoing basis:  Once a privacy program is established, the organization must maintain the program to ensure ongoing effectiveness, compliance, and accountability.  This involves developing an oversight and review plan; updating the personal information inventory; revising policies as necessary; promptly addressing privacy and security assessments; reviewing and modifying training and education programs; reviewing and adapting breach and incident management response protocols; reviewing and fine-tuning contracts with service providers; and updating and clarifying external communications explaining privacy practices.

Download Product Brief - Sitrof DCM Compliance

Microsoft SharePoint is an Enterprise Content Management (ECM) tool that enables organizations to collaborate efforts and work more efficiently as a cohesive unit, through shared knowledge, documents, workflows, metrics and structure. One of the most commonly noted benefits of implementing SharePoint as an organization’s ECM tool is end-user familiarity. As SharePoint is a Microsoft product, users tend to adapt quickly to the program due to its familiar Windows-based look and functionality.

Organizations considering implementing a content management tool should keep in mind the impact on compliance and governance SharePoint has provided its users. For organizations in highly regulated industries (i.e. life sciences, financial services, government, etc.) compliance, both internal and external, remains a top priority. The four key areas they must consider when adopting a SharePoint environment are: authentication requirements; restricted access to personally identifiable information; permission based, secure login only access to such sensitive intellectual property; and data retention.

Before deploying a SharePoint environment, companies need to create a governance plan to step up an information architecture structure and an enterprise search strategy. This governance plan needs to outline user policies, set guidelines for appropriate applications, and content and standards for review. This plan will enhance the organizations collaboration efforts and maintain consistency, thus obtaining the most out of the intranet. The plan must identify key roles and responsibilities, and set up lines of communication between managers, administrators and standard users; this will identify permission statuses and identify where restrictions need to be set.

Defining the information architecture will help to increase user access to the relevant information. Faster, accurate information retrieval will result in increased productivity and enhanced collaboration capabilities. The framework of the information architecture should be built in advance, starting with basic uniform pages including the home page, the procedure and policy outline page, the search page and a department page. These pages will be the most commonly accessed, landing pages for the system. Creating a site map defining the structure of the site, by department, will help to organize all sub-pages and what intellectual property will be housed in each.

The team developing the governance plan will also need to set taxonomy guidelines, so consistent naming conventions will be used when labeling documents. A pre-determined group should be responsible for controlling the taxonomy so it is maintained and consistent. This will help to standardize the site and allow for more efficient and accurate searches.

Consistency throughout the site is crucial to its effectiveness; this includes the appearance or branding of pages across the site. A consistent look makes users aware that they are in fact on the company intranet, and as the look of higher level pages can be tailored with sub-branding to reaffirm with users working on these pages that they are in a restricted area. SharePoint has a ‘master page’ feature to ensure a consistent look and create a standard page design and layout elements that will be shared by all pages. The layout elements can include navigational controls, company logo, copyright notices, disclaimers, etc; if these elements require updating it can be done via the master page instead of on each individual page.

The governance plan must include an official approval process to ensure compliance. It must also establish user policies that render areas with sensitive intellectual property restricted and require higher levels of security to access these areas. User policies will establish who can access, edit and add to content in restricted, high security areas. This policy must also establish security measures for accessing information remotely. System back-ups and testing are also key elements of the governance plan. Scheduling regular system back-ups and setting schedules for regular content review provides necessary security for the site. Test plans should also include checking all of the systems functionality to ensure all capabilities are running efficiently.

Extensive training needs to be mandatory for all users to ensure all of the aspects of the governance plan are being met. In addition to general policy and procedure training that all users must receive, training will need to be tailored to meet the needs of the different user groups; for example site managers will require a more in depth training detailing policies and set-up procedures, whereas end users will need training geared toward the functionality of the tool and key areas like search capabilities. All users need to be trained to maximize collaborative efforts and learn the key features of the system to help them work smarter and more efficiently. Users will need to be trained in how to connect to the server remotely and access information off-site to maximize productivity. Documenting all training and providing the documentation to all users is essential in managing an ECM tool.

With a well thought out governance plan established, implementing a SharePoint environment is a seamless, effective way to increase productivity and collaborative efforts throughout an organization. If planned effectively, SharePoint can be put into place with minor to no noticeable disruption of the business. As the cost of implementing a SharePoint environment is significantly lower in contrast with its competitors, and the Windows-based application is something users are familiar with and instantly identify and feel comfortable using, this tool is a wise choice when selecting an ECM tool.

As long as the trouble seemed limited to managing storage, then it was a problem the corporation was content to live with. No one was particularly concerned about what was contained within all of that digital storage, and over time even the original owners of this electronic content forgot about it or moved on. So IT made do with additional storage devices and long-term tape-based retention. But then the eDiscovery process blew up in corporate faces, and the problem of unstructured data management blew up right along with it. eDiscovery morphed from a cost-of-doing-business process – and a great way for outside law firms to make a lot of money – into a quagmire of missed deadlines, sanctions, and multi-million dollar review costs.

Then the financial meltdown came along to complete the disaster, turning the regulatory atmosphere from complacent to threatening. The first change threatened the General Counsel’s office (GC); the second change threatened the Governance, Risk, and Compliance officers (GRC). These groups are starting to look to IT to fix the problem, but IT cannot do it alone. What this difficult situation needs is a technology that cost-effectively manages enterprise-wide unstructured data, and then customizes data delivery and actions for specific business processes. Its primary driver is the eDiscovery process, but the common platform enables effective management for GRC and storage management as well. In this Technology in Brief, we will share our take on the promise of these platforms, and how StoredIQ is fulfilling that promise.

The StoredIQ eDiscovery Preparedness solution creates a highly customizable, auditable data topology map of active electronically stored information (ESI) files and emails that are located on network servers, email servers, content management systems, storage systems, and PC's. The data topology map is ideal for helping organizations better prepare for FRCP Rule 26(f) conferences. The solution performs a system crawl, collecting all data without disrupting the business. Furthermore, it is deployed and maintained in-house, increasing the level of protection of your organization's sensitive data.

The eDiscovery Process Flow encompasses awareness, early case assessment, data preservation, data topology reporting, meet and confer preparation and review preparation. The on-going, proactive activities are comprised of continually indexing unstructured data; monitoring, viewing and analyzing data; and applying records management policies to reduce the amount of data retained. Awareness includes reasonably anticipating litigation and any formal communications needed for opposing counsels. In the early case assessment phase, relevant data sources are identified and reviewed to recognize source correspondence as well as the scope and amount of data to be collected and preserved. In this phase, email attributes are used to reconstruct threads, and deep attribute and content query functionality are used to identify relevant custodians and custodian relevant data in shared locations. The early case assessment is concluded with collection/preservation tagging to verify one's search results by reviewing relevant metadata, email, and document content. Preservation is an easy, single click process that renders powerful results. In this process chain, custody, authenticity, and original, full-object path information are all preserved and properly maintained in an audit log of the collection. The audit log is maintained by creating a hash value before and after data collection. Data topology reporting creates an auditable map of active ESI files and emails for potentially responsive data, with full analytic reporting. Topology maps and query reports help prepare organizations for the meet and confer phase by compiling all data under preservation, including key word analysis reports across all custodian data. Lastly, key review preparation functionality includes the ability to generate a review load file of all responsive items negotiated in the meet and confer, data de-duplication, container file capabilities, automatic prefixing, automated rolling productions, and load file support for many litigation review platforms.

Clearly this solution eliminates the risks associated with legal discovery, records retention, privacy, security, and illegal and irrelevant content in organizations with unmanaged, unstructured information. Compliance becomes a matter of ease with effective information policy management as well as detailed, reportable knowledge of what information is stored and where it is located. Not only does this solution enable organizations to comply with policies and regulations before litigation, but it also dramatically reduces costs often associated with the discovery of ESI (including document collection from inaccessible locations, massive volume storage, unanticipated legal risk, spoliation risk, quantitative per-document review cost, and document delivery).

If your organization is struggling to keep up with compliance, governance, and legal discovery requirements, please contact Sitrof today for a free on-site assessment.