privacy and your business: getting it right - mars best practices
DESCRIPTION
Implementing a privacy management program for your business is a critical yet complex undertaking. This presentation examines recent findings and resources issued by the Office of the Privacy Commissioner of Canada.
TRANSCRIPT
Privacy and Your Business: Getting it Right
MaRS Best Practices, March 5, 2013
Lorne MacDougall (Director PIPEDA, Toronto Office)
Vance Lockton (Senior Regional Analyst)
Presentation Outline
1. Introductions
2. 10 Tips for Avoiding a Complaint to the OPC
3. OPC Resources and Website
4. Build a Privacy Plan for Your Business
5. Getting Accountability Right with a Privacy Management Program
6. The Importance of Transparency
7. Conclusions and Q&A
Why is privacy important?
• It’s the law!
• Creates trust in your organization
• Can improve an organization’s reputation
• Could save costs in the long run
• Good privacy means good business
The Consequences
• Increased risk of a privacy breach
• Increase in customer complaints
• Negative media attention
• Loss of reputation and trust
• Potential high costs to resolve breach
• Can unnecessarily increase day-to-day operational expenses
Role of the Privacy Commissioner of Canada
Investigate Complaints
• Under PIPEDA and Privacy Act
• Negotiates to find solution and makes recommendation
• Ability to pursue court action if necessary
Officer of Parliament
• Brings privacy issues to the attention of parliament and provides advice
Public Education
• Promoting public awareness and understanding of privacy issues
Except where provincial legislation is deemed “substantially similar”
What is not covered?
• The collection, use or disclosure of personal information by federal, provincial or territorial government
• An employee's name, title, business address or telephone number
• An individual's collection, use or disclosure of personal information strictly for personal purposes
• An organization's collection, use or disclosure of personal information solely for journalistic, artistic or literary purposes
The Toronto Office
• Stronger regional presence.
• Significant number of Canadian businesses have established headquarters in the GTA.
• More than half of respondent organizations for PIPEDA complaints are based in the GTA.
• PIPEDA investigation work on the ground.
• Help bring about better compliance with PIPEDA.
Privacy & Small Business
“Small businesses often don’t have the money to hire privacy specialists or lawyers to help them figure out how to comply with Canada’s privacy legislation, nor is it always necessary. Good privacy compliance doesn’t have to be expensive or time-consuming.”
- Jennifer Stoddart, Commissioner
Good privacy is good for business.
The 10 Privacy Principles
1. Accountability
2. Identifying Purposes
3. Consent
4. Limiting Collection
5. Limiting Use, Disclosure and Retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual Access
10. Challenging Compliance
10 Tips for Avoiding Complaints to the OPC
1. Post contact info for your Privacy Officer on your website
2. Train staff about privacy
3. Take responsibility for employee actions
4. Limit collection of personal information
5. Make SINs optional
6. Driver’s licenses – you can look, but don’t record
7. Be up front about collection and use of personal information
8. Tell customers about video surveillance
9. Protect personal information
10. Respond to access requests
OPC Resources and Website
www.priv.gc.ca
Resources -> Information for Organizations
OPC Resources and Website
Build a privacy plan for your business – “The privacy tool for small businesses”
Build a Privacy Plan for your Business
Step 1: Who’s on point?
Step 2: Do you collect contact information?
Step 3: Do you collect customer demographics?
Step 4: Do you collect financial information?
Step 5: Do you collect purchase information?
Step 6: Do you collect opinions/interests?
Step 7: Do you collect other information?
Step 8: Evaluate your collection of information
Step 9: Who needs to see the collected information?
Step 10: Your Privacy Plan!
Build a Privacy Plan for your Business
• For steps 2-7, select from a list of options:
– Which of the following types of data do you collect from your customers?
– Who in your organization collects this information?
– Why does your organization collect this information?
Build a Privacy Plan for your Business
• Select from a list of options (cont’d):
– Who in your organization uses this information?
– How is this information stored?
– Do you ever share this information with or sell it to third parties?
Build a Privacy Plan for your Business
• This process generates:
– An information audit of your business
– Consent provisions required specifically for your business
– A security plan for protecting personal information in your care
– A sample privacy brochure for your customers
– A training needs assessment
Getting Accountability Right with a Privacy Management Program
What do we mean by “accountability”?
• Principle 1 of Schedule 1 of PIPEDA states: “An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles…”
Getting Accountability Right: Building Blocks
• Culture of privacy
• Program controls
• Ongoing assessment and review
For More Information
Transparency
What you do:
“An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.”
Why you do it:
“Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which information will be used.”
Transparency: The Challenges
Transparency: The Expectations
Transparency: The Opportunities
We’re here to help!
Questions?