News Release

Canadian businesses see privacy as important, but many still don’t have certain privacy basics in place, survey finds

GATINEAU, QC, April 28, 2016 – While it is encouraging that businesses are increasingly using more tools to protect personal information, according to a recent survey, there is still room for improvement when it comes to meeting privacy obligations and preparing for soon to be in force mandatory breach requirements.

These were among the findings revealed in the Office of the Privacy Commissioner’s (OPC) biannual telephone survey of 1,016 Canadian businesses. The survey seeks to examine the privacy awareness and practices of Canadian businesses. The findings come ahead of the coming into force of mandatory data breach obligations under federal privacy law.

The survey showed some positive developments in certain areas. For example, 41 per cent are “concerned” about suffering a potential data breach (up from 31 per cent in 2013). The OPC was also encouraged to see that an increasing percentage (83 per cent, up from 78 percent in 2013) said their business uses technological tools, such as passwords, firewalls and encryption to protect customer personal information. 

The survey, however, revealed limited movement in other areas. For example, only 41 percent (up slightly from 37 per cent in 2013) have policies and procedures in place to deal with a breach. In addition, less than half said they have privacy policies to inform customers about the personal information they collect and how it is used.  

“We are pleased to have seen some progress in terms of how businesses handle privacy issues, but there are still some areas for improvement to ensure they are meeting all privacy obligations, such as ensuring they provide clear and easy to understand privacy communications to their customers,” says Privacy Commissioner Daniel Therrien.

“We would encourage businesses to continue working actively to protect privacy and prevent breaches. It is also important that we start to see a greater number of businesses prepare for the new obligations they will soon have to notify customers and my Office of serious breaches.”

Innovation, Science and Economic Development Canada is in the process of developing regulations to bring into force amendments under the Digital Privacy Act for mandatory reporting of data breaches that pose a real risk of significant harm. 

Overall, 82 per cent of respondents reported being highly-to-moderately aware of their privacy responsibilities under Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA).  

Commissioner Therrien noted that small businesses tend to be less familiar with their responsibilities set out under PIPEDA, which has prompted the OPC to expand its outreach efforts to this group.

The survey results underlined that the vast majority of businesses see protecting customer personal information as important, with 88 per cent saying it is “highly-to-moderately” so. Despite this, only 45 per cent reported having developed privacy policies informing customers on how their personal information is gathered and used. PIPEDA includes obligations for organizations to be open and transparent about their privacy practices.

The survey also showed, with statistics very similar to the results of the OPC’s last business poll, that nearly all businesses are collecting personal information. Of businesses surveyed, 93 per cent reported collecting contact information, (such as phone numbers, mailing and email addresses) followed by far smaller percentages for:

  • Customer “evaluations, comments and opinions” (27 per cent);
  • Financial data, such as credit card numbers (25 per cent);
  • Customer purchasing habits (13 per cent); and
  • Medical information (10 per cent).

The complete survey, which is considered to be accurate to within +/- 3.1%, 19 times out of 20, can be found on our website at

About the Office of the Privacy Commissioner of Canada

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and PIPEDA, Canada’s federal private sector privacy law.

- 30 -

For more information, please contact:

Valerie Lawton
Office of the Privacy Commissioner of Canada

Report a problem or mistake on this page
Please select all that apply (required): Error 1: This field is required.


Date modified: