Privacy is the next big business imperative, and now it can be tested with a free self-assessment guide – the Privacy Diagnostic Tool (PDT), unveiled recently by Ontario Information and Privacy Commissioner Ann Cavoukian.
“There is no more business as usual. The PDT is a self-administered diagnostic tool that provides a snapshot of an organization’s privacy posture and creates a roadmap of what it needs to do to meet international privacy standards. Privacy is an ongoing and dynamic process,” Cavoukian said.
The PDT addresses 10 principles based on internationally recognized fair information practices such as accountability, consent, security safeguards, and individual access. Each principle relates to a series of questions to which users (based on current practices) answer yes or no. The self-assessment guide then notes the risks involved with non-compliance and alerts users to the best practices associated with each principle.
Jointly developed by the Information and Privacy Commission of Ontario and security and privacy experts from Toronto-based firms PricewaterhouseCoopers and Guardent, the PDT helps companies to assess personal information management policies and allows consumers to investigate the privacy policies of prospective businesses. Personal information includes name, address, gender, age, income, medical files and transactional or behavioural information.
“The PDT is more about best practice rather than basic compliance,” said Michael Deck, privacy director for PricewaterhouseCoopers Global Risk Management Services.
In 2000, online sales accounted for only 0.4 per cent of Canadian business revenue, Cavoukian noted. Consumer mistrust of online security is growing and any company that collects or discloses personal information should consider using the PDT, Cavoukian said.
The PDT will allow Canadian businesses to examine and strengthen their privacy policies, said Peter Cullen, corporate privacy officer for Royal Bank Financial Group in Toronto.
However, Cavoukian said the tool is not compliant with current or pending privacy legislation and is not designed to provide a detailed privacy audit.
“The PDT should be considered a gauge of privacy readiness and should complement current business privacy policies. Completing the PDT is a first step for compliance with most privacy statutes,” she said.