Privacy and Your Business: Getting it Right - MaRS Best Practices

Implementing a privacy management program for your business is a critical yet complex undertaking. This presentation examines recent findings and resources issued by the Office of the Privacy Commissioner of Canada.


  1. Privacy and Your Business: Getting it Right. MaRS Best Practices, March 5, 2013. Lorne MacDougall (Director, PIPEDA, Toronto Office) and Vance Lockton (Senior Regional Analyst)
  2. Presentation Outline
     1. Introductions
     2. 10 Tips for Avoiding a Complaint to the OPC
     3. OPC Resources and Website
     4. Build a Privacy Plan for Your Business
     5. Getting Accountability Right with a Privacy Management Program
     6. The Importance of Transparency
     7. Conclusions and Q&A
  3. Why is privacy important?
     • It's the law!
     • Creates trust in your organization
     • Can improve an organization's reputation
     • Could save costs in the long run
     • Good privacy means good business
  4. The Consequences
     • Increased risk of a privacy breach
     • Increase in customer complaints
     • Negative media attention
     • Loss of reputation and trust
     • Potentially high costs to resolve a breach
     • Can unnecessarily increase day-to-day operational expenses
  5. Role of the Privacy Commissioner of Canada
     • Investigate Complaints: under PIPEDA and the Privacy Act; negotiates to find a solution and makes recommendations; has the ability to pursue court action if necessary
     • Officer of Parliament: brings privacy issues to the attention of Parliament and provides advice
     • Public Education: promoting public awareness and understanding of privacy issues
  6. Except where provincial legislation is deemed substantially similar.
  7. What is not covered?
     • The collection, use or disclosure of personal information by federal, provincial or territorial governments
     • An employee's name, title, business address or telephone number
     • An individual's collection, use or disclosure of personal information strictly for personal purposes
     • An organization's collection, use or disclosure of personal information solely for journalistic, artistic or literary purposes
  8. The Toronto Office
     • Stronger regional presence.
     • A significant number of Canadian businesses have established headquarters in the GTA.
     • More than half of respondent organizations for PIPEDA complaints are based in the GTA.
     • PIPEDA investigation work on the ground.
     • Help bring about better compliance with PIPEDA.
  9. Privacy & Small Business
     "Small businesses often don't have the money to hire privacy specialists or lawyers to help them figure out how to comply with Canada's privacy legislation, nor is it always necessary. Good privacy compliance doesn't have to be expensive or time-consuming." - Jennifer Stoddart, Commissioner
  10. Good privacy is good for business.
  11. The 10 Privacy Principles
      1. Accountability
      2. Identifying Purposes
      3. Consent
      4. Limiting Collection
      5. Limiting Use, Disclosure and Retention
      6. Accuracy
      7. Safeguards
      8. Openness
      9. Individual Access
      10. Challenging Compliance
  12. 10 Tips for Avoiding Complaints to the OPC
      1. Post contact info for your Privacy Officer on your website
      2. Train staff about privacy
      3. Take responsibility for employee actions
      4. Limit collection of personal information
      5. Make SINs optional
      6. Driver's licences: you can look, but don't record
      7. Be up front about collection and use of personal information
      8. Tell customers about video surveillance
      9. Protect personal information
      10. Respond to access requests
  22. OPC Resources and Website: www.priv.gc.ca
  23. OPC Resources and Website: Resources -> Information for Organizations
  25. OPC Resources and Website: Build a privacy plan for your business ("The privacy tool for small businesses")
  26. Build a Privacy Plan for your Business
      • Step 1: Who's on point?
      • Step 2: Do you collect customer contact information?
      • Step 3: Do you collect demographics?
      • Step 4: Do you collect purchase information?
      • Step 5: Do you collect financial information?
      • Step 6: Do you collect opinions/interests?
      • Step 7: Do you collect other information?
      • Step 8: Evaluate your collection of the information collected
      • Step 9: Who needs to see the information?
      • Step 10: Your Privacy Plan!
  27. Build a Privacy Plan for your Business
      • For steps 2-7, select from a list of options:
        – Which of the following types of data do you collect from your customers?
        – Who in your organization collects this information?
        – Why does your organization collect this information?
  28. Build a Privacy Plan for your Business
      • Select from a list of options (cont'd):
        – Who in your organization uses this information?
        – How is this information stored?
        – Do you ever share this information with or sell it to third parties?
  29. Build a Privacy Plan for your Business
      • This process generates:
        – An information audit of your business
        – Consent provisions required specifically for your business
        – A security plan for protecting personal information in your care
        – A sample privacy brochure for your customers
        – A training needs assessment
  30. Getting Accountability Right with a Privacy Management Program
  31. What do we mean by "accountability"?
      • Principle 1 of Schedule 1 of PIPEDA states: "An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles…"
  32. Getting Accountability Right: Building Blocks
      • Culture of privacy
      • Program controls
      • Ongoing assessment and review
  33. For More Information
  34. Transparency
      What you do: "An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information."
      Why you do it: "Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which information will be used."
  35. Transparency: The Challenges
  36. Transparency: The Expectations
  37. Transparency: The Opportunities
  38. We're here to help!
  39. Questions?
