You Might be Interested In

Many people would tend to think of Internet content as being free.

And indeed, we can spend seemingly endless hours reading online news articles and watching Youtube videos, all without handing over a penny.

But is there a cost?

One might say that depends on how much you value your privacy.

One thing beyond dispute however, is the fact that advertisers see immense value in the data trails we create when surfing the web.

Our IP number can reveal the city or region in which we live.

Our web traffic can provide a pretty strong sense of what we’re interested in, particularly if it shows we travel to the same sites regularly or even daily.

All this to say, once a site you visit provides you with a cookie, advertisers follow the trail of crumbs.

In the end, they target and tailor ads to your perceived interests which appear on various sites you visit.

Some may see benefits in this as they’d prefer being offered products and services that do indeed correspond to their interests.

Others may chafe at the thought of being ceaselessly monitored.

For anyone who wants to learn more about behavioural advertising, I invite you to click here to read our latest fact sheet.

And stay tuned. You’ll be hearing more from us on this in the weeks to come in the form of new information for organizations

As a small business owner, you wear many hats. You’re the Chief Executive Officer, the Chief Financial Officer, the VP of Marketing and Sales. And of course, you’re also the Chief Information Officer and Chief Privacy Officer. While big business has the budget to keep legal advisers on retainer to deal with privacy issues, this isn’t a likely option for you.

This is one of the major reasons why the Office of the Privacy Commissioner has developed a suite of tools and resources over the years to help you meet your privacy obligations and build trust with your customers and clients. 

By running your business, you’re making an important contribution to the economy and your community. And it’s our pleasure to do what we can to make things easier for you. Speaking of which, listed below, you’ll find all of these tools in one place.

Cybersecurity for Small Business Articles:

• Steps toward stronger cybersecurity for your business

Guidance for Small Businesses:

• A Guide for Businesses and Organizations
• Privacy Guide for Small Businesses: The Basics
• Guidelines for Processing Personal Data Across Borders

Online Tools:

• Privacy for Small Business online tool
• Securing Personal Information: A Self-Assessment Tool for Organizations

 Fact Sheets:

• Complying with the Personal Information Protection and Electronic Documents Act
• Determining the appropriate form of consent under the Personal Information Protection and Electronic Documents Act
• Privacy Legislation in Canada
• Truncated Credit Card Numbers – Why stores should print only partial credit card information on customer receipts
• Businesses and Identity Theft
• Organizations’ Guide to Complaint Investigations under the Personal Information Protection and Electronic Documents Act
• Best Practices for the use of Social Insurance Numbers in the private sector
• Introduction to cloud computing

It is vital to give your customers a single point of contact at your organization to deal with privacy issues. Many unhappy consumers have approached the Office of the Privacy Commissioner of Canada upset that they could not find someone within a business who could answer their privacy questions.

No matter how hard you work at enhancing customer loyalty, there will be instances when your organization does not meet your customers’ expectations of privacy. The first step to ensuring customer satisfaction is to acknowledge privacy complaints promptly on receipt.

Give individuals access

Individuals have a right to know what kind of personal information you have about them. If you should receive a request, respond to the request as quickly as possible and no later than 30 days after receipt of the request. Explain how the information is or has been used and provide a list of any organizations to which the information has been disclosed. Give individuals access at minimal or no cost and make sure the requested information is understandable.

Provide recourse

Develop simple and easily accessible complaint procedures which inform complainants of their avenues of recourse. These include your organization’s own complaint procedures, those of industry associations, regulatory bodies and the Office of the Privacy Commissioner of Canada. Correct any inaccurate personal information or modify policies and procedures based on the outcome of the complaint, and ensure that staff in the organization are aware of any changes to these policies and procedures. Notify individuals of the outcome of investigations clearly and promptly, informing them of any relevant steps taken.

Educate your employees regularly

Your organization’s privacy policy is a critical tool to safeguard your customers’ personal information. It is your responsibility to ensure your employees are aware of your company’s policy and the circumstances under which they may and may not collect, use or disclose customer information—and that they understand the reasons for collecting information.

Handling a complaint fairly and appropriately may help to preserve or restore the individual’s confidence in your organization and help you maintain a positive reputation among the public.

For more information, go to our Guide for Businesses and Organizations.

To access small business tools developed by the Office of the Privacy Commissioner of Canada, click on: http://www.priv.gc.ca/resource/sbw/2011/index_e.cfm

Private sector privacy legislation requires organizations to build privacy policies that outline how they collect, use and disclose their customers’ personal information. That process need not be difficult. Below, is a checklist of actions that represent some of the key elements for compliance with the federal law. While the list is not exhaustive, it will help build the essential elements of your new privacy policy.

Keep it simple.
Your policy should be clear, concise and written in plain language so it is easy to understand. It should provide enough details to help your customers understand how you manage their information.

Review other privacy policies.
Online you can find policies of organizations similar to yours. Although our office does not endorse specific privacy policies, we have found that the financial services sector and telecommunications companies have mature policies worth emulating. Gain more insight into the requirements of your privacy policy by reviewing the principles in Schedule 1 of PIPEDA, which can be found online at priv.gc.ca.

Collect only what you need.
You can collect only information that is needed for your business purposes—for example, to manage a commercial relationship and provide ongoing service, to bill and collect for products or services, to market to individuals, and to meet legal and regulatory requirements.

Be open about when personal information may be disclosed.
You must indicate in your policy if you intend to disclose customer information to an affiliate or partner organization, or any other third party. You needn’t necessarily name each organization, but provide a general idea of the types of companies in question. And you must give your customers the opportunity to consent.

Tell customers when information will be stored outside of Canada.
The use of a third-party information processor, such as a company that provides payroll services, increases the likelihood that information under your control will be stored outside Canada. You must be open with your customers about this possibility.

Be open about how you safeguard information.
The risk of identity theft and other unauthorized uses of personal information is always present and ever changing. It’s critical to keep the personal information in your care safe and secure. Customers and employees will appreciate your candour about how you intend to protect their information from such abuses.

Let customers know how long you will keep information.
PIPEDA requires that you must keep personal information only for as long as it is needed to fulfill your purposes. If legislation such as the Income Tax Act authorizes you to store personal information over a long period, consider disclosing that in your privacy policy.

Consider employees separately.
Typically, organizations’ purposes for collecting, using and disclosing employee information are to administer payroll, pension, benefit and departure provisions; to provide employee programs; to manage company property; and to hire and retain a highly skilled workforce. Because these purposes are different than those for collecting customers’ information, they warrant a separate section in your privacy policy.

Make yourself available for questions.
Let individuals know how to contact your organization for privacy information, either through email or through a toll-free number. Also, tell customers they can contact the Office of the Privacy Commissioner at 1 800 282-1376 if they are unsatisfied with your response to their privacy concern.

In tomorrow’s blog post we will discuss your responsibilities when it comes to privacy complaints.

To access small business tools developed by the Office of the Privacy Commissioner of Canada, click on: http://www.priv.gc.ca/resource/sbw/2011/index_e.cfm

The federal, Alberta and British Columbia Privacy Commissioners have created an online tool that will help small and medium-sized businesses better safeguard the personal information of customers and employees.

The Securing Personal Information: A Self-Assessment Tool for Organizations is a detailed online questionnaire and analysis tool that helps organizations gauge how well they are protecting personal information, in keeping with the applicable private-sector privacy law.

The tool is comprehensive and detailed, but also offers users the flexibility of focusing on areas most relevant to their own enterprise. The self-assessment and analysis process results in a framework that organizations can use to systematically evaluate and improve their data-security practices.

The Securing Personal Information Self-Assessment Tool is available via the commissioners’ websites: www.priv.gc.ca; www.oipc.ab.ca; and www.oipc.bc.ca.

To access all of the small business tools developed by the Office of the Privacy Commissioner of Canada, click on: www.priv.gc.ca/resource/sbw/2011/index_e.cfm

Understanding how best to manage and protect personal information can be a difficult task for small businesses, so we hope our new mini-quiz will help to identify some issues that organizations need to be aware of.

Because the questions are randomly selected from a repository of questions, you can take the quiz over and over without it becoming repetitive. So take a moment and go through the quiz a few times! We have also linked the answers to related documents on our website so you can easily find out more information on that particular question.

Since there are always new privacy issues emerging, we hope to continue to update this quiz in the future and add new questions.  And we want feedback – this tool is meant for all of you, so let us know what issues you would like the quiz to cover.

Once again, students from the Encounters with Canada program have selected the winners of our annual student video contest! Here are the winners for our 2009 competition:

The three top video artists in the live action category were:

1^st place: Jeffery Burge, Vanessa Caicedo, Alexandra Georgaras, Gareth Imrie and Fiona Sauder of Canterbury High School in Ottawa, Ontario, with a video titled “Think Before You Click”. They win a $100 gift card and an iPod Touch.

2^nd place: David Borish and Mory Kaba of Glebe Collegiate Institute in Ottawa, Ontario, with a video titled “Friend or Foe”. They win a $250 gift card.

3^rd place: Jennifer Paul from Brampton, Ontario, with a video titled “Too Good to be True”. She wins a $150 gift card.

The three top video artists in the animation category were:

1^st place: Tyler Ford and Matthew Kerr of Osgoode Township High School in Metcalfe, Ontario, with a video titled “Privacy: Think Before You Click”. They win a $100 gift card and an iPod Touch.

2^nd place: Rebecca Kartzmart and Emily Patterson of Osgoode Township High School in Metcalfe, Ontario, with a video titled “Carol the Carrot”. They win a $250 gift card.

3^rd place: Scott Piper of Osgoode Township High School in Metcalfe, Ontario, with a video titled “Privacy Matters”. He wins a $150 gift card.

The three top video artists in the French video category were:

1^st place: Benjamin Dion-Weiss of l’École secondaire publique De La Salle in Ottawa, Ontario, with a video titled “Le réseautage social d’après le Comte Hackula”. He wins a $100 gift card and an iPod Touch.

2^nd place: Stéphanie Lemieux and Emily Vendette of l’École secondaire catholique Embrun in Embrun, Ontario, with a video titled “Le Journal de Lisa”. They win a $250 gift card.

3^rd place: Cosmo Darwin of l’École secondaire publique De La Salle in Ottawa, Ontario, with a video titled “Trouvée & Perdu”. He wins a $150 gift card.

The three top video artists in the Junior category were:

1^st place: Mackenzie Giffen, Chris Johnstone, Chris Nattrass, Curtis Sookhoo and Gabriel Zingle of F.R. Haythorne Junior High in Sherwood Park, Alberta, with a video titled “The Spanish Lottery”. They win a $100 gift card and an iPod Touch.

2^nd place: Trevor Aiello, Connor Bergersen, Chad Bullock and Lochlan Thomson of F.R. Haythorne Junior High in Sherwood Park, Alberta, with a video titled “A lesson In Privacy”. They win a $250 gift card.

3^rd place: Matthew Craner, Scott Deshane, Madison Gilchrist, Joe Matishak and Graeme Wyatt of F.R. Haythorne Junior High in Sherwood Park, Alberta, with a video titled “The Phone Number Test”. They win a $150 gift card.

We also recognized seven teachers for their enthusiastic participation in the contest. They were:

• Crystal Getschel, of F.R. Haythorne Junior High in Sherwood Park, Alberta, with 26 entries.
• Majed Mattar, of Osgoode Township High School in Metcalfe, Ontario, with 21 entries.
• Professor Kaduri, of Tanenbaum Community Hebrew Academy of Toronto, Ontario, with 15 entries.
• Grant Holmes, of École secondaire publique De La Salle, Ottawa, Ontario, with 11 entries.
• Carol Shaw, of Woodstock Collegiate Institute, Woodstock, Ontario, with 8 entries.
• Kevin Shae, of Sir Robert Borden High School, Ottawa, Ontario with 6 entries.
• Stephen Willcock, of Canterbury High School, Ottawa, Ontario, with 5 entries.

Each teacher will receive a $250 gift certificate at Indigo Books and Music to use for personal use or for the school they represent.

The videos will be posted as soon as possible to our youth site. They will also be available on our YouTube channel.

We were thrilled with the number and quality of submissions we received for our second competition. We’ll be launching the 2010 contest in May!

On Data Privacy 2010 we’d like to take a moment to remind everyone that is the responsibility of both individuals and companies to make sure that personal information is safe.

If you own a company, or work for a big one: in the past, you may have had to ensure that your customers’ name and address information (and in some cases credit card and billing information) were safe. Now, many of you are providing technology and tools for your customers to put increasing amounts of personal information online. Does your company have the systems in place to safeguard this information? Do you give your customers the tools and options to control how their information is used?

If you are a user of new and cool technology: in the past a telephone was a telephone, a video game was a video game, a stuffed toy was simply that – a stuffed toy. Today, more and more toys and handheld tools come with the ability to go online. Do you understand how to enjoy your toys and gadgets without putting your personal information at risk?

If you are a parent or guardian, teacher, coach or caregiver: do the young people in your life understand how to use all these new toys and gadgets while keeping their personal information safe? Our office has recently made youth privacy a key priority. Today, we have posted some new resources to the Parents & Teachers section of our youth web site. The resources include information on 12 privacy issues (such as the importance of privacy settings and knowing who your friends are on social networking sites), along with ideas for generating discussion about each issue with young people. You can use these resources to start discussion about personal privacy and the importance of thinking about what you post on the Internet.

Regardless of which group you are in – if you need any information about how to keep personal information secure, visit our web sites – priv.gc.ca and youthprivacy.ca.

As you may have noticed, we held a news conference this morning to announce further progress in our investigation into the privacy practices at Facebook. Our news release is now available, as is Facebook’s.

The changes proposed by Facebook will make it easier for users to make clear and informed decisions about how to share their personal information within the popular social networking site – and with whom.

Importantly, Facebook has announced that it will be making changes to its API. These changes will, effectively, force developers to acknowledge what pieces of information they would like to access in your profile, and why. The changes will also give each user the opportunity to deny an application access to that piece of information.

Here’s an excerpt from our news release:

Third-party Application Developers

Issue: The sharing of personal information with third-party developers creating Facebook applications such as games and quizzes raises serious privacy risks. With more than one million developers around the globe, the Commissioner is concerned about a lack of adequate safeguards to effectively restrict those developers from accessing users’ personal information, along with information about their online “friends.”

Response: Facebook has agreed to retrofit its application platform in a way that will prevent any application from accessing information until it obtains express consent for each category of personal information it wishes to access. Under this new permissions model, users adding an application will be advised that the application wants access to specific categories of information.  The user will be able to control which categories of information an application is permitted to access. There will also be a link to a statement by the developer to explain how it will use the data.

This change will require significant technological changes. Developers using the platform will also need to adapt their applications and Facebook expects the entire process to take one year to implement.

As many have rightly pointed out, it seems contradictory to participate in a social network and to then attempt to restrict access to some or all of your personal information.

To us at the Office, users should have the chance to find out what information is being collected by the social networking site or a third party application, and for what reason. Third party applications have long been a concern to members of the privacy advocacy community, since they have had relatively free access to the information stored in your Facebook profile.

If you have any doubt about the extent of the access granted to apps, just take this handy quiz developed by the Northern California chapter of the ACLU – but make sure to delete the app once you’re finished! (Facebook has instructions for that )

Thankfully, Facebook has made it clear that they consider the privacy of their users to be a priority – and maybe even a competitive advantage in comparison to other social networks.

The changes announced today will take months to implement, but the Office will continue to monitor progress on this important issue.

University of Ottawa law professor Michael Geist has launched iOptOut, a website allowing Canadians to opt out of unsolicited phone calls and emails. iOptOut is meant to complement the federal government’s Do-Not-Call list, expected sometime in the fall of this year:

“By registering with iOptOut, you inform the organizations that you select listed in our database that you do not want them to call you. Under the federal Personal Information Protection and Electronic Documents Act (PIPEDA), these organizations would be required to respect your request. At the present time, iOptOut relies on PIPEDA, which overrides Bill C-37’s exemptions.

If an organization contacts you after you make a do-not-call request to it through iOptOut, PIPEDA allows you to enforce your request by filing a complaint with the Privacy Commissioner.”