Archive for the ‘PIPEDA’ Category

23 Jan 2012

On Data Privacy Day, think less is more.


Entry written by Heather Ormerod, Senior Communications Advisor, Office of the Privacy Commissioner of Canada.

Once a year, privacy advocates and enthusiasts around the world get the chance to collectively shine a spotlight on the issue of online privacy.

Data Privacy Day, celebrated annually on January 28, is an international celebration designed to promote awareness about privacy and education about best privacy practices. Granted, it doesn’t rank up there with Canada Day or Thanksgiving in terms of food, fun or festivity; nevertheless, it is a date worth circling on the calendar.

In this digital age, where our online activities can so easily be tracked, stored, shared and analyzed, and we are under constant pressure to share more and more personal information, we are all feeling a bit uneasy about all that personal data floating around in cyberspace.

It’s not that we want to turn our backs on the limitless potential of the Internet. We just need to figure out how we can all limit the potential for online personal information to be misused and abused.

The answer? When it comes to sharing personal information, think less is more.  

Once our personal information is on the Internet, we have very little control over who sees it, how it is used, or how long it will be available. By sharing less personal information, we can help limit our exposure and the risks of our personal information being misused, abused or disclosed without consent.

So, whether we are social networking, using an app on a mobile device, or signing up for discounts and deals, we need to think carefully about the personal information we are putting into cyberspace.

Less is more is also good advice for businesses and organizations that collect personal information. Collecting and holding excess data raises the risks for customers, but it is also costly for businesses because it increases the risk of data breaches, which can be damaging to businesses’ reputations and expensive to clean up.

This week, the Office of the Privacy Commissioner of Canada is pleased to join governments, privacy professionals, corporations, academics and students from around the world, in marking Data Privacy Day.

Our Office will be engaging in a number of activities in the week leading up to January 28, such as the launch of some new youth privacy tools, and presentations to youth, public servants, businesses and staff. The Office has also produced some new resources, such as posters and graphics, which can be used to raise awareness of privacy in any organization.

For more information on the Office’s Data Privacy Day activities and resources, go to our Data Privacy Day web page or http://www.priv.gc.ca/.


16 Dec 2011

Drawing the line between monitoring and tracking


Given the time of year, many Canadians are spending time in malls. 

By now, most have come to terms with the fact that security cameras survey nearly every corner of every store. 

This is well known – and if stores obey Canada’s private sector privacy law, they provide notice.

In short, if you’re out shopping, you’re informed that you’re on camera.

But now, how would you feel if there were people on the other side of the cameras, not simply monitoring to see what you might steal, but instead keeping tabs on the specific stores you visited … on the specific brands, styles, colours and sizes of clothes you tried on … on the magazines you leafed through at a newsstand … on what exactly you ordered from the food court … in addition to everything you actually bought from stores during your visit?

Copious notes would be recorded throughout and filed upon your exit. 

Upon returning, you would be recognized and new data would be entered into your file accordingly.

This may sound far-fetched, but something similar is happening regularly to eight in 10 Canadians aged 16 and older, according to Statistics Canada’s latest figures.

While it’s not actually happening to people browsing in malls, it is happening to most anyone browsing online, through a practice called behavioural advertising.

Online advertising used to consist of mini billboards that came up for everyone who visited a certain page or made a particular search query.

Today, increasingly, ads are based on profiles compiled on us by tracking our browsing activity over time. 

It’s usually carried out by third parties who follow users via cookies or web beacons.

These effectively lay a trail of digital bread crumbs, which are tracked and analyzed to determine your interests based on where and what you click and, in turn, which ads may interest you. Those ads are then effectively “beamed” onto pages when you visit.

Some people appreciate ads being tailored to them.

Others might feel like they’re browsing in that earlier-described mall.    

Either way, the information involved in this practice can identify individuals and will generally constitute personal information under Canada’s private sector privacy law.

As a result, individuals must be made aware of what’s happening when they browse and provide meaningful consent. 

If you were unaware of this practice, you’re not alone. In general, to find out you’re being tracked, you need to dig down deep into a typical website’s lengthy, legalistic privacy policy.

To be fair, this is a fairly new practice in the still evolving digital world. Some advertisers are making an effort to inform users and many may be unsure how to ply their trade in compliance with privacy law.

For example, what constitutes meaningful consent?

This is why my Office has just released new guidance which explains that “opt-out” consent may be used so long as some conditions are met.

First, individuals must be:

  • made aware of the purposes for the practice in a manner that is clear, obvious and understandable.  In other words, one shouldn’t have to hunt for it;
  • informed of these purposes at or before the time of collection and should be provided with information about the parties involved in the advertising; and
  • able to easily opt-out of the practice, ideally at or before the time the information is collected.

In addition, the opt-out should both take effect immediately and be persistent, while the information collected and used:

  • must be limited, to the extent practicable, to non-sensitive information (for example, avoiding sensitive data such as health information); and
  • should be destroyed as soon as possible or “anonymised,” so if someone gains access to it through say hacking, it can’t be used to identify specific individuals.

Further, the use of tracking techniques of which users are unaware and which they can’t decline, such as web bugs, web beacons and super cookies, should be avoided in the current context of behavioural advertising.

On top of this, websites specifically aimed at kids should not allow tracking for behavioural advertising, as it is difficult to obtain meaningful consent from children. 

Attention to this is needed as a recent report noted 40 percent of kids aged two to four have used a smartphone, tablet or video iPod.

All told, in the months to come, we’ll be watching the watchers to see that our guidance is being followed. 

And if we see troubling trends, we’ll take enforcement action.


14 Nov 2011

Is anything of value ever truly free?


Many people would tend to think of Internet content as being free.

And indeed, we can spend seemingly endless hours reading online news articles and watching YouTube videos, all without handing over a penny.

But is there a cost?

One might say that depends on how much you value your privacy.

One thing beyond dispute, however, is the fact that advertisers see immense value in the data trails we create when surfing the web.

Our IP address can reveal the city or region in which we live.

Our web traffic can provide a pretty strong sense of what we’re interested in, particularly if it shows we travel to the same sites regularly or even daily.

All this to say, once a site you visit provides you with a cookie, advertisers follow the trail of crumbs.

In the end, they target and tailor ads to your perceived interests, and those ads appear on various sites you visit.

Some may see benefits in this as they’d prefer being offered products and services that do indeed correspond to their interests.

Others may chafe at the thought of being ceaselessly monitored.

For anyone who wants to learn more about behavioural advertising, I invite you to click here to read our latest fact sheet.

And stay tuned. You’ll be hearing more from us on this in the weeks to come in the form of new information for organizations.


21 Oct 2011

Tips and Tools to Help Your Small Business Address Privacy


As a small business owner, you wear many hats. You’re the Chief Executive Officer, the Chief Financial Officer, the VP of Marketing and Sales. And of course, you’re also the Chief Information Officer and Chief Privacy Officer. While big business has the budget to keep legal advisers on retainer to deal with privacy issues, this isn’t a likely option for you.

This is one of the major reasons why the Office of the Privacy Commissioner has developed a suite of tools and resources over the years to help you meet your privacy obligations and build trust with your customers and clients. 

By running your business, you’re making an important contribution to the economy and your community. And it’s our pleasure to do what we can to make things easier for you. Speaking of which, listed below, you’ll find all of these tools in one place.

Cybersecurity for Small Business Articles:

Guidance for Small Businesses:

Online Tools:

Fact Sheets:


20 Oct 2011

Responding to privacy concerns


It is vital to give your customers a single point of contact at your organization to deal with privacy issues. Many unhappy consumers have approached the Office of the Privacy Commissioner of Canada upset that they could not find someone within a business who could answer their privacy questions.

No matter how hard you work at enhancing customer loyalty, there will be instances when your organization does not meet your customers’ expectations of privacy. The first step to ensuring customer satisfaction is to acknowledge privacy complaints promptly on receipt.

Give individuals access

Individuals have a right to know what kind of personal information you have about them. If you should receive a request, respond to the request as quickly as possible and no later than 30 days after receipt of the request. Explain how the information is or has been used and provide a list of any organizations to which the information has been disclosed. Give individuals access at minimal or no cost and make sure the requested information is understandable.

Provide recourse

Develop simple and easily accessible complaint procedures which inform complainants of their avenues of recourse. These include your organization’s own complaint procedures, those of industry associations, regulatory bodies and the Office of the Privacy Commissioner of Canada. Correct any inaccurate personal information or modify policies and procedures based on the outcome of the complaint, and ensure that staff in the organization are aware of any changes to these policies and procedures. Notify individuals of the outcome of investigations clearly and promptly, informing them of any relevant steps taken.

Educate your employees regularly

Your organization’s privacy policy is a critical tool to safeguard your customers’ personal information. It is your responsibility to ensure your employees are aware of your company’s policy and the circumstances under which they may and may not collect, use or disclose customer information—and that they understand the reasons for collecting information.

Handling a complaint fairly and appropriately may help to preserve or restore the individual’s confidence in your organization and help you maintain a positive reputation among the public.

For more information, go to our Guide for Businesses and Organizations.

To access small business tools developed by the Office of the Privacy Commissioner of Canada, click on: http://www.priv.gc.ca/resource/sbw/2011/index_e.cfm


19 Oct 2011

Building a Privacy Policy


Private sector privacy legislation requires organizations to build privacy policies that outline how they collect, use and disclose their customers’ personal information. That process need not be difficult. Below is a checklist of actions that represent some of the key elements for compliance with the federal law. While the list is not exhaustive, it will help build the essential elements of your new privacy policy.

Keep it simple.
Your policy should be clear, concise and written in plain language so it is easy to understand. It should provide enough details to help your customers understand how you manage their information.

Review other privacy policies.
Online you can find policies of organizations similar to yours. Although our office does not endorse specific privacy policies, we have found that the financial services sector and telecommunications companies have mature policies worth emulating. Gain more insight into the requirements of your privacy policy by reviewing the principles in Schedule 1 of PIPEDA, which can be found online at priv.gc.ca.

Collect only what you need.
You can collect only information that is needed for your business purposes—for example, to manage a commercial relationship and provide ongoing service, to bill and collect for products or services, to market to individuals, and to meet legal and regulatory requirements.

Be open about when personal information may be disclosed.
You must indicate in your policy if you intend to disclose customer information to an affiliate or partner organization, or any other third party. You needn’t necessarily name each organization, but provide a general idea of the types of companies in question. And you must give your customers the opportunity to consent.

Tell customers when information will be stored outside of Canada.
The use of a third-party information processor, such as a company that provides payroll services, increases the likelihood that information under your control will be stored outside Canada. You must be open with your customers about this possibility.

Be open about how you safeguard information.
The risk of identity theft and other unauthorized uses of personal information is always present and ever changing. It’s critical to keep the personal information in your care safe and secure. Customers and employees will appreciate your candour about how you intend to protect their information from such abuses.

Let customers know how long you will keep information.
PIPEDA requires that you keep personal information only for as long as it is needed to fulfill your purposes. If legislation such as the Income Tax Act authorizes you to store personal information over a long period, consider disclosing that in your privacy policy.

Consider employees separately.
Typically, organizations’ purposes for collecting, using and disclosing employee information are to administer payroll, pension, benefit and departure provisions; to provide employee programs; to manage company property; and to hire and retain a highly skilled workforce. Because these purposes are different than those for collecting customers’ information, they warrant a separate section in your privacy policy.

Make yourself available for questions.
Let individuals know how to contact your organization for privacy information, either through email or through a toll-free number. Also, tell customers they can contact the Office of the Privacy Commissioner at 1 800 282-1376 if they are unsatisfied with your response to their privacy concern.

In tomorrow’s blog post we will discuss your responsibilities when it comes to privacy complaints.

To access small business tools developed by the Office of the Privacy Commissioner of Canada, click on: http://www.priv.gc.ca/resource/sbw/2011/index_e.cfm


18 Oct 2011

Small business tool to strengthen personal data security


The federal, Alberta and British Columbia Privacy Commissioners have created an online tool that will help small and medium-sized businesses better safeguard the personal information of customers and employees.

The Securing Personal Information: A Self-Assessment Tool for Organizations is a detailed online questionnaire and analysis tool that helps organizations gauge how well they are protecting personal information, in keeping with the applicable private-sector privacy law.

The tool is comprehensive and detailed, but also offers users the flexibility of focusing on areas most relevant to their own enterprise. The self-assessment and analysis process results in a framework that organizations can use to systematically evaluate and improve their data-security practices.

The Securing Personal Information Self-Assessment Tool is available via the commissioners’ websites: www.priv.gc.ca; www.oipc.ab.ca; and www.oipc.bc.ca.

To access all of the small business tools developed by the Office of the Privacy Commissioner of Canada, click on: www.priv.gc.ca/resource/sbw/2011/index_e.cfm


22 Sep 2011

PIPEDA and Your Practice — A Privacy Handbook for Lawyers


PIPEDA and Your Practice — A Privacy Handbook for Lawyers was launched by the Office of the Privacy Commissioner of Canada at the Canadian Bar Association Canadian Legal Conference and Expo 2011. This new handbook explains how the Personal Information Protection and Electronic Documents Act (PIPEDA) relates to the everyday practice of Canadian lawyers in the private sector.

PIPEDA covers the collection, use and disclosure of personal information in the course of commercial activities. Like other organizations in Canada, lawyers and law firms in private practice must comply with these or other requirements of applicable privacy legislation in their jurisdictions.

“While lawyers may be familiar with privacy laws in general, they may benefit from some concrete guidance on how to apply the laws to their own practice,” says Patricia Kosseim, General Counsel for the Office of the Privacy Commissioner of Canada. “Canadian lawyers have a leadership opportunity to serve as exemplars of ethical and respectful conduct on behalf of their profession and the clients they serve.”

PIPEDA and Your Practice—A Privacy Handbook for Lawyers was written by lawyers for lawyers. It explains how PIPEDA relates to the everyday practice of Canadian lawyers in the private sector.

Read the handbook for more information on:

  • Practical privacy issues that arise in the day to day management of a law practice
  • How to uphold best privacy practices in the course of litigation

The handbook is available at PIPEDAhandbookforlawyers.priv.gc.ca.


3 May 2011

New privacy self-assessment tool for organizations


On our website this week, we’re launching a new online tool to help businesses better safeguard customer and employee information.

It features a detailed online questionnaire and analysis tool that helps organizations gauge how well they are protecting personal information, in keeping with the applicable private-sector privacy law.

Developed jointly by the federal, Alberta and British Columbia privacy commissioners’ offices, the tool can be used by any private-sector organization, particularly small and medium-sized businesses.

Try it out yourself here.


18 Oct 2010

Size Doesn’t Matter, Privacy Does – A Tool for Small Businesses


In today’s technology-driven, ever-connected world, privacy can be difficult to come by, and equally difficult to ensure. This is true not only in terms of what kind of information you should share, but also in terms of what kind of information you should collect. For small businesses, this task can be especially daunting because it is not always viable to have a specific team (or person) solely dedicated to determining what kind of information should be collected.

The Office of the Privacy Commissioner of Canada has created a tool that can help small businesses achieve their privacy goals and draft a privacy policy suitable for their organization. The tool provides a range of questions that deal with what sort of information a small business collects from its customers or clients, and then considers what sort of information is necessary for the organization’s purposes. This can help reduce the amount of consumer information the business collects, as well as pinpoint the types of information that are necessary to include in a privacy policy.

The tool provides a basic diagnostic analysis based on the answers the respondent provides. It then uses those answers to determine the current state of information collection and protection in the business, and ultimately provides guidance in terms of things to consider regarding sensitive information. Once the questionnaire is completed, the tool creates a “Privacy Plan” for the small business, which includes:

  • An information audit of the business
  • Consent provisions required specifically for the business
  • A security plan
  • A sample privacy brochure for customers
  • A training needs assessment

If you have a small business, are thinking of starting one, or are just genuinely curious, we encourage you to give this tool a try! (Located here).