Public opinion survey

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Archived

This page has been archived on the Web.

Canadian Businesses and Privacy-Related Issues

Final Report

Prepared for the Office of the Privacy Commissioner of Canada

Phoenix SPI

December 2013

---

Executive Summary

Phoenix SPI was commissioned by the Office of the Privacy Commissioner of Canada (OPC) to conduct quantitative research with Canadian businesses on privacy-related issues. The purpose was to better understand the extent to which businesses are familiar with privacy issues and requirements, and the types of privacy policies and practices that they have in place. A 15-minute telephone survey was administered to 1,006 companies across Canada, stratified by size of business. The results were weighted by size, sector and region using Statistics Canada data to ensure that they reflect the actual distribution of businesses in Canada. Data collection was conducted November 7-27, 2013. Based on a sample of this size, the results can be considered accurate to within ±3.1%, 19 times out of 20. Results are compared to similar surveys conducted in 2007, 2010 and 2011. The 2013 survey includes modifications to the questionnaire to address the evolving privacy environment.

Collection and Storage of Personal Information

Surveyed business representatives work for a mix of different companies in terms of the type of customers served. In total, 36% of these companies sell directly to consumers (i.e., members of the general public or some subset of it). Almost as many (35%) sell both to the general public and to other businesses/organizations. Approximately one-quarter (26%) sell only to other businesses/organizations.

In terms of the types of customer information collected, virtually all of the surveyed companies (97%) collect contact information, such as names, phone numbers, and addresses. The large majority (83%) collect location information, such as postal codes. Other types of information mentioned with some frequency include opinions, evaluations, and comments (27%), financial information, such as invoices credit cards, or banking records (25%), purchasing habits (18%), and medical information (13%). In terms of diversity of information collected, most companies (65%) collect either two (39%) or three (26%) different categories of information mentioned above. A quarter (24%) collect more than that, while 11% collect less.

Approximately two-thirds (68%) of Canadian businesses use customers’ personal information to help provide service to those customers. Slightly less than one-third (31%) use it to build customer profiles. Also mentioned with some frequency are marketing (17%) and use for financial matters, such as accounting, billing and invoicing (14%).

Three methods are commonly used by Canadian businesses to store personal information about their customers, each identified by a clear majority of business representatives. These include paper records stored on site (62%), the use of on-site servers (58%), and the use of desktop computers (55%). No other methods came close. Nearly one-quarter (24%) use portable devices, such as laptops, USB sticks, or tablets, while smaller numbers use cloud computing (7%) or a third party (excluding cloud computing) (7%).

Personal Information Protection Practices

Business executives whose firms use portable devices, such as laptops, USB sticks, or tablets, to store their customers’ personal information were asked whether or not their company uses encryption to protect information stored in this way. In response, 36% said that they did, whereas 58% said they did not (6% were uncertain).

Canadian businesses use a number of methods to protect the personal information of their customers. More than three-quarters use technological tools, such as passwords, encryption, or firewalls (78%), or physical measures, such as locked filing cabinets, restricting access, or security alarms (78%). Almost two-thirds (65%) use organizational controls, such as policies and procedures. Of those that use technological tools to protect customer information, almost everyone (98%) uses passwords. As well, 82% use firewalls, while 48% use encryption. Of businesses that use passwords, 55% have controls in place to ensure that employees use hard-to-guess passwords. Also, most require their employees to change their passwords: 21% require this monthly, 17% quarterly, 10% every six months, 10% yearly, and 6% less than this (27% do not require employees to change their passwords).

Business representatives were asked whether they had in place a series of mechanisms related to privacy practices. Four of the six privacy-related practices are used by half or more of surveyed businesses. This includes having a designated privacy officer (58%), having internal policies for staff that address privacy obligations (51%), having procedures for dealing with customer complaints (51%), and having procedures for responding to customer requests related to their personal information (50%). Fewer than half (45%) have a privacy policy that explains to customers how they collect/use customer personal information, while one-third regularly provide privacy training and education to staff.

Privacy as Corporate Objective

Most executives said their company attributes significant importance to privacy protection. More than half (59%) offered the highest score available (on a 7-point scale), indicating their belief that protecting their customers’ personal information is an extremely important corporate objective. In total, 82% offered positive scores on the scale, indicating that this is an important objective. At the other end of the spectrum, only 7% indicated clearly that protecting customers’ personal information was not an important objective for their firm.

Widespread confidence was expressed by business representatives in their firm’s ability to fully protect the personal information they collect about their customers. More than two-thirds (69%) said they were very confident, while almost all of the rest (28%) expressed moderate confidence in this.

Awareness and Impact of Privacy Laws

Business executives were asked to rate their company’s awareness of its responsibilities under Canada’s privacy laws, using a 7-point scale (1 = not at all aware, 7 = extremely aware). Almost half (45%) think their firm is extremely aware of its responsibilities. In total, almost two-thirds (66%) offered positive scores above the mid-point on the scale, indicating a relatively high level of familiarity with their privacy responsibilities. At the other end of the spectrum, 20% offered scores below the mid-point of the scale, suggesting a relatively low level of awareness. Over time, companies’ awareness of their responsibilities under Canada’s privacy laws has been fairly stable since 2007 when tracking began.

Executives were also asked to rate their level of awareness of the Personal Information Protection and Electronics Document Act (PIPEDA), the federal private-sector privacy law, using the same 7-point scale. In this case, just over one-third (35%) were extremely aware of the legislation. In total, over half (57%) offered positive scores above the mid-point on the scale, once again indicating a relatively high level of familiarity with their responsibilities. However, 28% offered scores below the mid-point of the scale, suggesting that a significant portion of businesses still have a relatively low level of awareness of PIPEDA.

Compliance

Business executives were asked how difficult it has been for their company to bring their personal information handling practices into compliance with Canada’s privacy laws (using a 7-point scale: 1 = extremely easy, 7 = extremely difficult). The largest proportion (41%) were neutral, viewing this as neither easy nor difficult. Most of the rest (38%) rated compliance with Canada’s privacy laws as easy, while 13% felt that this was difficult for their company. Over time, the perceived difficulty of bringing personal information handling practices into compliance with Canada’s privacy laws has increased modestly, while the perception that it is very easy has decreased somewhat.

A lack of understanding of privacy legislation was identified most often (17%) as the most significant barrier or challenge in terms of complying with Canada’s privacy laws. Eight percent or less cited a number of other barriers: staff/personnel time needed (8%), cost of compliance (other than staff) (7%), making sure employees comply (6%), the need to keep their knowledge up to date (5%), and keeping the information secure (4%). Fully 39% did not offer a response.

Breaches

Surveyed executives were asked to rate their level of concern about a data breach, where the personal information of their customers is compromised (using a 7-point scale: 1 = not at all concerned; 7 = extremely concerned). Exactly half said they were not at all concerned about a data breach, while 24% said they were extremely concerned. In total, one-third offered scores above the mid-point of the scale, suggesting moderate concern about a data breach. Over time, Canadian businesses have become modestly less concerned about a data breach.

Executives were asked to identify what they think represents the greatest threat of a data breach occurring at their company. Heading the list were hacking (24%) and theft (19%). In addition, 11% identified employee error. A number of other potential threats were identified in small numbers (3% or less). Five percent of executives said they could think of no threats, while 25% did not provide a response.

Fifty eight percent of surveyed companies do not have guidelines in place in the event of a breach where the personal information of their customers is compromised and 5% were unsure. Conversely, 37% do have guidelines in place. The vast majority (95%) of businesses say they have never experienced a breach where the personal information of their customers was compromised. The proportion of companies who have guidelines in place to respond to a breach has increased modestly since 2011 (31%) and 2010 (34%)^{Footnote 1}. The number of companies (4%) who say they have actually experienced a data breach has remained virtually unchanged since 2011 and 2010 (3% each).

Representatives of companies that have experienced a breach were asked what steps their company took to address the situation. The most common response was notifying individuals who were affected (40%), followed by resolving the issue with the individual responsible for the breach (29%) and enhancing their security system (28%). As well, some companies issued training to their staff (18%), reviewed their privacy policy (18%), notified law enforcement (17%), notified the relevant government agencies (6%), took legal action (2%), obtained information from the government (1%), or notified relevant departments within the company (1%). Eight percent of companies pursued other means of addressing with the breach.

Corporate Innovation

When asked whether their companies have policies in place to assess privacy risks related to their business, two-thirds (67%) said they do not, while 5% were uncertain.

Only 13% of surveyed businesses send customer’s personal data to a third party for processing, storage or other services. Of this 13%, two-thirds (68%) claimed to be aware that when a company transfers personal information to a third party for processing, storage or other services, which can include the use of cloud computing, it remains accountable for that information. Conversely, 31% were not aware of this accountability.

In 2013, a larger proportion (13%) of companies used third parties for handling their customers’ personal information than in 2011 (9%), however the proportion is still less than in 2010 (18%).^{Footnote 2} The number of companies with contracts in place to ensure their customers’ information is protected by the third party has increased over time (59% vs. 54% in 2011 and 50% in 2010).

Business representatives were asked about their company’s policy on allowing employees to use their personal electronic devices, such as smartphones, tablets or laptops, for work purposes. Approximately one in five (21%) companies allow employees to use their own devices for work. Of this 21%, two in three (64%) have not developed formal, internal policies to manage security issues related to employees using their own devices.

At this time, the vast majority of companies (96%) do not collect customers’ personal information using apps on mobile devices, with only 3% of business representatives stating that their company does collect such data.

Disclosures to Law Enforcement

Only a small number of companies (4%) say they have received requests from law enforcement representatives without a warrant for personal information in the last 2-3 years. Of those who have received such requests, 3% received a request between one and five times, and 1% received six requests or more. Approximately half (48%) of the companies who received the requests provided the information each time it was requested, while 40% never provided the information, and 13% provided the personal information “some of the time.”

Seeking Clarification About Responsibilities Under the Law

Most business representatives (86%) said their company has never sought clarification of its responsibilities under privacy laws in Canada. Approximately one in 10 companies have sought clarification.

For companies that have sought clarification, the Internet (43%) was the main information source. Following this, 19% have gone to government agencies (federal, provincial, or general), 14% have sought the advice of a lawyer, 12% consulted industry experts, consulting firms or education source, 9% asked an industry association, 9% contacted the privacy commissioner, and 4% used their company’s internal resources.

The proportion of companies (11%) that sought clarification on their responsibilities under Canada’s privacy laws in 2013 is lower than in 2011 (13%), 2007 (22%) and 2010 (22%). Where executives go for clarification on privacy laws has changed substantially since tracking began in 2010. More executives (43%) now turn to the Internet for clarification than in 2011 (28%) and 2010 (18%); more also turn to industry experts, consulting firms and education sources (12% vs. 2% in 2010, but 16% in 2011).

Office of the Privacy Commissioner of Canada

Forty-one percent of surveyed executives said they were aware that the Office of the Privacy Commissioner of Canada has information and tools available to companies to help them comply with their privacy obligations.

Of executives who were aware of OPC resources, the majority (78%) report that they have never used them. Fewer than one in five (17%) report that they have used OPC resources, although 5% were uncertain. Among companies that have used OPC resources to comply with their privacy obligations, the OPC website (56%) was the main source of reference. As well, 23% used OPC policy guidance, 11% OPC publications, 4% an OPC exhibit or presentation, and 2% called the OPC Information Centre.

Executives were asked to rate the usefulness of privacy-related resources they received from the OPC (using a seven-point scale: 7 = extremely useful, 1 = not at all useful). Seventy-five percent rated their usefulness above the midpoint of the scale, with 35% stating that they were extremely useful. However, 21% reported their usefulness as neutral or lower. Five respondents offered low assessments of the usefulness of OPC resources (scores of 1-3) were asked why they found the resources or information not very useful. Reasons included that they already knew the information or that the information was not appropriate for their business size.

The perceived usefulness of OPC resources has increased since tracking began in 2010. Now, 75% feel OPC resources are useful (5 -7 on a 7-point scale), versus 72% in 2011 and 55% in 2010.

Privacy-Related Subgroup Differences

Firm size is the most apparent predictor of a company’s attitudes toward privacy and the number of mechanisms they currently have in place to protect privacy. Larger companies (with at least 100 employees) are more likely to practice a variety of methods of protecting customers’ information, to require employees to change their passwords routinely, to have designated representatives for privacy-related issues, and to have developed internal policies to address their privacy obligations. Larger companies are also more likely to place a higher amount of importance on protecting privacy, to have sought clarification of their responsibilities under privacy laws, and to have a higher awareness of PIPEDA. Companies with more employees are also more likely to seek clarification of their responsibilities under privacy laws.

When looking at the data by region, companies that are based in Quebec often provided responses that differed somewhat from businesses in the rest of Canada. For example, Quebec businesses are generally less likely to have procedures and mechanisms to protect personal information. Quebec-based businesses are also less likely to have appointed someone responsible for privacy issues and to have internal policies that address their privacy obligations. However, Quebec-based businesses are also least likely to collect customer information for providing services.

Introduction

Phoenix Strategic Perspectives Inc. (Phoenix) was commissioned by the Office of the Privacy Commissioner of Canada (OPC) to conduct quantitative research with Canadian businesses on privacy-related issues.

Background and Objectives

The OPC is an advocate for the privacy rights of Canadians with the powers to investigate complaints and conduct audits under two federal laws, publish information about personal information-handling practices in the public and private sectors, and conduct research into privacy issues. As part of this mandate, the OPC is responsible for overseeing compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to commercial activities in the Atlantic provinces, Ontario, Manitoba, Saskatchewan and the Territories. Quebec, Alberta and British Columbia each has its own law covering the private sector. Even in these provinces, PIPEDA continues to apply to the federally-regulated private sector and to personal information in interprovincial and international transactions.

Given the OPC’s mandate to protect and promote privacy rights, and ultimately to provide guidance to individuals and organizations on privacy issues, it needs to understand:

• The extent to which Canadian businesses are familiar with privacy issues and requirements.
• The type of privacy policies and practices these businesses have in place.
• Businesses’ understanding of Canada’s privacy laws and their privacy responsibilities.
• Businesses’ awareness of and responses to emerging privacy issues and practices.

The OPC seeks to understand these issues in the context of trends over time, through the tracking of key benchmarking questions. This research addresses these objectives and will be used to guide the OPC’s approach to fulfilling its mandate with respect to Canadian businesses.

Research Design

To meet the research objectives, a telephone survey was administered to 1,006 businesses across Canada.

The following specifications applied to the survey:

• The target respondent was a senior decision maker with responsibility and knowledge of their company’s privacy and security practices.
• A stratified random sampling approach was used for the data collection. The sampling frame was purchased from Dun & Bradstreet (D&B). A random sample frame was generated based on a sample-to-completion ratio of 10:1 for each of the three target business size quotas: small (1-19 employees); medium (20-99 employees; and large (100+ employees). The sample frame was generated in proportion to business population by region within each of the three business size groups.
• A detailed interviewer briefing note was prepared by Phoenix (and approved by the OPC) to brief interviewers and guide the data collection process.
• A telephone pre-test was conducted in English and French, with 10 interviews in each official language. Interviews were digitally recorded for review afterwards.
• Upon completion of the pre-test, Phoenix listened to the interviews and reviewed the resulting data. The data collected during the pre-test was not included in the final survey dataset because changes were made to the questionnaire as a result.
• Interviews averaged 15 minutes and were conducted in the respondent’s official language of choice.
• Calling was conducted at different times of the day and the week to maximize the opportunity to establish contact.
• Up to 10 call-backs were attempted to reach potential respondents before a sample record was retired.
• The sample was carefully monitored throughout the data collection period to ensure effective sample management to keep the study on target and maximize response rates.
• The survey was registered with Marketing Research and Intelligence Association’s (MRIA) national survey registration system.
• Sponsorship of the study was revealed (i.e. OPC).
• Data collection was conducted November 7-27, 2013.
• The following list presents information about the final call dispositions for this survey, as well as the associated response rate (using the MRIA formula)^{Footnote 3}:

Call Disposition

• Total Numbers Attempted: 10,709
• Out-of-scope - Invalid: 1,124
• Unresolved (U): 4,466
  • No answer/Answering machine: 4,466
• In-scope - Non-responding (IS): 1,623
  • Language barrier: 63
  • Incapable of completing (ill/deceased): 11
  • Callback (Respondent not available): 1,549
• Total Asked: 3,496
  • Refusal: 2,293
  • Termination: 50
• In-scope - Responding units (R): 1,153
  • Completed Interview: 1,006
  • NQ - Quota Full - Company Size: 114
  • NQ - Q1 (NOT FOR PROFIT/DK/REF): 33
• Response Rate: 15.9

All work performed adhered to or surpassed industry standards as determined by the MRIA, the industry association for survey research, as well as applicable federal legislation (PIPEDA). In addition, all work was performed in accordance with the Standards for the Conduct of Government of Canada Public Opinion Research – Telephone Surveys.

Analysis

Weights were applied to the final data to adjust for the sample design. Data was weighted to the national proportion of businesses to ensure representation by size, region and industry. Canadian statistics for the number of businesses by size, region and industry were obtained through the Business Register produced by Statistics Canada.

The weighting scheme was based on three variables: business size, region and industry. The Statistics Canada “Indeterminate” category of businesses was excluded from the business size distributions used to weight the survey data.

Three sets of weights were created for each of: 1) the overall results, 2) the regional results, and 3) the results by business size. The details are as follows:

• For the overall weight, results were first weighted by business size in each region. Three size breaks (1-9 employees, 20-99 employees and 100+ employees) and seven regions (British Columbia, Alberta, Saskatchewan, Manitoba, Ontario, Quebec, and the Atlantic provinces) were used. They were then weighted by industry on a national level using the North American Classification System (NAICS).
• For the regional results, a second weight was developed based on region (Newfoundland and Labrador, New Brunswick, Nova Scotia and Prince Edward Island, Quebec, Ontario, Manitoba, Saskatchewan, Alberta and British Columbia) and industry (again using the NAICS). As with the overall weight, the regional results were weighted at the national level only by industry.
• For the results by business size, a third weight was developed based on business size (1-9 employees, 20-99 employees and 100+ employees). As with the overall and regional weights, the results by business size were weighted at the national level only by industry using the NAICS.

Notes to Readers

• Reference is made to findings from similar surveys conducted for the OPC with Canadian businesses in 2007, 2010 and 2011. Since weighting procedures and, in some cases, question wording differs among the surveys, comparisons over time should be interpreted with caution.
• All results in the report are expressed as a percentage, unless otherwise noted.
• Throughout the report, percentages may not always add to 100 due to rounding.
• Demographic and other subgroup differences are identified in the report. The text describing these differences throughout the report is put in a box and titled as: "Subgroup Variations" for easy identification. Only subgroup differences that are statistically significant at the 95% confidence level or are part of pattern or trend are reported. The table on the next page details how characteristics have been grouped for the analysis.
• Appended to the report are copies of the questionnaire in English and French.

Table 1: Subgroup Categories

Demographic Categories

Core Industries^{Footnote 4}:

• Accommodation and Food Services
• Administrative & Support, Waste Management and Remediation Services
• Arts, Entertainment and Recreation
• Educational Services
• Finance and Insurance*
• Health Care and Social Assistance
• Information and Cultural Industries
• Professional, Scientific, Technical Services
• Public Administration
• Real Estate and Rental and Leasing
• Retail Trade
• Transportation and Warehousing
• Utilities

Non-Core Industries:

• Agriculture, Forestry, Fishing and Hunting
• Construction
• Management of Companies, Enterprises
• Manufacturing
• Mining and Oil and Gas Extraction
• Other Services (except Public Admin.)
• Wholesale Trade
• Other

Revenues

• Less than $1,000,000
• $1,000,000 to just under $10,000,000
• $10,000,000 to just under $20,000,000
• More than $20 million

Region:

• Quebec
• Atlantic Canada
• Alberta
• British Columbia (and the Yukon)
• Greater Toronto Area (GTA)
• Ontario (including GTA)
• The Prairies (SK,MB) and NT, NU

Company Business Model

• Sells directly to consumers
• Sells directly to other businesses/organizations
• Sells directly to both consumers and other businesses/organizations

Company Location:

• Operates at this location only
• Other locations, but only in province
• Locations in other provinces, but only in Canada
• Other locations, including outside Canada

Business size:

• Self-employed (1 employee)
• 2-19 employees
• 20-99
• 100 or more employees

Attitudinal Categories

Perceived Importance of Protecting Privacy

• Unimportant (1-3)
• Neither (4)
• Important (5-7)

Awareness of Privacy Obligations

• Unaware (1-3)
• Neither (4)
• Aware (5-7)

Perceived Difficulty of Compliance:

• Easy (1-3)
• Neither (4)
• Difficult (5-7)

Concern Over Data Breach

• Unconcerned (1-3)
• Neither (4)
• Concerned (5-7)

Collection and Storage of Personal Information

This section identifies privacy-related practices adopted by businesses to protect customers’ personal information. This includes the type of customers a business has, the type of information collected, how it is used, and the procedures and policies in place to protect this information.

Different Company Types in Terms of Customers Served

Surveyed business representatives work for a mix of different companies in terms of the type of customers served. In total, 36% of these companies sell directly to consumers (i.e., members of the general public or some subset of it). Almost as many (35%) sell both to the general public and to other businesses/organizations. Approximately one-quarter (26%) sell only to other businesses/organizations, while 2% provide services that do not fall into any of these categories.

Text version

Figure 1: Company Type

Q: Which of the following best describes your company?

Type of Company	%
Sells directly to consumers	36%
Sells directly both to consumers and other businesses/organizations	35%
Sells directly to other businesses/organizations	26%
Other	2%

Base: n = 1006; All respondents
Don’t know/No Response= <1%

Contact, Location Information—Types of Information Widely Collected

In terms of the types of information collected about customers, virtually all of the surveyed companies (97%) collect contact information, such as names, phone numbers, and addresses. The large majority (83%) collect location information, such as postal codes. Other types of information mentioned with some frequency include opinions, evaluations, and comments (27%), financial information, such as invoices, credit cards, or banking records (25%), purchasing habits (18%), and medical information (13%). Two percent said they collect customer email addresses (undoubtedly others do also, but that is included in the ‘contact information’ category).

Information included in the ‘other’ category are birthdays, credit information, a Social Insurance Number, and a Driver’s License number. In total, 1% said they do not collect any of these types of customer information.

Text version

Figure 2: Types of Information Collected

Q: Which of the following types of information does your company collect about your customers?

Types of Information Collected	%
Contact information, such as names, phone numbers, and addresses	97%
Location information, such as postal codes	83%
Opinions, evaluations, and comments	27%
Financial	25%
Purchasing habits	18%
Medical information	13%
Email address	2%
Birthday	1%
Credit Information	1%
Social Insurance Number	1%
Driver's License	0%
Other information	4%
None of the above	1%

Base: n = 1006; All respondents

Multiple responses accepted; Don’t know/No Response= <1%

In terms of diversity of information collected, most companies (65%) collect either two (39%) or three (26%) different categories of information mentioned above. Nearly a quarter (24%) collect more than that, while 11% collect less.

Providing Service—Most Common Use of Customer Information

Approximately two-thirds (68%) of Canadian businesses use customers’ personal information to help provide service to those customers. Slightly less than one-third (31%) use it to build customer profiles. Other uses mentioned with some frequency are marketing (17%) and use for financial matters, such as accounting, billing and invoicing (14%). Only 3% identified using customer information for communications or contact purposes.

Text version

Figure 3: Company Use of Customer Information

Q: What does your business do with the personal information that it collects about your customers?

Company Use	%
Providing service	68%
Building customer profiles to personalize service	31%
Marketing	17%
For accounting/ billing/ invoicing purposes	14%
For communication/contact purposes	3%
Some other purpose	5%

Base: n = 1006; All respondents

Multiple responses accepted; Don’t know/No Response= 8%

Variety of Methods Used to Store Personal Information

Three methods are commonly used by Canadian businesses to store personal information about their customers, each identified by a clear majority of business representatives. These include paper records stored on site (62%), the use of on-site servers (58%), and the use of desktop computers (55%). No other methods came close.

Nearly one quarter (24%) use portable devices, such as laptops, USB sticks, or tablets, while smaller numbers use cloud computing (7%) and a third party (excluding cloud computing) (7%).

Just over two-thirds (68%) of Canadian businesses use more than one method of storing the personal information they collect on their customers. Equal proportions (32%) of businesses use either one or two methods of storing customers’ information. Slightly more than one-third (36%) use three methods or more.

Text version

Figure 4: Methods of Storing Personal Information

Q: In which of the following ways does your company store personal information on your customers?

Methods of Storing	%
Stored on-site on paper	62%
Stored on-site on servers	58%
Stored on desktop computers	55%
Stored on portable devices, such as laptops, USB sticks, or tablets	24%
Stored through a third party, not including cloud computing	7%
Stored electronically through cloud computing	7%
Stored by video and audio recordings	1%
Stored in some other way	1%

Base: n = 1006; All respondents

Don’t know/No Response= 3%

Personal Information Protection Practices

Minority Use Encryption on Portable Devices

Business executives whose firms use portable devices, such as laptops, USB sticks, or tablets, to store their customers’ personal information were asked whether or not their company uses encryption to protect information stored in this way. In response, 36% said that they did, whereas 58% said they did not. Six percent were uncertain.

Text version

Figure 5: Use of Encryption on Portable Devices

Q: Does your company use encryption to protect the personal information you store on portable devices, such as laptops, USB sticks, or tablets?

Use of Encryption	%
Yes	36%
No	58%
Not sure	6%

Base: n = 224; those who use portable devices

Due to rounding, numbers may not sum to 100%

Compared to 2011, the number of businesses that store personal information on portable devices is virtually unchanged but the reported use of encryption on portable devices has decreased slightly: 36% vs. 44% in 2011.

Technological Tools, Physical Measures—Main Ways of Protecting Customer Information

Canadian businesses use a number of methods to protect the personal information of their customers. More that three-quarters use technological tools, such as passwords, encryption, or firewalls (78%), or physical measures, such as locked filing cabinets, restricting access, or security alarms (78%). Almost two-thirds (65%) use organizational controls, such as policies and procedures.

Seven percent said they take no measures.

Looked at somewhat differently, 77% of Canadian businesses use more than one method to protect the personal information of their customers. Conversely, 23% use only one.

Text version

Figure 6: Methods Used to Protect Customer Information

Q: What steps do you take to protect the personal information on your customers?

Methods	%
Technological tools, such as passwords, encryption, or firewalls.	78%
Physical measures, such as locked filing cabinets, restricting access, or security alarms.	78%
Organizational controls, such as policies and procedures.	65%
No measures taken	7%

Base: n = 1006; All respondents

Multiple responses accepted; Don’t know/No Response= 1%

Passwords, Firewalls—Most Common Tools Used to Protect Information

Of those that reported using technological tools to protect customer information, almost everyone (98%) uses passwords. As well, 82% use firewalls, while 48% use encryption.

Text version

Figure 7: Technological Tools Used

Q: What technological tools do you use?

Technological Tools	%
Passwords	98%
Firewalls	82%
Encryption	48%
Other	2%

Base: n = 852; those who use technological tools

Multiple responses accepted; Don’t know/No Response= 1%

Compared to 2011, use of these tools has increased slightly: passwords (98% vs. 96% in 2011), firewalls ( 82% vs. 79% in 2011), and encryption (48% vs. 43% in 2011).

Of businesses that use passwords, 55% have controls in place to ensure that employees use hard-to-guess passwords (6% were uncertain). Also, most require their employees to change their passwords: 21% require this monthly, 17% quarterly, 10% every six months, 10% yearly, and 6% less frequently than yearly. Just over one-quarter (27%) do not require their employees to change their passwords. These findings are virtually unchanged since the 2011 survey.

Text version

Figure 8: Controls to Ensure Hard-to-Guess Passwords

Q: Do you have any controls in place to ensure that employees use hard-to-guess passwords?

Controls	%
Yes	55%
No	39%
Don’t know	6%

Base: n = 837; those who use passwords

Text version

Figure 9: Frequency of Mandatory Password Updating

Q: How often do you require employees to change their passwords?

Frequency	%
Monthly	21%
Quarterly	17%
Every six months	10%
Once a year	10%
Less than this	6%
Do not require employees to change passwords	27%

Base: n = 837; those who use passwords

Don’t know/No Response= 8%

Mixed Experience in Terms of Privacy Practices in Place

Business representatives were asked whether they had in place a series of mechanisms related to privacy practices. These mechanisms included:

• Having designated someone in their company to be responsible for privacy issues and personal information that the company holds
• Having documented internal policies for staff that address their privacy obligations under the law
• Having staff regularly receive privacy training and education
• Having procedures in place for responding to customer requests for access to their personal information
• Having procedures in place for dealing with complaints from customers who feel that their information has been handled improperly
• Having a privacy policy that explains to customers how they will collect and use customer personal information.

Four of these privacy-related practices are used by half or more of surveyed businesses. This includes having a designated privacy officer (58%), having internal policies for staff that address privacy obligations (51%), having procedures for dealing with customer complaints (51%), and having procedures for responding to customer requests related to their personal information (50%).

Fewer than half (45%) have a privacy policy that explains to customers how they will collect and use customer personal information, while one-third (34%) regularly provide privacy training and education to staff.

Text version

Figure 10: Company Privacy Practices

Question on privacy practices	% saying yes
Have designated privacy officer	58%
Developed staff policies re: privacy	51%
Have procedures for dealing with privacy complaints	51%
Have procedures for customer requests for personal information	50%
Have privacy policy	45%
Provide staff training re: privacy	33%

Base: n = 1006; All respondents

Approximately two in three (70%) firms have adopted more than one of these mechanisms. Two in five (40%) have adopted four mechanisms or more, 14% of firms employ only one mechanism, and 16% have not adopted any.

Number of mechanisms adopted	Percentage of firms	Percentage of firms with at least this many mechanisms adopted
None	16%	n/a
1	14%	84%
2	14%	70%
3	15%	55%
4	14%	40%
5	11%	26%
6	15%	15%

Privacy as Corporate Objective

This section explores perceptions of privacy as a corporate objective, and confidence in their firm’s ability to protect customers’ personal information.

Most Attribute Significant Importance to Protecting Privacy

Most business executives said their company attributes significant importance to privacy protection. More than half (59%) offered the highest score available (on a 7-point scale), indicating their belief that protecting their customers’ personal information is an extremely important corporate objective. In total, 82% offered positive scores on the scale, indicating that this is an important objective. At the other end of the spectrum, 7% indicated clearly that protecting customers’ personal information was not an important objective at all for their company.

Text version

Figure 11: Perceived Importance of Protecting Privacy

Q: What importance does your company attribute to protecting privacy?

Importance	%
Extremely important (7)	59%
6	11%
5	12%
4	5%
3	3%
2	2%
Not important at all (1)	7%

Base: n = 1006; All respondents

Don’t know/No Response= 1%

Widespread Confidence in Firm’s Ability to Protect Information

There was widespread confidence expressed by business representatives in their firms’ ability to fully protect the personal information they collect about customers. More than two-thirds (69%) said they were very confident, while almost all of the rest (28%) expressed moderate confidence in this.

Text version

Figure 12: Confidence in Firm’s Ability to Protect Information

Q: How confident are you that your company knows how to fully protect the personal information you collect?

Confidence	%
very confident	69%
moderately confident	28%
not very confident	1%
not confident at all	1%

Base: n = 1006; All respondents

Don’t know/No Response= 1%

Awareness and Impact of Privacy Laws

This section explores executives’ awareness of privacy laws in Canada. Questions in this section were prefaced with the following description of Canada’s privacy laws:

The federal government’s privacy law, the Personal Information and Protection and Electronic Documents Act or PIPEDA, sets out rules that govern how businesses engaged in commercial activities should protect personal information. In Alberta, BC and Quebec, the private sector is governed by provincial laws, which are considered to be similar to the federal law.

Increasing Awareness of Company’s Responsibilities Under Canada’s Privacy Laws

Business executives were asked to rate their company’s awareness of its responsibilities under Canada’s privacy laws, using a 7-point scale (1 = not at all aware, 7 = extremely aware). Almost half (45%) think their firm is extremely aware of its responsibilities, while an additional 22% claimed some level of awareness (score of 5). In total, two-thirds (67%) offered positive scores above the mid-point on the scale, indicating a relatively high level of familiarity with their privacy responsibilities.

Text version

Figure 13: Awareness of Responsibilities Under Privacy Laws

Q: How would you rate your company’s awareness of its responsibilities under Canada’s privacy laws?

Awareness	%
Extremely aware (6 or 7)	45%
5	22%
4	12%
3	8%
Not at all aware (1 or 2)	12%

Base: n = 1006; All respondents

Don’t know/No Response= 1%

At the other end of the spectrum, 20% offered scores below the mid-point of the scale, suggesting a relatively low level of awareness.

Over time, companies’ awareness of their responsibilities under Canada’s privacy laws has been fairly stable. The proportion of companies with a high awareness of their privacy responsibilities has decreased only slightly, from 49% in 2007 to 45% in 2013. The percentage of companies with moderate awareness has remained unchanged at 42%, with just a single increase to 47% in 2011. In total, 12% express a low awareness of Canada’s privacy laws, down from 19% in 2011, and up from 8% in 2007 when tracking began.

Text version

Figure 14: Awareness of Responsibilities Under Privacy Laws (Over Time)

Q: How would you rate your company’s awareness of its responsibilities under Canada’s privacy laws?

Awareness	2007	2010	2011	2013
High awareness (6-7)	49%	47%	41%	45%
Moderate awareness (3-5)	42%	42%	47%	42%
Low awareness (1-2)	8%	10%	19%	12%

Base: All respondents

More Limited Awareness of PIPEDA

Executives were also asked to rate their level of awareness of PIPEDA using the same 7-point scale. In this case, just over one-third (35%) were extremely aware of the legislation, while 22% expressed some awareness (score of 5). In total, therefore, over half (57%) offered positive scores above the mid-point on the scale, once again indicating a relatively high level of familiarity with their responsibilities.

Text version

Figure 15: Awareness of PIPEDA

Q: And thinking specifically about PIPEDA, the federal government’s privacy law, how would you rate your company’s awareness of this legislation?

Awareness	%
Extremely aware (6 or 7)	35%
5	22%
4	13%
3	9%
Not at all aware (1 or 2)	19%

Base: n = 1006; All respondents

Don’t know/No Response= 2%

However, 28% offered scores below the mid-point of the scale, suggesting a relatively low level of awareness. Awareness of PIPEDA specifically is therefore slightly lower than awareness of responsibilities under Canada’s privacy laws more generally.

Businesses’ awareness of PIPEDA increased modestly, from 27% in 2011 to 35% in 2013. Accordingly, the number of executives reporting that their company is unaware of this legislation decreased slightly (from 24% in 2011 to 19% in 2013).

Text version

Figure 16: Awareness of PIPEDA (Over Time)

Q: And thinking specifically about PIPEDA, the federal government’s privacy law, how would you rate your company’s awareness of this legislation?

Awareness	2011	2013
Aware	27%	35%
Neither aware nor unaware	46%	44%
Unaware	24%	19%

Base: All respondents

Compliance

This section explores perceptions related to the difficulty of complying with Canada’s privacy laws, including barriers to compliance.

Privacy Compliance Seen as Neither Easy nor Difficult

Business executives were asked how difficult it has been for their company to bring their personal information handling practices into compliance with Canada’s privacy laws (using a 7-point scale: 1 = extremely easy, 7 = extremely difficult). The largest proportion (41%) were neutral, viewing this as neither easy nor difficult. Most of the rest (38%) rated compliance with Canada’s privacy laws as easy, while 13% felt that this was difficult for their company.

Text version

Figure 17: Perceived Difficulty of Compliance

Q: How difficult has it been for your company to bring your personal information handling practices into compliance with Canada’s privacy laws?

Perceived Difficulty	%
Extremely easy (1 or 2)	31%
3	7%
Neither easy nor difficult (4)	41%
5	8%
Extremely difficult (6 or 7)	6%

Base: n = 1006; All respondents

Don’t know/No Response= 7%

Over time, the perceived difficulty of bringing personal information handling practices into compliance with Canada’s privacy laws has increased modestly, while the perception that it is very easy has decreased. In total, 38% of business representatives currently think it is easy to comply with privacy laws—down from a high of 47% in 2010, but up slightly from 34% in 2011.

Text version

Figure 18: Perceived Difficulty of Compliance (Over Time)

Q: How difficult has it been for your company to bring your personal information handling practices into compliance with Canada’s privacy laws?

Perceived Difficulty	2007	2010	2011	2013
Easy (1-3)	42%	47%	34%	38%
Neither (4)	45%	42%	49%	41%
Difficult (5-7)	8%	5%	10%	14%

Base: All respondents

Lack of Understanding of Legislation—Top Barrier to Compliance

A lack of understanding of privacy legislation was identified most often (17%) as the most significant barrier or challenge in terms of complying with Canada’s privacy laws. Eight percent or less cited a number of other barriers: staff/personnel time needed (8%), cost of compliance (other than staff) (7%), making sure employees comply (6%), the need to keep their knowledge up to date (5%), and keeping the information secure (4%).

Text version

Figure 19: Barriers to Compliance

Q: In your view, what is the biggest barrier or challenge in terms of complying with Canada’s privacy laws?

Barriers	%
Don't have a clear understanding of the legislation	17%
Staff/personnel time needed	8%
Cost of compliance (non-staff costs)	7%
Making sure/ enforcing employees to comply	6%
Knowledge/keeping up to date	5%
Keeping the information secure	4%
Awareness/information provided (general)	3%
Storing the information (general)	1%
Other	3%
Nothing/no barrier	15%

Base: n = 1006; All respondents

Don’t know/No Response= 39%

Examples included in the ‘other’ category, each cited by 2% or less were: keeping up to date with the law; too much paperwork/bureaucracy; barriers to accessing information; difficulties with consistently implementing policy; customer awareness; and the volume of information to protect. Fully 39% did not offer a response to this question.

Breaches

This section explores issues related to data breaches.

Polarized Levels of Concern Over Data Breaches

Surveyed executives were asked to rate their level of concern about a data breach, where the personal information of their customers is compromised. They were asked to use a 7-point scale (1 = not at all concerned; 7 = extremely concerned). Exactly half (50%) said they were not at all concerned about a data breach, while 24% said they were extremely concerned. In total, exactly one-third offered scores above the mid-point of the scale, suggesting moderate concern about a data breach.

Text version

Figure 20: Concern About a Data Breaches

Q: How concerned are you about a data breach, where the personal information of your customers is compromised?

Concern	%
Not at all concerned (1 or 2)	50 %
3	8 %
4	7 %
5	8 %
Extremely concerned (6 or 7)	24 %

Base: n = 1006; All respondents

Don’t know/No Response= 2%

Before being asked this question, executives were provided with the following information:

Sometimes, sensitive personal information that is held by a company about their customers is compromised. This can be due to a range of things, such as criminal activity, theft, hacking, or employee error, such as misplacing a laptop or other device.

Over time, Canadian businesses have become somewhat less concerned about a data breach. Compared with 2011, the 2013 survey indicates a decrease in the proportion of businesses that are very concerned over such a breach (33% vs. 40%), as well as those who are moderately concerned (7% vs. 9%). As a result, those with little or no concerns have increased to 59% from 49% in 2011 and 42% in 2010.

Text version

Figure 21: Concern About a Data Breach (Over Time)

Q: How concerned are you about a data breach, where the personal information of your customers is compromised?

Concern	2010	2011	2013
Very concerned (5-7)	35%	40%	33%
Somewhat Concerned (4)	21%	9%	7%
Less or Not Concerned (1-3)	42%	49%	59%

Base: All respondents

Top Threats Leading to Breach: Hacking, Theft and Employee Error

Surveyed executives were asked to think about the possibility of a data breach occurring at their company, where personal information is potentially compromised, and to identify what they think represents the greatest threat of this happening. Heading the list were hacking (24%) and theft (19%). In addition, 11% identified employee error. A number of other potential threats were identified by small numbers (3% or less).

Text version

Figure 22: Perceived Sources of Data Breaches

Q: When you think about the possibility of a data breach occurring at your company, where personal information is potentially compromised, what do you think represents the greatest threat of this happening?

Perceived Sources	%
Hacking	24%
Theft	19%
Employee error	11%
Internal breach (e.g. disgruntled employee)	3%
Loss	2%
Break-ins/physical vandalism	2%
Human error/negligence	2%
External breach (e.g. third party)	2%
Use of mobile devices	1%
Server breach (unspecified)	1%
Firewall failure/computer virus	1%
Other	1%
Nothing/no threat	5%

Base: n = 1006; All respondents; Multiple responses accepted

Don’t know/No Response= 25%

Five percent of surveyed executives indicated that they could think of no threats, while 25% did not provide a response.

More Than Half Do Not Have Guidelines for Responding to Breach

Fifty eight percent of surveyed companies do not have guidelines in place in the event of a breach where the personal information of their customers is compromised and 5% were unsure. Conversely, 37% do have guidelines in place.

Text version

Figure 23: Guidelines for Responding to a Breach

Q: Does your company have any protocols or procedures in place that would be followed in the event of a breach where the personal information of customers is compromised?

Protocols or procedures	%
Yes	37%
No	58%
Don’t know/No Response	5%

Base: n = 1006; All respondents

Relatively Few Say They Have Ever Experienced a Breach

The vast majority (95%) of businesses say they have never experienced a breach where the personal information of their customers was compromised. Conversely, only 4% have (1% were unsure).

Text version

Figure 24: Breach Experience

Q: Has your company ever experienced a breach where the personal information was compromised?

Breach Experience	%
Yes	4%
No	95%
Don’t know/No Response	1%

Base: n = 1006; All respondents

The proportion of companies who have guidelines in place to respond to a breach has increased modestly since 2011 (31%) and 2010 (34%)^{Footnote 6}. The number of companies (4%) who have actually experienced a data breach has remained virtually unchanged since 2011 and 2010 (3% each).

Text version

Figure 25: Guidelines for Responding to Breach and Breach Experience (Over Time)

Q: Does your company have any guidelines in place in the event of a breach where the personal information of your customers is compromised?

Year	%
2010	34%
2011	31%
2013	37%

Base: All respondents

Q: Has your company ever experienced a breach where the personal information was compromised?

Year	%
2010	3%
2011	3%
2013	4%

Base: All respondents

In total, fifty-two respondents said their company had experienced a breach. The most common steps taken by these companies to address the situation was notifying individuals who were affected, followed by resolving the issue with the individual responsible for the breach and enhancing their security system. Others said they provided training to their staff, reviewed their privacy policy, notified law enforcement, notified the relevant government agencies, took legal action, obtained information from the government, or notified relevant departments within the company. Eight percent of companies pursued other means of addressing the breach.

Corporate Innovation

This section addresses companies’ use of third parties for processing, storage, and other services with relation to customers’ personal information.

Policies in Place to Assess Privacy Risks

When asked whether their companies have policies in place to assess privacy risks related to their business, approximately two-thirds (67%) said that they do not, while 5% were uncertain.

Text version

Figure 26: Policies in Place to Assess Privacy Risks

Q: Does your company have any policies or procedures in place to assess privacy risks related to your business? This includes assessing privacy risks associated with the development or use of new products, services, or technologies.

Policies or procedures	%
Yes	28%
No	67%
Don’t know/No Response	5%

Base: n = 1006; All respondents

Use of Third Parties to Manage Personal Information

Only 13% of surveyed businesses send customer’s personal data to a third party for processing, storage or other services. Of this 13%, 59% claimed to be aware that when a company transfers personal information to a third party for processing, storage or other services, which can include the use of cloud computing, that a company remains accountable for that information. Conversely, 36% were not aware of this accountability.

Text version

Figure 27: Use of Third Party for Handling of Personal Information

Q: Does your company collect personal information from customers and send it to another company for processing, storage or other services, which can include the use of cloud computing?

Use of Third Party	%
Yes	13%
No	86%
Don’t know/No Response	1%

Base: n = 1006; All respondents

Q: Have you put in place a contract, or other means, to ensure there is appropriate protection for your company’s personal customer information that is processed or stored by another company, including through cloud computing?

Appropriate protection	%
Yes	59%
No	36%
Don’t know/No Response	5%

Base: n = 1006; All respondents Base: n = 152; Those who use third parties

In 2013, a larger proportion (13%) of companies used third parties than in 2011 (9%). However, this is still down from 2010 when 18% of respondents said a third party is responsible for handling personal information.^{Footnote 8}

Text version

Figure 28: Use of Third Party for Handling of Personal Information (Over Time)

2010: Does your company collect personal information from clients and send it to another company within Canada for processing?

In 2010, 1% said they sent personal information to another company outside Canada for processing.

2011 & 2013: Does your company collect personal information from customers and send it to another company for processing, storage or other services?

Year	%
2010	18%
2011	9%
2013	13%

Base: All respondents

The number of companies with contracts in place to ensure customers’ information is protected by the third party has steadily increased since 2010.

Text version

Figure 29: Use of Third Party Contract (Over Time)

2010: Have you put in pace a contract, or other means, to ensure there is a comparable level of protection while the information is being processed by this other company?

2011 & 2013: Have you put in place a contract, or other means, to ensure there is appropriate protection for your company’s personal customer information that is processed or stored by another company, including through cloud computing?

Year	%
2010	50%
2011	54%
2013	59%

Base: Those who use third parties

Use of Non-Company-Issued Electronic Devices

Business representatives were asked about their company’s policy on allowing employees to use their personal electronic devices, such as smartphones, tablets or laptops, for work purposes. Approximately one in five (21%) companies allow this. Of the 21% (or 251 respondents), two in three (64%) have not developed formal, internal policies to manage security issues related to employees using their own devices for work. Two percent of respondents were unsure of their company’s policy.

Text version

Figure 30: Use of Non-Company-Issued Electronic Devices

Q: Does your company allow employees to use non-company-issued electronic devices such as smartphones, tablets, PCs, or other electronic devices, for work purposes?

Use of Non‐Company‐Issued Electronic Devices	%
Yes	21%
No	78%
Don’t know/No Response	1%

Base: n = 1006; All respondents

Q: Has your company developed a formal, internal policy to manage security issues related to this practice?

Formal, internal policy	%
Yes	35%
No	64%
Don’t know/No Response	2%

Base: n = 251; Those allowing non-company devices

Larger companies were more likely to have developed a formal, internal policy to manage security issues related to this practice (62% with at least 100 employees vs. 42% or fewer of smaller companies).

Collection of Customer information on Mobile Devices

The vast majority of companies (96%) do not collect customers’ personal information using apps on mobile devices, with only 3% of business representatives stating that their company does collect such data.

Text version

Figure 31: Collection of Personal Information on Mobile Devices

Q: Does your company collect personal information from customers using any type of ’apps’ for a mobile device?

Collection of Personal Information	%
Yes	3%
No	97%
Don’t know/No Response	1%

Base: n = 1006; All respondents

Among the thirty-four firms that collect information on mobile devices, the majority collect contact information, such as names, phone numbers, and addresses. Smaller numbers collect location information, record customers’ opinions, evaluations, and comments, as well as collect financial information, data on customers’ purchasing habits, or some other form of personal information.

The two most common ways that these companies inform customers that their data will be collected are through the company’s general privacy policy and a privacy policy that is specific to the ‘app’. Approximately two in five representatives of companies that record customer data do not know how their company informs customers.

Disclosures to Law Enforcement

This section addresses issues relating to the extent of companies’ cooperation with law enforcement in accordance with privacy laws.

Warrant-less Requests for Personal Information

Very few companies (4%) say they have received requests from law enforcement representatives without a warrant for personal information in the last 2–3 years.

Text version

Figure 32: Information Requests from Law Enforcement

Q: In the last 2-3 years, how often have law enforcement authorities sought personal information from your company without a warrant?

Information Requests	%
Never	94%
One time or more	4%

Base: n = 1006; All respondents

Don’t know/No Response= 2%

Among the sixty-two companies^{Footnote 10} that received such requests, approximately half (48%) provided the information each time it was requested. Relatively few (13%) did so some of the time. Conversely, exactly four in ten said they never provided the requested information.

Seeking Clarification About Responsibilities Under the Law

This section presents participant feedback on the sources and channels their companies use to gather information relating to privacy issues.

Internet—Top Potential Source of Information on Privacy Laws

A majority of business representatives surveyed (86%) indicated that their company has never sought clarification of its responsibilities under privacy laws in Canada. Approximately one in ten companies have sought clarification (11%), and four percent of employees surveyed were uncertain.

The proportion of companies (11%) that sought clarification on their responsibilities under Canada’s privacy laws in 2013 is lower than in 2011 (13%), 2007 (22%), and 2010 (22%).

Text version

Figure 33: Seeking Clarification of Privacy Responsibilities (Over Time)

Q: Has your company ever sought clarification of its responsibilities under Canada’s privacy laws?

Year	%
2007	22%
2010	22%
2011	13%
2013	11%

Base: All respondents

In total, 141 companies have sought clarification of their privacy responsibilities. The Internet, mentioned by 43% of these firms, was the main information source. Following this, 19% have gone to government agencies (federal, provincial, or general), 14% have sought the advice of a lawyer, 12% consulted industry experts, consulting firms or education sources, 9% asked an industry association, 9% contacted the privacy commissioner, and 4% used their company’s internal resources.

Text version

Figure 34: Seeking Clarification of Privacy Responsibilities

Q: Where did you go to seek this clarification?

Seeking Clarification	%
Other	10%
Internal resources	4%
Privacy Commisioner	9%
Industry association	9%
Industry experts, consulting firms, education sources	12%
Lawyer	14%
Government	19%
Internet	43%

Base: Those who have sought clarification on their privacy responsibilities

One in ten (10%) business representatives sought clarification from some other source, and 7% were unsure of where they went for clarification.

Where executives go for clarification on privacy laws has changed substantially since tracking began in 2010.

Text version

Figure 35: Seeking Clarification of Privacy Responsibilities (Over Time)

Q: Where did you go to seek this clarification?

Seeking Clarification	2010	2011	2013
Government/Privacy Commissioner	34%	12%	28%
Lawyer	36%	12%	14%
Industry association	4%	13%	9%
Internal resources	6%	15%	4%
Industry experts, consulting firms, education sources	2%	16%	12%
Internet (general)	18%	28%	43%

Base: Those who have sought clarification on their privacy responsibilities

Office of the Privacy Commissioner of Canada

This section explores levels of awareness of resources available through the Office of the Privacy Commissioner (OPC), as well as use of such resources and assessments of them.

Strong Minority Aware of OPC Resources, Most Have Not Used Resources

Forty-one percent of surveyed executives said they were aware that the OPC has information and tools available to companies to help them comply with their privacy obligations.

However, among executives who are aware of OPC resources, the majority (78%) have never used them. Close to one in five (17%) have used OPC resources and five percent of respondents were uncertain as to whether their company has used them.

Text version

Figure 36: Awareness and Use of OPC Resources

Q: Are you aware that the Office of the Privacy Commissioner of Canada has information and tools available to companies to help them comply with their privacy obligation?

Awareness	%
Yes	41%
No	59%
Don’t know/No Response	1%

Base: n = 1006; All respondents

Q: Has your company ever used any of these resources?

Used any of these resources	%
Yes	17%
No	78%
Don’t know/No Response	5%

Base: n = 427; Those aware of OPC resources

Subgroup Variations

The likelihood of being aware that OPC has resources available was highest amongst^{Footnote 11}:

• Companies located in the Prairies (63%) and Alberta (56%)
• Companies that sell to both consumers and businesses (48)
• Companies with at least 100 employees (53%)
• Those who perceived protecting privacy as being important (44%)
• Those who reported being aware of their privacy obligations (48%).

Larger companies and those who reported their company is aware of privacy obligations were more likely to have used OPC resources.

Awareness and use of OPC resources is virtually unchanged since 2011.

Text version

Figure 37: Awareness and Use of OPC Resources (Over Time)

Q: Are you aware that the Office of the Privacy Commissioner of Canada has information and tools available to companies to help them comply with their privacy obligation?

Year	%
2010	55%
2011	40%
2013	41%

Base: All respondents

Q: Has your company ever used any of these resources?

 

Year	%
2010	36%
2011	19%
2013	17%

Base: Those aware of OPC resources

Among the 121 companies that have used OPC resources to comply with their privacy obligations, the OPC website (56%) was the main source of reference. The survey found that 23% used OPC policy guidance, 11% OPC publications, 4% an OPC exhibit or presentation, and only 2% called the OPC information centre. Eight percent of companies used some other source of information from the OPC. Fifteen percent of business representatives were uncertain of which OPC resource their company used.

Text version

Figure 38: OPC Resources Used

Q: What resources of the Office of the Privacy Commissioner of Canada has your company used?

Resources	%
OPC website	56%
OPC policy guidance/advice	23%
OPC publications	11%
An OPC exhibit or presentation	4%
Called OPC Information Centre (for enquiries)	2%
Other	8%

Base: n = 121; Those who have used OPC resources; Multiple responses accepted

Don’t know/No Response= 15%

Executives were asked to rate the usefulness of privacy-related resources they received from the OPC on a seven-point scale (7 = extremely useful, 1 = not at all useful). Exactly three-quarters of executives rated their usefulness above the midpoint of the seven-point scale, with 35% stating that they were extremely useful.

Text version

Figure 39: Perceived Usefulness of OPC Resources

Q: How useful were the resources or information you received from the Office of the Privacy Commissioner of Canada in terms of helping your company meet its privacy obligations?

Perceived Usefulness	%
Neutral or less (≤4)	21%
5	20%
6	20%
7 - extremely useful	35%

Base: n = 121; Those who have used OPC resources

Don’t know/No Response= 4%

The five respondents who offered low assessments of the usefulness of OPC resources (scores of 1-3) were asked why they found the resources or information not very useful. Reasons included that they already knew the information or that the information was not appropriate for their business size.

The perceived usefulness of OPC resources among business representatives has increased since tracking began in 2010.

Text version

Figure 40: Perceived Usefulness of OPC Resources (Over Time)

Q: How useful were the resources or information you received from the Office of the Privacy Commissioner of Canada in terms of helping your company meet its privacy obligations?

Perceived Usefulness	2010	2011	2013
Useful (5-7)	55%	72%	75%
Somewhat Useful (4)	36%	12%	16%
Less or Not Useful (1-3)	8%	8%	5%

Base: Those who have used OPC resources

Corporate Profile

The following tables presents the characteristics of survey respondents (using weighted data).

Region	Percent
Atlantic Canada	7%
Quebec	20%
Manitoba and Saskatchewan	7%
Alberta	14%
British Columbia	16%
Ontario (excluding the Greater Toronto Area)	21%
Greater Toronto Area	14%
Don’t know / no response	1%
Total	100%

Business Size	Percent
Self-employed (1 employee)	14%
Small (2-19 employees)	74%
Medium (20-99 employees)	10%
Large (100+ employees)	2%
Total	100%

Language of interview	Percent
English	80%
French	20%
Total	100%

Revenues in 2012	Percent
Less than $100,000	16%
$100,000 to just under $250,000	13%
$250,000 to just under $500,000	10%
$500,000 to just under $1,000,000	13%
$1,000,000 to just under $5,000,000	19%
$5,000,000 to just under $10,000,000	4%
$10,000,000 to just under $20,000,000	2%
More than $20 million	2%
Don’t know / no response	22%
Total	100%Footnote 12

Appendix

Telephone Questionnaire

Hello, my name is [Interviewer's name]. I’m calling on behalf of Phoenix, a public opinion research company. We’re conducting a survey for the Privacy Commissioner of Canada to better understand the needs and practices of businesses across the country in relation to Canada’s privacy laws.

May I speak to the person in your company who is the most familiar with the types of personal information collected about your customers, and how this information is stored and used. This may be your company’s Privacy Officer if you have one.

• IF PERSON IS AVAILABLE, CONTINUE. REPEAT INTRODUCTION IF NEEDED.
• IF NOT AVAILABLE, SCHEDULE CALL-BACK.

The survey takes about 15 minutes and is voluntary and completely confidential. Your answers will remain anonymous. May I continue?

• Yes, now (CONTINUE)
• No, call later. Specify date/time: Date: Time:
• Refused (THANK & DISCONTINUE)

1. Which of the following best describes your company? (READ LIST, ACCEPT ONE RESPONSE) T2011

     It sells directly to consumers                              1
     It sells directly to other businesses/organizations         2
     It sells directly both to consumers and 
          other businesses/organizations                         3
     Other, please specify:                     
	 
(DO NOT READ: 	NOT FOR PROFIT, THANK AND TERMINATE; 
		DK/NR, THANK AND TERMINATE)

2. Approximately how many employees work for your company in Canada? Please include part-time employees as full-time equivalents. (DO NOT READ LIST) T2011

	
     One (i.e. self employed)    1
     2-4                         2
     5-9                         3
     10-19                       4
     20-49                       5
     50-99                       6
     100-149                     7
     150-199                     8
     200-249                     9
     250-299                     10
     300-499                     11
     500-999                     12
     1,000-4,999                 13
     More than 5,000             14

Section 1: Privacy Practices

I’d like to begin by asking you about the types of personal information held by your company about your customers. T2011 MODIFIED

3. Which of the following types of personal information does your company collect about your customers? (READ LIST. ACCEPT ALL THAT APPLY) T2011

	
     Contact information, such as names,  
          phone numbers, and addresses                 1
     Opinions, evaluations, and comments               2
     Purchasing habits                                 3
     Financial                                         4
     Medical information                               5
     Location information, such as postal codes        6
     Other information. If so, please specify:                         
     None of the above (DO NOT READ)                   7

4. What does your business do with the personal information that it collects about your customers? Do you use it for...? (READ LIST. ACCEPT ALL THAT APPLY)

1. Marketing
2. Providing service
3. Building customer profiles to personalize service
4. Or for some other purpose. If so, please specify:

5. Deleted

6. Deleted

7. In which of the following ways does your company store personal information on your customers? Is the information…? (READ LIST. ACCEPT ALL THAT APPLY) T2011

     Stored on-site on paper                                                1
     Stored on-site on servers                                              2
     Stored on desktop computers                                            3
     Stored on portable devices, such as laptops, USB sticks, or tablets    4
     Stored electronically through cloud computing*                         5
     Stored through a third party, not including cloud computing**          6
     Stored by video and audio recordings                                   7
     Stored in some other way: If so, please specify                        8

*INTERVIEWER NOTE: IF RESPONDENT IS NOT CLEAR WHAT CLOUD COMPUTING IS, SAY THAT CLOUD COMPUTING REFERS TO THE DELIVERY OF COMPUTING RESOURCES OVER THE INTERNET. INSTEAD OF KEEPING DATA ON YOUR OWN HARD DRIVE OR UPDATING APPLICATIONS FOR YOUR NEEDS, YOU USE A THIRD PARTY’S SERVICE OVER THE INTERNET, AT ANOTHER LOCATION, TO STORE YOUR INFORMATION OR USE ITS APPLICATIONS.

**INTERVIEWER NOTE: FOR THIS QUESTION, CLOUD COMPUTING SHOULD BE RECORDED SEPARATELY FROM STORAGE BY A THIRD PARTY.

IF INFORMATION 'STORED ON PORTABLE DEVICES', ASK:

8. Does your company use encryption to protect the personal information you store on portable devices, such as laptops, USB sticks, or tablets? T2011

     Yes     1
     No      2	

ASK EVERYONE:

9. What steps do you take to protect the personal information on your customers? (READ LIST. ACCEPT ALL THAT APPLY) T2011

     Physical measures, such as locked filing cabinets, 
          restricting access, or security alarms.                        1
     Technological tools, such as passwords, encryption, or firewalls.   2
     Organizational controls, such as policies and procedures.           3
     Some other measure. If so, please specify:                          4
     No measures taken 	                                                 5

IF 'TECHNOLOGICAL TOOLS' USED, ASK:

10. What technological tools do you use? (READ LIST. ACCEPT ALL THAT APPLY) T2011 MODIFIED

     Passwords                              1
     Encryption                             2
     Firewalls                              3
     Other.  Please specify:                 

IF 'PASSWORDS' USED, ASK NEXT TWO QUESTIONS:

11. How often do you require employees to change their passwords? (DO NOT READ LIST. ACCEPT ONE RESPONSE) T2011

     Monthly                              1
     Quarterly                            2
     Every six months                     3
     Once a year                          4
     Less than this                       5
     VOLUNTEERED: Do not require 
        employees to change passwords     6

12. Do you have any controls in place to ensure that employees use hard-to-guess passwords? T2011

     Yes     1
     No      2	

ASK EVERYONE:

13. Have you designated someone in your company to be responsible for privacy issues and personal information that your company holds? T2011

     Yes     1
     No      2	

14. Has your business developed and documented internal policies for staff that address your privacy obligations under the law?

     Yes     1
     No      2	

15. Does your organization regularly provide staff with privacy training and education?

     Yes     1
     No      2	

16. Does your company have procedures in place for responding to customer requests for access to their personal information? T2011

     Yes     1
     No      2	

17. Does your company have procedures in place for dealing with complaints from customers who feel that their information has been handled improperly? T2011

     Yes     1
     No      2	

18. Does your company have a privacy policy that explains to customers how you will collect and use their personal information? T2011 MODIFIED

     Yes     1
     No      2	

Section 2: Privacy as Corporate Objective

19. What importance does your company attribute to protecting your customers' personal information? Please use a scale from 1 to 7, where 1 means that this is not an important corporate objective at all, and 7 means it is an extremely important objective. T2011 MODIFIED

20. Deleted

21. How confident are you that your company knows how to fully protect the personal information you collect? Would you say very confident, moderately, not very or not confident at all?

Section 3: Awareness and Impact of Privacy Laws

The federal government’s privacy law, the Personal Information and Protection and Electronic Documents Act or PIPEDA (PRONOUNCED PIP-EE-DAH) sets out rules that govern how businesses engaged in commercial activities should protect personal information. In Alberta, BC and Quebec, the private sector is governed by provincial laws, which are considered to be similar to the federal law. T2011

22. How would you rate your company’s awareness of its responsibilities under Canada’s privacy laws? Please use a scale from 1 to 7, where 1 is not at all aware, and 7 is extremely aware. T2011

23. And thinking specifically about PIPEDA (PRONOUNCED PIP-EE-DAH), the federal government’s privacy law, how would you rate your company’s awareness of this legislation? Please use a scale from 1 to 7, where 1 is not at all aware, and 7 is extremely aware. T2011

Section 4: Compliance

24. How difficult has it been for your company to bring your personal information handling practices into compliance with Canada’s privacy laws? Please use a scale from 1 to 7, where 1 is extremely easy, 7 extremely difficult and 4 is neither easy nor difficult. T2011

25. In your view, what is the most significant barrier or challenge in terms of complying with Canada's privacy laws? (DO NOT READ LIST. ACCEPT MULTIPLE RESPONSES) T2011 MODIFIED

     Don’t have a clear understanding of the legislation      1
     Staff/personnel time needed                              2
     Cost of compliance (non-staff costs)                     3	
     Other: Specify                             

26. Deleted

Section 5: Breaches

Sometimes, sensitive personal information that is held by a company about their customers is compromised. This can be due to a range of things, such as criminal activity, theft, hacking, or employee error such as misplacing a laptop or other device. T2011 MODIFIED

27. How concerned are you about a data breach, where the personal information of your customers is compromised? Please use a scale of 1 to 7, where 1 is not at all concerned, and 7 is extremely concerned. T2011

28. When you think about the possibility of a data breach occurring at your company, where personal information is potentially compromised, what do you think represents the greatest threat of this happening? (DO NOT READ LIST. ACCEPT ONE RESPONSE)

     Hacking                    1
     Theft                      2
     Loss                       3
     Use of mobile devices
         by employees           4
     Employee error             5
     Other: Specify              

29. Does your company have any protocols or procedures in place that would be followed in the event of a breach where the personal information of customers is compromised? T2011 MODIFIED

     Yes     1
     No      2	

30. Has your company ever experienced a breach where personal information was compromised? T2011 MODIFIED

     Yes     1
     No      2 SKIP NEXT QUESTION

ASK THOSE WHO HAVE EXPERIENCED A BREACH:

31. What did your company do to address this situation? (DO NOT READ LIST. ACCEPT MULTIPLE RESPONSES) T2011

     Notified individuals who are affected                              1
     Notified government agencies who oversee Canada`s privacy laws     2
     Notified law enforcement                                           3
     Followed proper procedure (general)                                4
     Notified company`s head office, HR, or privacy department          5
     Obtained legal counsel/took legal action                           6
     Resolved issue with individuals responsible 
         for the breach (e.g. termination/reprimand of employee)        7
     Obtained information from government (websites, 1-800 number)      8
     Issued training or re-training for staff                           9
     Reviewed privacy policy or practices                              10
     Implemented security system or enhanced security                  11
     Other (specify):                                                  12

32. Deleted

Section 6: Corporate Innovation

33. Does your company have any policies or procedures in place to assess privacy risks related to your business? This includes assessing privacy risks associated with the development or use of new products, services, or technologies. T2011

     Yes     1
     No      2	

34. Does your company collect personal information from customers and send it to another company for processing, storage or other services, which can include the use of cloud computing? T2011 [NOTE INCONSISTENCIES WITH Q7 AND PROBE FOR THE CORRECT ANSWER TO BOTH QUESTIONS].

     Yes     1
     No      2	

ASK ONLY THOSE WHO USE THIRD PARTY (Q34):

35. Have you put in place a contract, or other means, to ensure there is appropriate protection for your company's personal customer information that is processed or stored by another company, including through cloud computing*? T2011

     Yes     1
     No      2	

*ONLY INCLUDE "INCLUDING THROUGH CLOUD COMPUTING" FOR THOSE WHO CURRENTLY USE CLOUD COMPUTING.

36. Does your company allow employees to use non-company-issued electronic devices, such as smartphones, tablets, PCs, or other electronic devices, for work purposes?

     Yes     1
     No      2	

IF 'YES', ASK:

37. Has your company developed a formal, internal policy to manage security issues related to this practice?

     Yes     1
     No      2	

38. Does your company collect personal information from customers using any type of “apps” for a mobile device?

     Yes     1
     No      2	

IF 'YES', ASK NEXT TWO QUESTIONS:

39. Which of the following types of information does your company collect through your “apps”? (READ LIST. ACCEPT ALL THAT APPLY)

	
     Contact information, such as names, 
        phone numbers, and addresses                      1
     Opinions, evaluations, and comments                  2
     Purchasing habits                                    3
     Financial information, including 
        credit card numbers                               4
     Location information                                 5
     Other information. If so, please specify:               
     None of the above (DO NOT READ)                      6

40. How does your company communicate to users the purposes for which information collected via the app will be used?

     In your company’s general privacy policy                  1
     In a privacy policy specific to the app                   2
     In the app distribution “store”                           3
     Using in-app notifications                                4
     Other.  Please specify:                                   5

Section 7: Cooperation with Law Enforcement and Government

Under Canada’s privacy laws, if law enforcement agencies have a warrant from the court, they can require a company to disclose the personal information it holds about its customers. When they do not have a warrant, a company can provide or refuse to provide the information.

41. In the last 2-3 years, how often have law enforcement authorities sought personal information from your company without a warrant? (READ LIST. ACCEPT ONE RESPONSE)

     Never 
     1-5 times		
     6-10 times		
     More than 10 times 	

IF INFO REQUESTED (PREVIOUS QUESTION), ASK:

42. Did your company comply and provide the requested information...? (READ LIST. ACCEPT ONE RESPONSE)

     Each time it was requested
     Some of the time
     None of the times 

Section 8: Communications

43. Deleted

44. Deleted

45. Has your company ever sought clarification of its responsibilities under Canada’s privacy laws? T2011

     Yes     1
     No      2 SKIP NEXT QUESTION

IF YES, ASK:

46. Where did you go to seek this clarification? (DO NOT READ LIST. ACCEPT MULTIPLE RESPONSES) T2011

    Internet (general)                                              1
    Government                                                      2* 
       [PROBE WHETHER FEDERAL (2A) OR PROVINCIAL (2B)]
    Privacy Commissioner                                            3* 
       [PROBE WHETHER FEDERAL (3A) OR PROVINCIAL (3B)]		
    Lawyer                                                          4
    Company/head office expert/internal resource for company        5
    Industry experts, consulting firms, or education sources        6
    Industry association                                            7
    Other. Specify:                                 

Section 9: Office of the Privacy Commissioner of Canada

47. Are you aware that the Office of the Privacy Commissioner of Canada has information and tools available to companies to help them comply with their privacy obligations? T2011 MODIFIED

     Yes     1
     No      2 GO TO NEXT SECTION

IF YES, ASK:

48. Has your company ever used any of these resources? T2011

     Yes     1
     No      2 GO TO NEXT SECTION

IF YES, ASK:

49. What resources of the Office of the Privacy Commissioner of Canada has your company used? (DO NOT READ LIST. ACCEPT MULTIPLE RESPONSES) T2011 MODIFIED

     OPC website                                        1
     OPC publications                                   2
     OPC policy guidance/advice                         3
     An OPC exhibit or presentation                     4
     Called OPC Information Centre (for enquiries)      5
     Other (specify):                          

50. How useful were the resources or information you received from the Office of the Privacy Commissioner of Canada in terms of helping your company meet its privacy obligations? Please use a scale of 1 to 7, where 1 is not at all useful, and 7 is extremely useful. T2011

IF SCORES OF 1-3, ASK:

51. Why were the resources or information not very useful? (DO NOT READ LIST. ACCEPT MULTIPLE RESPONSES) T2011

     Not enough detail                         1
     Too difficult to understand               2
     Nothing new/already knew it               3
     Not in preferred format                   4
     Not appropriate for business size         5
     Not appropriate for business sector       6
     Other (specify):                          

Section 10: Corporate Profile

These last questions are for statistical purposes only, and all answers are confidential.

52. In what industry or sector do you operate? If your company is active in more than one sector, please identify the main sector. (DO NOT READ LIST. ACCEPT ONE RESPONSE) T2011

     Accommodation and Food Services                         1
     Administrative & Support, Waste Management 
        and Remediation Services                             2
     Agriculture, Forestry, Fishing and Hunting              3
     Arts, Entertainment and Recreation                      4
     Construction                                            5
     Educational Services                                    6
     Finance and Insurance                                   7
     Health Care and Social Assistance                       8
     Information and Cultural Industries                     9
     Management of Companies and Enterprises                 10
     Manufacturing                                           11
     Mining and Oil and Gas Extraction                       12
     Other Services (except Public Administration)           13
     Professional, Scientific and Technical Services         14
     Public Administration                                   15
     Real Estate and Rental and Leasing                      16
     Retail Trade                                            17
     Transportation and Warehousing                          18
     Utilities                                               19
     Wholesale Trade                                         20
     Other. Please specify:                                  21

53. What is your own position within the organization? (DO NOT READ LIST. ACCEPT ONE RESPONSE) T2011

     Owner, President or CEO                         1
     General Manager/Other Manager                   2
     IT Manager                                      3
     Administration                                  4
     Vice President                                  5
     Privacy analyst/officer/coordinator             6
     Legal counsel/lawyer                            7
     HR/Operations                                   8
     Other: Specify                                  9

54. In which of the following categories would your company’s 2012 revenues fall? (READ LIST. ACCEPT ONE RESPONSE) T2011

     Less than $100,000                              1
     $100,000 to just under $250,000                 2
     $250,000 to just under $500,000                 3
     $500,000 to just under $1,000,000               4
     $1,000,000 to just under $5,000,000             5
     $5,000,000 to just under $10,000,000            6
     $10,000,000 to just under $20,000,000           7
     More than $20 million                           8

This concludes the survey.
Thank you for your time and feedback, it is much appreciated.