New Privacy Policy
During fiscal 2008, we refocused our efforts to rethink how our data policies reflect the true state of data use at Sun and in the information ecosystem created by Sun and our affiliates, partners, vendors, customers, and even competitors. An updated privacy policy is in the process of legal review and translation. It will be available as a link at the bottom of every page of the sun.com Web site in 2008.
Training
Updated policies are meaningless unless employees know how to apply them, so our Privacy Office actively trains business groups across Sun, with an always-available Privacy Fundamentals Webinar; live, in-person instruction for data-dependent groups such as our Legal and Human Resources organizations; and one-on-one instruction for groups launching IT systems or managing vendors with access to protected data. Three more courses will launch in fiscal 2009 that specifically target groups' individual needs and high-risk issues. Finally, a company-wide mandatory overview course is in development that will inform Sun workers of their job-specific privacy obligations and direct students to detailed, tailored training.
The more our community understands the need to respect data as a valued asset, the more creative we become in protecting it.
Privacy Impact Assessments
Sun's Privacy Office has also introduced an online privacy impact assessment (PIA) instrument to better streamline our review process. The PIA provides an overview of systems that manage protected information, business processes, and data-management controls. The privacy team uses the tool to help evaluate compliance and identify privacy risks and then works with business partners to mitigate these risks. In 2008, the team used the PIA to evaluate 143 business systems and processes.
Building-in Privacy Protection
In 2008, the government of British Columbia selected Sun to develop and implement a comprehensive electronic healthcare solution. This will transform the way laboratory results and other essential patient information are shared among healthcare practitioners across the province. As part of the basic business relationship, we appointed a regional privacy and security officer and support staff responsible for compliance with all contractual obligations and provincial privacy laws and regulations. This team develops privacy and security policies and procedures for this project, trains Sun staff on privacy and security, conducts privacy impact assessments and risk analysis, implements recommendations, and is the direct and accountable contact for our customer.
We encourage customers with data needs this distinct to consider building this type of service into their plans for information transformations, particularly where, as here, the desired outcome is driven either by the nature of the data asset involved (confidential healthcare data) or by its regulatory environment (in the case of British Columbia, one of the most restrictive in terms of its permissible data flows across borders).
It is this type of forethought and cooperation between vendor and customer that produces the possibility that privacy and respect for personally identifiable information can exist—and even be considered an asset—in an increasingly networked world.
Also in 2008:
- We began a weekly scan of sun.com for privacy compliance.
- We published a white paper, "Establishing a Privacy Office."
- We participated on the Digital Connections Council of the Committee for Economic Development (CED) to explore how greater openness can truly transform certain aspects of American healthcare. The council has begun work on a similar project exploring how open access to information and systems can transform education opportunities. You can view CED's report, "Harnessing Openness to Transform American Health Care,"
- We served on the Advisory Committee for the Executive Security Action Forum.
- We actively participated in the Executive Women's Forum for Security, Privacy, and Information Governance Professionals.
- We're on the Advisory Board for the Ponemon Institute, which advocates for responsible information management.
- We sponsored and addressed the International Association of Privacy Professionals.
- We were active in the Center for Information Policy Leadership.