Friday, May 20, 2022

Data Privacy Day message to companies: Do not just write privacy policies, enforce them
Many companies have detailed privacy rules to protect the personal information of customers and employees. But unless the protocols are enforced, they are not worth the paper on which they are written.

This was the Data Privacy Day message from Brent Homan, Deputy Commissioner for Compliance at the Office of the Commissioner of Privacy of Canada (OPC).

“It’s not enough to have protocols,” he said in an interview. “You have to live it out.”

“We looked at the processes and policies many times and we thought, ‘Look good, look great.’ But the problem is that it was not followed. It has not been implemented.”

“While we have seen that many organizations seem to have a robust privacy framework in place, we find, when placed under regulatory scrutiny more frequently than we would like to see, that the framework is sometimes an illusion, and the dynamic responsibilities – including monitoring and the guidance needed to make the framework work – is simply not there.”

The Federal Privacy Commissioner oversees the application of the Personal Information and Electronic Documents Protection Act (PIPEDA), which covers federally regulated industries such as financial institutions, telecommunications companies and transportation companies.

Homan has several examples of investigations from the latest Privacy Commissioner’s annual report to Parliament:

  • a cellular customer of Rogers Communication’s Fido service discovered that a fraudster had more than once accessed the personal information on his account and changed it. This happened even after the complainant added a security PIN number and secret questions to the account to block unauthorized access. The fraudster was convincing enough that Fido staff “circumvented” rules meant to prevent this from happening.
    “This is an example of how important it is for organizations to implement measures to ensure that employees follow their substantive policies,” Homan said, “especially in cases like these where employees may have incompatible pressure – such as achieving sales targets – which may, perhaps, tempt them to circumvent protocols.”
  • an individual was shocked to realize that a help desk technician at a small computer support company used pre-installed remote access software to gain access to his laptop without his permission. Upon investigation by the OPC, the computer services company said the technician had obtained express verbal permission to use remote access software. However, the company could not prove it. In addition, the commission investigator found the company did not take precautions to prevent technicians from accessing sensitive information on customers’ computers.

Homan gave a third example, from a 2014 investigation involving Microsoft Canada, which he said had a strong privacy management program:

  • A Microsoft customer wanted their old email address removed from his records, but found no one could do it. The customer felt that Microsoft did not comply with his request. An OPC investigation found that none of the customer service representatives – who worked for an outside company – were trained to recognize privacy issues and refer them to Microsoft’s Privacy Response Center. Representatives in the Privacy Response Center were also not trained to escalate unresolved privacy issues to Microsoft’s privacy office – and the privacy office did not proactively monitor the privacy response center. “As such,” the report said, “the Microsoft Privacy Office was not in any practical sense responsible for the Privacy Response Center’s handling of clients’ privacy issues.”

These three complaints have all been resolved.

“We believe there are largely good efforts by businesses to maintain customer privacy,” said Homan. “There may be an understanding of key privacy concepts such as obtaining permission or the need to protect [customers’ and employees’] personal information, but there may be a lack of internal expertise to fully understand how to comply with all fair information principles.” These principles cover the fair collection and use of sensitive data.

For example, he said, not all businesses have a formal process for handling complaints. Also, he added, not all firms – especially small businesses – have an individual or team responsible for privacy issues, such as a data privacy officer.

Small firms do not have to have a privacy department, Homan said, but they do need to have at least someone in charge of privacy issues.

Whoever that person or those people are, Homan said, their work should include:

  • being aware of federal or provincial privacy laws and applicable policies;
  • developing a robust and comprehensive corporate data privacy policy;
  • providing training to all staff on privacy and data security;
  • drafting and managing contracts with third parties that handle the company’s sensitive data to ensure consistency with the firm’s information handling policies.

To assist companies with their privacy initiatives, the OPC has a business advisory department and a website aimed at businesses.

Homan also stressed the importance of senior executives showing that they take data privacy seriously, including having a data privacy officer sitting with other members of the C-suite.

“Accountability starts at the top,” he said. “It starts at the C level and ensures it [data privacy] is not something in an email that is thrown around every year.”

“What we do not want to see,” he added, “are fantastic ‘Centers of Expertise’ in privacy organizations – but compliance stops there. Make sure there is involvement [by management] and frontline staff are excited and informed about their obligation to follow the protocols developed by their center of privacy expertise.”

“This is the difference between knowing what to do, and doing what you need to do to respect individuals’ privacy.”
