
Page 1: Managing Privacy Incidents (HK & Macao)

Managing Privacy Incidents (HK & Macao)

Compliance, Hong Kong 2016 February

Page 2

strong reliable trustworthy forward-thinking

Training Content

1. Privacy Policy Framework

2. Hong Kong and Macau Procedures

3. What is a Privacy Incident?

4. Why is it important?

5. How to handle Privacy Incidents

6. Who to report / Contact?

Page 3

1. Privacy Policy Framework

• MFC Code of Business Conduct & Ethics: everyone’s obligation to protect personal and confidential information

• Statement of Corporate Privacy Principles

• Global/Local Privacy Risk Management Policy

• Other Related Policies: Information Security Policy, Records Management Policy, Outsourcing Policy, Email Management Guidance

Page 4

2. Hong Kong (including Macau) Procedures

Relevant Procedures:

• Privacy Risk Management Program – Procedures for Hong Kong Operations

• Procedures for Privacy Incident Response – Hong Kong Operations

Page 5

3. What is a Privacy Incident?

Definition: A privacy incident is a circumstance or event that has resulted, or may result, in an actual or possible unauthorized access to, or collection, use or disclosure of, personal information. The risk of a privacy incident is that it may compromise the security, confidentiality, or integrity of an individual’s personal information, and may also create potential reputation risk for Manulife.

Examples:

• Records improperly disposed of (unlocked recycle bin) or destroyed (not shredded) and accessible by the public.

• Misdirected communications (e.g. mail, fax, email sent to the wrong recipient).

• Leakage of customer data.

• Insider fraud.

• Loss or theft of laptop, portable media (e.g. thumb drive), documents or other written materials containing company and customer information.

• Inappropriate use or access of customer personal information by an employee, a financial advisor or a service provider acting on behalf of the Company.

Page 6

4. Why is it important?

Possible Consequences of Privacy Incidents:

• Tarnish Manulife’s reputation.

• Lead to credit problems and other damaging outcomes for Manulife customers and employees, our valued stakeholders.

• Damage relationships with our partners.

• Erode the trust of regulators.

• Negatively impact sales, earnings and Manulife’s stock price.

• Violate the law.

Page 7

5. How to handle Privacy Incidents

Page 8

Escalation Pyramid (Risk based): Global Privacy Risk Management Policy (Not to Scale)

Incident reported by: Business Unit, Customer or Outside Party.

Escalation parties shown on the pyramid:

• Business Unit Privacy Officer (BUPO) & BUPO Supporting Staff

• Hong Kong Privacy Officer

• Senior Management

• Divisional Privacy Officer

• CEO, HK

• Global Privacy Officer

Risk tiers shown on the pyramid: Low, Medium, High/Medium (Material Breach).

Rapid Response Team (comprises the BUPO from each BU):

• BUPO (Leader)

• Compliance

• Legal

• HR

• IT

• Other affected Business Units

• Corporation Communication

• Customer Service

RISK ASSESSMENT

• Low Risk – the likelihood of adverse exposure to the customer and/or Company is minimal.

• Medium Risk – there is the potential for a number of customers to be impacted.

• High Risk – many customers may be affected by unauthorized access to their non-public personal information.

Page 9

Business Unit Workflow

Privacy Issue Identified

• Examples are: records improperly disposed of or destroyed and accessible by the public; loss/theft of laptop or documents containing customer information; etc.

• Staff reports to BU Privacy Officer (BUPO) & BUPO Support Staff.

• BUPO decides if more investigation/info is required (Yes/No). If Yes: investigate, collect & document facts.

• Risk assessment and classification: Low Risk, Medium Risk, High Risk; Compliance Issue, and/or Compliance Requirement.

• Escalate? (Yes/No). If Yes, inform: HKPO, Rapid Response Team, Senior Management.

Response

• Develop and execute action plan(s).

• BUPO (& staff) follow up with internal contacts as required to close the issue.

• BUPO decides if changes to controls/procedure are required (Yes/No). If Yes: BUPO (& staff) to coordinate, implement and validate new controls/procedure.

Record Keeping (using Compliance Database System)

• BUPO decides if the issue needs to be logged (Yes/No). If Yes: internal record keeping.

Reporting and Monitoring

Page 10

How Do You Escalate? Global Privacy Risk Management Policy - Privacy Incident

Privacy Issue Identified

• Examples are: records improperly disposed of or destroyed and accessible by the public; loss/theft of laptop or documents containing customer information; etc.

• STAFF reports to BU Privacy Officer (BUPO) & BUPO Support Staff.

• BUPO decides if more investigation/info is required (Yes/No). If Yes: investigate, collect & document facts.

• BUPO & supporting staff to follow up with internal contacts as required to close the issue.

Page 11

6. Who to Report / Contact?

If you become aware of a privacy incident, please report it immediately to one of the following personnel:

• Chief Compliance Officer (CCO)

• Hong Kong Privacy Officer (HKPO)

• Business Unit Privacy Officer (BUPO) = Business Unit Compliance Officer (BUCO)

• BUPO Supporting Staff (who will report the incident to the BUPO)

Page 12

6. Who to Report / Contact?

If you have any questions about the Privacy Policy & Statement and our Local Privacy Risk Management Procedures, or if you have a privacy concern, please do not hesitate to contact:

• BUPO = Business Unit Compliance Officer

• HKPO = HK Privacy Officer

• Chief Compliance Officer

Page 13

Employee Responsibilities

It is our responsibility to protect information/data and other details about our customers and about our fellow colleagues. Protecting this information/data begins with YOU!

Page 14

Thank you
