Canada has two federal laws designed to protect people’s privacy: The Privacy Act, which took effect on July 1, 1983, imposes obligations on about 150 federal government departments and agencies to respect privacy rights by limiting the collection, use and disclosure of personal information.
Individuals are also protected by the Personal Information Protection and Electronic Documents Act (PIPEDA), which sets out ground rules for how private sector organizations may collect, use or disclose personal information in the course of commercial activities. Canadian corporations have had to comply with PIPEDA since January 2004.
With PIPEDA having come into law two and a half years ago, most Canadian companies are beyond the point of generating a first policy to comply. In fact, Terry McQuay, president, lead researcher and privacy educator at Toronto-based Nymity Inc., describes corporate Canada as “well aware” of the laws, and says companies have gone a long way toward understanding them. “We’ve gone beyond compliance. We’re now into privacy management, where compliance is a component of it,” says McQuay.
Nevertheless, all companies, regardless of size, should be proactively managing their privacy programs if they want to stay clear of litigation and other problems. Complying with laws is always an element of this, but a privacy management program should have more. There are three components to a good program, according to McQuay: avoiding complaints, preventing breaches and attaining compliance with the law.
“You can be compliant and still have a probability of a breach, so you want to make sure you put a mitigation strategy in place, and know the six steps that will cover off all three of these elements,” McQuay says.
Here are six steps to proactively complying with PIPEDA:
- Tell your story: Make sure you offer a good notice strategy to consumers. You should be explaining your policies to all consumers through a privacy notice — something that can easily be communicated on your Web site.
- Share the information: Train your employees so they are well aware of your policies and the laws, including any changes to the Act or changes in internal or external technology that will affect how the company handles private information.
- Assess yourself: The fourth component is auditing. You should self-assess your organization’s information handling practices against your own policies — and, of course, against the laws.
- Retain or destroy: All companies require records management programs, which administer your policies on how long data can or must be retained.
- Consider security: Finally, tying in closely with No. 5 is ensuring that you are safeguarding personal information. This can be treated as a records management issue, but more and more people are looking at it from a security standpoint.
Terry McQuay is president, lead researcher and privacy educator at Toronto-based Nymity Inc., a provider of privacy risk management solutions that help organizations mitigate the risks of privacy breaches.