Public opinion survey

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Archived

This page has been archived on the Web.

Canadian Businesses and Privacy-Related Issues

Final Report

Prepared for the Office of the Privacy Commissioner of Canada

Phoenix SPI

February 2012

---

Executive Summary

Phoenix SPI was commissioned by the Office of the Privacy Commissioner of Canada (OPC) to conduct quantitative research with Canadian businesses on privacy-related issues. The purpose was to better understand the extent to which businesses are familiar with privacy issues and requirements, and the types of privacy policies and practices that they have in place. A 16-minute telephone survey was administered to 1,006 companies across Canada, stratified by size of business. The results were weighted by size, sector and region using Statistics Canada data to ensure that they reflect the actual distribution of businesses in Canada. Data collection was conducted December 2-19, 2011. Based on a sample of this size, the results can be considered accurate to within ±3.1%, 19 times out of 20. Results are compared to similar surveys conducted in 2007 and 2010 where relevant. The 2011 survey includes updates and additions to the questionnaire and survey approach to better address the current, evolving privacy environment and cannot, in some cases, be compared with the results of previous waves of the survey.

Privacy Practices

A variety of business 'types' were included in this survey in terms of their target consumer. Thirty-five percent of the companies sell directly to the general public (or subsets of it), while almost as many (34%) sell both to the public and to other businesses/organizations. Almost one quarter (24%) sell only to other businesses/organizations, while 7% provide services that do not fall into any of these categories.

In terms of the types of information collected about customers, the vast majority (93%) collect contact information, such as names, phone numbers, and addresses. More than two thirds (68%) collect location information (e.g. postal codes). Other types of information collected in significant numbers include financial information (39%), opinions, evaluations, and comments (24%), purchasing habits (17%), and medical information (10%). Five percent said they do not collect any of these types of customer information.

Two thirds (66%) of businesses store their customers' personal information on paper records kept on site. As well, 55% store personal information on desktop computers and 47% use on-site servers. Nearly one quarter (23%) use portable devices (e.g. laptops, USB sticks, or tablets), while smaller proportions use cloud computing (8%) and a third party (excluding cloud computing) (7%). Of those firms that use portable devices to store customers’ personal information, 44% use encryption to protect such information.

Canadian businesses use a number of methods to protect the personal information of their customers. Almost three quarters use technological tools, such as passwords, encryption, or firewalls (73%), or physical measures, such as locked filing cabinets, restricting access, or security alarms (72%). About half (51%) use organizational controls, such as policies and procedures. Of those that use technological tools to protect the information, fully 96% use passwords, while 79% use firewalls, and 43% use encryption.

A majority of firms that use passwords (55%) have controls in place to ensure employees use hard-to-guess passwords. Also, most require employees to change their passwords: 16% require this monthly, 17% quarterly, 10% every six months, 12% yearly, and 7% less than this. Twenty-seven percent do not require employees to change their passwords.

Businesses have in place a mix of mechanisms related to privacy. The mechanism that is most widely used, cited by three quarters, is procedures for responding to customer requests for personal information. This is followed, at a distance, by designating someone responsible for privacy (57%). Almost half (48%) have procedures for dealing with customer complaints, while 32% ensure that their staff receive privacy-related training.

Privacy Policy

In total, 62% of businesses have a privacy policy. Executives of companies that do not have a privacy policy were asked why not. The main reason was a perceived lack of need (45%). Other explanations offered with some frequency include the size of the company (being too small) (17%), that the company does not collect personal information on customers (14%), and that they have never thought about it (10%).

Most companies that have a privacy policy update their policy (57%) at least once a year: 4% do so monthly, 5% every three months, 7% every six months, and 41% every year. Sixteen percent update their policy less than yearly, while 20% have never updated their policy. Executives of firms that update their privacy policy were asked under what circumstances they do so. Roughly one quarter mentioned each of the following: scheduled reviews (26%), changes in privacy legislation (25%), and changes in business practices (24%). Significant numbers also identified the occurrence of a problem or breach of privacy (14%), and customer complaints or concerns (13%). Six percent pointed to changes in the technology used by the company.

Most of the companies that update their privacy policy (63%) do not notify their customers about related changes. Conversely, just over one third (35%) do notify customers when changes are made to the policy – 16% do this always, while 19% do so sometimes.

Businesses that share their privacy policy do so in a variety of ways, with no method dominating. The largest proportion (26%) do this verbally, or over the telephone, followed relatively closely by mailing a letter (23%), using printed materials, such as pamphlets and brochures (20%), placing a notice on their company’s website (19%), and emailing customers (18%). Five percent use signs in their offices, stores or other locations.

Privacy as Corporate Objective

When asked to rate the importance their company attributes to protecting privacy (using a 7-point scale), almost half (49%) rated this as extremely important, while a further 28% rated it as at least moderately important. In total, therefore, 77% of Canadian companies attribute considerable importance to protecting privacy. Conversely, 15% attribute relatively little importance to this, offering scores below the mid-point on the scale.

When asked how their company tends to view protecting privacy, 52% said they see it as neither a competitive advantage nor a corporate disadvantage. That said,  39% do view it as a competitive advantage, with 24% seeing it as a significant advantage and 15% a moderate advantage. Few (3%) view protecting privacy as a corporate disadvantage.

Awareness and Impact of Privacy Laws

Executives were asked to rate their company’s awareness of its responsibilities under Canada’s privacy laws (using a 7-point scale). In response, 19% think their firm is extremely aware of its responsibilities, while a further 35% claimed high awareness (scores of 5-6). In total, a slight majority (54%) offered positive scores above the mid-point on the scale, indicating a relatively high level of familiarity with their privacy responsibilities. At the other end of the spectrum, 29% offered scores below the mid-point of the scale, suggesting a relatively low level of awareness.

Similarly, executives were asked to rate their level of awareness of PIPEDA, the federal private sector privacy law, using the same scale. The results were roughly similar. Fifteen percent said they were extremely aware of the legislation, while 34% offered scores of five or six. Therefore, almost half (49%) offered positive scores on the scale, once again indicating a relatively high level of familiarity with their responsibilities (35% offered scores below the scale's mid-point). Awareness of PIPEDA specifically is therefore slightly lower than awareness of responsibilities under Canada’s privacy laws more generally.

Canada’s privacy laws have resulted in a range of impacts on Canadian businesses. For 59%, such legislation has increased the level of concern in the company about protecting customers’ personal information. A smaller majority (52%) think these laws have increased their company’s awareness of its privacy obligations, while 47% point to improved security for personal information held by their company. In addition, 36% have improved the training given to staff on privacy obligations, and 27% have had fewer breaches involving customers’ personal information.

Compliance, Breaches and Risk Assessment

Executives were asked how difficult it has been for their company to bring their personal information handling practices into compliance with Canada’s privacy laws. Almost half (49%) were neutral, viewing this as neither easy nor difficult. Most of the rest (34%) rated compliance with privacy laws as easy, while 10% felt that this was difficult for their firm.

A lack of understanding of privacy legislation was identified most often (19%) as the top barrier or challenge in terms of complying with Canada’s privacy laws. Five percent or less cited a number of other barriers: staff/personnel requirements (5%), staff education/ awareness (4%), cost of compliance (other than staff) (3%), difficulties keeping personal information secure (3%), and challenges posed by new technology (3%). Sixteen percent did not think there were any challenges to compliance, while 38% offered no response.

When asked to rate their level of concern about a data breach where personal information is compromised, 40% offered scores above the mid-point of the 7-point scale, suggesting significant concern about a data breach. Thirty-one percent of surveyed companies have guidelines in place in the event of a breach. The vast majority (96%) of businesses have never experienced a breach where customers' personal information was compromised.

Approximately one quarter (26%) of businesses have policies or procedures in place to assess privacy risks related to their business. This includes assessing privacy risks associated with the development or use of new products or technologies.

Third Parties

Approximately two thirds (68%) claimed to be aware that when a company transfers personal information to a third party for processing, storage or other services, it remains accountable for that information (this can include the use of cloud computing). Only 9% of businesses collect personal information from customers and send it to another company for processing, storage or other services, and just over half (54%) of these firms have a contract, or some other means, in place to ensure there is appropriate protection for their company’s personal customer information.

Cooperation with Law Enforcement and Government

Almost one third of businesses evaluate customer data for the purposes of identifying and reporting suspicious or unlawful activity to law enforcement or government security agencies. Nine percent do this routinely, 6% do this sometimes, and 17% do this rarely. Of the companies that evaluate customer data for this purpose, 28% said their company is asked to do this more often today than five years ago.

Communications

The Internet (40%) is the main place that executives would go if they needed information about their company’s responsibilities under Canada’s privacy laws (an additional 5% identified Google specifically). Following this, 30% would turn to the federal government. Other sources mentioned with some frequency include provincial governments (11%), the company’s internal resources (10%), and legal counsel (6%).

Only 13% of surveyed businesses have ever sought clarification of their privacy-related responsibilities. Of those that did, the top go-to source was the Internet (28%). Other top sources include industry experts, consulting firms, and education sources (16%), a firm's internal resources (15%), industry associations (13%), lawyers (12%), and government, including the privacy commissioner (12%).

Education and Training

Executives were asked to assess the usefulness of training on what companies need to do to comply with Canada’s privacy laws. In total, 31% rated the usefulness of such training positively, compared with 52% who rated it negatively. Executives who rated privacy training as at least moderately useful for their company were asked to identify the most effective way to receive this training. Almost two thirds (64%) pointed to web-based seminars, followed by 56% who mentioned self-help materials and tools. A strong minority (39%) identified in-person seminars in different cities.

Office of the Privacy Commissioner of Canada

Forty percent of surveyed executives said they were aware that the OPC has information and tools available to companies to help them comply with their privacy obligations. Of those who were aware, 19% said their company has used OPC resources. By far, the most used resource was the OPC website, identified by almost half (47%) of those companies that have used OPC resources. Other resources that were used include OPC publications (14%), general information (7%), the OPC information centre (4%), and an OPC exhibit or presentation (3%). When asked to rate these resources in terms of how useful they were in helping the company meet its privacy obligations, 72% offered positive scores, indicating their view that these resources were at least moderately useful (16% said they were extremely useful). Relatively few (8%) rated the tools as not useful.

Privacy-Related Subgroup Differences

A major distinguishing factor in terms of how businesses address privacy-related issues is company size.^{Footnote 1} Larger companies are more likely to collect information on their customers, to use various technological, physical, and organizational controls to protect that information, to seek out information about their privacy responsibilities, and to think privacy training would be helpful. In terms of the OPC, larger companies were more likely to be aware that the OPC has resources available to help them with privacy-related issues and to have used these resources. Even so, larger companies were more likely than smaller ones to identify internal resources and legal counsel as sources of privacy information. These tendencies suggest that smaller companies may be most in need of the OPC’s resources (given a lack of internal alternatives), but are least aware of them. That said, smaller companies attributed less importance to protecting privacy than did larger ones. Other factors that significantly aligned with a greater tendency of a company to collect personal information, to have mechanisms to protect that information, and to enhance knowledge about privacy issues through various means included industry type and the number of different locations the company has.

In terms of attitudes and perspectives towards privacy issues, companies that perceive protecting privacy as being relatively important are relatively aware of their privacy obligations, perceive compliance with privacy laws to be difficult, and are relatively concerned about data breaches were more likely to collect personal information on their customers, to have in place policies and procedures for protecting the personal information in their possession, and to inform themselves of their privacy obligations.

Introduction

Phoenix Strategic Perspectives Inc. (Phoenix) was commissioned by the Office of the Privacy Commissioner of Canada (OPC) to conduct quantitative research with Canadian businesses on privacy-related issues.

Background and Objectives

The OPC is an advocate for the privacy rights of Canadians with the powers to investigate complaints and conduct audits under two federal laws, publish information about personal information-handling practices in the public and private sectors, and conduct research into privacy issues.  As part of this mandate, the OPC is responsible for enforcing the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to commercial activities in the Atlantic provinces, Ontario, Manitoba, Saskatchewan and the Territories. Quebec, Alberta, and British Columbia each has its own law covering the private sector. Even in these provinces, PIPEDA continues to apply to the federally-regulated private sector and to personal information in interprovincial and international transactions.

Given the rapid rate of technological innovation and the disintegration of borders, issues of privacy are evolving and becoming of greater importance and complexity. In December 2010, Parliament passed amendments to PIPEDA so as to become more responsive to this evolution. In September, Parliament reintroduced further amendments to the Act.

Against this backdrop, there is a need for the OPC to better understand the following with respect to Canadian businesses in their dealing with privacy issues:

• The extent to which businesses are familiar with privacy issues and requirements.
• The type of privacy policies and practices that businesses have in place.
• Businesses’ compliance with the law with respect to privacy.
• Businesses’ awareness and responses in regards to emerging privacy issues and practices.

This research addresses these objectives and will be used to guide the OPC’s approach to fulfilling its mandate with respect to Canadian businesses.

Research Design

To meet the research objectives, a telephone survey was administered to 1,006 businesses across Canada.  

The following specifications applied to the survey:

• The target respondent was a senior decision maker with responsibility and knowledge of their company’s privacy and security practices.
• A detailed interviewer briefing note was prepared by Phoenix (and approved by the OPC) to brief interviewers and guide the data collection process.
• A telephone pre-test was conducted in English and French, with 10 interviews in each official language. Interviews were digitally recorded for review afterwards.
• Upon completion of the pre-test, Phoenix listened to the interviews and reviewed the resulting data. The data collected during the pre-test was not included in the final survey dataset because changes were made to the questionnaire as a result.
• Interviews averaged 15.8 minutes and were conducted in the respondent’s official language of choice.
• Calling was conducted at different times of the day and the week to maximize the opportunity to establish contact.
• Up to 10 call-backs were attempted to reach potential respondents before a sample record was retired.
• The sample was carefully monitored throughout the data collection period to ensure effective sample management to keep the study on target and maximize response rates.
• The survey was registered with MRIA’s national survey registration system.
• Sponsorship of the study was revealed (i.e. OPC).
• Data collection was conducted December 2-19, 2011.

All work performed adhered to or surpassed industry standards as determined by the Marketing Research and Intelligence Association (MRIA), the industry association for survey research, as well as applicable federal legislation (PIPEDA). In addition, all work was performed in accordance with the Standards for the Conduct of Government of Canada Public Opinion Research – Telephone Surveys.

Sample Design

A stratified random sampling approach was used for the data collection. The sampling frame was purchased from Dun & Bradstreet (D&B).  A random sample frame was generated based on a sample-to-completion ratio of 10:1 for each of the three target business size quotas. The following table presents the number of sample records used to acquire the sample sizes for each business size group.

Business Size	No. of Sample Records	Sample Size
Small (1-19 employees)	N=5,998	N=502
Medium (20-99 employees)	N=2,744	N=304
Large (100+ employees)	N=1,797	N=200

Additionally, the sample frame was generated in proportion to business population by region within each of the three business size groups. In total, 1,006 interviews were conducted. The interviews were distributed by region as follows:

Region	Sample Size
Atlantic Canada	66
Quebec	217
Manitoba and Saskatchewan	77
Alberta	140
British Columbia	155
GTA	149
Rest of Ontario	202

Weights were applied to the final data to adjust for the sample design. Data was weighted to the national proportion of businesses to ensure representation by size, region and industry. Canadian statistics for the number of businesses by size, region and industry were obtained through the Business Register produced by Statistics Canada.

The weighting scheme was based on three variables: business size, region and industry. The Statistics Canada “Indeterminate” category of businesses was excluded from the business size distributions used to weight the survey data.

Three sets of weights were created for each of: 1) the overall results, 2) the regional results, and 3) the results by business size. The details are as follows:

• For the overall weight, results were first weighted by business size in each region. Three size breaks (1-9 employees, 20-99 employees and 100+ employees) and seven regions (British Columbia, Alberta, Saskatchewan, Manitoba, Ontario, Quebec, and the Atlantic provinces) were used. They were then weighted by industry on a national level using the North American Classification System (NAICS).
• For the regional results, a second weight was developed based on region (Newfoundland and Labrador, New Brunswick, Nova Scotia and Prince Edward Island, Quebec, Ontario, Manitoba, Saskatchewan, Alberta and British Columbia) and industry (again using the NAICS). As with the overall weight, the regional results were weighted at the national level only by industry.
• For the results by business size, a third weight was developed based on business size (1-9 employees, 20-99 employees and 100+ employees). As with the overall and regional weights, the results by business size were weighted at the national level only by industry using the NAICS.

Final Call Dispositions

The following table presents information about the final call dispositions for this survey, as well as the associated response rate (using the MRIA formula)^{Footnote 2} :

Call Disposition Table
Call Disposition	Total
Total Numbers Attempted	10,539
Out-of-scope - Invalid	1,652
Unresolved (U)	2,551
No answer/Answering machine	2,551
In-scope - Non-responding (IS)	1,978
Language barrier	42
Incapable of completing (ill/deceased)	52
Callback (Respondent not available)	1,884
Total Asked	4,358
Refusal	3,111
Termination	76
In-scope - Responding units (R)	1,171
Completed Interview	1,006
NQ - Quota Full - Company Size	106
NQ - Q1 (NOT FOR PROFIT/DK/REF)	59
Refusal Rate	73.13
Response Rate	13.18

Notes to Readers

• Reference is made to findings from similar surveys conducted in 2007 and 2010 among Canadian businesses. Since weighting procedures and, in some cases, question wording differs among the three surveys, comparisons over time should be interpreted with caution.
• All results in the report are expressed as a percentage, unless otherwise noted.
• Throughout the report, percentages may not always add to 100 due to rounding.
• Demographic and other subgroup differences are identified in the report. The text describing these differences throughout the report is put in a box for easy identification. Only subgroup differences that are statistically significant at the 95% confidence level or are part of pattern or trend are reported. For more information on subgroup analysis in this report, please see the subgroup analysis section below.

For the analysis of subgroups, characteristics have been grouped as follows:

Demographic Categories

• Core Industries^{Footnote 3}:
  • Accommodation and Food Services
  • Administrative & Support, Waste Management and Remediation Services
  • Arts, Entertainment and Recreation
  • Educational Services
  • Finance and Insurance*
  • Health Care and Social Assistance
  • Information and Cultural Industries
  • Professional, Scientific and Technical Services
  • Public Administration
  • Real Estate and Rental and Leasing
  • Retail Trade
  • Transportation and Warehousing
  • Utilities
• Non-Core Industries:
  • Agriculture, Forestry, Fishing and Hunting
  • Construction
  • Management of Companies and Enterprises
  • Manufacturing
  • Mining and Oil and Gas Extraction
  • Other Services (except Public Administration)
  • Wholesale Trade
  • Other
• Region:
  • Pacific (B.C., Yukon Territory)
  • Prairie (includes Northwest Territories)
  • Ontario (includes Nunavut)
  • Quebec
  • Atlantic Canada
• Business size:
  • Self-employed (1 employee)
  • 2-19 employees
  • 20-99
  • 100 or more employees
• Region:
  • Quebec
  • Atlantic Canada
  • Alberta
  • British Columbia
  • Greater Toronto Area (GTA)
  • Ontario (including GTA)
  • The Prairies (SK,MB)
• Company Business Model:
  • Sells directly to consumers
  • Sells directly to other businesses/organizations
  • Sells directly to both consumers and other businesses/organizations
• Revenues:
  • Less than $1,000,000
  • $100,000 to just under $10,000,000
  • $10,000,000 to just under $20,000,000
  • More than $20 million
• Company Location:
  • It operates at this location only
  • Other locations, but only in province
  • Locations in other provinces, but only in Canada
  • Other locations, including outside Canada

Attitudinal Categories

• Perceived Importance of Protecting Privacy:
  • Unimportant  (1-3)
  • Neither (4)
  • Important (5-7)
• Awareness of Privacy Obligations :
  • Unaware (1-3)
  • Neither (4)
  • Aware (5-7)
• Perceived Difficulty of Compliance:
  • Easy (1-3)
  • Neither (4)
  • Difficult (5-7)
• Concern Over Data Breach
  • Unconcerned (1-3)
  • Neither (4)
  • Concerned (5-7)

Appended to the report are copies of the questionnaire in English and French.

Privacy Practices

This section outlines the practices in which businesses engage as they relate to the protection of customers’ personal information. This includes the types of customers/clients a business has, as well as the type of information they collect, how they use it, and what procedures and policies are in place to protect this information.

Variety of Company Types in Terms of Customers Served

Business representatives included in this survey work for a variety of company types in terms of the company’s target consumer. Thirty-five percent of the companies sell directly to consumers; that is, members of the general public or some subset of the public. A similar proportion (34%) sell both to the general public and to other businesses/ organizations. One quarter (25%) of the companies sell only to other businesses/organizations, while 7% provide services that do not fall into any of these categories.

Contact Information—Most Common Type of Personal Information Collected

In terms of the types of information collected about customers, the vast majority (93%) of companies collect contact information, such as names, phone numbers, and addresses. More than two thirds (68%) collect location information, such as postal codes. Other types of information mentioned by significant numbers include financial information, such as invoices credit cards, or banking records (39%), opinions, evaluations, and comments (24%), purchasing habits (17%), and medical information (10%). Five percent indicated that they collect company or personal records in general.

Information included in the 'other' category are Social Insurance Numbers, tax information, birth dates, credit checks, and identification information. In total, 5% said they do not collect any of these types of customer information^{Footnote 4}.

Most Companies Collect Two to Three Types of Information

In terms of diversity of information collected, most companies (53%) collect either two (29%) or three (24%) different categories of information mentioned above. A quarter collect more than that, while 22% collect less.

On-Site Paper Records—Most Common Way of Storing Personal Information

Two thirds (66%) of Canadian businesses store personal information on their customers via paper records kept on site. The next most common ways of storing customers’ personal information was desktop computers (55%), followed by on-site servers (47%). Nearly one quarter (23%) use portable devices, such as laptops, USB sticks, or tablets, while smaller proportions use cloud computing (8%) and a third party (excluding cloud computing) (7%).^{Footnote 5}

Most Use Multiple Methods of Storing Information

Just over two thirds (67%) of Canadian businesses use more than one method of storing the personal information they collect on their customers. The largest proportion (36%) use two methods. Conversely, 29% use only one method, while 5% do not use any.

Strong Minority Use Encryption on Portable Devices

Business executives whose firms use portable devices, such as laptops, USB sticks, or tablets, to store their customers’ personal information were asked whether or not their company uses encryption to protect information stored in this way. Forty-four percent indicated that they did, whereas 48% said they did not. Seven percent were uncertain.

Most Use Variety of Methods to Protect Customer Information

Canadian businesses use a number of methods to protect the personal information of their customers. Almost three quarters use technological tools, such as passwords, encryption, or firewalls (73%), or physical measures, such as locked filing cabinets, restricting access, or security alarms (72%). A slim majority (51%) use organizational controls, such as policies and procedures.

A small number use other methods, such as shredding/destroying information and keeping the information at home. Eight percent said they take no measures.

Looked at somewhat differently, 66% of Canadian businesses use more than one method to protect the personal information of their customers. Conversely, 33% use only one.

Passwords—Most Common Technological Tool Used to Protect Information

Of those that reported using technological tools to protect customer information, the vast majority (96%) of such companies use passwords. As well, 79% use firewalls, while 43% use encryption.

Of businesses that use passwords, 55% have controls in place to ensure that employees use hard-to-guess passwords. Also, most require their employees to change their passwords: 16% require this monthly, 17% quarterly, 10% every six months, 12% yearly, and 7% less than this. Just over a quarter (27%) do not require their employees to change their passwords.

Mixed Experience in Terms of Privacy Practices in Place

Business representatives were asked whether they had in place a series of mechanisms related to privacy practices. These mechanisms included:

• Having designated someone in their company to be responsible for privacy issues and personal information that the company holds
• Having staff receive training on appropriate information practices and responsibilities under Canada’s privacy laws
• Having procedures in place for responding to customer requests for access to their personal information
• Having procedures in place for dealing with complaints from customers who feel that their information has been handled improperly

The mechanism that is most widely used, cited by three quarters, is procedures for responding to customer requests for personal information. This is followed, at a distance, by designating someone responsible for privacy (57%). Almost half (48%) have procedures for dealing with customer complaints, while only 32% ensure that their staff receive training.

Practices to Protect Privacy Not Extensively Varied

Of the mechanisms outlined above, most companies (55%) either utilize none of them (26%) or else just one (29%). Conversely, 44% have more than one of these mechanisms in place.

Since 2007, there has been an increase in the proportion of Canadian businesses that have procedures in place for responding to customer requests for personal information, though this increase has not been consistent. In 2007, 68% of businesses had such procedures, while in 2010 this proportion dipped to 61%, then rose again in 2011 to 75%. Conversely, 2011 saw modest declines in the proportion of businesses with procedures for dealing with customer complaints (48% vs. 54% in 2010; 58% in 2007) and having staff receive privacy-related training (32% vs. 37% in 2010 vs. 33% in 2007).^{Footnote 6}

Privacy Policy

This section addresses business’ use of a privacy policy, including reasons for having or not having a privacy policy, frequency of updating the policy, and approaches to sharing the policy with customers.

Most Canadian Businesses Have Privacy Polices

Just over three in five business executives said their company has a privacy policy. Conversely, 35% said they did not, while 3% were uncertain.

Perceived Lack of Need—Top Reason for Not Having Privacy Policy

Executives who said their company does not have a privacy policy were asked why not. The most common reason was a perceived lack of need (45%). Other reasons mentioned with some frequency include the size of the company (being too small) (17%), that the company does not collect personal information on customers (14%), and that they have never thought about it (10%).

Smaller proportions pointed to not having time to develop a privacy policy (4%), and that policies are handled by another office (3%). Included in the ‘other’ category are being in the process of developing a privacy policy and not knowing how to develop a privacy policy.

Most Update Privacy Policy at Least Yearly

The majority of companies that have a privacy policy update their policy (57%) at least once a year: 4% do so monthly, 5% every three months, 7% every six months, and 41% every year. Sixteen percent update their policy less than once a year, while 20% have never updated their policy.

Variety of Reasons for Updating Privacy Policy

Business executives who said their firm updates their privacy policy were asked under what circumstances they do so. Roughly one quarter mentioned each of the following: scheduled reviews (26%), change in privacy legislation (25%), and changes in business practices (24%). Significant numbers also mentioned the occurrence of a problem or breach of privacy (14%), and customer complaints or concerns (13%). Six percent pointed to changes in the technology used by the company.

Majority Do Not Notify Customers of Changes to Privacy Policy

Most of the companies that update their privacy policy (63%) do not notify their customers about changes to the policy. Conversely, just over one third (35%) do notify customers when their company makes changes to the policy – 16% do this always, while 19% do so sometimes.

Numerous Ways of Sharing Privacy Policy with Customers

Businesses that share their privacy policy do so in a variety of ways, with no method dominating. The largest proportion (26%) do this verbally, or over the telephone, followed relatively closely by mailing a letter (23%), using printed materials, such as pamphlets and brochures (20%), placing a notice on their company’s website (19%), and emailing customers (18%). Five percent use signs in their offices, stores or other locations. In terms of other ways of sharing their privacy policy, some said they do so in whatever way customers wish to be contacted, or that they generally keep this information current for all customers.

Privacy as Corporate Objective

This section explores how companies perceive the importance of protecting privacy, as well as whether they consider this to be an area of corporate advantage.

Most View Protecting Privacy as Very Important

Executives were asked to rate the importance their company attributes to protecting privacy (using a 7-point scale: 1 = not important at all, 7 = extremely important). Almost half (49%) rated this as extremely important, while a further 28% rated it as at least moderately important (scores of 5-6). In total, therefore, 77% of Canadian companies attribute considerable importance to protecting privacy.

Conversely, 15% attribute relatively little importance to the protection of privacy, offering scores below the mid-point on the scale.

Many View Protecting Privacy as Competitive Advantage

When asked how their company tends to view protecting privacy, about half of surveyed executives (52%) said they see it as neither a competitive advantage nor a corporate disadvantage. That said, 39% do view it as a competitive advantage, with 24% seeing it as a significant advantage and 15% a moderate advantage. Few (3%) view protecting privacy as a corporate disadvantage.

Awareness and Impact of Privacy Laws

This section explores executives’ awareness of privacy laws in Canada, as well as how their companies have reacted to the implementation of such laws. Questions in this section were prefaced with the following description of Canada’s privacy laws:

The federal government’s privacy law, the Personal Information and Protection and Electronic Documents Act or PIPEDA sets out rules that govern how businesses engaged in commercial activities should protect personal information. In Alberta, BC and Quebec, the private sector is governed by provincial laws, which are considered to be similar to the federal law.

Moderate Awareness of Company’s Responsibilities Under Canada’s Privacy Laws

Business executives were asked to rate their company’s awareness of its responsibilities under Canada’s privacy laws, using a 7-point scale (1 = not at all aware, 7 = extremely aware). Almost one in five (19%) think their firm is extremely aware of its responsibilities, while an additional 35% claimed high awareness (scores of 5-6). In total, a slight majority (54%) offered positive scores above the mid-point on the scale, indicating a relatively high level of familiarity with their privacy responsibilities.

At the other end of the spectrum, 29% offered scores below the mid-point of the scale, suggesting a relatively low level of awareness.

Over time, the reported level of awareness of a company’s responsibilities under Canada’s privacy laws amongst businesses has declined modestly. In 2011, business executives were less likely to say that their company’s level of awareness in this regard is very high (6-7), but were more likely to say it was moderately high (3-5) or low (1-2).^{Footnote 7}

Moderate Awareness of PIPEDA

Executives were also asked to rate their level of awareness of PIPEDA, the federal government’s privacy law, using the same 7-point scale. The results were roughly similar. Fifteen percent said they were extremely aware of the legislation, while 34% offered scores of five or six. Nearly half (49%) offered positive scores above the mid-point on the scale, once again indicating a relatively high level of familiarity with their responsibilities. However, 35% offered scores below the mid-point of the scale, suggesting a relatively low level of awareness.

Awareness of PIPEDA specifically is therefore slightly lower than awareness of responsibilities under Canada’s privacy laws more generally.

Privacy Laws Have Had a Range of Impacts for Companies

Representatives of Canadian business were asked about what kinds of impacts Canada’s privacy laws have had on their respective companies. The largest proportion (59%) said that Canada’s privacy laws rendered their company more concerned about protecting customers’ personal information. A smaller majority (52%) said that these laws have increased their company’s awareness of its privacy obligations.

Forty-seven percent reported that, as a result of Canada’s privacy laws, they have improved security associated with personal information held by their company. In addition, 36% have improved the training given to staff on privacy obligations, and 27% have had fewer breaches involving customers’ personal information.

Business executives were less likely in 2011 to say their company experienced each of the impacts outlined in the preceding chart than they were in 2010.^{Footnote 8} Percentage gaps between 2010 and 2011 ranged from 5-10% across the various impacts.

A little over half (53%) of executives reported that their company has experienced two or more of the impacts outlined in the preceding chart. Correspondingly, slightly less than half cited only one of these impacts (25%) or none at all (22%).

Compliance, Breaches and Risk Assessment

This section explores perceptions related to the difficulty of complying with Canada’s privacy laws, barriers to such compliance, issues related to data breaches, and approaches to assessing privacy risks.

Half Assess Firm’s Compliance Experience as Neither Easy nor Difficult

Business executives were asked how difficult it has been for their company to bring their personal information handling practices into compliance with Canada’s privacy laws (using a 7-point scale: 1 = extremely easy, 7 = extremely difficult). Almost half (49%) were neutral, viewing this as neither easy nor difficult. Most of the rest (34%) rated compliance with Canada’s privacy laws as easy, while only 10% felt that this was difficult for their company.

Over time, the perceived difficulty of bringing personal information handling practices into compliance with Canada’s privacy laws has increased modestly, while the perception that it is very easy has decreased.

Lack of Understanding of Legislation—Top Barrier to Compliance

A lack of understanding of privacy legislation was identified most often (19%) as the top barrier or challenge in terms of complying with Canada’s privacy laws. Five percent or less cited a number of other barriers: staff/personnel requirements (5%), staff education/ awareness (4%), cost of compliance (other than staff) (3%), difficulties keeping personal information secure (3%), and challenges posed by new technology (3%). Included in the ‘other’ category, each cited by 2% or less were: keeping up to date with the law; too much paperwork/bureaucracy; barriers to accessing information; difficulties with consistently implementing policy; customer awareness; and the volume of information to protect. Sixteen percent did not think there were any challenges to compliance, while 38% offered no response.

Polarized Levels of Concern Over Data Breaches

Surveyed executives were asked to rate their level of concern about a data breach, where the personal information of their customers is compromised. They were asked to use a 7-point scale (1 = not at all concerned; 7 = extremely concerned).

One third, the largest proportion, said they were not at all concerned about a data breach, while the second largest proportion, 23% said they were extremely concerned. In total, 40% offered scores above the mid-point of the scale, suggesting significant concern about a data breach.

Before being asked this question, executives were provided with the following information:

Sometimes, sensitive personal information that is held by a company about their customers is compromised. This can be due to a range of things, such as criminal activity, a flaw in the company’s security system, or employee error, such as misplacing a laptop or other device.

Over time, Canadian businesses have become somewhat more polarized in their level of concern over a data breach. Compared with 2010, 2011 has seen an increase in the proportion of businesses that are very concerned over such a breach (40% vs. 35%), as well as those less or not concerned at all (49% vs. 42%). Conversely, there has been a decline in those that are more moderate in their level of concern over a breach (9% vs. 21%).

Less than One Third Have Guidelines for Responding to Breach

Thirty-one percent of surveyed companies have guidelines in place in the event of a breach where the personal information of their customers is compromised. Conversely, 63% do not. Six percent of surveyed executives were unsure.

Relatively Few Have Ever Experienced a Breach

The vast majority (96%) of businesses have never experienced a breach where the personal information of their customers was compromised. Conversely, only 3% have (1% were unsure).

Since 2010, the proportion of companies that have guidelines in place to address a potential data breach, as well as the proportion that have ever experienced a breach, have remained relatively constant.

Business representatives whose companies have experienced a breach were asked what steps their company took to address the situation. The most common response was notifying individuals who were affected (n=16). Other responses included resolving the issue with those involved directly (n=6), notifying law enforcement (n=5), following proper procedure (n=4), reviewing the company’s privacy policy or procedures (n=4), implementing or enhancing a security system (n=4), notifying government agencies (n=4), obtaining legal counsel or taking legal action (n=3), issuing training or re-training for staff (n=2), notifying company’s internal resources (n=1), and obtaining information from government (n=1).

One Quarter Have Procedures for Assessing Privacy Risks

Approximately one quarter (26%) of Canadian businesses have policies or procedures in place to assess privacy risks related to their business. This includes assessing privacy risks associated with the development or use of new products or technologies.

Conversely, 67% of businesses do not have any such policies or procedures.

Third Parties

This section addresses companies use of third parties for processing, storage, and other services with relation to customers’ personal information.

Two thirds Aware of Accountability for Information Transferred to Third Party

Approximately two thirds (68%) claimed to be aware that when a company transfers personal information to a third party for processing, storage or other services, which can include the use of cloud computing, it remains accountable for that information. Conversely, 31% were not aware of this accountability.

Few Use Third Parties, Half That do Have Means to Ensure Information Protection

Only about one in ten (9%) Canadian businesses collect personal information from customers and send it to another company for processing, storage or other services.

Of those that do make such use of third parties, just over half (54%) reported having a contract, or some other means, in place to ensure there is appropriate protection for their company’s personal customer information.

In 2011, a smaller proportion of business executives reported that their company uses third parties with regard to the handling of their customers’ personal information than did so in 2010 (9% vs. 18%).^{Footnote 9} A slightly larger proportion (54% vs. 50%) have a contract in place to safeguard the information they transfer to a third party.

Cooperation with Law Enforcement and Government

This section addresses issues relating to the extent of companies' cooperation with law enforcement and government in accordance with privacy laws.

One third Evaluate Customer Data to Report Suspicious or Unlawful Activity

Almost one third of businesses evaluate customer data for the purposes of identifying and reporting suspicious or unlawful activity to law enforcement or government security agencies, at least to some degree. Nine percent do this routinely, 6% do this sometimes, and 17% do this rarely. Conversely, 64% said their company never does this.

Of the companies that evaluate customer data for the purposes of identifying and reporting suspicious or unlawful activity, 28% said their company is asked to do this more often today than five years ago.

Communications

This section presents participant feedback on the sources and channels their companies use to gather information relating to privacy issues.

Internet—Top Potential Source of Information on Privacy Laws

The Internet (40%) is the main place that executives would go if they needed to obtain more information about their company’s responsibilities under Canada’s privacy laws (an additional 5% identified Google specifically). The next largest proportion, 30%, said they would turn to the federal government. Other sources mentioned with some frequency include provincial governments (11%), the company’s internal resources (10%), and legal counsel (6%).

Included in the 'other' category are industry associations, unspecified government resources, telephone, the police/RCMP, and local/municipal government.^{Footnote 10}

Little Interest in Privacy Information in Other Languages

Only 3% of business executives said they would be interested in information about their company’s responsibilities under Canada’s privacy laws in languages other than English or French.

The languages that were identified by those executives interested in information in other languages (n = 38), each of which was mentioned by very small numbers, include Chinese/Mandarin, Dutch, Italian, Filipino, Punjabi, Portuguese, and Spanish.^{Footnote 11}

Internet—Top Source for Clarification of Privacy Responsibilities

Only 13% of surveyed businesses have ever sought clarification of their responsibilities under Canada’s privacy laws. Conversely, 83% have not done this.

Of those that have sought clarification, the top go-to source was the Internet (28%). Other sources mentioned with some frequency include industry experts, consulting firms, and education sources (16%), a company’s internal resources (15%), industry associations (13%), lawyers (12%), and government/the privacy commissioner (12%).

In 2011, fewer business executives reported having sought clarification of their responsibilities under Canada’s privacy laws than did so in 2007 or 2010 (13% vs. 22%).

Business executives in 2011 were less likely than in 2010 to cite lawyers (12% vs. 36%) and government/the Privacy Commissioner of Canada specifically as sources of this clarification (34% vs. 12%). They were more likely to cite the Internet (28% vs. 18%), industry experts, consulting firms, and education sources (16% vs. 2%), internal resources (15% vs. 6%), and industry associations (13% vs. 4%).

Education and Training

This section addresses company’s perceptions of privacy-related education and training as well as preferred channels to receive this training.

Mixed Views on Usefulness of Privacy Training

Business representatives were asked to rate how useful it would be for their company to be able to get training on what companies need to do to comply with Canada’s privacy laws (using a 7-point scale: 1 = not useful at all; 7 = extremely useful). Almost one-third (31%) offered positive scores on the scale, indicating that privacy-related training would be useful to their company. The largest proportion (32%) gave this the lowest rating, clearly indicating that such training would not be useful at all to their company. An additional 20% offered scores below the scale's mid-point, suggesting a clear lack of interest in such training.

Note that 31% rated the perceived usefulness of such training positively (scores of 5-7), compared with 52% who rated it negatively (scores of 1-3).

Over time, executives have become more polarized in their view of the usefulness of privacy training. Since 2007, a greater proportion view privacy training as relatively important (5-7) (31% vs. 26% in 2007; 23% in 2010), as well as relatively unimportant (1-3) (52% vs. 39% in 2007; 42% in 2010), whereas fewer rate it in between (4) (14% vs. 34% in 2007; 33% in 2010).

Web-based Seminars—Preferred Channel for Receiving Privacy Training

Executives who rated privacy training as at least moderately useful for their company (scores of 4-7) were asked what they thought would be the most effective way to receive this training. Almost two thirds (64%) pointed to web-based seminars, followed by 56% who mentioned self-help materials and tools, like information packages available online. A strong minority (39%) identified in-person seminars in different cities.

Over time, there has been an increase in demand for in-person seminars in different cities (39% in 2011 vs. 22% in 2007; 14% in 2010) and a decrease in demand for self-help tools available online (56% vs. 73% in 2007; 79% in 2010). Web-based seminars were not asked about specifically in previous waves of the survey.

Office of the Privacy Commissioner of Canada

This section explores levels of awareness of resources available through the Office of the Privacy Commissioner, as well as use of such resources and assessments of them.

Strong Minority Aware of OPC Resources, Most Have Not Used Resources

Forty percent of surveyed executives said they were aware that the Office of the Privacy Commissioner of Canada has information and tools available to companies to help them comply with their privacy obligations. Conversely, 60% were not aware of this.

Of those who were aware of OPC resources, almost one in five (19%) said their company has used them, whereas 75% said they have not.

In 2011, Canadian businesses appear to be less aware of the availability of OPC resources than in 2010 (40% vs. 55%). They were also less likely to have ever used these resources (19% vs. 36%). ^{Footnote 12}

OPC Website—Most Used Resource

Those whose companies have used OPC resources were asked which resources they have used. By far, the most used resource was the OPC website, identified by almost half (47%). Other resources that were used include OPC publications (14%), general (unspecified) information (7%), the OPC information centre (4%), and an OPC exhibit or presentation (3%).

OPC Resources Seen to be Useful

Executives of companies that have used OPC resources were asked to rate these resources in terms of how useful they were in helping their company meet its privacy obligations. To do this, they used a 7-point scale (1 = not useful at all; 7 = extremely useful). In total, 72% offered positive scores on the scale, indicating their view that these resources were at least moderately useful (16% said they were extremely useful). Relatively few (8%) rated the tools as not very useful (scores of 1-3).

In 2011, businesses were more likely to think of OPC resources as useful (5-7) than they were in 2010 (72% vs. 55%).

Those who offered low assessments of the usefulness of OPC resources (scores of 1-3; n=7) were asked why they found the resources or information not very useful. Answers included that it was too difficult to understand, that OPC personnel were not helpful, that they don’t trust the information, and that it was difficult to find the information.

Characteristics of Survey Respondents

The following table presents the characteristics of survey respondents (using unweighted data).

Characteristics of Survey Respondents

Company Locations	Total
Base (N)	1,006
Operates at this location alone	61%
Other locations, but only in this province	17%
Locations in other provinces, but only in Canada	10%
Other locations, including outside of Canada	11%
DK/NR	1%
Region	Total
Base (N)	1,006
Atlantic	7%
Quebec	22%
Greater Toronto Area (GTA)	15%
Rest of Ontario (excluding GTA)	20%
Prairies	8%
Alberta	14%
British Columbia	15%
Number of Employees	Total
Base (N)	1006
1-19	50%
20-99	30%
100+	20%
Company 2010 Revenues	Total
Base (N)	1006
Less than $100,000	10%
$100,000 to just under $250,000	10%
$250,000 to just under $500,000	8%
$500,000 to just under $1,000,000	9%
$1,000,000 to just under 5,000,000	19%
$5,000,000 to just under 10,000,000	7%
$10,000,000 to just under 20,000,000	6%
$20,000,000 or more	11%
DK/NR	21%
Industry	Total
Base (N)	1006
Retail Trade	13%
Professional, Scientific and Technical Services	8%
Health Care and Social Assistance	3%
Accommodation and Food Services	9%
Finance and Insurance	7%
Transportation and Warehousing	6%
Information and Cultural Industries	2%
Arts, Entertainment and Recreation	3%
Real Estate and Rental and Leasing	3%
Educational Services	1%
Public Administration	1%
Utilities	1%
Administrative & Support, Waste Management and Remediation Services	<1%
Other Services (Except Public Administration)	16%
Construction	8%
Manufacturing	10%
Wholesale Trade	3%
Agriculture, Forestry, Fishing and Hunting	4%
Mining and Oil and Gas Extraction	3%
Distribution	1%
Management of Companies and Enterprises	1%
Position within Company	Total
Base (N)	1006
Owner, President or CEO	35%
General Manager/Other Manager	25%
Administration	7%
Vice President	3%
HR/Operations	10%
Privacy Analyst/officer/coordinator	2%
Accounting	3%
Other	15%

---

Appendix

Questionnaire

Office of the Privacy Commissioner
Business Survey 2011

Final Version: Dec.1, 2011

Hello, my name is ________. I’m calling on behalf of Phoenix, a public opinion research company. We’re conducting a survey for the Privacy Commissioner of Canada to better understand the needs and practices of businesses across the country in relation to Canada’s privacy laws.

May I speak to the person in your company who is the most familiar with the types of personal information collected about your customers, and how this information is stored and used. This may be your company’s Privacy Officer if you have one.

• IF PERSON IS AVAILABLE, CONTINUE. REPEAT INTRODUCTION IF NEEDED.
• IF NOT AVAILABLE, SCHEDULE CALL-BACK.

The survey takes about 15 minutes and is voluntary and completely confidential. Your answers will remain anonymous. May I continue?

[ ] Yes, now (CONTINUE)
[ ] No, call later. Specify date/time: Date:    Time:
[ ] Refused (THANK & DISCONTINUE)

---

Interviewer Notes:

IF RESPONDENT ASKS ABOUT THE LENGTH OF THE SURVEY, INFORM HIM/HER IT IS SHOULD TAKE APPROXIMATELY 15 MINUTES.

IF RESPONDENT QUESTIONS THE VALIDITY OF THE SURVEY, ASK HIM/HER TO CALL HEATHER ORMEROD OF THE OFFICE OF THE PRIVACY COMMISSIONER AT 613-947-8416 (OR HAVE HEATHER CALL THE RESPONDENT). OR THE RESPONDENT CAN CALL THE NATIONAL SURVEY REGISTRATION SYSTEM (SEE BELOW).

IF RESPONDENT ASKS, THE SURVEY IS REGISTERD WITH THE NATIONAL SURVEY REGISTRATION SYSTEM:  
The registration system has been created by the survey research industry to allow the public to verify that a survey is legitimate, get information about the survey industry or register a complaint. The registration system’s toll-free phone number is 1-888-602-6742 ext. 8728.

SOME QUESTIONS ARE TRACKING QUESTIONS THAT WERE USED IN EARLIER SURVEYS. TRACKING QUESTIONS ARE IDENTIFIED AS FOLLOWS: T2010 = TRACKING (T) FROM THE 2010 BUSINESS SURVEY.

HEADINGS IN BLUE SHOULD NOT BE READ TO RESPONDENTS

FOR ALL QUESTIONS, INCLUDE 'DON’T KNOW/NO RESPONSE' OPTION

---

1. Which of the following best describes your company? (READ LIST, ACCEPT ONE RESPONSE) T2010
   1. It sells directly to consumers
   2. It sells directly to other businesses/organizations
   3. It sells directly both to consumers and other businesses/organizations
   • Other, please specify: _____________________

   (DO NOT READ: NOT FOR PROFIT, THANK AND TERMINATE; DK/NR, THANK AND TERMINATE)

2. Approximately how many employees work for your company in Canada? Please include part-time employees as full-time equivalents. (DO NOT READ LIST)
   1. One (i.e. self employed)
   2. 2-4
   3. 5-9
   4. 10-19
   5. 20-49
   6. 50-99
   7. 100-149
   8. 150-199
   9. 200-249
   10. 250-299
   11. 300-499
   12. 500-999
   13. 1,000-4,999
   14. More than 5,000

Section 1: Privacy Practices

I’d like to begin by asking you about the types of personal information held by your company about your customers. By personal information, I mean things like a customer’s name, age, address, income, or email address. It also includes information like opinions, what they have purchased, credit or loan records, and records of a dispute between a consumer and a merchant. T2010 MODIFIED

3. Which of the following types of information does your company collect about your customers? (READ LIST. ACCEPT ALL THAT APPLY) T2010 MODIFIED
   1. Contact information, such as names, phone numbers, and addresses
   2. Opinions, evaluations, and comments
   3. Purchasing habits
   4. Financial information such as invoices, credit cards, or banking records
   5. Medical information
   6. Location information, such as postal codes
   • Other information. If so, please specify: ______________
   7. None of the above (DO NOT READ)
4. In which of the following ways does your company store personal information on your customers? Is the information…? (READ LIST. ACCEPT ALL THAT APPLY) T2010 MODIFIED
   1. Stored on-site on paper
   2. Stored on-site on servers
   3. Stored on desktop computers
   4. Stored on portable devices, such as laptops, USB sticks, or tablets
   5. Stored electronically through cloud computing*
   6. Stored through a third party, not including cloud computing**
   7. Stored in some other way: If so, please specify ___________

*INTERVIEWER NOTE: IF RESPONDENT IS NOT CLEAR WHAT CLOUD COMPUTING IS, SAY THAT CLOUD COMPUTING REFERS TO THE DELIVERY OF COMPUTING RESOURCES OVER THE INTERNET. INSTEAD OF KEEPING DATA ON YOUR OWN HARD DRIVE OR UPDATING APPLICATIONS FOR YOUR NEEDS, YOU USE A THIRD PARTY’S SERVICE OVER THE INTERNET, AT ANOTHER LOCATION, TO STORE YOUR INFORMATION OR USE ITS APPLICATIONS.
**INTERVIEWER NOTE: FOR THIS QUESTION, CLOUD COMPUTING SHOULD BE RECORDED SEPARATELY FROM STORAGE BY A THIRD PARTY.

IF INFORMATION 'STORED ON PORTABLE DEVICES', ASK:

5. Does your company use encryption to protect the personal information you store on portable devices, such as laptops, USB sticks, or tablets?
   1. Yes
   2. No

ASK EVERYONE:

6. What steps do you take to protect the personal information on your customers? (READ LIST. ACCEPT ALL THAT APPLY) T2010 MODIFIED
   1. Physical measures, such as locked filing cabinets, restricting access, or security alarms.
   2. Technological tools, such as passwords, encryption, or firewalls.
   3. Organizational controls, such as policies and procedures.
   4. Some other measure. If so, please specify: ______________
   5. No measures taken

IF 'TECHNOLOGICAL TOOLS' USED, ASK:

7. Which of these technological tools do you use? (READ LIST. ACCEPT ALL THAT APPLY)
   1. Passwords
   2. Encryption
   3. Firewalls

IF 'PASSWORDS' USED, ASK NEXT TWO QUESTIONS:

8. How often do you require employees to change their passwords? (DO NOT READ LIST. ACCEPT ONE RESPONSE)
   1. Monthly
   2. Quarterly
   3. Every six months
   4. Once a year
   5. Less than this
   6. VOLUNTEERED: Do not require employees to change passwords
9. Do you have any controls in place to ensure that employees use hard-to-guess passwords?
   1. Yes
   2. No

ASK EVERYONE:

10. Have you designated someone in your company to be responsible for privacy issues and personal information that your company holds? T2010 MODIFIED
    1. Yes
    2. No
11. Have any of your staff received training on appropriate information practices and responsibilities under Canada’s privacy laws? T2010
    1. Yes
    2. No              SKIP NEXT QUESTION
12. Does your company have procedures in place for responding to customer requests for access to their personal information? T2010 MODIFIED
    1. Yes
    2. No
13. Does your company have procedures in place for dealing with complaints from customers who feel that their information has been handled improperly? T2010 MODIFIED
    1. Yes
    2. No

Section 2: Privacy Policy

14. Does your company have a privacy policy?
    1. Yes              SKIP NEXT QUESTION
    2. No

ASK IF NO PRIVACY POLICY:

15. What's the main reason why your company doesn’t have a privacy policy? (DO NOT READ LIST. ACCEPT ONE RESPONSE)
    1. Do not think it is necessary
    2. Never thought about it
    3. Company does not collect personal information on customers
    4. In the process of developing privacy policy
    5. Don’t know how to develop privacy policy
    • Other (specify): ________________

THOSE WHO DO NOT HAVE PRIVACY POLICIES GO TO NEXT SECTION.

16. How often do you update your privacy policy? (READ LIST)
    1. Once a month or more
    2. Once every 3 months
    3. Once every 6 months
    4. Once a year
    5. Less than once a year
    6. Never              GO TO NEXT SECTION
17. Under what circumstances do you update your privacy policy? By this I mean, what conditions or events prompt your company to update the policy? (DO NOT READ LIST; ACCEPT MULTIPLE RESPONSES)
    1. When there are changes in legislation
    2. New marketing campaign
    3. Changes in business practices
    4. Changes in technologies organization uses
    5. During scheduled reviews (e.g. once a year)
    • Other, Specify: ____________________
18. Do you notify customers when you make changes to your privacy policy? Would you say you do this…?
    1. Always
    2. Sometimes
    3. Never

IF 'ALWAYS/SOMETIMES' ASK:

19. How do you share your privacy policy with customers? (DO NOT READ LIST. ACCEPT MULTIPLE RESPONSES)
    1. Email
    2. Notice on website
    3. Mail letter to customer
    4. Signs in offices/stores/elsewhere
    • Other, Specify: ____________________

Section 3: Privacy as Corporate Objective

20. What importance does your company attribute to protecting privacy? Please use a scale from 1 to 7, where 1 means that this is not an important corporate objective at all, and 7 means it is an extremely important objective.
21. How does your company tend to view protecting privacy? Would you say you see this as a significant competitive advantage, a moderate competitive advantage, a moderate corporate disadvantage, a significant corporate disadvantage, or neither a competitive advantage nor a corporate disadvantage?

Section 4: Awareness and Impact of Privacy Laws

The federal government’s privacy law, the Personal Information and Protection and Electronic Documents Act or PIPEDA (PRONOUNCED PIP-EE-DAH) sets out rules that govern how businesses engaged in commercial activities should protect personal information. In Alberta, BC and Quebec, the private sector is governed by provincial laws, which are considered to be similar to the federal law. T2010 MODIFIED

22. How would you rate your company’s awareness of its responsibilities under Canada’s privacy laws? Please use a scale from 1 to 7, where 1 is not at all aware, and 7 is extremely aware. T2010 MODIFIED
23. As a result of Canada’s privacy laws, would you say your company…? (READ/RANDOMIZE LIST. ACCEPT ALL THAT APPLY) T2010 MODIFIED
    1. Has increased its awareness of its privacy obligations.
    2. Has improved the training given to staff on privacy obligations.
    3. Is more concerned about protecting customers' personal information.
    4. Has improved security associated with personal information held by your company on its customers
    5. Has had fewer breaches* involving customers' personal information

    * INTERVIEWER NOTE. IF RESPONDENT DOES NOT KNOW WHAT A BREACH IS, INFORM HIM/ HER THAT A SECURITY BREACH IS WHERE THE CONFIDENTIALITY OF PERSONAL INFORMATION HAS BEEN COMPROMISED IN ONE WAY OR ANOTHER (E.G. EMPLOYEE ERROR, UNAUTHORIZED ACCESS, HACKERS).

24. And thinking specifically about PIPEDA (PRONOUNCED PIP-EE-DAH), the federal government’s privacy law, how would you rate your company’s awareness of this legislation? Please use a scale from 1 to 7, where 1 is not at all aware, and 7 is extremely aware.

Section 5: Compliance, Breaches and Risk Assessment

25. How difficult has it been for your company to bring your personal information handling practices into compliance with Canada’s privacy laws? Please use a scale from 1 to 7, where 1 is extremely easy, 7 extremely difficult and 4 is neither easy nor difficult. T2010 MODIFIED
26. In your view, what is the biggest barrier or challenge in terms of complying with Canada's privacy laws? (DO NOT READ LIST. ACCEPT MULTIPLE RESPONSES)
    1. Don’t have a clear understanding of the legislation
    2. Staff/personnel time needed
    3. Cost of compliance (non-staff costs)
    • Other, Specify: _______________

    Sometimes, sensitive personal information that is held by a company about their customers is compromised. This can be due to a range of things, such as criminal activity, a flaw in the company’s security system, or employee error, such as misplacing a laptop or other device. T2010 MODIFIED

27. How concerned are you about a data breach, where the personal information of your customers is compromised? Please use a scale of 1 to 7, where 1 is not at all concerned, and 7 is extremely concerned. T2010 MODIFIED
28. Does your company have any guidelines in place in the event of a breach where the personal information of your customers is compromised? T2010
    1. Yes
    2. No
29. Has your company ever experienced a breach where the personal information of your customers was compromised? T2010 MODIFIED
    1. Yes
    2. No              SKIP NEXT SECTION

ASK THOSE WHO HAVE EXPERIENCED A BREACH:

30. What did your company do to address this situation? (DO NOT READ LIST. ACCEPT MULTIPLE RESPONSES) T2010
    1. Notified individuals who are affected
    2. Notified government agencies who oversee Canada`s privacy laws
    3. Notified law enforcement
    4. Followed proper procedure (general)
    5. Notified company's head office, HR, or privacy department
    6. Obtained legal counsel/took legal action
    7. Resolved issue with individuals responsible for the breach (e.g. termination/reprimand of employee)
    8. Obtained information from government (websites, 1-800 number)
    9. Issued training or re-training for staff
    10. Reviewed privacy policy or practices
    11. Implemented security system or enhanced security
    • Other (specify): ________________

ASK EVERYONE:

31. Does your company have any policies or procedures in place to assess privacy risks related to your business? This includes assessing privacy risks associated with the development or use of new products, services, or technologies.
    1. Yes
    2. No

Section 6: Third Parties

32. Does your company collect personal information from customers and send it to another company for processing, storage or other services? T2010 MODIFIED
    1. Yes
    2. No
33. Were you aware that when a company transfers personal customer information to a third party for processing, storage or other services, which can include the use of cloud computing, it remains accountable for that information?
    1. Yes
    2. No

ASK ONLY THOSE WHO USE THIRD PARTY (Q38) OR CLOUD COMPUTING (Q4):

34. Have you put in place a contract, or other means, to ensure there is appropriate protection for your company's personal customer information that is processed or stored by another company, including through cloud computing*? T2010 MODIFIED
    1. Yes
    2. No

    *ONLY INCLUDE "INCLUDING THROUGH CLOUD COMPUTING" FOR THOSE WHO CURRENTLY USE CLOUD COMPUTING.

Section 7: Cooperation with Law Enforcement and Government

35. Some companies are required to evaluate customer data for the purpose of identifying and reporting suspicious or unlawful activity to law enforcement or government security agencies. What about your company, would you say you do this...? (READ LIST. ACCEPT ONE RESPONSE)
    1. Routinely
    2. Sometimes
    3. Rarely
    4. Never

IF 'ROUTINELY, SOMETIMES, RARELY', ASK:

36. Is your company asked to report suspicious and unlawful activity to law enforcement or government security agencies more often today, than say five years ago?
    1. Yes
    2. No
    3. Were asked one time only (VOLUNTEERED)

Section 8: Communications

37. If you needed to obtain more information about your company’s responsibilities under Canada’s privacy laws, where would you go? (DO NOT READ LIST. ACCEPT ALL RESPONSES) T2010 MODIFIED
    1. Federal government
    2. Provincial government
    3. Company’s internal resources
    4. Legal counsel
    5. Industry association
    • Other, please specify: ___________
38. Would you be interested in information about your company’s responsibilities under Canada’s privacy laws in languages other than English or French?
    1. Yes
    2. No

IF 'YES', ASK:

39. What language would you want to receive this information in?
    • add list of top potential language and 'other/specify' option
40. Has your company ever sought clarification of its responsibilities under Canada’s privacy laws? T2010
    1. Yes
    2. No              SKIP NEXT SECTION

IF 'YES', ASK:

41. Where did you go to seek this clarification? (DO NOT READ LIST. ACCEPT MULTIPLE RESPONSES) T2010
    1. Internet (general)
    2. Government/Privacy Commissioner
    3. Lawyer
    4. Company/head office expert/internal resource for company
    5. Industry experts, consulting firms, or education sources
    6. Industry association
    • Other, Specify: ________________

Section 9: Education and Training

42. How useful would it be for your company to be able to get training on what companies need to do to comply with Canada’s privacy laws? Please use a scale of 1 to 7, where 1 is not at all useful, and 7 is extremely useful. T2010 MODIFIED

IF SCORES OF 4-7, ASK NEXT QUESTION:

43. And what do you think would be the most effective way to receive this training? (READ LIST. ACCEPT ALL THAT APPLY) T2010 MODIFIED
    1. In-person seminars in different cities
    2. Web-based seminars
    3. Providing self-help materials and tools, like information packages available online
    4. Other, Specify: ___________

Section 10: Office of the Privacy Commissioner of Canada

44. Were you aware that the Office of the Privacy Commissioner of Canada has information and tools available to companies to help them comply with their privacy obligations? T2010 MODIFIED
    1. Yes
    2. No              GO TO NEXT SECTION

IF YES, ASK:

45. Has your company ever used any of these resources? T2010 MODIFIED
    1. Yes
    2. No              GO TO NEXT SECTION

IF YES, ASK:

46. What resources of the Office of the Privacy Commissioner of Canada has your company used? (DO NOT READ LIST. ACCEPT MULTIPLE RESPONSES)
    1. OPC website
    2. OPC publications
    3. An OPC exhibit or presentation
    4. Called OPC Information Centre (for enquiries)
    • Other, Specify: ________________
47. How useful were the resources or information you received from the Office of the Privacy Commissioner of Canada in terms of helping your company meet its privacy obligations? Please use a scale of 1 to 7, where 1 is not at all useful, and 7 is extremely useful. T2010 MODIFIED

IF YES, ASK:

48. Why were the resources or information not very useful? (DO NOT READ LIST. ACCEPT MULTIPLE RESPONSES)
    1. Not enough detail
    2. Too difficult to understand
    3. Nothing new/already knew it
    4. Not in preferred format
    5. Not appropriate for business size
    6. Not appropriate for business sector
    • Other, Specify: ________________

Section 11: Corporate Profile

These last questions are for statistical purposes only, and all answers are confidential.

49. In what industry or sector do you operate? If your company is active in more than one sector, please identify the main sector. (DO NOT READ LIST. ACCEPT ONE RESPONSE)
    1. Accommodation and Food Services
    2. Administrative & Support, Waste Management and Remediation Services
    3. Agriculture, Forestry, Fishing and Hunting
    4. Arts, Entertainment and Recreation
    5. Construction
    6. Educational Services
    7. Finance and Insurance
    8. Health Care and Social Assistance
    9. Information and Cultural Industries
    10. Management of Companies and Enterprises
    11. Manufacturing
    12. Mining and Oil and Gas Extraction
    13. Other Services (except Public Administration)
    14. Professional, Scientific and Technical Services
    15. Public Administration
    16. Real Estate and Rental and Leasing
    17. Retail Trade
    18. Transportation and Warehousing
    19. Utilities
    20. Wholesale Trade
    • Other, Specify: ________________
50. What is your own position within the organization? (DO NOT READ LIST. ACCEPT ONE RESPONSE) T2010 MODIFIED
    1. Owner, President or CEO
    2. General Manager/Other Manager
    3. IT Manager
    4. Administration
    5. Vice President
    6. Privacy analyst/officer/coordinator
    7. Legal counsel/lawyer
    8. HR/Operations
    9. Other, Specify: _________
51. In which of the following categories would your company’s 2010 revenues fall? (READ LIST. ACCEPT ONE RESPONSE) T2010 MODIFIED
    1. Less than $100,000
    2. $100,000 to just under $250,000
    3. $250,000 to just under $500,000
    4. $500,000 to just under $1,000,000
    5. $1,000,000 to just under $5,000,000
    6. $5,000,000 to just under $10,000,000
    7. $10,000,000 to just under $20,000,000
    8. More than $20 million
52. Which of the following best describes your company? (READ LIST. ACCEPT ONE RESPONSE) T2010 MODIFIED
    1. It operates at this location alone
    2. There are other locations, but only in this province
    3. There are locations in other provinces, but only in Canada
    4. There are other locations, including outside of Canada

This concludes the survey.
Thank you for your time and feedback, it is much appreciated.