Data Privacy Week is a period when organizations should reflect on whether they are at least doing the basics, says British Columbia’s privacy czar.
“The basic fundamentals” are what privacy pros need to be pondering this week, Michael McEvoy, B.C.’s information and privacy commissioner, said in an interview. “Which,” he added, “you have to be thinking about all the time.
“When you are putting together a new product, or considering a new marketing tool, or anything of that kind, you need to be thinking about the personal information you’ll be collecting about patients, clients, customers, and how you’re going to protect it, how you’re going to use it and how you’re going to be transparent to your customers.
“People are far more aware of these issues than they were 10 years ago. They are far more sensitive about how their personal information can be used, and misused. And if you misuse it, you’re quickly going to lose the trust of those customers, clients and patients. So you have to think about these issues — and you have to think about them at the outset [of a project], not as an afterthought.”
This is a time when many innovative companies are pushing new technologies to corporate buyers, he said, such as facial recognition and artificial intelligence applications. But before organizations jump into new technologies, they have to ask whether they will serve their clients well and build trust with customers.
As an example, he cited a case his office handled of “a large retailer” in B.C. that used a facial recognition application to reduce shoplifting. It collected images of everyone who walked into stores and compared them to images of known shoplifters. As soon as management learned the privacy commissioner was investigating in November 2021, they pulled the systems and wiped the servers.
“Had they thought about some of these issues at the beginning, I don’t think they would have gone down that path,” McEvoy said.
He didn’t name the company, but it was a reference to four independently owned Canadian Tire affiliate stores. Last year McEvoy ruled the stores didn’t adequately notify customers and did not obtain consent for the collection of personal information using facial recognition technology.
Asked if companies just don’t think about some things they do, or deliberately want to test the limits of privacy law, he replied, “My experience as commissioner is for the most part organizations want to do the right thing. And sometimes they will come to us, not sure if they are doing the right thing.” His office can’t give legal advice but does give guidance.
The best privacy action any organization can take is to create a privacy management program, he said. That doesn’t apply to just large firms, he added, because even small companies can collect a lot of personal information.
A privacy management program sets up a data privacy governance structure with processes employees have to follow — and includes measures to ensure they are being followed.
Senior management must actively champion the privacy program, according to guidance from three of the country’s privacy commissioners: “When senior management is committed to ensuring that the organization is compliant with privacy legislation, the program will have a better chance of success, and a culture of privacy will more likely be established.”
A data management program starts with the firm doing an inventory of all of the personal information it holds and categorizing it by sensitivity. When McEvoy’s office gets data breach reports, the first question asked is what information was breached. “You’d be surprised at the number of organizations that don’t have a good handle on exactly what they have,” he said.
A data inventory should lead to the creation of a data access policy, which restricts access to sensitive data to only those who need it.
Management also needs to decide why it is collecting, using, and disclosing data.
Then it has to develop internal policies to respect the principles in private-sector privacy legislation that the firm has to follow in each jurisdiction. That includes a policy on following data breach notification requirements to customers and/or a regulator.
Firms should conduct a privacy risk assessment of their data handling processes at least once a year.
Most of the incidents his office investigates could have been avoided, McEvoy said, had data been properly secured.
“That’s a hard lesson lots of organizations learn after the fact,” he said. Sometimes they didn’t want to spend the money. “But what is often not thought about is cost on the other side: what happens when things go wrong? What is the cost of that?”
Usually it’s far more worthwhile to spend on protecting data upfront than to pay for the costs of cleaning up after a privacy incident, he said. “Most cases are far more costly than any protection system you would have put in place.”