Accountability matters when it comes to privacy. As a business, though, you may not always find it clear what accountability really means when it comes to personal information protection.
Accountability is the first fair information principle in the federal Personal Information Protection and Electronic Documents Act (PIPEDA). This reflects its importance—it is the bedrock of the Act. It’s also implicit in Alberta and British Columbia’s respective privacy laws, the Personal Information Protection Act (PIPA). The principle outlines the things organizations need to do to have a compliant and accountable privacy program in place. But what does that mean in practice?
To help businesses “get accountability right”, Alberta, BC and our Office have released new guidelines: Getting Accountability Right with a Privacy Management Program. These new guidelines outline the elements of an effective privacy management program and offer scalable strategies that can be implemented by any size business.
Why should you care?
These new guidelines outline how our offices view effective privacy management. Big or small, an accountable business should be able to demonstrate to Privacy Commissioners that they have an effective, up-to-date privacy management program in place in the event of a complaint investigation or audit.
Compliance, of course, is essential. But we think there are a number of other benefits to having a privacy management program in place:
- An organization that has a strong privacy management program may enjoy an enhanced reputation that gives it a competitive edge.
- A privacy management program helps foster a culture of privacy throughout an organization and offers reassurance to customers and clients.
- Proper use of risk assessment tools can help prevent problems. Fixing a privacy problem after the fact can be costly, so careful consideration of the purposes for a particular initiative, product or service, and an assessment that minimizes any privacy impacts beforehand, are vital.
- With a privacy management program, organizations will be able to demonstrate to customers, employees, partners, shareholders, and privacy commissioners that they have in place a robust privacy program that shows not only compliance with privacy laws in Canada, but also that they are taking protection of personal information seriously.