Over the last year, high-profile data breaches affecting thousands of Canadians have raised concerns over businesses’ privacy practices. Questions surrounding companies’ handling of personal information are becoming more prominent in the minds of consumers. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), which governs the privacy practices of many businesses in Canada, sets out personal information handling requirements built on pillars of accountability and consent.
In particular, PIPEDA requires compliance with the ten key privacy principles of the Model Code for the Protection of Personal Information developed by the Canadian Standards Association. One of the fundamental principles is openness, which requires organizations to provide information to the public about their policies and practices relating to the management of personal information. The openness principle requires businesses to include information on who is accountable for the organization’s policies and practices and to whom complaints can be forwarded. Details on how to gain access to personal information, a description of the type of personal information held by the organization, and disclosure of what personal information is made available to related organizations, must also be provided.
(1) emphasizing key elements about the collection, use, and disclosure of personal information;
(2) allowing individuals to control the level of detail regarding information practices by presenting information in a layered format;
(3) providing consumers with a clear option to say “yes” or “no”;
(4) being innovative (i.e. no one-size-fits all approach);
(5) considering the consumer’s perspective by making the information user-friendly;
(6) ensuring the effectiveness of consent processes, and
(7) making consent an ongoing process.
The development of these guidelines stems from the recognition that establishing privacy policies and obtaining meaningful consent from consumers is becoming increasingly challenging in the digital age.
When accountability and openness related to privacy practices are not built into the fabric of an organization, the risk of a privacy breach, and of the related erosion of consumer confidence, is high. A privacy breach, and an ineffective response to it, can destroy consumer confidence and cause serious damage to a brand. Take, for instance, the recent example of the 2016 Uber data breach involving the personal information of millions of users across the globe, which was only disclosed in late 2017 after an initial cover-up by the company. Uber’s failure to disclose the breach has led to government investigations, lawsuits, and the erosion of consumer trust.
Growing concerns over the handling of Canadians’ information have led to recommendations from the Office of the Privacy Commissioner of Canada (OPC) to strengthen enforcement mechanisms, including mandatory disclosure of breaches and fines for non-compliance. While such measures, if introduced, may persuade more businesses to ensure they are compliant with privacy laws, the biggest incentive for business should be its long-term viability, which depends in large part on consumer trust. Businesses depend on consumer confidence to forge ongoing loyalty to a brand. One poorly handled data breach can destroy a brand.