News

News Release

Canadian businesses missing important steps to protect personal information stored digitally, poll finds

Privacy Commissioner of Canada reminds businesses that when using technology to safeguard personal information, sometimes small steps can prevent a big loss.

Ottawa, May 4, 2012 – Canadian businesses are storing more and more personal information digitally, but many are not using the technological tools or implementing the recommended practices to protect this information, a new survey has found.

In a telephone survey of 1,006 companies across Canada, commissioned by the Office of the Privacy Commissioner of Canada (OPC) and published today, companies are storing personal information on a variety of digital devices, such as desktop computers (55%), servers (47%) and portable devices (23%). Most (73%) are using some type of technological tool, such as passwords, encryption or firewalls, to prevent unauthorized access to the personal information stored on these devices.

However, the survey also suggested that many businesses may not be adequately using technology when it comes to protecting the personal information they store digitally.

For example, passwords are the most popular technological tool used by businesses to protect personal information (96%). However, of those using passwords, 39% do not have controls in place to ensure that those passwords are difficult to guess, and 27% never require employees to change passwords.

“Using passwords is like locking your front door. They can be a very simple and effective way to protect valuable personal information,” says Commissioner Stoddart. “But simply setting a password is not enough to thwart today’s savvy online criminals—passwords must to be complex and dynamic.”

The poll, conducted in late November and early December 2011 by Phoenix Strategic Perspectives, also found that nearly one quarter of businesses are storing personal information on portable devices, such as laptops, USB sticks or tablets, which are more vulnerable to theft and loss. Nevertheless, almost half of those who do (48%) indicated that they did not use encryption to protect the information on these devices. Encryption refers to the use of a secret code as a key to scramble information to make it unreadable. Once the information is scrambled, only the same key can be used to unscramble the information and make it readable again.

“Encryption is one step better than locking your doors— it is like putting information into a safe—and it can really help limit the risks if a laptop is stolen or a USB key is misplaced,” says Commissioner Stoddart. “Businesses that lose their customers’ data, lose their customers’ trust, so they need to take every precaution to ensure they safeguard personal information they hold.”

The survey did find that many Canadian companies attribute considerable importance to protecting privacy (77%).

“I am encouraged to see that companies are beginning to realize the importance of building privacy into their business processes,” said Commissioner Stoddart. “Smart businesses know that taking the time to build privacy in from the beginning is much easier than cleaning up a privacy breach down the road.”

In fact, survey responses seem to suggest that companies are becoming more sensitive to the potential for data breaches. Only 40%, however, indicated that they were concerned about data breaches that might compromise the personal information of their customers and 31% indicated that they have guidelines in place for responding in the event of a breach.

Other highlights of the poll include:

  • One third (32%) of businesses have staff that has had training on appropriate information practices and responsibilities under Canada’s privacy laws.
  • Almost half (48%) of businesses have procedures in place for dealing with complaints from customers who feel that their information has been handled improperly.
  • Just over three in five businesses have a privacy policy.
  • The majority of companies that have a privacy policy update it at least once a year (57%) and of those that do, 35% have notified their customers about the changes.
  • Many companies (39%) view protecting privacy as a competitive advantage, with 24% seeing it as a significant advantage and 15% a moderate advantage.

The OPC commissioned the survey in order to better understand the extent to which businesses are familiar with privacy issues and requirements, and the types of privacy policies and practices they have in place. Similar surveys were conducted in 2010 and 2007.

The complete survey, which is considered to be accurate to within +/- 3.1%, 19 times out of 20, can be found on our website at www.priv.gc.ca.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two federal laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to commercial activities in the Atlantic provinces, Ontario, Manitoba, Saskatchewan and the Territories. Quebec, Alberta and British Columbia each has its own law covering the private sector. Even in these provinces, PIPEDA continues to apply to the federally regulated private sector and to personal information in interprovincial and international transactions.

- 30 -

For more information, please contact:

Heather Ormerod
Office of the Privacy Commissioner of Canada
E-mail: heather.ormerod@priv.gc.ca

NOTE: Journalists are asked to please send requests for interviews or further information via e-mail.