Private sector privacy legislation requires organizations to build privacy policies that outline how they collect, use and disclose their customers’ personal information. That process need not be difficult. Below is a checklist of actions that represent some of the key elements for compliance with the federal law, PIPEDA. While the list is not exhaustive, it will help you build the essential elements of your new privacy policy.
Keep it simple.
Your policy should be clear, concise and written in plain language so it is easy to understand. It should provide enough detail to help your customers understand how you manage their information.
Review other privacy policies.
Online you can find policies of organizations similar to yours. Although our office does not endorse specific privacy policies, we have found that the financial services sector and telecommunications companies have mature policies worth emulating. Gain more insight into the requirements of your privacy policy by reviewing the principles in Schedule 1 of PIPEDA, which can be found online at priv.gc.ca.
Collect only what you need.
You can collect only information that is needed for your business purposes—for example, to manage a commercial relationship and provide ongoing service, to bill and collect for products or services, to market to individuals, and to meet legal and regulatory requirements.
Be open about when personal information may be disclosed.
You must indicate in your policy if you intend to disclose customer information to an affiliate or partner organization, or any other third party. You needn’t necessarily name each organization, but provide a general idea of the types of companies in question. And you must give your customers the opportunity to consent.
Tell customers when information will be stored outside of Canada.
The use of a third-party information processor, such as a company that provides payroll services, increases the likelihood that information under your control will be stored outside Canada. You must be open with your customers about this possibility.
Be open about how you safeguard information.
The risk of identity theft and other unauthorized uses of personal information is always present and ever changing. It’s critical to keep the personal information in your care safe and secure. PIPEDA’s safeguards principle calls for physical, organizational and technological measures appropriate to the sensitivity of the information, so describe your safeguards in those terms (for example, locked filing cabinets, staff access limited to those who need the information, and encryption or password protection of electronic records) without publishing operational details that would help an attacker. Customers and employees will appreciate your candour about how you intend to protect their information from such abuses.
Let customers know how long you will keep information.
PIPEDA requires that you keep personal information only for as long as it is needed to fulfill your purposes. If legislation such as the Income Tax Act requires or authorizes you to retain personal information for a longer period, consider disclosing that in your privacy policy.
Consider employees separately.
Typically, organizations’ purposes for collecting, using and disclosing employee information are to administer payroll, pension, benefit and departure provisions; to provide employee programs; to manage company property; and to hire and retain a highly skilled workforce. Because these purposes are different from those for collecting customers’ information, they warrant a separate section in your privacy policy.
Make yourself available for questions.
Let individuals know how to contact your organization for privacy information, either through email or through a toll-free number. Also, tell customers they can contact the Office of the Privacy Commissioner at 1 800 282-1376 if they are unsatisfied with your response to their privacy concern.
In tomorrow’s blog post we will discuss your responsibilities when it comes to privacy complaints.
To access small business tools developed by the Office of the Privacy Commissioner of Canada, click on: http://www.priv.gc.ca/resource/sbw/2011/index_e.cfm