It is critical to ensure organizations and their employees are accountable for privacy and data protection, especially as regulatory frameworks struggle to keep pace with technological advances. We seek to create a chain of accountability for the information we handle, ensuring responsibility for data privacy and security at every stage of the process. HP teams work together to implement and monitor our privacy model, and collaborate with external partners to improve privacy protection for those who interact with HP worldwide.
Accountability approach to privacy
The HP Privacy Accountability Framework (see graphic), developed in collaboration with the Centre for Information Policy Leadership, is a decision-making framework that helps our employees assess and manage the risks associated with collecting and handling personal data. It goes beyond legal requirements to ensure the people handling data are accountable and their practices transparent. The model takes into account ethical considerations, contractual agreements, regulations, and local culture, and encourages employees to consider decisions based on our company values, customer expectations, and potential risks.
HP Privacy Accountability Framework
In 2010, more than 262,000 employees completed our mandated privacy training. Employees in functions that routinely handle personal information, such as human resources, marketing, and client services, receive additional training. Because training alone is not enough, in 2010 we also developed and launched an internal, dynamic, context-based tool—the HP Privacy Advisor—to guide employees through a privacy impact assessment and risk-management process. Beginning in 2011, all employees who collect or use personal information will be required to vet their project through the HP Privacy Advisor.
We use internal assessments/audits, third-party certifications, and dispute-resolution mechanisms (e.g., TRUSTe and Better Business Bureau) as well as customer and employee feedback to monitor compliance with our privacy policies.
All suppliers and third-party vendors who handle HP customer and employee data are contractually bound to comply with the applicable portions of our privacy policies and data security requirements. As HP Enterprise Services handles personal data on behalf of customers, we define our commitments in our client contracts.
Employees and customers can contact our privacy office in more than 30 languages with queries, concerns, praise, or complaints. We are committed and resourced to respond to inquiries within 48 hours, and we have developed detailed protocols to ensure we handle complaints effectively, promptly, and appropriately.
As part of HP Internal Audit's Integrated Assurance Program, we created a new function called HP Privacy Assurance to assess company compliance with our privacy policies and standards, and to track and mitigate any identified risks and potential noncompliance. The program is pan-HP and covers any division or business unit that collects, uses, accesses, or stores personal information.
Privacy and Data Protection Board
The HP Privacy and Data Protection Board (PDPB) identifies and provides guidance on priority and perceived risk areas. In 2010, the PDPB initiated and oversaw an audit of our online collection of consumer personal information and the use of that information for email marketing globally.
The PDPB is part of the overall HP Corporate Ethics and Compliance governance structure. Comprising senior managers from business units and functions throughout the company, it is chartered to manage HP's overall risk profile on privacy and personal data protection and to serve as a focal point for any related escalations. The PDPB meets quarterly to discuss strategy and priorities, identify and prioritize privacy and personal data protection risks, launch new projects, oversee mitigation plans, and resolve issues identified through our monitoring programs.
Introducing our new privacy audit program was a major focus for the PDPB in 2010. Related activities included updating and documenting our privacy risk management process.
Privacy and our products and services
We use companywide product development standards to integrate privacy and data protection into new products and services. Our Secure Advantage portfolio for enterprise customers offers hardware, software, and services that help protect data stored on computers, printers, and in data centers. Privacy enhancing features include:
- Software that asks users if they want to be notified when updates are available, rather than sending notices automatically
- Disk encryption that protects the data on each drive with minimal impact on performance
- Automated encryption devices to increase protection
HP ArcSight helps leading commercial and government organizations ensure the privacy and security of their information by detecting threats and risks early enough to take action and prevent loss. For example, the U.S. Department of Defense is subjected to approximately 3 million network attacks every day. ArcSight's Enterprise Threat and Risk Management solutions help it and other organizations detect even the most sophisticated attempts to steal private information.
HP scientists continue to undertake research projects on privacy. They lead EnCoRe (Ensuring Consent and Revocation), a partnership of six organizations investigating how to make giving and revoking consent for the use of personal information as easy as turning a tap on or off. In 2010, EnCoRe published and demonstrated its first technical architecture.
External policy development
Policymakers worldwide are pushing for much-needed change in privacy regulation. New frameworks from Europe to Asia Pacific to the Americas are incorporating accountability and the concept of Privacy by Design. This shifts the concept of compliance away from simply following rules and instead requires organizations to demonstrate that they have the capacity to protect privacy and personal data. HP is working closely with regulators and with industry and consumer advocates around the world to develop these new frameworks.
In 2010, the European Commission (EC) began a major review of its existing data protection framework to make sure it remains relevant and can evolve as needed over the coming decade. HP has maintained an open dialog with key EC members and data protection regulators for several years to share thoughts on central issues and possible solutions. This relationship has positioned HP as a trusted advisor, involving us in the revision process from an early stage and enabling us to provide balanced perspectives to commission members during public consultations.
We are very proud to have received approval from the European data protection authorities in 2010 for our Binding Corporate Rules (BCRs). BCRs are a way for multinational companies to be recognized as having adequate processes in place to uphold the European Directive for Privacy and protect personal data when transferring it between countries. HP is one of a handful of U.S.-based multinational companies that have obtained such approval.
Asia-Pacific Economic Cooperation (APEC) is developing a privacy framework that drives improved accountability and governs data flows between countries within that region. From the beginning, HP has been actively engaged in this process and continues to contribute to establishing a new approach to cross-border collaboration.
Our HP Privacy Office continues to work with regulators and industry groups to define accountability and what it means for a company to be accountable for its privacy practices. The first phase of this work, known as the Galway Project as it was sponsored by the Irish Data Protection Commissioner, identified the essential elements of accountability in 2009. The second phase, sponsored by the Commission Nationale de l'Informatique et des Libertés (CNIL), began in 2010 and defined ways to measure accountability. The third and final phase, sponsored by the Spanish Data Protection Authority, will complete the framework. We are working to ensure the results will effectively protect privacy without hampering business innovation. See the project's discussion document for more details.
We also aim to use our experience and expertise in privacy and data protection to become a trusted advisor to countries and regulators that are introducing new regulations. In Latin America, for example, HP is actively engaged with key regulators in establishing secondary legislation and guidance documents. We regularly meet with several regulators and present and speak at various international conferences, such as the Ibero-American Data Protection meeting in Mexico City and the 32nd International Conference of Data Protection and Privacy Commissioners.