In part two of this series we delved into the first two of 10 necessary action items to ensure that your company complies with PIPEDA: finding someone who can be responsible, and creating a privacy policy. This article will touch upon action items three to seven.

3. Ensure Marketing Materials Meet Marketplace Privacy Expectations

Given the need to inform customers of what use you will be making of the personal information you gather, and to obtain their consent, it is imperative that all customer-facing material, including marketing material, application forms, brochures, and agreements, in both hard copy and on your Web site, be reviewed for legislative compliance.

Marketing information, including customer brochures, forms, applications and other systems and documents used to collect personal information, should be used in accordance with the entity’s informational privacy policies, and should ensure that the entity:

· Obtains the consent of the data subject to collect the information

· Identifies the purpose for which the information is being collected and how it will be used

· Limits the personal information gathered to that which is reasonable to accomplish the business objectives of the purpose for which the information is being collected.

In addition to addressing the marketing and other tools used to collect personal information, the entity should also ensure that the computerized and manual systems can record and monitor the various combinations of consent, including current use, future use, disclosure, sharing, etc., related to a data subject’s information.

4. Address the Regulatory Issues

Regulators do matter! It is imperative that privacy policies and procedures comply with the legislation under which the enterprise operates. Where the enterprise conducts business in multiple jurisdictions, the policies should reflect those of the most stringent legislation to minimize differences in application due to jurisdiction.

This needs to be managed carefully, though, to avoid an entity becoming less competitive in a particular jurisdiction where less stringent privacy protections are in place.

In certain cases, the regulations in one jurisdiction may conflict with business practices in another, such as the case with “opt-in” in Europe and “opt-out” business practice commonly found in the United States. In such cases, care should be taken to balance the legal requirements with the business practices through such techniques as different consent forms or different procedures for obtaining oral consent in the various jurisdictions.


5. Obtain Data Subject’s Consent

Most privacy legislation requires that the enterprise receive consent from data subjects (the persons about whom it is gathering information) prior to, or at the time of, the collection of the information.

Consent can be formal and in writing – signing a consent agreement; verbal – discussing a registration form; informal – a click on a website; or implied – requesting information. In the latter case, it may be implied that the data subject consents to the entity recording his or her name and address and using them to fulfil the request for products.

Regardless of the form, consent must usually be received and should always be documented in the enterprise’s records, even if that documentation is only a note to indicate that verbal consent has been received.

It is important to manage consent records thereafter to ensure that the data subject has consented to the use of his or her information in future mailings and other contacts. The process does not stop with the initial recording!

In most jurisdictions with informational privacy legislation, a data subject is required to provide consent for the collection of personal information and the subsequent use or disclosure of this information.

Typically, an entity will seek consent for the use or disclosure of the information prior to, or at the time of, its collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use (for example, when an organization wants to use information for a purpose not previously identified).
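Item 3 asks that the entity's systems record and monitor the various combinations of consent for each data subject, and item 5 asks that consent be documented, managed after the initial recording, and re-obtained before information is used for a purpose not previously identified. The following is an added example (not code from the article or from Deloitte & Touche) of a minimal consent ledger that captures those requirements: every consent is recorded with its form and purpose, a use or disclosure is only allowed against an active consent for that exact purpose, and each permitted use is logged so that an access request (item 6) can be answered with an account of use. The subject identifier, purpose names, dates and notes are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Dict, List, Optional


class ConsentForm(Enum):
    """How the consent was given; every form, even implied, gets a documented record."""
    WRITTEN = "written"      # signed consent agreement
    VERBAL = "verbal"        # discussed at registration, noted by staff
    INFORMAL = "informal"    # a click on a web form
    IMPLIED = "implied"      # inferred from the data subject's own request


@dataclass
class ConsentRecord:
    purpose: str                       # the purpose identified to the subject
    form: ConsentForm
    obtained_on: date
    note: str = ""                     # e.g. "verbal consent noted by A. Clerk"
    withdrawn_on: Optional[date] = None

    def active_on(self, day: date) -> bool:
        """Consent covers a day only from when it was obtained until it is withdrawn."""
        if day < self.obtained_on:
            return False
        return self.withdrawn_on is None or day < self.withdrawn_on


@dataclass
class UseEntry:
    purpose: str
    on: date
    recipient: str   # "internal", or the third party the information was disclosed to


class ConsentLedger:
    """Per-subject consent records plus an account of every use and disclosure."""

    def __init__(self) -> None:
        self._consents: Dict[str, List[ConsentRecord]] = {}
        self._uses: Dict[str, List[UseEntry]] = {}

    def record_consent(self, subject_id: str, purpose: str, form: ConsentForm,
                       obtained_on: date, note: str = "") -> None:
        self._consents.setdefault(subject_id, []).append(
            ConsentRecord(purpose, form, obtained_on, note))

    def withdraw_consent(self, subject_id: str, purpose: str, on: date) -> None:
        for rec in self._consents.get(subject_id, []):
            if rec.purpose == purpose and rec.withdrawn_on is None:
                rec.withdrawn_on = on

    def consent_active(self, subject_id: str, purpose: str, on: date) -> bool:
        return any(rec.purpose == purpose and rec.active_on(on)
                   for rec in self._consents.get(subject_id, []))

    def authorize_use(self, subject_id: str, purpose: str, on: date,
                      recipient: str = "internal") -> bool:
        """Gate a use or disclosure on an active consent for that exact purpose.
        A purpose never identified to the subject, or one that has been withdrawn,
        is refused: fresh consent has to be obtained before the information is used."""
        if not self.consent_active(subject_id, purpose, on):
            return False
        self._uses.setdefault(subject_id, []).append(UseEntry(purpose, on, recipient))
        return True

    def account_of_use(self, subject_id: str) -> List[UseEntry]:
        """The account of uses and disclosures an access request must be able to return."""
        return list(self._uses.get(subject_id, []))

    def purposes_consented(self, subject_id: str, on: date) -> List[str]:
        return sorted({rec.purpose for rec in self._consents.get(subject_id, [])
                       if rec.active_on(on)})


# Constructed sample dates: one falls before, one after, the withdrawal below.
DAY_BEFORE_WITHDRAWAL = date(2024, 2, 1)
DAY_AFTER_WITHDRAWAL = date(2024, 4, 1)


def demo() -> ConsentLedger:
    """Constructed sample: one subject, two purposes consented, one later withdrawn."""
    ledger = ConsentLedger()
    ledger.record_consent("subject-001", "fulfil_order", ConsentForm.INFORMAL,
                          date(2024, 1, 10), note="accepted privacy notice on web form")
    ledger.record_consent("subject-001", "marketing_email", ConsentForm.VERBAL,
                          date(2024, 1, 10), note="verbal consent, noted by A. Clerk")
    ledger.withdraw_consent("subject-001", "marketing_email", date(2024, 3, 1))
    return ledger


if __name__ == "__main__":
    led = demo()
    print(led.authorize_use("subject-001", "fulfil_order", DAY_BEFORE_WITHDRAWAL))
    print(led.authorize_use("subject-001", "marketing_email", DAY_AFTER_WITHDRAWAL))
    print(led.authorize_use("subject-001", "share_with_partner", DAY_AFTER_WITHDRAWAL, "PartnerCo"))
    for entry in led.account_of_use("subject-001"):
        print(entry)
```

The design point is that consent is keyed by purpose, not stored as a single yes/no flag per customer: a withdrawn marketing consent does not stop order fulfilment, and a new purpose (here a disclosure to a partner) is refused until it has been identified to the subject and consented to. Because only permitted uses are logged, the use log doubles as the record the entity needs when answering an access request.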

In addition, many jurisdictions require that the data subject also have knowledge of the collection of personal information.

This “knowledge and consent” criterion places responsibility on the entity to make a reasonable effort to ensure that the data subject is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.

It should be noted that in certain circumstances personal information might have to be collected, used, or disclosed without the knowledge and consent of the individual. For example, legal, medical, or security reasons may make it impossible or impractical to seek consent prior to use.

Further, when information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information.

In other cases, seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill, or mentally incapacitated. In addition, entities that do not have a direct relationship with the individual may not always be able to seek consent. For example, seeking consent may be impractical for a charity or a direct-marketing firm that wishes to acquire a mailing list from another organization. In such cases, the entity providing the list would be expected to obtain consent before disclosing personal information.

6. Provide Access to Personal Information

Data subjects should be provided with an opportunity to view personal information the enterprise maintains about them. Most comprehensive informational privacy legislation requires that, upon request, the data subject must be informed of the existence, use, and disclosure of his or her personal information and must be given access to that information. A data subject should be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

This request may be very difficult to fulfill given the likelihood that personal information may be maintained in many organizational units within the entity. If it cannot be obtained at a reasonable cost and within a reasonable period of time, the entity may request permission to disclose only that information that it can reasonably obtain.

It must be remembered that such disclosure is not a clerical function. The information must be carefully reviewed to ensure that it does not include information that contains references to other individuals, whereby such disclosure would violate the other individual’s privacy. Care must be taken with information that cannot be disclosed for legal, security, or commercial proprietary reasons. In addition, care must be taken not to disclose information that is subject to solicitor-client or litigation privilege.

Best practices would include:

· Informing the data subject, in a timely manner, whether or not the entity holds personal information about him or her.

· Indicating the source, or sources, of the information.

· Permitting the data subject access to this information in a readable and understandable form.

· Placing restrictions on the release of personal information, such as requiring that medical information held by the entity be released through a medical practitioner to ensure proper interpretation.

· Providing the data subject with an account of the use that has been made or is being made of their personal information and an account of the third parties to which it has been disclosed.

One of the key security concerns is ensuring that the data subject is actually who they say they are. The individual making the request may be “fishing” for information about the data subject by posing as them. The entity should be guarded and may require the individual making the request to provide identification and other information prior to releasing information about the existence, use, and disclosure of personal information about the data subject.

In part four we will reveal the final three action items and provide a summary.

Robert Parker, a partner in the Toronto office of Deloitte & Touche, is responsible for providing information security and control, data integrity and personal information privacy services to major clients. He served on the international board of directors of the Information Audit and Control Association and was international president in 1986-1987. Currently, he is on the research board and the Journal editorial board and is liaison to the CICA’s Specialization Committee. He represented the Canadian Institute of Chartered Accountants on an ISO personal information privacy committee, and is currently assisting clients in assessing their readiness status and future strategy to deal with Canada’s new Personal Information Protection (and Electronic Documents) Act.
