Deloitte & Touche LLP
 
Protecting privacy
Why having a privacy policy is not enough
By Suzanne Thibodeau

When it comes to complying with privacy legislation, many managers wrongly believe that they have done all that needs to be done: their companies have published a policy on personal privacy and offered employees an awareness session on the topic. They tell themselves that the case is closed and that they can now move on to other things.

But is this privacy policy supported by a governance framework, procedures, and an ongoing plan to monitor its effectiveness? If not, the policy quickly becomes obsolete, a distant memory in employees’ minds. And that’s when problems arise.

In a recent case involving a Canadian financial institution, the Office of the Privacy Commissioner of Canada reminded companies of the extent of their obligations: “It is not merely a matter of publishing a privacy policy in a brochure or on a web site. The entire organization must be aware of the policy and must ensure that its employees are adhering to it, bringing problems to the attention of the right people, and acting on it. It is not just a good idea — it is the law.” The Office of the Privacy Commissioner issued the statement in a press release dated April 18, 2005, following its investigation.

The ISO model: A proactive approach
The approach recommended by ISO standards on information security management systems can be very useful when establishing an ongoing privacy program.

Based on the Plan-Do-Check-Act model, the ISO 17799 standard and its counterpart, ISO 27001, give management the means to adopt a continuous, proactive approach through which they can regularly evaluate the effectiveness of their program. This model proposes a strategy based on four recurring actions:

  1. Plan: What needs to be done? How should it be done?
  2. Do: Carry out the plan.
  3. Check: Was everything done according to the plan? Are there any weaknesses?
  4. Act: Implement the required corrective measures.

Many organizations are still stopping at the second step, once their policy has been completed and issued. If a breach of confidentiality occurs, or if legal action is taken, it could be difficult to prove that such organizations exercised reasonable diligence with respect to their privacy policy.

The CICA/AICPA Privacy Framework
The CICA/AICPA Privacy Framework proposes compliance-control procedures and mechanisms that should be integrated into privacy protection programs, notably:

  • A procedure that addresses privacy-related complaints and other problems
  • A dispute resolution procedure
  • A procedure to periodically review compliance
  • A procedure to report and document instances of non-compliance, as well as the corrective measures that were taken

It is therefore important to develop a continuous privacy protection program and to periodically review your company’s situation so that weaknesses can be detected and quickly rectified.

Source: Deloitte & Touche LLP - Canada (English)


© 2008 Deloitte & Touche LLP and affiliated entities.

Deloitte, one of Canada's leading professional services firms, provides audit, tax, consulting, and financial advisory services through more than 7,700 people in 57 offices. Deloitte operates in Québec as Samson Bélair/Deloitte & Touche s.e.n.c.r.l. Deloitte is the Canadian member firm of Deloitte Touche Tohmatsu.

Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu and its member firms.
