A Privacy Policy is Not Enough, says Privacy Commissioner

Sept., 2009 – Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, says it is not enough for organizations to have a privacy policy in place – they must take steps on an ongoing basis to make sure it is reflected in every aspect of their operations.

A new paper, released September 5 by the Commissioner at a meeting of the Privacy Section of the Canadian Bar Association, provides a 7-step action plan on how to effectively execute an appropriate privacy policy and embed it in the concrete practices of an organization.

Commissioner Cavoukian’s office says the importance of this issue was highlighted recently when Elections Ontario lost two USB keys containing the unencrypted personal information of as many as 2.4 million voters. Commissioner Cavoukian found in her investigation that the agency’s failure to systematically address privacy and security issues was at the root of the problems.

“Privacy policies alone, without a proper strategy for implementation and ongoing compliance procedures, will not protect an organization from privacy risks. The seven recommendations presented in this paper will provide organizations with concrete guidance on how to effectively execute an appropriate privacy policy, and have it reflected in actual practice. This information will be helpful to organizations of any size, and in any sector,” Commissioner Cavoukian said in a statement.

Organizations should develop privacy education and awareness training programs and designate a knowledgeable “go-to” person for privacy-related queries within the organization, the new document states. In addition, processes and procedures are needed to verify compliance with privacy policies – such as comprehensive privacy audits of the organization and informal audits of the mobile devices of employees, to make sure they are protected by passwords and strong encryption.

Commissioner Cavoukian also warns organizations to be prepared to act if a privacy breach does occur. “A disciplined and immediate response is vital in order to address the situation in a manner that protects individuals, meets the expectations of the public, consumers and regulators, and ultimately preserves the reputation of the organization,” she said.

The document, entitled “A Policy is Not Enough: It Must be Reflected in Concrete Practices” (PDF), builds on the proactive approach of Privacy by Design (PbD), developed by the Commissioner and unanimously approved as an international framework for privacy protection in 2010. PbD seeks to embed privacy into the design specifications of information technologies, organizational practices and networked system architectures, to achieve the strongest protection possible.