90 Mulcaster St.
Box 758
Barrie, ON L4M 4Y5
Canada
Ph: (705) 721-3377
Fx: (705) 721-4025
Privacy By Design
By ZARAH WALPOLE
I just got back from a Privacy Law Summit. It was a fascinating and educational day with many interesting and knowledgeable speakers. I thought I would use this month’s column to share some of the practical advice I gained. A highlight of the day was the keynote address from Dr. Ann Cavoukian, Information and Privacy Commissioner of Ontario (www.ipo.on.ca). Dr. Cavoukian is a dynamic speaker with an international reputation for protecting privacy. She is committed to the concept of “Privacy by Design”. Her goal is for governments, designers, developers and businesses to embed protection of privacy in everything they do – not tack it on as an afterthought. I think it is a useful approach and reflects the trend in protecting privacy.
As I’m sure you are well aware, all organizations now have legal obligations to protect the privacy of their employees’ and clients’ personal information. The focus of privacy law is that organizations must obtain an individual’s consent when they collect, use or disclose an individual’s personal information. Consent can either be explicit or implied depending upon the sensitivity of the information and the individual’s reasonable expectations. The individual has a right to access personal information held by an organization and challenge its accuracy, if needed. Personal information can only be used for the purpose for which it was collected. If an organization is going to use it for another purpose, consent must be obtained again.
In addition to these obligations, you need to ensure the security of the personal information your business controls. Business owners often hold highly sensitive information about their clients. While new technologies give us an increased ability to collect, store and transmit data, our clients are justifiably concerned about ensuring that they will not be the victims of identity theft. Dr. Cavoukian provided a number of low-tech solutions to what is often seen as the high-tech problem of preventing privacy data breaches:
- Prepare and update an inventory of all personal data collection points, uses, assets, and disclosures. You cannot protect what you don’t know exists.
- Secure your sensitive data with both physical (passwords, keys, safes) and administrative (who has access) safeguards.
- Use and change passwords, especially on mobile devices (laptops, palms). If an item is lost or stolen, you’ve only lost the hardware, not the data.
- Securely destroy all unnecessary personal information. Use a shredder. Placing paper with personal information straight into the recycling bin is not enough.
- Vet employees with access to personal information, including all temporary, part-time employees and outside contractors.
- Create a culture of privacy. Train staff to recognize privacy threats.
- If a breach occurs, lead with openness and transparency. Contain the damage, notify affected parties and fix the problem.
It’s my belief that protecting client privacy will only gain in importance as the power of technology increases. Take steps now to make data security and informed consent an automatic part of the way you do business.
The above is not intended to constitute legal advice. Please contact a lawyer to clarify your legal rights.