TORONTO–The Ontario Information and Privacy Commission unveiled a free tool on Thursday to help businesses assess the status of their information privacy practices.
The Privacy Diagnostic Tool (PDT) gauges an organization’s privacy practices and policies against International Fair Information Practices Principles. The software was developed in conjunction with security and privacy experts from PricewaterhouseCoopers (PwC) and Guardent. PDT can be downloaded from their Web sites.
According to Michael Deck, PwC privacy director, global risk management services, PDT is based on a series of questions in 10 areas, from accountability to consent to identifying purposes. Each of the 119 questions requires a “Yes” or “No” answer. Once completed, it generates a report outlining what needs to be done to improve privacy practices.
Ontario Information and Privacy commissioner Ann Cavoukian said the project was partly born out of people asking her where to start and what tools to use and having nothing to point them to. While there are other tools out there, she said they are usually specific to a country or region.
“What I wanted was to develop a tool that wasn’t unique to Canada — it will be a great benefit to Canada because it’s based on CSA (Canadian Standards Association) fair information practices — but it is not unique to Canada,” Cavoukian said. “Use these fair information practices in any other jurisdiction, the U.S., Australia, Japan, anywhere, and you will be well on your way to compliance with whatever privacy statutes there may be or may be down the road.”
Making the test self-administered was important, according to Cavoukian. She said many of the businesses who approached her had no idea where they stood in terms of privacy protection. The tool also contains a glossary to help users with definitions. What PDT is not, however, is a silver bullet for privacy issues.
“It’s really not intended to be an in-depth analysis of your privacy operations,” said Deck. “It doesn’t purport to tell you whether you’re in compliance with any particular act, any particular legislation, but rather it’s intended to get people oriented to what the requirements, what the best practices are.”
While for the most part private companies are not required by law to adhere to any standards, Cavoukian stressed this is not an issue businesses can ignore. On Jan. 1, 2001 the Personal Information Protection and Electronic Documents Act came into effect for federally regulated companies in the private sector and for international and inter-provincial companies that trade personal information where the information itself is the subject of the trade. The Act will be applied more broadly in 2004.
“The message now is if you don’t build in the privacy up front and invest what you need to to protect privacy, you will definitely, virtually be guaranteed, you’re going to pay later on in some form or another. It’s not a luxury; it’s going to be a cost of doing business,” said Cavoukian.
Peter Cullen, chief privacy officer for Royal Bank Financial group, said he is excited by the value of the software.
“It’s going to allow them to move down the path of understanding what they need to do,” said Cullen. “It allows them not only to get prepared for what the law requires, but, perhaps more importantly, what the customers are coming to expect.”