Privacy and Your Business: Getting it Right MaRS Best Practices March 5, 2013 Lorne MacDougall (Director PIPEDA, Toronto Office) Vance Lockton (Senior Regional Analyst)

Upload: mars-discovery-district

Posted on 25-Dec-2014

DESCRIPTION

Implementing a privacy management program for your business is a critical yet complex undertaking. This presentation examines recent findings and resources issued by the Office of the Privacy Commissioner of Canada.

TRANSCRIPT

Page 1

Page 2

Page 3

Presentation Outline

1. Introductions
2. 10 Tips for Avoiding a Complaint to the OPC
3. OPC Resources and Website
4. Build a Privacy Plan for Your Business
5. Getting Accountability Right with a Privacy Management Program
6. The Importance of Transparency
7. Conclusions and Q&A

Page 4

Why is privacy important?

•  It’s the law!
•  Creates trust in your organization
•  Can improve an organization’s reputation
•  Could save costs in the long-run
•  Good privacy means good business

Page 5

The Consequences

•  Increased risk of a privacy breach
•  Increase in customer complaints
•  Negative media attention
•  Loss of reputation and trust
•  Potential high costs to resolve breach
•  Can unnecessarily increase day-to-day operational expenses

Page 6

Role of the Privacy Commissioner of Canada

Investigate Complaints
•  Under PIPEDA and Privacy Act
•  Negotiates to find solution and makes recommendation
•  Ability to pursue court action if necessary

Officer of Parliament
•  Brings privacy issues to the attention of parliament and provides advice

Public Education
•  Promoting public awareness and understanding of privacy issues

Page 7

Except where provincial legislation is deemed “substantially similar”

Page 8

What is not covered?

•  The collection, use or disclosure of personal information by federal, provincial or territorial government
•  An employee's name, title, business address or telephone number
•  An individual's collection, use or disclosure of personal information strictly for personal purposes
•  An organization's collection, use or disclosure of personal information solely for journalistic, artistic or literary purposes

Page 9

The Toronto Office

•  Stronger regional presence.
•  Significant number of Canadian businesses have established headquarters in the GTA.
•  More than half of respondent organizations for PIPEDA complaints are based in the GTA.
•  PIPEDA investigation work on the ground.
•  Help bring about better compliance with PIPEDA.

Page 10

Privacy & Small Business

“Small businesses often don’t have the money to hire privacy specialists or lawyers to help them figure out how to comply with Canada’s privacy legislation, nor is it always necessary. Good privacy compliance doesn’t have to be expensive or time-consuming.”

- Jennifer Stoddart, Commissioner

Page 11

Good privacy is good for business.

Page 12

The 10 Privacy Principles

1. Accountability

2. Identifying Purposes

3. Consent

4. Limiting Collection

5. Limiting Use, Disclosure and Retention

6. Accuracy

7. Safeguards

8. Openness

9. Individual Access

10. Challenging Compliance

Page 13

10 Tips for Avoiding Complaints to the OPC

1. Post contact info for your Privacy Officer on your website
2. Train staff about privacy
3. Take responsibility for employee actions
4. Limit collection of personal information
5. Make SINs optional
6. Driver’s licenses – you can look, but don’t record
7. Be up front about collection and use of personal information
8. Tell customers about video surveillance
9. Protect personal information
10. Respond to access requests

Page 23

OPC Resources and Website

www.priv.gc.ca

Page 24

OPC Resources and Website

Resources -> Information for Organizations

Page 26

OPC Resources and Website

Build a privacy plan for your business – “The privacy tool for small businesses”

Page 27

Build a Privacy Plan for your Business

Step 1: Who’s on Point?
Step 2: Do you collect contact information?
Step 3: Do you collect customer demographics?
Step 4: Do you collect financial information?
Step 5: Do you collect purchase information?
Step 6: Do you collect opinions/interests?
Step 7: Do you collect other information?
Step 8: Evaluate your collection of information
Step 9: Who needs to see the collected information?
Step 10: Your Privacy Plan!

Page 28

Build a Privacy Plan for your Business

•  For steps 2-7, select from a list of options:
   – Which of the following types of data do you collect from your customers?
   – Who in your organization collects this information?
   – Why does your organization collect this information?

Page 29

Build a Privacy Plan for your Business

•  Select from a list of options (cont’d):
   – Who in your organization uses this information?
   – How is this information stored?
   – Do you ever share this information with or sell it to third parties?

Page 30

Build a Privacy Plan for your Business

•  This process generates:
   – An information audit of your business
   – Consent provisions required specifically for your business
   – A security plan for protecting personal information in your care
   – A sample privacy brochure for your customers
   – A training needs assessment

Page 31

Getting Accountability Right with a Privacy Management Program

Page 32

What do we mean by “accountability”?

•  Principle 1 of Schedule 1 of PIPEDA states: “An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles…”

Page 33

Getting Accountability Right: Building Blocks

•  Culture of privacy
•  Program controls
•  Ongoing assessment and review

Page 34

For More Information

Page 35

Transparency

What you do: “An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.”

Why you do it: “Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which information will be used.”

Page 36

Transparency: The Challenges

Page 37

Transparency: The Expectations

Page 38

Transparency: The Opportunities

Page 39

We’re here to help!

Page 40

Questions?

Page 41