With so many legislative and sectoral initiatives dealing with informational privacy, becoming and remaining “Privacy Compliant” presents unique challenges. The first of which is: “With which legislation should I comply?” Fortunately, most of the legislation is based upon the OECD guidelines. The following list, compiled from various legislative, regulatory and guidance documents, provides a generic set of issues that should be considered.
· Data collection must be lawful and fair
· Data must be collected for a specific, disclosed purpose
· Collection must be agreed to by the individual
· Data must be accurate, timely and relevant for the purpose
· Data must not be capable of being used to allow discrimination
· Data must be protected and secure
· The individual must have the right to access, rectify or delete his or her personal information
· Trans-border data flow restrictions must safeguard the individual’s information
· Restrictions on future use and disclosure
· Restrictions on retention and destruction
· Identifiable person to contact
· Published information privacy policies and procedures
Ten Items You Should Address
Considering the requirement for protection of personal information, there are a number of activities that should be undertaken.
We have listed ten that represent activities that will assist in making your entity “Privacy Compliant.”
1. Make Someone Responsible
In Europe that person is called the Data Controller; in Canada, the Privacy Compliance Officer; and in the United States, most likely the Chief Privacy Officer. Regardless of the title, someone should be charged with the responsibility for informational privacy on an enterprise-wide basis.
This individual, supported by a department if necessary, will be responsible for the entity’s day-to-day collection and processing of personal information as well as overseeing the organization’s compliance with informational privacy policies and regulatory requirements. The individual or department, and how to contact them, should be made known, either through publication in the entity’s marketing materials and other information, or upon request.
In most privacy legislation and regulations, the entity is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The privacy compliance officer is also responsible for ensuring the adequacy of safeguards over information held by a third party. Most often this can be accomplished through contractual or other means to ensure a comparable level of protection while the information is being processed by a third party.
Finally, the privacy compliance officer should be responsible for ensuring appropriate informational privacy policies and practices are implemented including:
· Developing procedures to protect personal information;
· Establishing procedures to receive and respond to complaints and inquiries;
· Training staff and communicating to staff information about the organization’s policies and practices; and
· Developing information to explain the organization’s policies and procedures.
2. Create a Privacy Policy
Creating, promulgating and complying with an enterprise-wide informational privacy policy is essential to ensuring that legislation, regulations and marketplace expectations are met.
The privacy policy should inform employees as well as customers, business partners and others, of the enterprise’s policies governing the collecting, storing, using, sharing and destroying of personal information as well as the systems and procedures designed to safeguard that information.
The privacy policy should form the basis of the entity’s privacy initiatives and its communication of those initiatives internally and externally. The policy should include, among others:
· Reference to the entity’s structure and the individuals (positions) responsible.
· The authority of the individual
· The reporting structure
· The scope of the policy
· Reference to specific legislation addressed by the policies
· Guidance for specific instances or circumstances
· General terms and conditions under which information will be collected, stored, processed, archived, used, disclosed and destroyed.
· Internal procedures for dealing with customer or employee complaints against the privacy policy
· Education and training
· Customer awareness
· Consent and confirmation for the collection and use of personal information
· Accuracy of the personal information collected and retained
· Safeguarding of personal information
· Dealing with court orders for access to personal information
· Dealing with other governments or legislators
In addition to the entity being open about its policies and practices with respect to the management of personal information, data subjects should be able to acquire information about an entity’s policies and practices without unreasonable effort.
This information should be made available in a form that is generally understandable. For example, Canadian personal information protection legislation requires that this information include:
· The name or title, and the address, of the person who is accountable for the organization’s policies and practices and to whom complaints or inquiries can be forwarded;
· The means of gaining access to personal information held by the entity;
· A description of the type of personal information held by the entity, including a general account of its use and a copy of any brochures or other information that explain the organization’s policies, standards, or codes; and
· What personal information is made available to related entities (e.g., corporate subsidiaries).
Informational privacy policies should be reviewed on a regular basis. When new legislation or regulations are enacted, their impact should be assessed and their requirements reflected in the entity’s personal information policies.
This will ensure continued alignment of the policies with legislative and regulatory requirements.
Look for part three next week. It ventures into many more items on getting your company compliant with PIPEDA.