Public Opinion Surveys

PDF Version

Canadian Businesses and Privacy-Related Issues

Final Report

Submitted to:
Office of the Privacy Commissioner of Canada Communications
Place de Ville 112 Kent Street, Suite 300
Ottawa, Ontario
K1A 1H3

EKOS RESEARCH ASSOCIATES INC.
March 2010

---

EKOS RESEARCH ASSOCIATES

Ottawa Office
359 Kent Street, Suite 300
Ottawa, Ontario
K2P 0R6
Tel: (613) 235 7215
Fax: (613) 235 8498
E-mail: pobox@ekos.com

Toronto Office
480 University Avenue, Suite 1006
Toronto, Ontario
M5G 1V2
Tel: (416) 598 8002
Fax: (416) 598 2543
E-mail: toronto@ekos.com

www.ekos.com

---

Table of Contents

1. Executive Summary
2. 1. Background and Methodology
3. 2. Privacy and Personal Information
4. 3. Privacy Legislation
5. 4. Security Breaches
6. Appendix A: Survey Questionnaire (English and French)

---

Executive Summary

EKOS Research Associates was commissioned by the Office of the Privacy Commissioner of Canada (OPC) to undertake a survey examining the views of Canadian businesses on a number of issues relating to privacy and the implementation of PIPEDA. The survey tracked a number of questions first asked in 2007, and also included a number of new questions about PIPEDA and privacy-related issues.

The methodology for this study involved a telephone survey of 1,005 businesses in Canada. Given that the main focus of the study was on the adoption and impact of privacy laws, the survey was designed to contact senior decision makers with responsibility or knowledge of their company’s privacy and security practices.

Results suggest that Canadian businesses are largely familiar with Canada’s privacy laws, are finding them fairly easy to comply with, and have implemented many privacy policies to help protect the personal information of their customers. In addition, privacy legislation is seen as having had a positive impact on how Canadian businesses handle the personal information of their customers. The key findings from this study are outlined below, and described in more detail in the remainder of this report:

• Survey results reveal that the collection of personal information by Canadian businesses is a common occurrence: almost seven in ten of the companies surveyed (68 per cent) report that they collect information on their customers (and this is up five per cent since 2007).
• Results also reveal that the majority of businesses that collect personal information on customers have implemented provisions to protect customer information.
• Almost half of the businesses surveyed report high awareness of their responsibilities under Canada’s privacy laws, and only 10 per cent rate their awareness in this area as low.
• The plurality of the businesses surveyed feel it has been fairly easy to comply with privacy laws (47 per cent, up five per cent since 2007), and only five per cent feel it has been difficult to comply with these laws (down three per cent since 2007).
• Survey results also suggest PIPEDA has had a positive impact on Canadian businesses’ handling of customers’ personal information. About two in three of the companies surveyed indicate they are more concerned about protecting their customers’ personal information (68 per cent), and have increased their awareness of privacy obligations (63 per cent) as a result of PIPEDA. And more than half (57 per cent) said the introduction of PIPEDA has resulted in improved security associated with personal information held by the company on its customers.
• More than half of the businesses surveyed report awareness of OPC information and tools to help companies comply with their privacy obligations. About a third of the businesses aware of OPC information and tools have accessed this information, and most of the companies that did access this information found the information to be useful.
• The plurality of the companies surveyed are not concerned about security breaches in which the personal information of customers is compromised (42 per cent), possibly because the vast majority (94 per cent) have not experienced a data breach.
• Only about one-third of the companies surveyed indicate they have formal guidelines to deal with a breach where the personal information of their customers is compromised; the majority (63 per cent) do not have any such guidelines in place.
• Finally, results reveal that the vast majority of the companies surveyed (89 per cent) indicate that the poor economic situation over the past year and a half did not result in reduced spending on measures to protect customer information.

Supplier Name: EKOS Research Associates
PWGSC Contract Number: # 2R008-090284/001/CY
Contract Award Date: 16/02/2010
To obtain more information on this study, please e-mail publications@priv.gc.ca.

1. Background and Methodology

1.1 Background

The Privacy Commissioner of Canada is an advocate for the privacy rights of Canadians, with the powers to investigate complaints and conduct audits under two federal laws; publish information about personal information-handling practices in the public and private sector; and conduct research into privacy issues.

The two federal laws are the Privacy Act which governs the public sector and the Personal Information Protection and Electronic Documents Act (PIPEDA) which governs the private sector. More specifically, PIPEDA “sets out ground rules for the management of personal information in the private sector … (and) balances an individual's right to the privacy of personal information with the need of organizations to collect, use or disclose personal information for legitimate business purposes.”

Under PIPEDA, personal information is defined as “any factual information, recorded or not, about an identifiable individual”, employee or otherwise, including their age, name, income, ethnic origin, social status, credit records, loan records, and medical records. If an organization wishes to use an individual’s personal information for reasons other than the purpose for which it was collected, consent must first be obtained from the individual. As well, individuals have “the right to access personal information held by an organization and to challenge its accuracy.”

PIPEDA came into force in 2001, but at the time only applied to federally-regulated private sector companies. The Act was extended to cover personal health information for these organizations and activities in 2002. Two years later, PIPEDA came into full effect in January 2004. Today, the Act covers all organizations engaged in commercial activities, including those that for other purposes (for example, employment) are regulated by the provinces. PIPEDA includes provisions for a mandatory review by Parliament every five years.

Against this backdrop, there is a need to better understand the extent to which businesses are familiar with and are complying with their responsibilities under PIPEDA, as well as understanding any other related issues to the implementation of the Act. Within this context, there was a need to undertake a survey of Canadian businesses to help develop this understanding.

1.2 Methodology

The research findings for this study have been drawn from the results of a 16 minute telephone survey with 1,005 businesses in Canada, conducted from March 4 to March 25, 2010. Given that the main focus of the study was on the adoption and impact of privacy laws, the survey was designed to contact senior decision makers with responsibility or knowledge of their company’s privacy and security practices.

The survey instrument was designed in close consultation with the Office of the Privacy Commissioner (OPC). Once the questionnaire items were approved, the questionnaire was programmed into EKOS’ computer assisted telephone interviewing (CATI) software. In addition to programming the actual text of each question, instructions to the survey interviewer (such as instruction to read or not read available responses), question/response randomization (batteries of questions and some responses to questions are randomized to minimize an order bias) and skip logic were integrated at this stage. In order to gauge the flow and clarity of the survey instrument, the questionnaire was pre-tested through a series of telephone interviews with actual respondents in English and French. The objective of the pre-test was to ascertain the clarity of the questions, the flow of the sequencing, the overall length of the interviews and any factors that may affect the response rate. No significant changes to the questionnaire were required as a result of the pretest. The final version of this survey is appended to this report in Appendix A.

Since medium and large sized businesses together account for less than 15 per cent of all businesses, the sample was stratified by company size (based on number of employees) in order to ensure that there were enough respondents from both of these two size segments. For purposes of the study, the following definitions of size were adopted: small (1-19 employees), medium (20-99 employees), and large (100 or more employees). The results are based on the following samples:

• 555 surveys with small businesses;
• 302 surveys with medium businesses; and
• 148 surveys with large businesses.

The findings were then weighted by size, region and industry code to align the data to a ‘truer’ reflection of Canadian businesses. The weighted findings tend to reflect more closely the responses of small-sized businesses as these businesses account for more than four in five businesses in Canada.

With a sample size of 1,005, results may be considered statistically accurate to within +/- 3.1 percentage points, 19 times out of 20. The margin of error rises when results are examined for a particular sub-sample.

2. Privacy and Personal Information

2.1 Time Spent On Privacy-Related Issues

Businesses were first asked how much time their company spends in a typical month dealing with privacy related issues. Results suggest that most Canadian businesses spend little time dealing with privacy issues: only 11 per cent say they spend a great deal of time on these issues, and the majority (51 per cent) say they spend little time dealing with privacy issues in a typical month. However, tracking reveals a seven per cent decrease since 2007 in the proportion of businesses who spend little time on privacy issues, and a corresponding seven point increase (to 33 per cent) in the proportion of businesses who spend some time dealing with privacy issues.

2.2 Collection of Personal Information

The survey went on to ask Canadian businesses whether or not their company collects personal information on their customers. Survey results reveal that most of the companies surveyed collect personal information on their customers (68 per cent), and this is up five per cent since 2007.

• The collection of personal information from customers does not vary significantly across company size.

		Collects personal information on customers	Does not collect personal information on customers
Q: And would you say your company collects ... (Base: All Businesses; Mar. 2010, n=)
Company Size	Small	69	31
	Medium	67	32
	Large	74	26

2.3 Amount of Personal Information Collected

Results further reveal that half of the businesses that collect personal information on their customers say they collect only small amounts of personal information (51 per cent). About one in five (19 per cent) collect moderate amounts of information, and three in ten (29 per cent) say they collect large amounts of personal information from their customers.

Interestingly, tracking reveals a polarization in terms of the personal information collected by Canadian businesses. The proportion of businesses that report they collect both small and large amounts of personal information is up since 2007, while those companies that indicate they collect “moderate” amounts of information is down 12 per cent since 2007.

• Smaller firms are more likely to indicate they collect only small amounts of personal information.

		Small amounts of information	Moderate amounts of information	Large amounts of information
Q: And would you say your company collects ... (Base: Businesses that collect personal information; Mar. 20107, n=)
Company Size	Small	52	18	30
	Medium	45	25	28
	Large	34	37	29

2.4 Method of Storing Personal Information

Businesses which collect personal information on their clients were also asked if the personal information they collect on their customers was stored on paper, stored electronically or both. The majority (55 per cent) say they collect this information both on paper and electronically. About one in five (19 per cent) say they store this information on paper only, and one in four (25 per cent) maintain this information only in an electronic format.

2.5 Implementation of Policies re. Collection, Usage and Disclosure

Businesses which indicated they collect personal information from their clients were asked a series of questions examining at what stage their company was in terms of putting in place clear privacy policies to deal with this information. Results suggest that the majority of these companies (73 per cent) have fully implemented privacy policies to oversee how the company and its employees collect, use, and disclose personal information, and this is up six per cent since 2007. Only 14 per cent indicate that these policies have yet to be implemented.

• Smaller businesses are more likely than their larger counterparts to indicate they have not yet implemented these policies.

		Fully implemented	In the process of being implemented	Have not been implemented yet	Not applicable
Q: What stage is your company at putting in place clear privacy policies to oversee how the company and its employees collect, use and disclose personal information? (Base: Businesses that collect personal information; Mar. 2010, n=)
Company Size	Small	73	6	14	5
	Medium	77	11	10	2
	Large	87	8	4	0

2.6 Implementation of Safeguards re. Protecting Info from Unauthorized Access

In terms of implementing safeguards to protect personal information from unauthorized use, more than three in four businesses which collect personal information (76 per cent) say they have a fully implemented policy in this area (up two per cent since 2007). Fewer than one in ten (nine per cent) say these safeguards have not yet been put in place.

• Smaller businesses are more likely than their larger counterparts to indicate they have not yet put safeguards to protect personal information in place.

		Fully implemented	In the process of being implemented	Have not been implemented yet	Not applicable
Q: What stage is your company at putting in place safeguards to protect personal information from unauthorized access? (Base: Businesses that collect personal information; Mar. 2010, n=)
Company Size	Small	76	10	9	3
	Medium	83	9	5	2
	Large	92	6	0	1

2.7 Implementation of Accessibility of Personal Information Provisions

A majority of businesses which collect personal information also indicate that they have a fully implemented policy in place to allow customers to request and access any personal information that the company holds on its customers (61 per cent), however, this is down seven per cent since 2007.

• Small and medium-sized businesses are more likely than large companies to indicate they have not yet implemented procedures to allow customers to access their personal information.

		Fully implemented	In the process of being implemented	Have not been implemented yet	Not applicable
Q: What stage is your company at putting in place ways for customers to be able to request and access any personal information that your company holds on them? (Base: Businesses that collect personal information; Mar. 2010, n=)
Company Size	Small	61	6	17	14
	Medium	63	3	25	5
	Large	77	5	9	4

2.8 Implementation of Ways for Customers to Contact Company

A slight majority of these businesses (54 per cent) also report that they have fully implemented procedures that enable customers to make complaints should they feel that their personal information has been handled inappropriately, however, this is down four per cent since 2007. One in four (25 per cent) indicate these procedures have yet to be put in place.

• Smaller businesses are more likely than their larger counterparts to indicate they have not yet put these procedures in place.

		Fully implemented	In the process of being implemented	Have not been implemented yet	Not applicable
Q: What stage is your company at putting in place procedures that enables customers to make complaints should they feel that their personal information has been handled inappropriately? (Base: Businesses that collect personal information; Mar. 2010, n=)
Company Size	Small	54	6	26	12
	Medium	71	7	16	3
	Large	80	5	8	4

2.9 Procedures to Handle Privacy-Related Issues

Survey results further reveal that most of the companies surveyed say they have procedures to handle privacy-related issues raised by both internal staff (59 per cent), and by customers and other external parties (61 per cent).

3. Privacy Legislation

3.1 Awareness of Responsibilities of Privacy Laws

All respondents were provided with a brief description of PIPEDA and asked to rate their awareness of their responsibilities under Canada’s privacy laws. Results reveal that Canadian businesses are largely familiar with Canada’s privacy laws: almost half of the companies surveyed feel they have a high degree of awareness of their responsibilities under Canada’s privacy laws (47 per cent), and only 10 per cent rate their awareness in this area as low. These results have remained largely stable since 2007.

• Awareness of privacy laws is higher among larger Canadian businesses.

3.2 Training on Responsibilities Under Privacy Laws

Businesses were also asked if any of their staff had received training on appropriate information practices and responsibilities under Canada’s privacy laws. Fewer than four in ten (37 per cent) reported they had provided this type of training to their staff (although this is up four per cent since 2007), while about six in ten (59 per cent) said they had not (down a corresponding four points since 2007).

• Large businesses are more likely to have provided training to staff on appropriate information and practices under Canada’s privacy laws.

3.3 Frequency of Reviewing Training

Those companies which indicated that their staff did receive training on appropriate information and practices under Canada’s privacy laws were asked how often they reviewed their training modules and procedures in this area. Results suggest that this is done on a fairly infrequent basis: only 11 per cent indicated they review this information at least once a month, and almost twice as many (21 per cent) say it is reviewed less than once a year. Most say they review this information about once a year (61 per cent).

3.4 Proportion of Companies Which Collect Personal Information and Send to Another Company

Canadian businesses were also asked if their company collects personal information from clients and sends to another company within Canada or outside Canada for processing. Relatively few (18 per cent) say that they send personal information to another company in Canada for processing, and virtually none (one per cent) send this information outside of Canada for processing.

3.5 Awareness of Measures to Protect Personal Information

Those companies that indicated they send personal information to another company for processing were asked if they were aware of any measures they must take to ensure that this personal information is protected. The vast majority of these companies (93 per cent) reported that they were aware of these measures.

However, among those companies that indicated they were aware of these measures, only half (50 per cent) have put in place a contract, or other means, to ensure there is a comparable level of protection while the information is being processed by this other company. The remainder (49 per cent) said they had not established such a contractual arrangement.

3.6 Impact of PIPEDA

All respondents were asked about the impact of PIPEDA on their company. Results suggest PIPEDA has had a positive impact on Canadian businesses’ handling of customers’ personal information (although the extent of the impact varies across the issues examined). About two in three of the companies surveyed indicated they were more concerned about protecting their customers’ personal information (68 per cent), and had increased their awareness of privacy obligations (63 per cent) as a result of PIPEDA. Just over half (57 per cent) said the introduction of PIPEDA has resulted in improved security associated with personal information held by the company on its customers. More than four in ten (43 per cent) felt PIPEDA had helped improve the training given to staff on privacy obligations, and one in three (33 per cent) felt that the introduction of PIPEDA had resulted in fewer breaches involving their customers’ personal information.

3.7 Seeking Clarification on Privacy Laws

Businesses were also asked if their company had ever sought clarification of its responsibilities under Canada’s privacy laws. The majority of businesses report that they have not looked for this type of information (72 per cent), while about one in five (22 per cent) indicate they have. Results are largely stable since 2007.

• Large businesses are particularly likely to indicate that they have sought clarification of their responsibilities under Canada’s privacy laws.

3.8 Source of Clarification

Among those companies that did seek a clarification of their privacy obligations, most indicated that they looked for this information from a lawyer (36 per cent) or from the Privacy Commissioner/ government in general (34 per cent). About one in five (18 per cent) also looked for this information through a general Internet search.

3.9 Difficulties in Adapting to Privacy Laws

Canadian businesses with at least some awareness of Canada’s privacy laws (2 to 7 on the 7-point awareness scale) were asked how difficult it had been for their company to bring its information practices into compliance with these privacy laws. The plurality feel it has been fairly easy to comply with these laws (47 per cent), and this is up five per cent since 2007. Only five per cent feel it has been difficult to comply with privacy laws (down three per cent since 2007).

• Perceived difficulties in adapting to privacy laws does not vary significantly across company size.

3.10 How Businesses Would Find Out More Information on Privacy Laws

All companies were asked how they would go about finding more information about their company’s responsibilities under Canada’s privacy laws. Government websites were mentioned most often (70 per cent – up seven per cent since 2007), followed distantly by a government toll free number (17 per cent – down one per cent since 2007).

3.11 Awareness of OPC Information and Tools

Respondents were further asked if they were aware that the Office of the Privacy Commissioner has information and tools available to companies to help them comply with their privacy obligations. Just over half of the businesses surveyed (55 per cent) indicated they were aware of this information, and about four in ten (45 per cent) said they were not.

• Larger businesses are more likely to express awareness of OPC information and tools.

3.12 Use of OPC Information and Tools

Those businesses that indicated they were aware of OPC information and tools to help companies comply with privacy obligations were asked if they had ever accessed this information. Just over a third of these companies (36 per cent) indicated they had accessed this OPC information, and half (53 per cent) said they had not.

Those who had accessed this information were asked to rate the usefulness of this information in helping their company meet its privacy obligations. Over half of these companies (55 per cent) found the information to be useful, and fewer than one in ten (eight per cent) found this information to be of little use.

3.13 Usefulness of Training

All companies were asked how useful it would be to get training on what companies need to do to comply with Canada’s privacy laws. Despite fairly high levels of satisfaction with the information provided by the OPC among companies that accessed this information (as discussed in the previous question), most Canadian companies do not see the need for training in this area. Only about one in four (23 per cent) feel that training on what companies need to do to comply with Canada’s privacy laws would be useful, and more than four in ten (42 per cent) feel it would be of little use.

3.14 Type of Training

Businesses were also asked what would be the most effective way to offer training to help them comply with Canada’s privacy laws. Online self-help tools are clearly preferred over in-person seminars (79 per cent vs. 14 per cent, respectively), and preference for self-help tools has increased six per cent since 2007.

3.15 Delivery of Training

In terms of who should provide training to help businesses comply with privacy laws, government departments and agencies responsible for overseeing Canada’s privacy laws are preferred over organizations like the Chamber of Commerce (56 per cent vs. 33 per cent, respectively).

4. Security Breaches

4.1 Concern About Security Breaches

The survey also asked a number of questions about security breaches where the personal information of customers is compromised. Results reveal that the plurality of the companies surveyed are not concerned about this type of security breach (42 per cent), although a sizeable minority (35 per cent) does express concern about this issue.

• Concern with information breaches does not vary significantly by company size.

4.2 Experience with Security Breaches

Businesses were also asked if their company had ever experienced a breach where the personal information of customers was compromised. The vast majority of the businesses surveyed (94 per cent) indicated they had not, and only three per cent reported that they had experienced this type of information breach.

Those few who indicated they had experienced a data breach were asked, unprompted, what their company did to address this situation. Most said they notified the individuals who were affected, dealt with the guilty parties directly, or provided training to staff in addressing this situation.

4.3 Actions Taken in Event of Security Breach

Those companies which had not experienced a security breach were asked, unprompted, if they were to experience a breach involving the personal information of their customers, what actions would they take. Most indicate they would notify the individuals affected (34 per cent), notify law enforcement officials (14 per cent), or contact their lawyer/seek legal counsel (12 per cent).

4.4 Guidelines in Event of Security Breach

All Canadian businesses were also asked if their company had any guidelines in place in the event of a security breach. Only about one-third of the companies surveyed (34 per cent) indicate they have formal guidelines to deal with a breach where the personal information of their customers is compromised. The majority (63 per cent) do not have any such guidelines in place.

• Larger businesses are more likely to say they have guidelines in place in the event of a data breach.

4.5 Support for Mandatory Breach Reporting

Businesses were also asked if they supported or opposed the idea of mandatory breach reporting. Results reveal fairly strong support for this idea: the plurality of the businesses surveyed (43 per cent) support the notion of mandatory breach reporting, and only about one in six (16 per cent) oppose such a mandatory requirement (the remainder are neutral or did not provide a response).

4.6 Source of Threat of Security Breach

In terms of the primary perceived threat of data breaches, most Canadian businesses feel that attacks from outside the company are a much greater threat than those from inside the company (64 per cent vs. 26 per cent, respectively). The remainder (10 per cent) are unsure.

4.7 Reduction in Spending on Security Measures

In light of the recent downturn in the economy, businesses were asked if their company had spent less on security measures to protect their customers personal information. The vast majority of the companies surveyed (89 per cent) report that the poor economic situation over the past year and a half did not result in reduced spending on measures to protect customer information. Only six per cent said the economic downturn affected their spending on security measures to protect customer information.

4.8 Cloud Computing Tools

Canadian businesses were also asked if their company used cloud computing tools. Most of the companies surveyed indicated they did not (66 per cent), although three in ten (30 per cent) said their organization did use these tools. Those who indicated they did not currently use cloud computing tools were asked if they plan to do so in the future. The overwhelming majority of these businesses (87 per cent) said they had no plan to use cloud computing tools in the future.

4.9 Privacy Consideration in Development of New Technology

Finally, Canadian businesses were asked if their company were to develop a new technology or product that could potentially have privacy implications, would they take privacy regulations into consideration before the launch of the product/technology. The majority of the businesses surveyed (84 per cent) say that they would take privacy regulations into consideration, and only one in ten indicated they would not take privacy-related issues into account before the launch of a new product or technology.

Appendix A: Survey Questionnaire (English and French)

INTRO

My name is .... and I'm calling from EKOS Research. We're conducting a short survey on behalf of the Privacy Commissioner of Canada to better understand the needs and practices of businesses across the country in relation to Canada's privacy laws.

May I please speak to the person who would be most familiar with what types of personal information is collected on your customers, and how this information is stored and used. This may be your company's Privacy Officer if you have one.

This is an important survey that will help the Government of Canada, and your participation is voluntary. All answers will also be kept strictly confidential.

May I begin?

PRIV

This call may be recorded for quality control or training purposes.

TYP

Which of the following best describes your company?

READ CATEGORIES, ACCEPT ONLY ONE

1. It sells directly to consumers (1)
2. It sells directly to other businesses / organizations (2)
3. It sells directly both to consumers and other businesses/organizations (3)
4. (DO NOT READ) Other, please specify-> ATYP; C160 L2 C80 (77)
5. (DO NOT READ) NOT FOR PROFIT, THANK AND TERMINATE (98)
6. (DO NOT READ) DK/NR, THANK AND TERMINATE (99)
7. PROVIDE SERVICES (VARIOUS) (4)
8. OTHER (97)

LOC1

Which of the following best describes your company?

READ LIST

1. It operates at this location alone (1)
2. There are other locations, but only in Canada (2)
3. There are other locations outside of Canada (3)
4. (DO NOT READ) DK/NR (9)

EMPL

Approximately how many employees, including part-time, full-time and seasonal workers are currently employed in your company?

1. 1 to 4 employees (1)
2. 5 to 9 employees (2)
3. 10 to 19 employees (3)
4. 20 to 49 employees (4)
5. 50 to 99 employees (5)
6. 100 to 149 employees (6)
7. 150 to 199 employees (7)
8. 200 to 249 employees (8)
9. 250 to 299 employees (9)
10. 300 to 499 employees (10)
11. 500 to 999 employees (11)
12. 1,000 to 4,999 employees (12)
13. More than 5,000 employees (13)
14. DK/NR (99)

EMPL2

Approximately how many employees, including part-time, full-time and seasonal workers are currently employed in your company within Canada?

1. 1 to 4 employees (1)
2. 5 to 9 employees (2)
3. 10 to 19 employees (3)
4. 20 to 49 employees (4)
5. 50 to 99 employees (5)
6. 100 to 149 employees (6)
7. 150 to 199 employees (7)
8. 200 to 249 employees (8)
9. 250 to 299 employees (9)
10. 300 to 499 employees (10)
11. 500 to 999 employees (11)
12. 1,000 to 4,999 employees (12)
13. More than 5,000 employees (13)
14. DK/NR (99)

PT

There are different activities that can take up the time of a company and its staff. Please rate how much time your company spends dealing with privacy-related issues, including complying with Canada's privacy laws, in a TYPICAL month on a scale from 1 to 7, where 1 means little or no time, 7 means a great deal of time, and 4 means a moderate amount of time.

1. 1 Little or no time (1)
2. 2 (2)
3. 3 (3)
4. 4 A moderate amount of time (4)
5. 5 (5)
6. 6 (6)
7. 7 A great deal of time (7)
8. DK/NR (9)

PRPI

The next questions are about the types of personal information held by your company on its customers. By personal information, I mean things like a customer's name, age, address, income, what they have purchased, email address, and so on.

C1

Which of the following best describes your company's activities in relation to your customer's personal information? Would you say your company ...

READ LIST

1. collects personal information on its customers (1)
2. does not collect any personal information on its customers (2)
3. (DO NOT READ) DK/NR (9)

C2

And would you say your company collects ...

READ LIST

1. only small amounts of personal information on its customers (1)
2. moderate amounts of personal information on its customers (2)
3. a large amount of personal information on its customers (3)
4. (DO NOT READ) DK/NR (9)

C3 [1,2]

And would you say that the personal information on your customers is stored on paper, stored electronically, or some other type of format?

SELECT ALL THAT APPLY

1. Stored on paper (1)
2. Stored electronically (2)
3. Stored in some other type of format (3)
4. (NOTE TO INTERVIWER: Use this code if they say both instead of selecting both individually above, thank you) (DO NOT READ) Stored both on paper and electronically (8)
5. (DO NOT READ) DK/NR (9)

C4A

Thinking about personal information that is collected and used by your company on its customers, at what stage is your company in relation to the following? Would you say your company has the following fully in place, is in the process of implementing, or have not implemented them yet?

What stage is your company at ...

Putting in place clear guidelines or policies to oversee how the company and its employees collect, use and disclose personal information

1. Fully implemented (1)
2. In the process of being implemented (2)
3. Have not been implemented yet (3)
4. (DO NOT READ) Not applicable (8)
5. (DO NOT READ) DK/NR (9)

C4B

Thinking about personal information that is collected and used by your company on its customers, at what stage is your company in relation to the following? Would you say your company has the following fully in place, is in the process of implementing, or have not implemented them yet?

What stage is your company at ...

Putting in place safeguards to protect personal information from unauthorized access

1. Fully implemented (1)
2. In the process of being implemented (2)
3. Have not been implemented yet (3)
4. (DO NOT READ) Not applicable (8)
5. (DO NOT READ) DK/NR (9)

C4C

Thinking about personal information that is collected and used by your company on its customers, at what stage is your company in relation to the following? Would you say your company has the following fully in place, is in the process of implementing, or have not implemented them yet?

What stage is your company at ...

Putting in place ways for customers to be able to request and access any personal information that your company holds on them

1. Fully implemented (1)
2. In the process of being implemented (2)
3. Have not been implemented yet (3)
4. (DO NOT READ) Not applicable (8)
5. (DO NOT READ) DK/NR (9)

C4D

Thinking about personal information that is collected and used by your company on its customers, at what stage is your company in relation to the following? Would you say your company has the following fully in place, is in the process of implementing, or have not implemented them yet?

What stage is your company at ...

Putting in place procedures that enable customers to make complaints should they feel that their personal information has been handled inappropriately

1. Fully implemented (1)
2. In the process of being implemented (2)
3. Have not been implemented yet (3)
4. (DO NOT READ) Not applicable (8)
5. (DO NOT READ) DK/NR (9)

PIP

The federal government's privacy law, the Personal Information and Protection and Electronic Documents Act or PIPEDA came into full force on January 1st 2004. The Act establishes privacy laws that govern how businesses should protect personal information.

[Alberta/B.C./Quebec]

The federal government's privacy law, the Personal Information and Protection and Electronic Documents Act or PIPEDA came into full force on January 1st 2004. The Act establishes privacy laws that govern how businesses should protect personal information. In <Alberta, BC, Quebec >, the private sector is governed by provincial privacy laws which are considered to be deemed similar to the federal law.

DSPRV

Does your company have staff, such as a Privacy Officer, who play a central role in ensuring responsibilities under Canada's privacy laws are met?

1. Yes (1)
2. No (2)
3. DK/NR (9)

IPRV1

Does your company have procedures in place to handle privacy-related issues raised by internal staff?

1. Yes (1)
2. No (2)
3. DK/NR (9)

CEPRV

And does your company have procedures in place to handle privacy-related issues raised by customers and other external parties?

1. Yes (1)
2. No (2)
3. DK/NR (9)

QAWRSP

How would you rate your company's awareness of its responsibilities under Canada's privacy laws on a scale from 1 to 7, where 1 is not at all aware, 7 is extremely aware and 4 is somewhat aware.

1. 1 Not at all aware (1)
2. 2 (2)
3. 3 (3)
4. 4 Somewhat aware (4)
5. 5 (5)
6. 6 (6)
7. 7 Extremely aware (7)
8. DK/NR (9)

TRPRV

Have any of your staff received training on appropriate information practices and responsibilities under Canada's privacy laws?

1. Yes (1)
2. No (2)
3. DK/NR (9)

TRPRV2

How often do you review your training modules/manuals/procedures on appropriate information and practices under Canada's privacy laws?

1. At least once a month (1)
2. At least once a year (2)
3. Less than once a year (3)
4. Never (8)
5. DK/NR (9)

OSPC

Does your company collect personal information from clients and send to another company within Canada for processing?

1. Yes (1)
2. No (2)
3. DK/NR (9)

OSPO

Does your company collect personal information from clients and send to another company outside of Canada for processing?

1. Yes (1)
2. No (2)
3. DK/NR (9)

MEASP

Are you aware of any measures you must take to ensure that this personal information is protected?

1. Yes (1)
2. No (2)
3. DK/NR (9)

MEASC1

Have you put in place a contract, or other means, to ensure there is a comparable level of protection while the information is being processed by this other company?

1. Yes (1)
2. No (2)
3. DK/NR (9)

MEASC2

Have you put in place a contract, or other means, to ensure there is a comparable level of protection while the information is being processed by these other companies?

1. Yes (1)
2. No (2)
3. DK/NR (9)

PIP2A

As a result of the introduction of PIPEDA, would you say your company ...

Has increased its awareness of its privacy obligations?

1. Yes (1)
2. No (2)
3. DK/NR (9)

PIP2B

As a result of the introduction of PIPEDA, would you say your company ...

Has improved the training given to staff on privacy obligations?

1. Yes (1)
2. No (2)
3. DK/NR (9)

PIP2C

As a result of the introduction of PIPEDA, would you say your company ...

Is more concerned about protecting your customers' personal information?

1. Yes (1)
2. No (2)
3. DK/NR (9)

PIP2D

As a result of the introduction of PIPEDA, would you say your company ...

Has improved the security associated with personal information held by your company on its customers?

1. Yes (1)
2. No (2)
3. DK/NR (9)

PIP2E

As a result of the introduction of PIPEDA, would you say your company ...

Has had fewer breaches involving your customers' personal information?

1. Yes (1)
2. No (2)
3. DK/NR (9)

CLPRV

Has your company ever sought clarification of its responsibilities under Canada's privacy laws?

1. Yes (1)
2. No (2)
3. DK/NR (9)

CLPRV2 [1,6]

Where did you go to seek this clarification?

1. Internet (general) (1)
2. Government/Privacy Commissioner(s) (2)
3. Lawyer (3)
4. Other (specify)-> ACLPRV2; C160 L1 C80 (77)
5. DK/NR (99)
6. COMPANY/HEAD OFFICE SPECIALIST, DEPATMENT, HUMAN RESOURCES FOR THE COMPANY (4)
7. INDUSTRY EXPERTS, CONSULTING FIRMS, OR EDUCATION SOURCES (5)
8. INDUSTRY ASSOCIATIONS, ORGANIZATIONS THROUGH WORK THEY ARE AFFILITATED WITH/MEMBERS OF (6)
9. ACCOUNTING, BANK, INSURANCE INDUSTRY (7)
10. OTHER (97)

DFPVR

How difficult has it been for your company to bring its information practices into compliance with Canada's privacy laws, using a scale from 1 to 7, where 1 is extremely easy, 7 is extremely difficult and 4 is neither easy nor difficult.

1. 1 Extremely easy (1)
2. 2 (2)
3. 3 (3)
4. 4 Neither (4)
5. 5 (5)
6. 6 (6)
7. 7 Extremely difficult (7)
8. DK/NR (9)

MTA

If you needed to find more information about your company's responsibilities under Canada's privacy laws, how would you go about it? Would you be most likely to ...

READ LIST

1. Go to a government website (1)
2. Send an email to a government department (2)
3. Call a government toll free number (3)
4. Go to a government office (4)
5. Send a letter to a government department (5)
6. (DO NOT READ) OTHER, SPECIFY-> AMTA; C160 L1 C80 (77)
7. GO THROUGH COMPANIES HR/HEAD OFFICE/PRIVACY DEPARTMENT OR IN HOUSE PRIVACY OFFICER (INCLUDES REVIEWING MANUALS/POLICIES) (6)
8. CONTACT LEGAL COUNCIL/LAWYER (7)
9. CONTACT OTHER INDUSTRY ASSOCIATIONS/EXPERTS, CONSULTING FIRMS, EDUCATIONAL SOURCES (8)
10. ACCOUNTING, BANK, INSURANCE INDUSTRY (10)
11. OTHER (97)

QAWR2

Are you aware that the Office of the Privacy Commissioner has information and tools available to companies to help them comply with their privacy obligations?

1. Yes (1)
2. No (2)
3. DK/NR (9)

QAWR2B

Has your company ever accessed this information?

1. Yes (1)
2. No (2)
3. DK/NR (9)

USE2

On a scale where 1 is not at all useful, 7 is extremely useful, and the mid-point 4 is somewhat useful, how useful was this information in helping your company meet its privacy obligations?

1. 1 Not at all useful (1)
2. 2 (2)
3. 3 (3)
4. 4 Somewhat useful (4)
5. 5 (5)
6. 6 (6)
7. 7 Extremely useful (7)
8. DK/NR (9)

TRGA

Using the same scale, how useful would it be for your company to be able to get training on what companies need to do to comply with Canada's privacy laws?

1. 1 Not at all useful (1)
2. 2 (2)
3. 3 (3)
4. 4 Somewhat useful (4)
5. 5 (5)
6. 6 (6)
7. 7 Extremely useful (7)
8. DK/NR (9)

TRGB

On a scale where 1 is not at all useful, 7 is extremely useful, and the mid-point 4 is somewhat useful, how useful would it be for your company to be able to get training on what companies need to do to comply with Canada's privacy laws?

1. 1 Not at all useful (1)
2. 2 (2)
3. 3 (3)
4. 4 Somewhat useful (4)
5. 5 (5)
6. 6 (6)
7. 7 Extremely useful (7)
8. DK/NR (9)

TRG2

And what do you think would be the most effective way to offer this training?

READ LIST

1. In-person seminars in different cities (1)
2. Providing self-help tools like information packages available online (2)
3. (DO NOT READ) Other, specify-> ATRG2; C160 L1 C80 (77)
4. (DO NOT READ) DK/NR (99)
5. BOTH (3)
6. OTHER (97)

TRG3A

And who do you think would be the most effective at delivering this type of training?

READ LIST

1. Organizations like the local chambers of commerce (1)
2. Government departments/agencies responsible for overseeing Canada's privacy laws (2)
3. (DO NOT READ) Other, specify-> ATRG3A; C160 L1 C80 (77)
4. (DO NOT READ) DK/NR (99)
5. BOTH ORGS LIKE LOCAL CHAMBER OF COMMERCE AND GOVERNMNET DEPARTMENT (3)
6. NON GOVERNMENTAL/INDEPENDENT/NOT FOR PROFIT ORGANIZATIONS (4)
7. INDUSTRY EXPERTS/PROFESSIONALS/ASSOCIATIONS (EDUCATIONAL FACILITIES, POLICE, LAWYERS) (5)
8. IN HOUSE TRAINING/COMPANY DELIVERS IT (6)

CCPC

Sometimes, sensitive personal information that is held by a company about their customers might be compromised, either due to criminal activity or due to a flaw in the company's security system.

On a scale where 1 is not at all concerned, 7 is extremely concerned, and the mid-point 4 is somewhat concerned, how concerned are you about a breach where the personal information of customers is compromised?

1. 1 Not at all concerned (1)
2. 2 (2)
3. 3 (3)
4. 4 Somewhat concerned (4)
5. 5 (5)
6. 6 (6)
7. 7 Extremely concerned (7)
8. DK/NR (9)

BREACH

Has your company ever experienced a breach where the personal information of your customers was compromised?

1. Yes (1)
2. No (2)
3. DK/NR (9)

BREACH2 [1,7]

What did your company do to address this situation?

OPEN. DO NOT READ. PROBE

1. Notify individuals who are affected (1)
2. Notify government agencies who oversee Canada's privacy laws (Office of the Privacy Commissioner) (2)
3. Notify both individuals and government agencies (3)
4. Notify law enforcement (police) (4)
5. Other, specify-> ABREACH2; C160 L1 C80 (77)
6. DK/NR (99)
7. REFERRED/NOTIFIED COMPANY'S HEAD OFFICE/HR OR PRIVACY DEPARTMENT (5)
8. RESOLVED DEALING WITH GUILTY PARTIES DIRECTLY, BREACHED INFORMATION CORRECTED/FIXED (TERMINATION/REPRIMAND EMPLOYEE, RESOLVED VERBALLY, CORRECTED BREACH/FLAW...) (6)
9. ISSUED TRAINING/RE-TRANING FOR STAFF, REVISITED OR MADE SURE POLICY/PRACTICES WERE SUFFICIENT (7)
10. IMPLEMENTED SECURITY SYSTEM/ENHANCED SECURITY (8)
11. OTHER (97)

BREACH3 [1,7]

If your company were to experience a breach involving the personal information of customers, what would your company do?

OPEN. DO NOT READ. PROBE

1. Notify individuals who are affected (1)
2. Notify government agencies who oversee Canada's privacy laws (Office of the Privacy Commissioner) (2)
3. Notify both individuals and government agencies (3)
4. Notify law enforcement (police) (4)
5. Other, specify-> ABREACH3; C160 L1 C80 (77)
6. DK/NR (99)
7. FOLLOW PROPER PROCEDURE, TAKE APPROPRIATE ACTIONS RELATIVE TO SITUATION, COMPLY WITH RULES/CONTACT PROPER AUTHORITIES (GENERAL MENTION) (5)
8. CORRECT IT/RECTIFY IT/FIND SOLUTIONS/FIX THE PROBLEM (GENERAL) (6)
9. INVESTIGATE THE BREACH/CONDUCT REVIEW, ATTEMPT TO DETERMINE THE HOW/WHY/WHAT OF THE BREACH (7)
10. CHANGES/IMPROVEMENTS DONE TO SECURITY SYSTEMS/POLICIES/SECURE SOFTWARE (TIGHTEN LEVEL OF SECURITY), TO ENSURE IT DOES NOT HAPPEN AGAIN (8)
11. NOTIFY HEAD OFFICE/HIGHER MANAGEMENT/PRIVACY OFFICERS/APPROPRIATE DEPT'S THAT DEAL WITH BREACHES (9)
12. CONTACT LAWYER, OBTAIN LEGAL COUNCIL, TAKE LEGAL ACTION, CONTACT LAW SOCIETY (10)
13. DICIPLINARY ACTION WOULD BE TAKEN WITH GUILTY PARTY/EMPLOYEE (DISMISSAL/REPRIMAND, DDEPENDENT ON GREE OF SEVERITY) (11)
14. OBTAIN INFORMATION THROUGH GOVERNMENT WEBSITES/800 NUMBER (12)
15. OTHER (97)

BREACH4

Does your company have any guidelines in place in the event of a breach where the personal information of your customers is compromised?

1. Yes (1)
2. No (2)
3. DK/NR (9)

BREACH5

Do you support or oppose the idea of mandatory breach reporting for Canadian companies? Please respond on a scale where 1 is strongly oppose, 7 is strongly support, and the mid-point 4 is neither oppose nor support.

1. 1 Strongly oppose (1)
2. 2 (2)
3. 3 (3)
4. 4 Neither oppose nor support (4)
5. 5 (5)
6. 6 (6)
7. 7 Strongly support (7)
8. DK/NR (9)

BREACH6

Still thinking about data breaches, which of the following do you think pose a greater threat to your organization?

READ LIST

1. Attacks from inside your company (1)
2. Attacks from outside your company (2)
3. (DO NOT READ) DK/NR (9)

SPNDLS

Has your company spent less on security measures to protect your customers' personal information because of the economic downturn?

1. Yes (1)
2. No (2)
3. DK/NR (9)

CCOMP

Now, turning to another topic.

As you may know, cloud computing typically refers to the provision of web-based services using hardware and software managed by third parties. The services, including online file storage, social networking sites, webmail and online business applications, are generally located on remote computers. They are available over network connections, regardless of the user's own location. Does your organization use cloud computing tools?

1. Yes (1)
2. No (2)
3. DK/NR (9)

CCOMP2

Do you plan to use cloud computing tools in the future?

1. Yes (1)
2. No (2)
3. DK/NR (9)

CCOMP3

If your company were to develop a new technology or product that could potentially have privacy implications, would you take Canadian privacy regulations into consideration before the launch of the product/technology?

1. Yes (1)
2. No (2)
3. DK/NR (9)

DEMO

These last questions are for statistical purposes only, and all answers are confidential.

WS6

Does your company have its own Internet website?

1. Yes (1)
2. No (2)
3. DK/NR (9)

WSO6 [1,2]

Does your company's Internet website offer any of the following?

READ LIST; SELECT ALL THAT APPLY

1. A privacy policy statement (1)
2. A way for customers to contact the company by e-mail (2)
3. (DO NOT READ) None of the above (8)
4. (DO NOT READ) DK/NR (9)

INDUS

What is your organization's PRIMARY industry?

1. Retail trade (1)
2. Wholesale trade (2)
3. Manufacturing (3)
4. Construction (4)
5. Finance, real estate, insurance (5)
6. Transportation (6)
7. Communication (7)
8. Business services (8)
9. Personal services (9)
10. Utilities (electric power, gas, and water utilities) (10)
11. Primary/resource industries (11)
12. Agriculture (12)
13. Health/social services (13)
14. Education (14)
15. Hospitality (15)
16. Tourism (16)
17. Entertainment,recreation, arts, culture (17)
18. Other (specify)-> AINDUS; C160 L1 C80 (77)
19. DK/NR (99)
20. REPAIRS (AUTOMOTIVE, MECHANICAL...) (18)
21. OTHER (97)
22. PROFESSIONAL(LAW,LEGAL,ACCOUNTING,ETC..) (19)
23. PUBLIC SERVICE(GOV'T,ETC...) (20)

POSIT

What is your own position within the organization?

1. Owner, President or CEO (1)
2. General Manager/Other Manager (2)
3. Senior IT Manager (Information Technology) (3)
4. Administration (4)
5. Other level of IT (5)
6. Controller, accounting, book-keeping (6)
7. Sales, marketing (7)
8. Various lower level/service positions within organization,ex.installer,mechanic,etc. (8)
9. Vice president (9)
10. Director (10)
11. Engineering position (11)
12. Other (specify)-> APOSIT; C160 L1 C80 (77)
13. DK/NR (99)
14. PRIVACY ANALYSTS/OFFICERS, COORDINATOR (12)
15. LEGAL COUNCIL/LAWYER (13)
16. HR/OPERATIONS (14)

REV

In which of the following categories would your company's 2009 revenues fall?

READ LIST

1. Less than $100,000 (1)
2. $100,000 to $249,999 (2)
3. $250,000 to $499,999 (3)
4. $500,000 to $999,999 (4)
5. $1,000,000 to $4,999,999 (5)
6. $5,000,000 to $9,999,999 (6)
7. $10,000,000 to $19,999,999 (7)
8. More than $20 million (8)
9. (DO NOT READ) DK/NR (99)

THNK

This concludes the survey. Thank you for your time and feedback, it is much appreciated!

INTRO

Je m'appelle .... et je vous téléphone de la part des Associés de recherche EKOS. Nous faisons un bref sondage pour le compte de la Commissaire à la protection de la vie privée du Canada afin de mieux comprendre les besoins et les pratiques des entreprises canadiennes en ce qui concerne les lois sur la protection des renseignements personnels.

Pourrais-je parler à la personne qui est la plus au courant du genre de renseignements personnels que vous recueillez sur vos clients et de la façon dont ces renseignements sont conservés et utilisés? Il pourrait s'agir de la personne de votre entreprise qui est responsable de la protection de la vie privée, si ce poste existe.

Ce sondage est important et va aider le gouvernement du Canada. Votre participation est volontaire. Toutes les réponses seront traitées de manière absolument confidentielle.

Puis-je commencer?

PRIV

Cet appel peut être enregistré pour contrôle de la qualité ou formation.

TYP

Quelle est, parmi les suivantes, la meilleure description de votre entreprise?

LIRE LES CATÉGORIES, ACCEPTER UNE SEULE RÉPONSE

1. Elle vend directement aux consommateurs (1)
2. Elle vend directement à d'autres entreprises/organisations (2)
3. Elle vend directement aux consommateurs et à d'autres entreprises/organisations (3)
4. (NE PAS LIRE) Autre réponse, veuillez préciser-> ATYP; C160 L2 C80 (77)
5. (NE PAS LIRE) SANS BUT LUCRATIF, REMERCIER ET METTRE FIN (98)
6. (NE PAS LIRE) NSP/PDR, REMERCIER ET METTRE FIN (99)

LOC1

Quel énoncé parmi les suivants décrit le mieux votre entreprise?

LIRE LA LISTE

1. Elle n'a que ce bureau (1)
2. Elle a plusieurs bureaux, mais seulement au Canada (2)
3. Elle a d'autres bureaux à l'extérieur du Canada (3)
4. (NE PAS LIRE) NSP/PDR (9)

EMPL

A peu près combien d'employés, à temps partiel, temps plein et saisonniers, travaillent présentement pour votre entreprise?

1. 1 à 4 employés (1)
2. 5 à 9 employés (2)
3. 10 à 19 employés (3)
4. 20 à 49 employés (4)
5. 50 à 99 employés (5)
6. 100 à 149 employés (6)
7. 150 à 199 employés (7)
8. 200 à 249 employés (8)
9. 250 à 299 employés (9)
10. 300 à 499 employés (10)
11. 500 à 999 employés (11)
12. 1 000 à 4 999 employés (12)
13. Plus de 5 000 employés (13)
14. NSP/PDR (99)

EMPL2

A peu près combien d'employés, à temps partiel, temps plein et saisonniers, travaillent présentement pour votre entreprise au Canada?

1. 1 à 4 employés (1)
2. 5 à 9 employés (2)
3. 10 à 19 employés (3)
4. 20 à 49 employés (4)
5. 50 à 99 employés (5)
6. 100 à 149 employés (6)
7. 150 à 199 employés (7)
8. 200 à 249 employés (8)
9. 250 à 299 employés (9)
10. 300 à 499 employés (10)
11. 500 à 999 employés (11)
12. 1 000 à 4 999 employés (12)
13. Plus de 5 000 employés (13)
14. NSP/PDR (99)

PT

Une entreprise et ses employés consacrent du temps à diverses activités. Dites-moi s'il vous plaît combien de temps votre entreprise consacre aux questions liées à la protection des renseignements personnels, y compris le respect des lois canadiennes sur la protection des renseignements personnels, au cours d'un mois NORMAL. Veuillez répondre selon une échelle de sept points où « 1 » signifie peu ou pas du tout de temps, « 7 », énormément de temps et « 4 », une quantité moyenne de temps.

1. 1 Peu ou pas du tout de temps (1)
2. 2 (2)
3. 3 (3)
4. 4 Une quantité moyenne de temps (4)
5. 5 (5)
6. 6 (6)
7. 7 Énormément de temps (7)
8. NSP/PDR (9)

PRPI

Les prochaines questions portent sur le genre de renseignements personnels que votre entreprise détient sur ses clients. Par « renseignements personnels », je veux parler, par exemple, du nom d'un client, de son âge, de son adresse, de son revenu, des achats qu'il a faits, de son adresse de courriel, et ainsi de suite.

C1

Laquelle des phrases suivantes décrit le mieux les activités de votre entreprise en ce qui concerne les renseignements personnels de vos clients? Diriez-vous que votre entreprise...

LIRE LA LISTE

1. recueille des renseignements personnels sur ses clients (1)
2. ne recueille aucun renseignement personnel sur ses clients (2)
3. (NE PAS LIRE) NSP/PDR (9)

C2

Et diriez-vous que votre entreprise recueille...

LIRE LA LISTE

1. une petite quantité seulement de renseignements personnels sur ses clients (1)
2. une quantité moyenne de renseignements personnels sur ses clients (2)
3. une grande quantité de renseignements personnels sur ses clients (3)
4. (NE PAS LIRE) NSP/PDR (9)

C3 [1,2]

Et diriez-vous que les renseignements personnels sur vos clients sont conservés sur papier, électroniquement ou dans un autre format?

CHOISIR TOUTES LES RÉPONSES PERTINENTES

1. Conservés sur papier (1)
2. Conservés électroniquement (2)
3. Conservés dans un autre format (3)
4. (NOTE À L’ENQUÊTEUR : Recourir à ce code si le/la répondant(e), plutôt que de choisir chaque format individuellement, affirme que les renseignements sont conservés des deux façons, merci) (NE PAS LIRE) Conservés des deux façons  : sur papier et électroniquement (8)
5. (NE PAS LIRE) NSP/PDR (9)

C4A

A propos des renseignements personnels que votre entreprise recueille sur ses clients et qu'elle utilise, à quel stade votre entreprise se trouve-t-elle en ce qui concerne les mesures suivantes? Diriez-vous que votre entreprise a mis parfaitement en oeuvre la mesure suivante, qu'elle est en train de la mettre en oeuvre ou qu'elle n'a pas encore commencé à la mettre en oeuvre?

En particulier, à quel stade se trouve votre entreprise en ce qui concerne cette mesure :

adopter des lignes directrices ou politiques claires afin de surveiller comment l'entreprise et ses employés recueillent, utilisent et communiquent les renseignements personnels?

1. parfaitement mise en oeuvre (1)
2. en voie de mise en oeuvre (2)
3. pas encore commencé la mise en oeuvre (3)
4. (NE PAS LIRE) Sans objet (8)
5. (NE PAS LIRE) NSP/PDR (9)

C4B

A propos des renseignements personnels que votre entreprise recueille sur ses clients et qu'elle utilise, à quel stade votre entreprise se trouve-t-elle en ce qui concerne les mesures suivantes? Diriez-vous que votre entreprise a mis parfaitement en oeuvre la mesure suivante, qu'elle est en train de la mettre en oeuvre ou qu'elle n'a pas encore commencé à la mettre en oeuvre?

En particulier, à quel stade se trouve votre entreprise en ce qui concerne cette mesure :

adopter des moyens de protéger les renseignements personnels contre l'accès non autorisé?

1. parfaitement mise en oeuvre (1)
2. en voie de mise en oeuvre (2)
3. pas encore commencé la mise en oeuvre (3)
4. (NE PAS LIRE) Sans objet (8)
5. (NE PAS LIRE) NSP/PDR (9)

C4C

A propos des renseignements personnels que votre entreprise recueille sur ses clients et qu'elle utilise, à quel stade votre entreprise se trouve-t-elle en ce qui concerne les mesures suivantes? Diriez-vous que votre entreprise a mis parfaitement en oeuvre la mesure suivante, qu'elle est en train de la mettre en oeuvre ou qu'elle n'a pas encore commencé à la mettre en oeuvre?

En particulier, à quel stade se trouve votre entreprise en ce qui concerne cette mesure :

adopter des moyens permettant à vos clients de demander puis d’accéder aux renseignements personnels que votre entreprise détient sur eux?

1. parfaitement mise en oeuvre (1)
2. en voie de mise en oeuvre (2)
3. pas encore commencé la mise en oeuvre (3)
4. (NE PAS LIRE) Sans objet (8)
5. (NE PAS LIRE) NSP/PDR (9)

C4D

A propos des renseignements personnels que votre entreprise recueille sur ses clients et qu'elle utilise, à quel stade votre entreprise se trouve-t-elle en ce qui concerne les mesures suivantes? Diriez-vous que votre entreprise a mis parfaitement en oeuvre la mesure suivante, qu'elle est en train de la mettre en oeuvre ou qu'elle n'a pas encore commencé à la mettre en oeuvre?

En particulier, à quel stade se trouve votre entreprise en ce qui concerne cette mesure :

adopter un processus permettant à vos clients de déposer une plainte s'ils estiment que les renseignements personnels les concernant ont été traités de manière incorrecte?

1. parfaitement mise en oeuvre (1)
2. en voie de mise en oeuvre (2)
3. pas encore commencé la mise en oeuvre (3)
4. (NE PAS LIRE) Sans objet (8)
5. (NE PAS LIRE) NSP/PDR (9)

PIP

La loi fédérale servant à protéger les renseignements personnels, qui s’intitule Loi sur la protection des renseignements personnels et les documents électroniques (LPRPDE) est entrée en vigueur le 1er janvier 2004. La Loi établit des obligations pour les entreprises en matière de protection des renseignements personnels.

[BC]

La loi fédérale servant à protéger les renseignements personnels, intitulée Loi sur la protection des renseignements personnels et les documents électroniques (LPRPDE), est entrée en vigueur le 1er janvier 2004. La Loi établit des obligations pour les entreprises en matière de protection des renseignements personnels. En Colombie-Britannique, le secteur privé est assujetti à des lois provinciales sur la protection des renseignements personnels, qui sont jugées similaires à la loi fédérale.

[Alberta]

La loi fédérale servant à protéger les renseignements personnels, intitulée Loi sur la protection des renseignements personnels et les documents électroniques (LPRPDE), est entrée en vigueur le 1er janvier 2004. La Loi établit des obligations pour les entreprises en matière de protection des renseignements personnels. En Alberta, le secteur privé est assujetti à des lois provinciales sur la protection des renseignements personnels, qui sont jugées similaires à la loi fédérale.

[Québec]

La loi fédérale servant à protéger les renseignements personnels, intitulée Loi sur la protection des renseignements personnels et les documents électroniques (LPRPDE), est entrée en vigueur le 1er janvier 2004. La Loi établit des obligations pour les entreprises en matière de protection des renseignements personnels. Au Québec, le secteur privé est assujetti à des lois provinciales sur la protection des renseignements personnels, qui sont jugées similaires à la loi fédérale.

DSPRV

Votre entreprise a-t-elle du personnel désigné, comme un responsable de la protection de la vie privée, qui joue un rôle crucial afin d'assurer le respect des obligations prévues dans les lois canadiennes touchant la protection des renseignements personnels?

1. Oui (1)
2. Non (2)
3. NSP/PDR (9)

IPRV1

Est-ce que votre entreprise a établi des processus pour traiter les enjeux liés à la protection des renseignements personnels que soulève le personnel à l’interne?

1. Oui (1)
2. Non (2)
3. NSP/PDR (9)

CEPRV

Et est-ce que votre entreprise a établi des processus pour traiter les enjeux liés à la protection des renseignements personnels que soulèvent vos clients ou d’autres tiers de l’extérieur?

1. Oui (1)
2. Non (2)
3. NSP/PDR (9)

QAWRSP

Comment évaluez-vous le degré de sensibilisation de votre entreprise à ses obligations en vertu des lois canadiennes touchant la protection des renseignements personnels, selon une échelle de sept points où « 1 » signifie pas du tout sensible, « 7 », fortement sensible et « 4 », plutôt sensible?

1. 1 Pas du tout sensible (1)
2. 2 (2)
3. 3 (3)
4. 4 Plutôt sensible (4)
5. 5 (5)
6. 6 (6)
7. 7 Fortement sensible (7)
8. NSP/PDR (9)

TRPRV

Parmi les membres de votre personnel, y en a-t-il qui ont reçu de la formation sur les pratiques informationelles appropriées et les obligations en vertu des lois canadiennes sur la protection des renseignements personnels?

1. Oui (1)
2. Non (2)
3. NSP/PDR (9)

TRPRV2

À quelle fréquence passez-vous en revue vos modules, manuels ou processus de formation sur l’information et les pratiques indiquées en vertu des lois canadiennes sur la protection des renseignements personnels?

1. Tous les mois au moins (1)
2. Chaque année au moins (2)
3. Moins d’une fois par année (3)
4. Jamais (8)
5. NSP/PDR (9)

OSPC

Est-ce que votre entreprise recueille de ses clients des renseignements personnels qui sont transmis pour traitement à une autre entreprise située au Canada?

1. Oui (1)
2. Non (2)
3. NSP/PDR (9)

OSPO

Est-ce que votre entreprise recueille de ses clients des renseignements personnels qui sont transmis pour traitement à une autre entreprise à l’étranger?

1. Oui (1)
2. Non (2)
3. NSP/PDR (9)

MEASP

Est-ce que vous êtes au courant de mesures que vous devez prendre pour veiller à ce que ces renseignements personnels soient protégés?

1. Oui (1)
2. Non (2)
3. NSP/PDR (9)

MEASC1

Est-ce que vous avez établi un contrat ou mis en œuvre d’autres mesures pour veiller à ce qu’un niveau de protection comparable s’applique lorsque cette autre entreprise traite les renseignements transmis?

1. Oui (1)
2. Non (2)
3. NSP/PDR (9)

MEASC2

Est-ce que vous avez établi un contrat ou mis en œuvre d’autres mesures pour veiller à ce qu’un niveau de protection comparable s’applique lorsque ces autres entreprises traitent les renseignements transmis?

1. Oui (1)
2. Non (2)
3. NSP/PDR (9)

PIP2A

Dans la foulée de l’adoption de la LPRPDE, diriez-vous que votre entreprise...

s’est sensibilisée davantage à ses obligations en matière de protection des renseignements personnels?

1. Oui (1)
2. Non (2)
3. NSP/PDR (9)

PIP2B

Dans la foulée de l’adoption de la LPRPDE, diriez-vous que votre entreprise...

a amélioré la formation qu’elle offre au personnel pour ce qui concerne les obligations en matière de protection des renseignements personnels?

1. Oui (1)
2. Non (2)
3. NSP/PDR (9)

PIP2C

Dans la foulée de l’adoption de la LPRPDE, diriez-vous que votre entreprise...

se préoccupe davantage de la protection des renseignements personnels de vos clients?

1. Oui (1)
2. Non (2)
3. NSP/PDR (9)

PIP2D

Dans la foulée de l’adoption de la LPRPDE, diriez-vous que votre entreprise...

a amélioré les mesures de protection pour les renseignements personnels qu’elle détient au sujet de ses clients?

1. Oui (1)
2. Non (2)
3. NSP/PDR (9)

PIP2E

Dans la foulée de l’adoption de la LPRPDE, diriez-vous que votre entreprise...

a moins souvent dérogé à ses obligations pour ce qui concerne les renseignements personnels de vos clients?

1. Oui (1)
2. Non (2)
3. NSP/PDR (9)

CLPRV

Votre entreprise a-t-elle déjà tenté d'obtenir des éclaircissements sur ses obligations en vertu des lois canadiennes touchant la protection des renseignements personnels?

1. Oui (1)
2. Non (2)
3. NSP/PDR (9)

CLPRV2 [1,6]

Où vous êtes-vous adressés pour obtenir ces éclaircissements?

1. Internet (en général) (1)
2. gouvernement/Commissaire à la protection de la vie privée (2)
3. Avocat(e) (3)
4. Autre (préciser)-> ACLPRV2; C160 L1 C80 (77)
5. NSP/PDR (99)

DFPVR

Dans quelle mesure a-t-il été difficile pour votre entreprise de se conformer aux pratiques informationnelles en vertu des lois canadiennes sur la protection des renseignements personnels, selon une échelle de sept points où « 1 » signifie extrêmement facile, « 7 », extrêmement difficile et « 4 », ni facile ni difficile.

1. 1 Extrêmement facile (1)
2. 2 (2)
3. 3 (3)
4. 4 Ni facile, ni difficile (4)
5. 5 (5)
6. 6 (6)
7. 7 Extrêmement difficile (7)
8. NSP/PDR (9)

MTA

Si vous aviez besoin de vous renseigner davantage sur les responsabilités de votre entreprise en vertu des lois canadiennes sur la protection des renseignements personnels, comment procéderiez-vous? Seriez-vous surtout susceptible ...

LIRE LA LISTE

1. de consulter un site Web du gouvernement (1)
2. d’adresser un courriel à un ministère (2)
3. de composer le numéro d'une ligne sans frais du gouvernement (3)
4. d’aller dans un bureau du gouvernement (4)
5. d’adresser une lettre à un ministère (5)
6. (NE PAS LIRE) AUTRE, PRÉCISER-> AMTA; C160 L1 C80 (77)

QAWR2

Est-ce que vous savez que le Commissariat à la protection de la vie privée offre aux entreprises de l’information et des outils pour les aider à respecter leurs obligations en matière de protection des renseignements personnels?

1. Oui (1)
2. Non (2)
3. NSP/PDR (9)

QAWR2B

Est-ce que votre entreprise a déjà consulté cette information?

1. Oui (1)
2. Non (2)
3. NSP/PDR (9)

USE2

Selon une échelle de sept points où « 1 » signifie pas du tout utile, « 7 », extrêmement utile et le point milieu, « 4 », assez utile, dans quelle mesure est-ce que cette information s’est révélée utile pour aider votre entreprise à honorer ses obligations en matière de protection des renseignements personnels?

1. 1 Pas du tout utile (1)
2. 2 (2)
3. 3 (3)
4. 4 Assez utile (4)
5. 5 (5)
6. 6 (6)
7. 7 Extrêmement utile (7)
8. NSP/PDR (9)

TRGA

Selon la même échelle, dans quelle mesure serait-il utile pour votre entreprise d’être en mesure de recevoir de la formation au sujet de ce que les entreprises doivent faire pour se conformer aux lois canadiennes sur la protection des renseignements personnels?

1. 1 Pas du tout utile (1)
2. 2 (2)
3. 3 (3)
4. 4 Assez utile (4)
5. 5 (5)
6. 6 (6)
7. 7 Extrêmement utile (7)
8. NSP/PDR (9)

TRGB

Selon une échelle de sept points où « 1 » signifie pas du tout utile, « 7 », extrêmement utile et le point milieu, « 4 », assez utile, dans quelle mesure serait-il utile pour votre entreprise d’être en mesure de recevoir de la formation au sujet de ce que les entreprises doivent faire pour se conformer aux lois canadiennes sur la protection des renseignements personnels?

1. 1 Pas du tout utile (1)
2. 2 (2)
3. 3 (3)
4. 4 Assez utile (4)
5. 5 (5)
6. 6 (6)
7. 7 Extrêmement utile (7)
8. NSP/PDR (9)

TRG2

Et quelle serait, selon vous, la façon la plus efficace d'offrir cette formation?

LIRE LA LISTE

1. Séminaires donnés en personne dans différentes villes (1)
2. Trousses d'information à consulter soi-même en ligne (2)
3. (NE PAS LIRE) Autre réponse, préciser-> ATRG2; C160 L1 C80 (77)
4. (NE PAS LIRE) NSP/PDR (99)

TRG3A

Et qui serait, selon vous, le plus efficace dans la prestation de ce genre de formation?

LIRE LA LISTE

1. Des organisations comme une chambre de commerce locale (1)
2. Des ministères ou agences du gouvernement chargés de surveiller la mise en application des lois canadiennes touchant la protection des renseignements personnels (2)
3. (NE PAS LIRE) Autre réponse, préciser-> ATRG3A; C160 L1 C80 (77)
4. (NE PAS LIRE) NSP/PDR (99)

CCPC

Il peut parfois arriver que les renseignements personnels sensibles que détient une entreprise au sujet de ses clients soient compromis à cause d’activités criminelles ou à cause d’une brèche dans le système de sécurité de l’entreprise.

Selon une échelle de sept points où « 1 » signifie pas du tout préoccupés, « 7 », extrêmement préoccupés et le point milieu, « 4 », assez préoccupés, dans quelle mesure vous préoccupez-vous des manquements qui peuvent compromettre les renseignements personnels des clients?

1. 1 Pas du tout préoccupés (1)
2. 2 (2)
3. 3 (3)
4. 4 Assez préoccupés (4)
5. 5 (5)
6. 6 (6)
7. Extrêmement préoccupés (7)
8. NSP/PDR (9)

BREACH

Est-ce qu’il est déjà arrivé, dans votre entreprise, qu’un manquement du genre compromette les renseignements personnels de vos clients?

1. Oui (1)
2. Non (2)
3. NSP/PDR (9)

BREACH2 [1,7]

Qu’est-ce que votre entreprise a fait pour faire face à la situation?

QUESTION OUVERTE. NE PAS LIRE. CHERCHER À OBTENIR DES PRÉCISIONS.

1. Avertir les personnes touchées (1)
2. Avertir les organismes gouvernementaux qui supervisent l’application des lois canadiennes en matière de protection des renseignements personnels (le Commissariat à la protection de la vie privée) (2)
3. Avertir les personnes touchées et les organismes gouvernementaux (3)
4. Avertir les organismes d’application de la loi (services policiers) (4)
5. Autre, préciser-> ABREACH2; C160 L1 C80 (77)
6. NSP/PDR (99)

BREACH3 [1,7]

S’il arrivait, dans votre entreprise, qu’un manquement du genre compromette les renseignements personnels de vos clients, que ferait votre entreprise?

QUESTION OUVERTE. NE PAS LIRE. CHERCHER À OBTENIR DES PRÉCISIONS.

1. Avertir les personnes touchées (1)
2. Avertir les organismes gouvernementaux qui supervisent l’application des lois canadiennes en matière de protection des renseignements personnels (le Commissariat à la protection de la vie privée) (2)
3. Avertir les personnes touchées et les organismes gouvernementaux (3)
4. Avertir les organismes d’application de la loi (services policiers) (4)
5. Autre, préciser-> ABREACH3; C160 L1 C80 (77)
6. NSP/PDR (99)

BREACH4

Est-ce que votre entreprise a adopté des lignes directrices à mettre en application si un manquement du genre compromet les renseignements personnels de vos clients?

1. Oui (1)
2. Non (2)
3. NSP/PDR (9)

BREACH5

Êtes-vous pour ou contre l’idée voulant que les entreprises canadiennes soient obligées de déclarer les cas d’atteinte à la vie privée? Veuillez répondre selon une échelle de sept points où « 1 » signifie fermement contre, « 7 », fermement pour et le point milieu, « 4 », ni pour, ni contre.

1. 1 Fermement contre (1)
2. 2 (2)
3. 3 (3)
4. 4 Ni pour, ni contre (4)
5. 5 (5)
6. 6 (6)
7. 7 Fermement pour (7)
8. NSP/PDR (9)

BREACH6

Toujours pour ce qui concerne l’atteinte à la protection des données, parmi les éléments suivants, qu’est-ce qui constitue selon vous la menace la plus importante dans votre organisation?

LIRE LA LISTE

1. Des attaques de l’intérieur de votre entreprise (1)
2. Des attaques de l’extérieur de votre entreprise (2)
3. (NE PAS LIRE) NSP/PDR (9)

SPNDLS

Est-ce que votre entreprise a consacré moins d’argent aux mesures de sécurité ayant pour objet de protéger les renseignements personnels de vos clients à cause du ralentissement économique?

1. Oui (1)
2. Non (2)
3. NSP/PDR (9)

CCOMP

Nous allons maintenant aborder un autre sujet.

Comme vous le savez peut-être, « l’informatique en nuage » désigne habituellement la prestation de services en ligne au moyen de matériel informatique et de logiciels que gèrent des tiers. Les services, qui comptent notamment la conservation de fichiers en ligne, les sites de réseautage social, le courriel Web et les applications opérationnelles en ligne, proviennent habituellement d’ordinateurs à distance. Les services sont offerts au moyen de connexions réseau, quel que soit le lieu où se trouve l’utilisateur. Est-ce que votre organisation se sert d’outils de l’informatique en nuage?

1. Oui (1)
2. Non (2)
3. NSP/PDR (9)

CCOMP2

Est-ce que vous prévoyez utiliser des outils de l’informatique en nuage dans l’avenir?

1. Oui (1)
2. Non (2)
3. NSP/PDR (9)

CCOMP3

Si votre entreprise mettait au point une nouvelle technologie ou un nouveau produit susceptible d’avoir des répercussions sur le plan de la protection des renseignements personnels, est-ce que vous tiendriez compte des règlements canadiens en la matière avant de lancer le produit ou la technologie?

1. Oui (1)
2. Non (2)
3. NSP/PDR (9)

DEMO

Les dernières questions ont pour seul objet la compilation de statistiques. Toutes vos réponses seront confidentielles.

WS6

Est-ce que votre entreprise a son propre site Web sur Internet?

1. Oui (1)
2. Non (2)
3. NSP/PDR (9)

WSO6 [1,2]

Le site Web de votre entreprise sur Internet offre-t-il l'une ou l'autre des caractéristiques suivantes?

LIRE LA LISTE; CHOISIR TOUTES LES RÉPONSES PERTINENTES

1. Un énoncé de principe touchant la protection des renseignements personnels (1)
2. Un moyen pour les clients de communiquer par courriel avec l'entreprise (2)
3. (NE PAS LIRE) Aucune de ces réponses (8)
4. (NE PAS LIRE) NSP/PDR (9)

INDUS

Quelle est la PRINCIPALE industrie de votre organisation?

1. Commerce de détail (1)
2. Commerce de gros (2)
3. Fabrication (3)
4. Construction (4)
5. Finance, immobilier, assurance (5)
6. Transports (6)
7. Communications (7)
8. Services commerciaux (8)
9. Services personnels (9)
10. Services publics (eau, gaz, électricité) (10)
11. Industries de base/ressources naturelles (11)
12. Agriculture (12)
13. Services de santé/services sociaux (13)
14. Éducation (14)
15. Hospitalité (15)
16. Tourisme (16)
17. Divertissement, loisirs, arts, culture (17)
18. Autre (préciser)-> AINDUS; C160 L1 C80 (77)
19. NSP/PDR (99)

POSIT

Quel est le poste que vous occupez au sein de l’organisation?

1. Propriétaire, président(e) ou PDG (1)
2. Directeur/directrice général(e) ou autre poste de gestion (2)
3. Responsable principal(e) de la TI (technologie de l’information) (3)
4. Administration (4)
5. Autre niveau de la TI (5)
6. Contrôleur/contrôleuse, comptabilité, tenue de comptes (6)
7. Ventes, marketing (7)
8. Divers postes de niveau inférieur ou postes de service au sein de l’organisation, p. ex., monteur/monteuse, mécanicien(ne) (8)
9. Vice-président(e) (9)
10. Directeur/directrice (10)
11. Poste d’ingénierie (11)
12. Autre (préciser)-> APOSIT; C160 L1 C80 (77)
13. NSP/PDR (99)

REV

Dans quelle catégorie, parmi les suivantes, se situe le revenu de votre compagnie en 2009?

LIRE LA LISTE

1. Moins de 100 000 $ (1)
2. 100 000 $ à 249 999 $ (2)
3. 250 000 $ à 499 999 $ (3)
4. 500 000 $ à 999 999 $ (4)
5. 1 000 000 $ à 4 999 999 $ (5)
6. 5 000 000 $ à 9 999 999 $ (6)
7. 10 000 000 $ à 19 999 999 $ (7)
8. Plus de 20 millions de dollars (8)
9. (NE PAS LIRE) NSP/PDR (99)

THNK

Voilà qui met fin au sondage. Merci beaucoup d’avoir pris le temps de répondre à ce sondage et d’avoir mis à profit vos commentaires.

Fin de l'entrevue