Commissioner’s Privacy Awareness Week message to businesses
Protecting privacy is good for business, especially in today’s digital economy. When people trust that a business will treat their right to privacy with respect, they will participate in the economy – especially the digital economy – with confidence.
The theme of this year’s Privacy Awareness Week is Back to Basics: Privacy Foundations. Treating privacy as a fundamental right is part of the foundation of a successful business.
Money and resources spent on protecting and promoting privacy – on creating a “culture of privacy” – are smart investments in trust and the security of Canadians.
Having a culture of privacy means “privacy by design:” making privacy protection a priority, embedding it into everything that your business does with customers’ personal information, so that privacy protection is integral to your business instead of a regulatory irritant or a box to tick.
Ways to create a culture of privacy include:
- Limiting the amount of information you collect from customers to only what you need
- Using the information only in the way that you told the customer you would
- Keeping the information only as long as it is necessary
- Disclosing the information only to those who need to know – and making sure that the customer is aware of who you will be disclosing it to
- Having clear policies about how sensitive personal information is to be treated
- Training staff on the importance of protecting privacy
- Putting monitoring mechanisms in place to ensure that the policies are being followed
- Being ready to respond to a privacy breach, including knowing when breaches need to be reported
In the past year, my Office has reported on two investigations into multi-national companies that would not have been necessary if those companies had followed privacy by design principles. In the case of Tim Hortons, the company’s app collected far more information than it needed. For its part, Home Depot shared information that it collected with Facebook without the knowledge or consent of its customers.
Personal privacy is not a right that anyone should have to surrender in the name of innovation or profit.
In those rare instances where there is a conflict between privacy rights and private or public interests, privacy can and should prevail. This builds trust. Further, creating a culture of privacy at the front end, instead of after-the-fact, is a good investment that will help your business avoid most conflicts.
The OPC website also has a wealth of information about private-sector responsibilities and obligations under the Personal Information and Protecting Electronic Documents Act (PIPEDA), including our Privacy Guide for Businesses. Our Business Advisory Directorate is available for consultations to help you understand what you need to do to comply with the law.
Philippe Dufresne, Privacy Commissioner of Canada