Many companies have detailed privacy rules to protect the personal information of customers and employees. But unless the protocols are enforced they aren’t worth the paper they’re written on.
That was the Data Privacy Day message from Brent Homan, deputy commissioner for compliance at the Office of the Privacy Commissioner of Canada (OPC).
“It’s not enough to have protocols,” he said in an interview. “You’ve got to live it.”
“Many times we looked at the processes and the policies and we thought, ‘Looks good, looks great.’ But the problem is, it wasn’t followed. It wasn’t implemented.”
“While we’ve seen that many organizations may appear to have a robust privacy framework in place, when placed under regulatory scrutiny more often than we would like to see we find the framework is sometimes illusory, and the dynamic responsibilities — including the monitoring and the steering necessary to make to make the framework work — are simply not there.”
The federal privacy commissioner oversees enforcement of the Personal Information Protection and Electronic Documents Act (PIPEDA), which covers federally regulated industries such as financial institutions, telecom companies, and transportation firms.
Homan drew several examples of investigations from the latest Privacy Commissioner’s annual report to Parliament:
- a cellular customer of Rogers Communication’s Fido service discovered a fraudster had accessed and changed the personal information on his account more than once. This happened even after the complainant added a security PIN number and secret questions to the account to stop unauthorized access. The fraudster was persuasive enough that Fido staff “bypassed” rules to prevent that from happening.
“It’s an example of how it’s important that organizations implement measures to ensure that employees are following their authentication policies,” said Homan, “particularly in cases like this where employees may have non-compatible pressures — such as meeting sales targets — that could, perhaps, tempt them to by-pass protocols;” - an individual was dismayed to realize a help desk technician at a small computer support firm used pre-installed remote access software to access his laptop without his consent. On investigation by the OPC the computer services company said the technician obtained express oral consent to use remote access software. However, the company was unable to prove it. In addition, the commission investigator found the company didn’t have safeguards to prevent technicians from accessing sensitive information on customers’ computers.
Homan gave a third example from a 2014 investigation of Microsoft Canada, which, he said had a strong privacy management program:
- a Microsoft customer wanted their old email address deleted from its records, but found no one could do it. The customer felt Microsoft wasn’t complying with his request. An OPC investigation found none of the customer service reps — who worked for an outside company — had been trained to recognize privacy issues and refer them to Microsoft’s privacy response centre. Nor had the reps in the privacy response centre been trained to escalate unresolved privacy issues to Microsoft’s Privacy Office — and the Privacy Office did not proactively monitor the privacy response centre. “As such,” said the report, “the Microsoft Privacy Office was not in any practical sense accountable for the Privacy Response Center’s handling of customers’ privacy issues.”
These three complaints were all resolved.
“We believe there are good largely faith efforts by business to uphold customers’ privacy,” said Homan “It is not so much that businesses are not complying, but — especially with small businesses — many are simply not aware of all their obligations under PIPEDA. There might be an understanding of key privacy concepts such as obtaining consent or the need to safeguard [customers’ and employees’] personal information, but there might be a lack of internal expertise to fully understand how to meet all of the fair information principles.” These principles cover the fair collection and use of sensitive data.
For example, he said, not all businesses have a formal process for handling complaints. Nor, he added, do all firms — especially small ones — have an individual or team responsible for privacy issues, such as a data privacy officer.
Small firms don’t need to have a privacy department, Homan said, but at least they should have someone responsible for privacy issues.
Whoever that person(s), Homan said, their job should include
- being up to date on federal or provincial privacy legislation and applicable policy guidelines;
- developing a robust and comprehensive corporate data privacy policy;
- providing training to all staff on privacy and data security;
- drafting and managing contracts with third parties handling the company’s sensitive data to ensure consistency with the firm’s information handling policy.
To assist companies with their privacy initiatives, the OPC has a business advisory division and a website with guidance for firms.
Homan also stressed the importance of senior managers showing they take data privacy seriously, including having a data privacy officer who has a seat with other members of the C-suite.
“Accountability starts at the top,” he said. “It starts at the C-level and ensuring it [data privacy] is not something in an email thrown around each year.”
“What we don’t want to see,” he added, “is fantastic ‘Centres of Expertise’ in organizations with respect to privacy — but compliance stops there. Make sure there is engagement [by management] and front-line staff are excited and are apprised of their obligation to follow the protocols developed by their centre of privacy expertise.
“It’s the difference between knowing what to do, and doing what you have to do to respect individuals’ privacy.”