Business Op-ed

January 28, 2015

The following is an op-ed on privacy and small businesses that was shared with the business editors of several daily newspapers across Canada, except in provinces with substantially similar private sector privacy laws.

Strong privacy practices give companies a competitive advantage, says federal privacy commissioner

Daniel Therrien, Privacy Commissioner of Canada

Imagine finding out that a stranger has received highly sensitive information about you because a company has sent your mail to the wrong person. Or asking to look at your own personal information for the sake of fixing a suspected error, only to be denied access to it by the company that collected it.

As Privacy Commissioner of Canada, it’s these kinds of things that I want to draw attention to this Data Privacy Day.

About a third of private sector privacy complaints to my office under the Personal Information Protection and Electronic Documents Act, Canada’s federal private sector privacy law, involve smaller businesses that employ fewer than 100 people.

I realize smaller companies face a multitude of compliance pressures, on top of day-to-day operational demands, and that they have a limited staff to address them. But I also know that Canadians are increasingly concerned about their privacy and are choosing to do business with organizations that are sensitive to those concerns.

According to our latest public opinion poll released today, 81 per cent of Canadians say they would choose to do business with a company specifically because it has good privacy practices. And more than half would choose to do business with a company specifically because it does not collect personal information.

But only 16 per cent of Canadians believe businesses take their responsibility to protect personal information very seriously. Nearly a third say they have suffered negative consequences due to an organization misusing, sharing or losing their personal information.

Another 29 per cent of respondents say they’ve asked a company how it planned to use or protect their personal information and of them, 43 per cent decided not to do business with that company due to concerns over privacy.

These figures should raise alarm bells for all businesses, especially smaller ones that, in my office’s experience, sometimes appear to be less aware of their privacy obligations under federal law, and as a result, may be less likely to recognize and embrace privacy measures as a competitive advantage.

Smaller businesses should be asking themselves what proactive measures they are taking to safeguard the privacy of their customers and to mitigate data breaches.

Companies should limit the amount of personal information they collect to what is necessary for the purposes of delivering a product or service, and they should make it clear to customers why they need such information, ideally through a privacy policy.

To avoid losing personal information or sending it to the wrong person, companies need to know what they collect, where they store it and who has access to it. To that end, training staff on privacy protection is crucial.

Companies also need to think twice about collecting sensitive information, such as driver’s licenses, and if a company uses video surveillance, it needs to make sure customers are aware they’re being recorded.

If a business is going to store personal information on laptops, USB keys or hard drives, it should make sure those devices are encrypted and password protected.

Furthermore, businesses cannot simply ignore customer requests for access to their personal information and must designate a point person to respond to customer questions about privacy.

The most common complaints to my office relate to the use and disclosure of personal information – when companies use information for purposes other than those specified at the time they asked for it, or when it’s discovered that an employee has looked at somebody’s file without authorization.

My office also receives many complaints related to the collection of personal information. This, for example, could involve the acquisition of an unlisted telephone number by a collection agency, or an equipment rental company that insists on photographing customers as a precaution against theft.

Under federal private sector privacy law, companies are generally required to provide access to the personal information they have about a client or customer when that person requests it. That, however, doesn’t always happen and denials of access to personal information account for another large number of complaints to my office.

We also receive complaints from people who say they never consented to the use of their personal information in the first place, while others complain about businesses that failed to use proper safeguards, such as encryption or password protection, to ensure the security of their personal information.

Landlords, hotels, real estate agencies, collection agencies, travel agencies, retailers and financial planners are among the most common targets of privacy complaints to my office.

Although many complaints to my office are resolved quickly, it’s unfortunate that they arrive at all, as many are entirely preventable.

Unfortunately, a telephone survey we conducted last year of more than 1,000 companies across Canada found that more than half (55%) did not have a privacy policy. Half didn’t have procedures in place for dealing with privacy complaints and two-thirds (67%) did not have policies or procedures in place for assessing the privacy risks of new products, services and technologies. These are among the privacy basics for organizations.

Meanwhile, 59 per cent of businesses expressed little to no concern about the prospect of a data breach and 58 per cent indicated they had no guidelines for dealing with a breach involving the personal information of customers.

There is clearly a need for greater awareness about privacy protection. As we mark Data Privacy Day this January 28th, I am urging all businesses to use this opportunity to take stock of, and strengthen where necessary, their privacy practices.

Strong privacy practices are not just good for customers; they’re good for the bottom line.
