Written By Stephen D. Burns
As your organization works towards compliance with Canada's private sector privacy legislation, consider undertaking these four key steps and their component activities.
Step One: Getting Started
- Develop support within your organization's leadership. Privacy compliance is a corporate governance issue and the support of the Board of Directors and Senior Management Team is essential to a successful privacy compliance program.
- Appoint a Privacy Officer/Manager. This individual should possess the leadership skills necessary to develop and implement the privacy compliance program.
- Determine which law applies: international, federal or provincial/territorial privacy legislation.
Step Two: Understanding the Organization's Privacy Activities
- Understand the existing information practices of the organization. Investigate how the organization collects, uses, discloses, retains, destroys and secures personal information. Consider if an individual's consent is obtained when the personal information is collected for the purpose for which the information is collected, used or disclosed.
- Assess the 'gaps' between practices and legislative requirements. Compare the organization's current activities and practices against the requirements of the applicable privacy legislation and identify the 'gaps' that exist between the organization's practices and the legislative requirements.
Step Three: Developing & Implementing Policies and Practices
- Develop privacy policies and practices. The organization's policies and practices will govern its privacy activities and provide a basis for training its employees and communicating its privacy activities to its customers and third parties.
- Develop an implementation plan. The implementation plan should establish how the organization will: obtain consent from individuals for the collection, use and disclosure of their personal information; manage the exchange of personal information with third party service providers and business associates; manage the changes to its processes and activities required to address the 'gaps' identified above and implement the organization's privacy policies and practices; and, communicate its privacy policies and practices to internal and external parties.
- Train your employees, volunteers and independent contractors. Ensure that your organization is ready for the introduction of the privacy legislation and understands your organization's privacy policies and practices.
- Review or initiate third party service provider or business associate agreements. Ensure that the agreements governing the exchange of personal information contain the necessary privacy representations, warranties, covenants and indemnities to protect the organization.
Step Four: Ongoing Compliance Activities
- Manage access to personal information. Implement mechanisms to ensure that the organization is compliant with the privacy legislation's requirement that an individual be able to access and challenge the accuracy of its personal information. Develop reports to record such activities. Ensure that applicable timelines are met.
- Manage complaints in respect of personal information. Implement mechanisms to ensure that the organization manages complaints from point of receipt to resolution. Ensure that applicable time-lines are met.
- Enforce the organization's privacy policies and practices. Implement mechanisms to ensure that the organization's privacy policies and practices are consistently applied, and develop sanctions where necessary for failure to comply.
- Undertake periodic reviews. Develop a plan for periodic review of documentation, policies, procedures and systems to ensure their timeliness and accuracy.