Releases new how-to guide on putting policies into practice
HALIFAX, Sept. 5, 2012 /CNW/ - Ontario's Information and Privacy Commissioner, Dr. Ann Cavoukian, says it is not enough for organizations to have a privacy policy in place - they must take steps on an ongoing basis to make sure it is reflected in every aspect of their operations. A new paper, released today by the Commissioner at a meeting of the Privacy Section of the Canadian Bar Association, provides a 7-step action plan on how to effectively execute an appropriate privacy policy and embed it in the concrete practices of an organization.
The importance of this issue was highlighted recently when Elections Ontario lost two USB keys containing the unencrypted personal information of as many as 2.4 million voters. Commissioner Cavoukian found in her investigation that the agency's failure to systematically address privacy and security issues was at the root of the problems.
"Privacy policies alone, without a proper strategy for implementation and ongoing compliance procedures, will not protect an organization from privacy risks. The seven recommendations presented in this paper will provide organizations with concrete guidance on how to effectively execute an appropriate privacy policy, and have it reflected in actual practice. This information will be helpful to organizations of any size, and in any sector," Commissioner Cavoukian said.
Organizations should develop privacy education and awareness training programs and designate a knowledgeable "go-to" person for privacy-related queries within the organization, the new document states. In addition, processes and procedures are needed to verify compliance with privacy policies - such as comprehensive privacy audits of the organization and informal audits of the mobile devices of employees, to make sure they are protected by passwords and strong encryption.
Commissioner Cavoukian also warns organizations to be prepared to act if a privacy breach does occur. "A disciplined and immediate response is vital in order to address the situation in a manner that protects individuals, meets the expectations of the public, consumers and regulators, and ultimately preserves the reputation of the organization," she said.
The document, entitled A Policy is Not Enough: It Must be Reflected in Concrete Practices and released today, builds on the proactive approach of Privacy by Design (PbD), developed by the Commissioner, and unanimously approved as an international framework for privacy protection in 2010. PbD seeks to embed privacy into the design specifications of information technologies, organizational practices and networked system architectures, to achieve the strongest protection possible.
About the IPC
The Information and Privacy Commissioner is appointed by, and reports to, the Ontario Legislative Assembly, and is independent of the government of the day. The Commissioner's mandate includes overseeing the access and privacy provisions of the Freedom of Information and Protection of Privacy Act and Municipal Freedom of Information and Protection of Privacy Act, as well as the Personal Health Information Protection Act, which applies to both public and private sector health information custodians. A vital component of the Commissioner's mandate is to help educate the public about access and privacy issues.
SOURCE: Office of the Information and Privacy Commissioner/Ontario
Media contact:
Anne-Marie Tobin
Media Relations Specialist
Direct Line: 416-326-3939
Cell: 416-873-9746
Toll-free: 800-387-0073
[email protected]