Commissioner Cavoukian’s office says the importance of this issue was highlighted recently when Elections Ontario lost two USB keys containing the unencrypted personal information of as many as 2.4 million voters. Commissioner Cavoukian found in her investigation that the agency’s failure to systematically address privacy and security issues was at the root of the problems.
Organizations should develop privacy education and awareness training programs and designate a knowledgeable “go-to” person for privacy-related queries within the organization, the new document states. In addition, processes and procedures are needed to verify compliance with privacy policies – such as comprehensive privacy audits of the organization and informal audits of the mobile devices of employees, to make sure they are protected by passwords and strong encryption.
Commissioner Cavoukian also warns organizations to be prepared to act if a privacy breach does occur. “A disciplined and immediate response is vital in order to address the situation in a manner that protects individuals, meets the expectations of the public, consumers and regulators, and ultimately preserves the reputation of the organization,” she said.
The document, entitled “A Policy is Not Enough: It Must be Reflected in Concrete Practices” (PDF), builds on the proactive approach of Privacy by Design (PbD), which was developed by the Commissioner and unanimously approved in 2010 as an international framework for privacy protection. PbD seeks to embed privacy into the design specifications of information technologies, organizational practices and networked system architectures, to achieve the strongest protection possible.