Bell Canada, Telus and Scotiabank ranked among the top 20 Canadian companies with the best privacy policies, according to a new index developed by a Toronto-based privacy firm.
Others that topped the list, which was divided into five market segments (telecommunications, banking, retail, insurance and consumer services), include SaskTel, TD Bank Financial Group, Indigo Books & Music, Aviva Canada and TransUnion Canada.
Founded in 2002 by company president Terry McQuay, Nymity Inc., which provides organizations with resources and training on privacy issues, created the National Privacy Policy Index four months ago to help companies assess and manage their privacy policies. To create the index, Nymity, which takes its name from the word ‘anonymity,’ consulted more than 130 best practice privacy policy considerations from various organizations including the Canadian Standards Association (CSA), the Canadian Institute of Chartered Accountants, the Office of the Privacy Commissioner of Canada, the U.S. Department of Commerce and the European Union.
“There are a lot of policies out there that have high level motherhood statements that really don’t address specifics related to what a company does with a consumer’s personal information,” said McQuay, adding that Nymity looked at between 100 and 300 companies’ policies. “You can spot them just like that. They’re short, they don’t say too much. We can blast through all kinds of those until we find a good one.”
According to Nymity experts, the four key components of the best privacy policies are accountability to consumers and to the Commissioner’s office, mitigation of business risks such as lawsuits and customer complaints, policies that build consumer trust, and compliance with privacy legislation.
Governed by the Canadian Radio-television Telecommunications Commission (CRTC), Bell Canada was subject to stringent customer information restrictions and rules long before the first incarnation of the federal Personal Information Protection and Electronic Documents Act (PIPEDA) came into effect in 2001. The full implementation of PIPEDA was rolled out to all Canadian businesses in January 2004.
“It was a natural extension for us to develop not only the privacy policy but as well as the more detailed code of information practices,” said Charles Giordano, associate director of privacy marketing strategy for Bell’s consumer division. Bell’s other divisions are enterprise and small business.
TransUnion Canada, which placed first in the consumer services category, has also been PIPEDA-compliant since 2001. The company provides services and support to consumers and businesses including credit reporting and fraud victim information.
“(Privacy) is really a key focus of our business,” said company president Ken Porter. “It’s just something that I didn’t want to pay lip-service to. You see a lot of one-liners out there about people’s commitment.”
TransUnion Canada is a fully owned subsidiary of TransUnion LLC, which is based in Chicago, and has a compliance group to lead quarterly training of all its associates that is monitored and led by a chief privacy officer.
Using the index, which is available to PrivaWorks subscribers free of charge, Nymity ranked the companies based on 10 areas of criteria, including accountability, safeguards and consent. Starting at $950 for an annual subscription, PrivaWorks is an online resource centre for privacy officers, lawyers and privacy consultants that helps them maintain compliance with regulations, alleviate potential privacy breaches, and reduce and better resolve customer complaints.
Consent was one of the key factors in assessing companies’ privacy policies, said McQuay. In a good privacy policy, for example, organizations will explain the forms of consent used, such as where they use implied consent, where they have expressed consent and how individuals can opt out of these consent mechanisms.
“We want companies to explain what individuals are consenting to, how long they are consenting for use of that information, who else is going to see information and how many different uses will it be used for,” said McQuay.
Bell, for example, has to obtain customer consent before it shares their information with its mobility division. The telco giant is currently building a process to collect that data.
“We’re old hat at that,” said Giordano, referring to consent practices. “The CRTC regulations prevent us from sharing customer information from our sister companies Bell to mobility.”
Every customer that comes on board with TransUnion Canada needs to have consent in order to pull information from a credit report, said Porter. TransUnion Canada, for example, does in-depth background checks on companies when setting up an account that includes a personal visit, bank check, reference check and audits.
“We made it so if you’re going to be a member of TransUnion and pull customer information you really have consent to do so,” said Porter.
Another area of the index’s criteria looks at individual access in terms of contact numbers, time frames and what an individual can and can’t ask for, according to Nymity. A customer, for example, must inform a company when they no longer want a piece of information to be used.
“We recommend in privacy policy not only the corporation’s obligations be laid out but also the customer’s obligations,” said McQuay. “Customers have responsibilities for safeguarding their information. A good policy will explain to a customer what they should do and how.”