Application of Privacy Schemes
Beyond meeting statutory requirements, organizations can treat the implementation of a privacy scheme as a useful tool for building trust among employees and consumers. Readily available and transparent systems will likely raise the confidence of individuals who deal with the organization, which is good for business. Consumers will likely appreciate companies with clear and effective privacy policies. Businesses can expect that implementing transparent dispute resolution programs, employing an accessible privacy officer, and instituting a means for individuals to independently verify the personal information held about them will prove beneficial in the long term.
Implementation
Initial Steps
1. Designate a Privacy Officer, or another individual, who will bear responsibility for dealing with privacy matters for the organization. Depending on the size of the organization, this individual may be employed solely to deal with privacy. In a smaller organization, the role may fall to a manager or another individual with knowledge of, and access to, the organization’s information.
2. The designated Privacy Officer should take an inventory of all personal information handling practices, including ongoing activities and new initiatives. The following checklist may help to create the inventory by asking questions such as:
- What personal information is collected?
- Why is it collected?
- How is it collected?
- What is it used for?
- Where is it kept?
- Who has access?
- What security measures are used?
- To whom is it disclosed?
- When is it disposed of?
A more detailed checklist and tool for taking an inventory and designing a compliance scheme is available at www.bht.com/news/content/privacy_spreadsheet.xls. Excel tooltips in the row headers explain the purpose of each row.
Designing a Privacy Compliance Scheme
3. After completing the inventory of current privacy practices, the Privacy Officer should determine what resources are needed for developing, implementing and maintaining a privacy compliance system. When adequate resources are available, the Privacy Officer should:
- prepare privacy policies and procedures, and communicate them to employees;
- train staff to manage and protect the privacy of personal information; and
- develop appropriate documents for disseminating information on privacy policies and prepare forms for responding to enquiries and complaints.
Where a high level of risk exists, a specific objective or set of objectives may also have to be established. In that case it may be important to identify the consequences of failing to meet those objectives, and to specify the control measures needed to prevent unacceptable risks, to manage and monitor acceptable risks, and to mitigate unexpected risks. Where the ramifications of failing to comply with privacy legislation may be significant, it would be prudent to consult professional advisors.
Implementing a Privacy Scheme
4. Develop and implement privacy policies and procedures. This includes readily available and transparent policies and practices which deal with:
- principles of information practices;
- obtaining consent for the collection, use and disclosure of personal information;
- how, when and why personal information is collected, used and disclosed;
- limiting use and disclosure;
- dealing with appropriate retention and destruction;
- dealing with requests for access to personal information;
- accountability;
- maintaining accuracy and correcting personal information; and
- implementing safeguards.
5. Develop and maintain an effective internal system for tracking the collection, use and disclosure of personal information, including employee personal information. Organizations must, on request, provide any individual (including an employee) with the information the organization holds about that person, together with an explanation of how the information has been used and to whom it has been disclosed. It will therefore be very important for organizations to manage their data trails effectively.
Follow up
6. Regularly monitor and review the privacy compliance system to ensure that it is working effectively to protect the privacy of personal information and to reduce risks to the organization.
Reprinted with permission from Bull, Housser & Tupper.