Privacy Management Program Guide Will Hopefully Help With Accountability

by Marie-Yosie Saint-Cyr

The Office of the Privacy Commissioner of Canada (OPC), and the Offices of the Information and Privacy Commissioners (OIPCs) of Alberta and British Columbia have developed a guide titled Getting Accountability Right with a Privacy Management Program. The guide aims to help organizations implement an effective privacy management program that meets private-sector privacy legislation and to provide consistent direction on what it means to be an accountable organization when dealing with individuals’ personal information, accountability being the first and foremost obligation under privacy legislation.

These guidelines will help businesses take data protection from policy to practice, explained BC Information and Privacy Commissioner, Elizabeth Denham.

These guidelines come after privacy commissioners had to investigate several technical breaches of privacy laws.

Recently, the Office of the Privacy Commissioner also conducted several audits of how federal institutions are managing the personal information they hold, which includes identity information. The OPC looked at the institutions’ privacy management frameworks: how they organize themselves through structures, policies, systems and procedures to distribute privacy responsibilities, coordinate privacy work, manage privacy risks, and ensure compliance with the federal Privacy Act. The audit report can be consulted here.

Privacy management risks

Canadians are becoming more concerned about the online information practices of organizations and government bodies they deal with. Individuals also consider the privacy protections that companies offer before they do business with them, especially the companies that handle their sensitive information. Many customers will stop doing business with companies if they hear or read in the media that a company has mishandled, improperly used or disclosed or lost their customers personal information.

Organizations should understand the management and reputational risk and loss of customer trust that can happen if they are not clear about how they process information.

“Privacy risk” has been defined by some to mean the chance that your data may be used in ways you don’t expect.

The risks include (this list is not exhaustive):

Organizations using inaccurate customer data to make decisions and serve content
Customers lacking understanding of how to request organizations correct their data (in violation of privacy law)
Organizations lack of understanding of privacy laws
Loss of personal data
Privacy breaches, malware or spyware attacks
Excessive privilege or access rights
Employee negligence, internal fraud for financial gain
System vulnerabilities
Improper disclosures
Discrimination against certain persons or groups who might, for example, be excluded from special offers based on their customer profiles

Guidelines that organizations can follow and suggested by the OPC and the OIPCs of Alberta and British Columbia are based on sound personal information protection principles, which include: notice and choice, education, transparency, control, data security, material changes, sensitive data and most of all accountability. Organizations that take these principles into account when they develop their data collection, and use and disclosure policies and procedures, will be better able to avoid the risks.

Hence, public- and private-sector businesses and organizations need a robust privacy management framework if they are to achieve their program objectives and observe best privacy practices and be accountable.

According to the guide:

Accountability in relation to privacy is the acceptance of responsibility for personal information protection. An accountable organization must have in place appropriate policies and procedures that promote good practices which, taken as a whole, constitute a privacy management program. The outcome is a demonstrable capacity to comply, at a minimum, with applicable privacy laws. Done properly, it should promote trust and confidence on the part of consumers, and thereby enhance competitive and reputational advantages for organizations.

Hence, privacy management is not about just making your information technology infrastructure secure but making privacy part of your business ethics and culture. It entails taking the right steps to safeguard your organization, your clients and customers by ensuring your business complies fully with privacy laws and ensuring that privacy protection is a key consideration in any department, project, transaction, business activities and operations in your organization. In turn, it means identifying a clear accountability for privacy issues so that it is incorporated into the role of all employees, executives, decision-makers in your company.

Comments are closed.

Most Recent Comments

Noel Semple on Due Process and the Rule of Law Under Attack:

Thanks! I ordered a copy. I'll be interested to see if Garrett discusses immigration & refugee matters, which seem to… more »
Ian Mackenzie on Due Process and the Rule of Law Under Attack:

Thanks for the comment, Verna. There are processes in place to "unmake" laws - the exact same processes as are… more »
Verna Milner on Due Process and the Rule of Law Under Attack:

"The administration cannot choose which law it will follow or ignore. These are not partisan or political issues." Could it… more »
Ken Chasse on The National Requirement: Current and Future Impacts on Legal Education:

Missing are: (1) knowledge of the cause and solution of the access to justice (A2J) problem of the unaffordable legal… more »

+ -

Due Process and the Rule of Law Under Attack

Building EQ With Therapeutic Communication

Right and Wrong Reasons for Privatisation, Especially When Legal Information Is Concerned

The National Requirement: Current and Future Impacts on Legal Education

The Wellness Lawyer: “ABRACADABRA”

Winter 2025 US Legal Research Update

Privacy Management Program Guide Will Hopefully Help With Accountability