Privacy and Your Business: Getting it Right - MaRS Best Practices

DESCRIPTION

Implementing a privacy management program for your business is a critical yet complex undertaking. This presentation examines recent findings and resources issued by the Office of the Privacy Commissioner of Canada.

TRANSCRIPT
![Page 1: Privacy and Your Business: Getting it Right - MaRS Best Practices](https://reader034.vdocuments.site/reader034/viewer/2022051514/549c01d2b47959ca318b45f7/html5/thumbnails/1.jpg)
Privacy and Your Business: Getting it Right
MaRS Best Practices, March 5, 2013. Lorne MacDougall (Director, PIPEDA, Toronto Office); Vance Lockton (Senior Regional Analyst)
![Page 2: Privacy and Your Business: Getting it Right - MaRS Best Practices](https://reader034.vdocuments.site/reader034/viewer/2022051514/549c01d2b47959ca318b45f7/html5/thumbnails/2.jpg)
![Page 3: Privacy and Your Business: Getting it Right - MaRS Best Practices](https://reader034.vdocuments.site/reader034/viewer/2022051514/549c01d2b47959ca318b45f7/html5/thumbnails/3.jpg)
Presentation Outline
1. Introductions
2. 10 Tips for Avoiding a Complaint to the OPC
3. OPC Resources and Website
4. Build a Privacy Plan for Your Business
5. Getting Accountability Right with a Privacy Management Program
6. The Importance of Transparency
7. Conclusions and Q&A
![Page 4: Privacy and Your Business: Getting it Right - MaRS Best Practices](https://reader034.vdocuments.site/reader034/viewer/2022051514/549c01d2b47959ca318b45f7/html5/thumbnails/4.jpg)
Why is privacy important?
• It’s the law!
• Creates trust in your organization
• Can improve an organization’s reputation
• Could save costs in the long run
• Good privacy means good business
![Page 5: Privacy and Your Business: Getting it Right - MaRS Best Practices](https://reader034.vdocuments.site/reader034/viewer/2022051514/549c01d2b47959ca318b45f7/html5/thumbnails/5.jpg)
The Consequences
• Increased risk of a privacy breach
• Increase in customer complaints
• Negative media attention
• Loss of reputation and trust
• Potential high costs to resolve a breach
• Can unnecessarily increase day-to-day operational expenses
![Page 6: Privacy and Your Business: Getting it Right - MaRS Best Practices](https://reader034.vdocuments.site/reader034/viewer/2022051514/549c01d2b47959ca318b45f7/html5/thumbnails/6.jpg)
Role of the Privacy Commissioner of Canada
Investigate Complaints
• Under PIPEDA and the Privacy Act
• Negotiates to find a solution and makes recommendations
• Ability to pursue court action if necessary
Officer of Parliament
• Brings privacy issues to the attention of Parliament and provides advice
Public Education
• Promoting public awareness and understanding of privacy issues
![Page 7: Privacy and Your Business: Getting it Right - MaRS Best Practices](https://reader034.vdocuments.site/reader034/viewer/2022051514/549c01d2b47959ca318b45f7/html5/thumbnails/7.jpg)
Except where provincial legislation is deemed “substantially similar”
![Page 8: Privacy and Your Business: Getting it Right - MaRS Best Practices](https://reader034.vdocuments.site/reader034/viewer/2022051514/549c01d2b47959ca318b45f7/html5/thumbnails/8.jpg)
What is not covered?
• The collection, use or disclosure of personal information by federal, provincial or territorial government
• An employee's name, title, business address or telephone number
• An individual's collection, use or disclosure of personal information strictly for personal purposes
• An organization's collection, use or disclosure of personal information solely for journalistic, artistic or literary purposes
![Page 9: Privacy and Your Business: Getting it Right - MaRS Best Practices](https://reader034.vdocuments.site/reader034/viewer/2022051514/549c01d2b47959ca318b45f7/html5/thumbnails/9.jpg)
The Toronto Office
• Stronger regional presence.
• A significant number of Canadian businesses have established headquarters in the GTA.
• More than half of respondent organizations for PIPEDA complaints are based in the GTA.
• PIPEDA investigation work on the ground.
• Help bring about better compliance with PIPEDA.
![Page 10: Privacy and Your Business: Getting it Right - MaRS Best Practices](https://reader034.vdocuments.site/reader034/viewer/2022051514/549c01d2b47959ca318b45f7/html5/thumbnails/10.jpg)
Privacy & Small Business
“Small businesses often don’t have the money to hire privacy specialists or lawyers to help them figure out how to comply with Canada’s privacy legislation, nor is it always necessary. Good privacy compliance doesn’t have to be expensive or time-consuming.”
- Jennifer Stoddart, Commissioner
![Page 11: Privacy and Your Business: Getting it Right - MaRS Best Practices](https://reader034.vdocuments.site/reader034/viewer/2022051514/549c01d2b47959ca318b45f7/html5/thumbnails/11.jpg)
Good privacy is good for business.
![Page 12: Privacy and Your Business: Getting it Right - MaRS Best Practices](https://reader034.vdocuments.site/reader034/viewer/2022051514/549c01d2b47959ca318b45f7/html5/thumbnails/12.jpg)
The 10 Privacy Principles
1. Accountability
2. Identifying Purposes
3. Consent
4. Limiting Collection
5. Limiting Use, Disclosure and Retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual Access
10. Challenging Compliance
![Page 13: Privacy and Your Business: Getting it Right - MaRS Best Practices](https://reader034.vdocuments.site/reader034/viewer/2022051514/549c01d2b47959ca318b45f7/html5/thumbnails/13.jpg)
10 Tips for Avoiding Complaints to the OPC
1. Post contact info for your Privacy Officer on your website
2. Train staff about privacy
3. Take responsibility for employee actions
4. Limit collection of personal information
5. Make SINs optional
6. Driver’s licences: you can look, but don’t record
7. Be up front about collection and use of personal information
8. Tell customers about video surveillance
9. Protect personal information
10. Respond to access requests
![Page 23: Privacy and Your Business: Getting it Right - MaRS Best Practices](https://reader034.vdocuments.site/reader034/viewer/2022051514/549c01d2b47959ca318b45f7/html5/thumbnails/23.jpg)
OPC Resources and Website
www.priv.gc.ca
![Page 24: Privacy and Your Business: Getting it Right - MaRS Best Practices](https://reader034.vdocuments.site/reader034/viewer/2022051514/549c01d2b47959ca318b45f7/html5/thumbnails/24.jpg)
OPC Resources and Website
Resources -> Information for Organizations
![Page 26: Privacy and Your Business: Getting it Right - MaRS Best Practices](https://reader034.vdocuments.site/reader034/viewer/2022051514/549c01d2b47959ca318b45f7/html5/thumbnails/26.jpg)
OPC Resources and Website
Build a privacy plan for your business – “The privacy tool for small businesses”
![Page 27: Privacy and Your Business: Getting it Right - MaRS Best Practices](https://reader034.vdocuments.site/reader034/viewer/2022051514/549c01d2b47959ca318b45f7/html5/thumbnails/27.jpg)
Build a Privacy Plan for your Business
Step 1: Who’s on point?
Step 2: Do you collect contact information?
Step 3: Do you collect customer demographics?
Step 4: Do you collect financial information?
Step 5: Do you collect purchase information?
Step 6: Do you collect opinions/interests?
Step 7: Do you collect other information?
Step 8: Evaluate your collection of information
Step 9: Who needs to see the collected information?
Step 10: Your Privacy Plan!
![Page 28: Privacy and Your Business: Getting it Right - MaRS Best Practices](https://reader034.vdocuments.site/reader034/viewer/2022051514/549c01d2b47959ca318b45f7/html5/thumbnails/28.jpg)
Build a Privacy Plan for your Business
• For steps 2-7, select from a list of options:
– Which of the following types of data do you collect from your customers?
– Who in your organization collects this information?
– Why does your organization collect this information?
![Page 29: Privacy and Your Business: Getting it Right - MaRS Best Practices](https://reader034.vdocuments.site/reader034/viewer/2022051514/549c01d2b47959ca318b45f7/html5/thumbnails/29.jpg)
Build a Privacy Plan for your Business
• Select from a list of options (cont’d):
– Who in your organization uses this information?
– How is this information stored?
– Do you ever share this information with or sell it to third parties?
![Page 30: Privacy and Your Business: Getting it Right - MaRS Best Practices](https://reader034.vdocuments.site/reader034/viewer/2022051514/549c01d2b47959ca318b45f7/html5/thumbnails/30.jpg)
Build a Privacy Plan for your Business
• This process generates:
– An information audit of your business
– Consent provisions required specifically for your business
– A security plan for protecting personal information in your care
– A sample privacy brochure for your customers
– A training needs assessment
![Page 31: Privacy and Your Business: Getting it Right - MaRS Best Practices](https://reader034.vdocuments.site/reader034/viewer/2022051514/549c01d2b47959ca318b45f7/html5/thumbnails/31.jpg)
Getting Accountability Right with a Privacy Management Program
![Page 32: Privacy and Your Business: Getting it Right - MaRS Best Practices](https://reader034.vdocuments.site/reader034/viewer/2022051514/549c01d2b47959ca318b45f7/html5/thumbnails/32.jpg)
What do we mean by “accountability”?
• Principle 1 of Schedule 1 of PIPEDA states: “An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles…”
![Page 33: Privacy and Your Business: Getting it Right - MaRS Best Practices](https://reader034.vdocuments.site/reader034/viewer/2022051514/549c01d2b47959ca318b45f7/html5/thumbnails/33.jpg)
Getting Accountability Right: Building Blocks
• Culture of privacy
• Program controls
• Ongoing assessment and review
![Page 34: Privacy and Your Business: Getting it Right - MaRS Best Practices](https://reader034.vdocuments.site/reader034/viewer/2022051514/549c01d2b47959ca318b45f7/html5/thumbnails/34.jpg)
For More Information
![Page 35: Privacy and Your Business: Getting it Right - MaRS Best Practices](https://reader034.vdocuments.site/reader034/viewer/2022051514/549c01d2b47959ca318b45f7/html5/thumbnails/35.jpg)
Transparency
What you do:
“An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.”
Why you do it:
“Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which information will be used.”
![Page 36: Privacy and Your Business: Getting it Right - MaRS Best Practices](https://reader034.vdocuments.site/reader034/viewer/2022051514/549c01d2b47959ca318b45f7/html5/thumbnails/36.jpg)
Transparency
The Challenges
![Page 37: Privacy and Your Business: Getting it Right - MaRS Best Practices](https://reader034.vdocuments.site/reader034/viewer/2022051514/549c01d2b47959ca318b45f7/html5/thumbnails/37.jpg)
Transparency
The Expectations
![Page 38: Privacy and Your Business: Getting it Right - MaRS Best Practices](https://reader034.vdocuments.site/reader034/viewer/2022051514/549c01d2b47959ca318b45f7/html5/thumbnails/38.jpg)
Transparency
The Opportunities
![Page 39: Privacy and Your Business: Getting it Right - MaRS Best Practices](https://reader034.vdocuments.site/reader034/viewer/2022051514/549c01d2b47959ca318b45f7/html5/thumbnails/39.jpg)
We’re here to help!
![Page 40: Privacy and Your Business: Getting it Right - MaRS Best Practices](https://reader034.vdocuments.site/reader034/viewer/2022051514/549c01d2b47959ca318b45f7/html5/thumbnails/40.jpg)
Questions?
![Page 41: Privacy and Your Business: Getting it Right - MaRS Best Practices](https://reader034.vdocuments.site/reader034/viewer/2022051514/549c01d2b47959ca318b45f7/html5/thumbnails/41.jpg)