Effective Privacy Training: Building Accountability
Fazila Nurani, B.A.Sc. (E.Eng.), LL.B., CIPP/C, CISA
IAPP Canada Privacy Symposium
Networking Session
May 8, 2014
Empowering Organizations to Minimize Privacy Risks
Objectives
• In this session we will discuss:
Privacy training in the context of the accountability
framework.
The adult learner and learning styles.
A learner-centric approach to privacy training.
The buy-in required to effectively roll out privacy e-
learning.
Practical tips for raising privacy awareness – beyond
formal training.
Empowering Organizations to Minimize Privacy Risks
Accountability Framework
Empowering Organizations to Minimize Privacy Risks
Training is Key to Building Accountability
“In order for a privacy management program to be
effective, employees must be actively engaged in
privacy protection. They need to be educated in
privacy protection generally, and for those who handle
personal information directly, they will need additional
training specifically tailored to their roles. Training
and education need to be recurrent, and the content of
the program needs to be periodically revisited and
updated to reflect changes.”
Empowering Organizations to Minimize Privacy Risks
The Adult Learner
• Autonomous and self-directed.
• Goal oriented.
• Have accumulated life experiences and
knowledge.
• Relevancy oriented.
• Practical.
Empowering Organizations to Minimize Privacy Risks
Understanding Learning Styles
Empowering Organizations to Minimize Privacy Risks
Make No Assumptions…
Empowering Organizations to Minimize Privacy Risks
The Four Critical Elements of Learning
1. Motivation.
2. Reinforcement.
3. Retention.
4. Transference.
Empowering Organizations to Minimize Privacy Risks
E-Learning vs. Classroom Training
Interactive Accessible
Customized Standardized
Experiential Efficient
Enjoyable, social Cost savings
FOCUSED ATTENTION PRACTICAL
Consider using blended learning opportunities…
Empowering Organizations to Minimize Privacy Risks
Buy-in Required for E-Learning
INSTRUCTOR (provides strong
content)
COURSE DEVELOPER
(addresses e-learning
principles)
ORGANIZATION (funds development of
the course)
HIRING ENTITY
(recognizes training via e-
learning)
STUDENT
(willingly takes the course)
Empowering Organizations to Minimize Privacy Risks
Privacy “Awareness”
Beyond formal training:
• Fun privacy awareness initiatives.
• Targeted messaging based on areas of risk.
• Contests, quizzes, awards.
• Lunch and learns, awareness weeks…
Empowering Organizations to Minimize Privacy Risks
Privacy Posters (Leaking Information)
infosecuritylab.com
Empowering Organizations to Minimize Privacy Risks
Privacy Posters (Strong Passwords)
Empowering Organizations to Minimize Privacy Risks
Other Security Related Posters
Empowering Organizations to Minimize Privacy Risks
The Learning Pyramid
Empowering Organizations to Minimize Privacy Risks
Assessment of Learning
• What do you want the learning outcomes to be?
• How success will be measured is an important
part of program development.
• Indicators: Short term – the learning occurs.
Medium term – there is a change in behaviour.
Long term – there is a change in culture.
Resource: Complete Guide to Security and
Privacy Metrics by Debra S. Herrmann
Empowering Organizations to Minimize Privacy Risks
To Sum Up Adult Learning
• Blended learning to avoid frustration/boredom.
• Adult learning programs should: Meet the needs of the learner.
Enable learners to share their experiences.
Enable learners to learn from each other.
- Sharan Merriam
Professor of Adult Education, University of Georgia
Empowering Organizations to Minimize Privacy Risks
The Learner-Centered Approach
“It is not whether we can meet the same learning outcomes with technology, but how do we use the technologies to enrich the experience, and go beyond what can be done in the face-to-face environment.” Source: No Significant Difference Phenomenon (2001) By: Thomas L. Russell Visit: http://www.nosignificantdifference.org/
Empowering Organizations to Minimize Privacy Risks
Useful Links
• Sample e-learning courses: • PrivaTech privacy e-learning course (licensing model):
• http://www.privalearn.ca
• Sunnybrook Health Sciences Centre: • http://podcasts.sunnybrook.ca/ClinicalClerks/EPR_Course/player.html
• Course authoring tools to start from scratch: • www.udutu.com
• www.articulate.com
• www.suddenlysmart.com
Questions…?
Empowering Organizations to Minimize Privacy Risks
Contact:
Fazila Nurani
905-886-0751
Top Related