The Office of the Information and Privacy Commissioner for British Columbia has published another document to help businesses improve online privacy practices. This comes after an August 2013 report from the Global Privacy Enforcement Network (GPEN) that shows B.C. companies have work to do to make their privacy policies clear and accessible to the public.
GPEN is an organization that enforces privacy laws at the national and sub-national level. Agencies in the following countries and regions have been accepted as members of GPEN: Canada (British Columbia), Australia (Victoria, Queensland), the European Union (Bulgaria, Berlin, Czech Republic, France, Germany, Ireland, Italy, Netherlands, Poland, Slovenia, Spain, Switzerland), Israel, Korea, New Zealand, United Kingdom (Guernsey) and the United States.
As part of their mandate, GPEN partners assessed more than 2,000 private sector websites to see what companies were telling users about the amount and type of personal information being collected, used and disclosed. The Internet sweep was meant to replicate the consumer experience by spending a few minutes per site checking for performance against a set of common indicators.
On a smaller scale, the Office of the Privacy Commissioner did the same and examined more than 250 websites doing business in the province, including charities, private colleges, law firms, credit unions, retailers, property management companies and health care organizations.
| | Global results | B.C. results |
|---|---|---|
| Total number of websites searched | 2,186 | 254 |
| Total number of sites for which one or more concern was identified | 1,091 (50%) | 253 (99%) |
The results of both examinations indicate, among other things, that
- websites did not give users enough information about the type and amount of personal information they collect
- the policies were written in technical or legalistic language, making it difficult for the average user to understand what they were consenting to
Commissioner Elizabeth Denham said,
“B.C. businesses should be open and transparent about how they collect, use and disclose personal information, and to provide meaningful information about their personal information practices in clear and plain language. Customers must be able to make informed decisions about how their personal data will be used and to take steps to protect their privacy.”
The Personal Information Protection Act requires B.C. organizations to develop and put into practice policies and procedures to protect the personal information that they collect, use and disclose.
To develop policies and procedures that protect personal information, organizations must first identify the reasonable purposes for which they collect, use and disclose personal information. This allows an organization to determine what information it needs to fulfill its business purposes and ensure that personal information is collected, used and disclosed only for the reasonable purposes that it has identified.
Once drafted, organizations need to communicate their privacy policies to customers and employees. They should make information available explaining their policies and procedures, such as in brochures, contracts and on websites.