Advice From Ontario Privacy Commissioner: Make Privacy Part of Your Corporate Culture

The Ontario Information and Privacy Commissioner is calling on organizations to make privacy a part of their corporate culture. Dr. Ann Cavoukian says it is not enough for organizations to have a privacy policy in place – they must take steps on an ongoing basis to make sure it is reflected in every aspect of their operations.

This recommendation comes with the release of a new how-to guide on putting privacy policies into practice. The guide, entitled A Policy is Not Enough: It Must be Reflected in Concrete Practices, provides a 7-step action plan on how to effectively execute an appropriate privacy policy and embed it in the concrete practices of an organization.

As stated in their press release, the importance of this issue was highlighted recently when Elections Ontario lost two USB keys containing the unencrypted personal information of as many as 2.4 million voters. In her investigation, Commissioner Cavoukian found the agency’s failure to systematically address privacy and security issues was at the root of the problems.

Commissioner Cavoukian said,

“Privacy policies alone, without a proper strategy for implementation and ongoing compliance procedures, will not protect an organization from privacy risks. The seven recommendations presented in this paper will provide organizations with concrete guidance on how to effectively execute an appropriate privacy policy, and have it reflected in actual practice. This information will be helpful to organizations of any size, and in any sector.”

In addition to the seven steps, the guide recommends that organizations develop privacy education and awareness training programs and designate a knowledgeable “go-to” person for privacy-related queries within the organization. Furthermore, processes and procedures are needed to verify compliance with privacy policies – such as comprehensive privacy audits of the organization and informal audits of employees’ mobile devices, to make sure they are protected by passwords and strong encryption.

The seven steps that organizations should consider implementing in order to effectively translate their privacy policies into privacy practices include:

  • Implement a privacy policy that reflects the privacy needs and risks of the organization and consider conducting an effective Privacy Impact Assessment
  • Link each requirement within the policy to a concrete, actionable item – operational processes, controls and/or procedures, translating each policy item into a specific practice that must be executed
  • Demonstrate how each practice item will actually be implemented
  • Develop and conduct privacy education and awareness training programs to ensure that all employees understand the policies/practices required, as well as the obligations they impose
  • Designate a central “go-to” person for privacy-related queries within the organization
  • Verify both employee and organizational execution of privacy policies and operational processes and procedures
  • Proactively prepare for a potential privacy breach by establishing a data breach protocol to effectively manage a breach

Am I required to have a privacy policy in Ontario?

It is important to note that Ontario does not have its own privacy law for the private sector. However, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) covers personal information collected, used or disclosed in the course of a commercial activity in the provinces that do not have private sector legislation – namely, Ontario, Saskatchewan, Manitoba, New Brunswick, Nova Scotia, Prince Edward Island and Newfoundland and Labrador – and across borders. It does not, however, apply to employee information in organizations in these provinces. Organizations covered by the Act for their customer information may wish to consider extending the same protections to their employee information.

Alberta, British Columbia, and Quebec each have a private sector privacy law that has been deemed to be substantially similar to PIPEDA. Therefore, PIPEDA does not apply to the intraprovincial collection, use or disclosure of personal information by private sector organizations subject to these provincial laws. PIPEDA continues to apply to federal works, undertakings or businesses in these provinces.

PIPEDA also applies to inter-provincial and international transactions involving personal information in the course of commercial activities.

In matters relating to health care, Ontario has privacy legislation deemed substantially similar to PIPEDA.

PIPEDA sets ground rules for how organizations may collect, use or disclose information about individuals in the course of commercial activities. The law also gives individuals the right to see and ask for corrections to information an organization may have collected about them. If an organization’s customers think the organization is not living up to its responsibilities under the law, they have the right to lodge an official complaint.

Hence, Ontario organizations are accountable for the protection of personal information under their control, and should take the Commissioner’s advice and make privacy part of their corporate culture. Private sector privacy legislation requires organizations to build privacy policies that outline how they collect, use and disclose their customers’ personal information.

When you take privacy rights seriously in your business, you establish an atmosphere of trust that keeps customers loyal and attracts the best employees. When you establish a comprehensive privacy policy that customers and employees can understand, you are also less likely to become involved in a privacy dispute.