
Data Privacy Day message to companies: Don’t just write privacy policies, enforce them


Many companies have detailed privacy rules to protect the personal information of customers and employees. But unless the protocols are enforced they aren’t worth the paper they’re written on.

That was the Data Privacy Day message from Brent Homan, deputy commissioner for compliance at the Office of the Privacy Commissioner of Canada (OPC).

“It’s not enough to have protocols,” he said in an interview. “You’ve got to live it.”

“Many times we looked at the processes and the policies and we thought, ‘Looks good, looks great.’ But the problem is, it wasn’t followed. It wasn’t implemented.”

“While we’ve seen that many organizations may appear to have a robust privacy framework in place, when placed under regulatory scrutiny more often than we would like to see we find the framework is sometimes illusory, and the dynamic responsibilities — including the monitoring and the steering necessary to make the framework work — are simply not there.”

The federal privacy commissioner oversees enforcement of the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to private-sector organizations that handle personal information in the course of commercial activity, including federally regulated industries such as financial institutions, telecom companies, and transportation firms.

Homan drew several examples of investigations from the latest Privacy Commissioner’s annual report to Parliament:

Homan gave a third example from a 2014 investigation of Microsoft Canada, which, he said, had a strong privacy management program:

These three complaints were all resolved.

“We believe there are largely good-faith efforts by business to uphold customers’ privacy,” said Homan. “It is not so much that businesses are not complying, but — especially with small businesses — many are simply not aware of all their obligations under PIPEDA. There might be an understanding of key privacy concepts such as obtaining consent or the need to safeguard [customers’ and employees’] personal information, but there might be a lack of internal expertise to fully understand how to meet all of the fair information principles.” These ten principles, set out in Schedule 1 of PIPEDA, govern how organizations collect, use, disclose and protect personal information.

For example, he said, not all businesses have a formal process for handling complaints. Nor, he added, do all firms — especially small ones — have an individual or team responsible for privacy issues, such as a data privacy officer.

Small firms don’t need to have a privacy department, Homan said, but at least they should have someone responsible for privacy issues.

Whoever that person or team is, Homan said, their job should include

To assist companies with their privacy initiatives, the OPC has a business advisory division and a website with guidance for firms.

Homan also stressed the importance of senior managers showing they take data privacy seriously, including having a data privacy officer who has a seat with other members of the C-suite.

“Accountability starts at the top,” he said. “It starts at the C-level and ensuring it [data privacy] is not something in an email thrown around each year.”

“What we don’t want to see,” he added, “is fantastic ‘Centres of Expertise’ in organizations with respect to privacy — but compliance stops there. Make sure there is engagement [by management] and front-line staff are excited and are apprised of their obligation to follow the protocols developed by their centre of privacy expertise.

“It’s the difference between knowing what to do, and doing what you have to do to respect individuals’ privacy.”
