Collaboration is key in privacy work. HP teams work together to oversee the company's privacy efforts. We work with external partners to advance the privacy field and continue the global discussion of privacy between governments, industry and nongovernmental organizations.
Our accountability approach to privacy demonstrates that our commitment to data privacy, protection and security goes beyond legal compliance. When the people handling data are accountable, practices are transparent, and the company enforces the right behavior, we can build trust and stimulate innovation. It is important that business units use robust decision-making processes to evaluate data risks and identify and correct problems and poor decisions.
HP's privacy accountability model is a decision-making framework that helps business units make informed choices about the risks faced when handling data. The model is based on a foundation of traditional ethical considerations, such as legal compliance, observance of major industry codes of conduct, contractual agreements and international programs such as Safe Harbor. The model then builds on that foundation by considering decisions in light of our company values, customer expectations and potential risks to ensure we are fully accountable for our actions.
We developed the model with the Centre for Information Policy Leadership and work with this organization, regulators and advocacy organizations to encourage wider adoption of this type of approach.
Monitoring compliance
HP monitors compliance with its privacy policies using formal internal and supplier audits, internal assessments, and customer and employee feedback. All suppliers and third-party vendors that handle HP customer and employee personal data must comply with the applicable portions of our privacy policies, by contractual agreement.
The EDS acquisition in 2008 brings a new set of privacy challenges. As one of the world's largest outsourcing providers, we need to extend our accountability-based approach to the partnerships we establish with our clients. Although the distinct roles of the client and HP are defined in the contract, we play a critical role in client programs and need to consider all components of the accountability chain.
HP's Privacy and Data Protection Board provides companywide oversight for privacy and data protection. Board members are from the Privacy, Legal, Information Technology, Security, Internal Audit, Internet, Human Resources and Government Affairs functions, as well as from each business unit and region.
At quarterly meetings, board members discuss high-level priorities, assess programs, launch projects, make strategic decisions and resolve any issues escalated to this level. External experts are regularly invited to discuss privacy trends and developments. Members work throughout the year on sub-teams that handle specific privacy issues in the company. In 2008, members identified the top privacy priorities within the company and allocated resources to address them, with emphasis on the highest priorities.
The board enables HP to manage data comprehensively in a more seamless and integrated way. Its shared decision-making model works well and sets a standard for governing all forms of data in the future.
In April 2008, we implemented a companywide privacy standard for product and service development. Designing privacy protection into our products and services builds consumer trust.
For corporate customers, HP's Secure Advantage portfolio offers hardware, software and services that help protect data throughout its use—on a desktop computer or printer or stored in a data center. Privacy features incorporated into the portfolio include:
- Software that asks the user whether they want to be notified when updates are available, rather than sending the notices automatically.
- Disk encryption that helps protect the data on each drive with minimal impact on performance. Encryption helps protect against data being accessed if the disks are lost or stolen.
- Automated encryption devices to increase protection.
HP Labs is involved in several collaborative research projects on privacy. Ensuring Consent and Revocation (EnCoRe) is a three-year, government-funded project in the UK. HP Labs is one of six partners researching how to make it easier and more rigorous to give and withdraw consent for using, storing and sharing personal data. Privacy and Identity Management for Community Services (PICOS) is a three-year project funded by the European Commission. HP Labs and HP's OpenCall Business Unit are two of 11 partners researching how to better enable privacy, trust and security in Internet communities that are based on mobile communication networks.
HP collaborates with regulators, nongovernmental organizations, and other companies to advance regional and global thinking and to develop new frameworks for privacy and data security. Our work in the Asia-Pacific Economic Cooperative (APEC) this year has reinforced the idea that companies need to say what they do simply and transparently and also demonstrate how they will keep their promises. Companies must be open about their commitments and practices. This approach, together with proper regulation and self-regulation, can better protect individuals.
APEC has developed a privacy framework to guide data flows across the many countries that border the Pacific Ocean. Its work on cross-border privacy rule development is influencing how regulators think about privacy and data protection globally. Following an invitation from the Department of Commerce and the Federal Trade Commission, in 2008 HP joined the APEC Privacy sub-group to help develop cross-border privacy rules.
HP is one of a small number of companies asked by the European Commission and French Data Protection Authority to participate in the European Union Article 29 Working Party meetings to develop practical solutions for advancing the concept of Binding Corporate Rules.
The Organization for Economic Cooperation and Development (OECD) asked HP to participate on its Privacy Committee, which brings together regulators, advocacy groups and private sector thought leaders to advance concepts for the future of privacy.
In the United States, HP's chief privacy officer is on the board of directors of the Business Forum for Consumer Privacy. Co-founded by HP, Microsoft and eBay, the forum comprises 25 companies collaborating to develop new frameworks and provide educational support to governmental authorities as they work to develop unifying privacy legislation in the United States.
As the chair of the executive committee and member of The Centre for Information Policy Leadership (CIPL), HP supports the strategic development of new, innovative frameworks and solutions for privacy and advises regulators and privacy leaders. For example, in 2008 we proposed a cross-industry project called Intelligent Transparency. This aims to create an industry standard that will simplify online privacy statements based on the type of customer and their relationship to a company. Many consumers complain about the length and complexity of privacy statements. This initiative will work to solve this issue by providing more accurate and contextual information. The initiative continues in 2009, and HP remains involved.
HP also participates in work on important topics such as behavioral targeting as a member of the Center for Democracy and Technology's Anti-Spyware and Behavioral Marketing task forces.