Privacy is the next business imperative, and now it can be tested with a free self-assessment guide – the Privacy Diagnostic Tool (PDT), unveiled last month by Ontario Information and Privacy Commissioner Ann Cavoukian.
“There is no more business as usual. The PDT is a self-administered diagnostic tool that provides a snapshot of an organization’s privacy posture and creates a roadmap of what it needs to do to meet international privacy standards. Privacy is an ongoing and dynamic process,” Cavoukian said.
Jointly developed by the Information and Privacy Commission of Ontario and security and privacy experts from Toronto-based firms PricewaterhouseCoopers and Guardent, the PDT helps companies to assess personal information management policies and allows consumers to investigate the privacy policies of prospective businesses. Personal information includes name, address, gender, age, income, medical files and transactional or behavioural information.
“The PDT is more about best practice rather than basic compliance,” said Michael Deck, privacy director for PricewaterhouseCoopers Global Risk Management Services.
In 2000, online sales accounted for only 0.4 per cent of Canadian business revenue, Cavoukian noted. Consumer mistrust of online security is growing and any company that collects or discloses personal information should consider using the PDT, Cavoukian said.
“Privacy is needed for e-commerce to thrive – restrictions must be placed on the ability to share consumer information without consent,” she said.
The PDT will allow Canadian businesses to examine and strengthen their privacy policies, said Peter Cullen, corporate privacy officer for Royal Bank Financial Group in Toronto.
“The tool addresses customer concerns while still allowing businesses to grow,” Cullen said.
The PDT addresses 10 principles based on internationally recognized fair information practices such as accountability, consent, security safeguards, and individual access. Each principle relates to a series of questions to which users (based on current practices) answer yes or no. The self-assessment guide then notes the risks involved with non-compliance and alerts users to the best practices associated with each principle.
However, Cavoukian said the PDT is not compliant with current or pending privacy legislation and is not designed to provide a detailed privacy audit.
“The PDT should be considered a gauge of privacy readiness and should complement current business privacy policies. Completing the PDT is a first step for compliance with most privacy statutes,” she said.