Canadian Businesses and Privacy-Related Issues

Submitted to:
The Office of the Privacy Commissioner of Canada
March 2007

EKOS Research Associates


Executive Summary

The Office of the Privacy Commissioner of Canada (OPCC) is in the process of reviewing the Personal Information Protection and Electronic Documents Act (PIPEDA) to better respond to the privacy needs of consumers and businesses. It was within this context that EKOS Research Associates was commissioned to undertake a survey of Canadian businesses on a number of issues relating to privacy and the implementation of PIPEDA. These results will help to establish a number of benchmark measures to help in the review of PIPEDA and looking forward.

The results of the study are drawn from an 11-minute telephone survey with 1,033 businesses in Canada, conducted from March 12th to March 29th, 2007. Given that the main focus of the study was on the adoption of privacy laws, the survey was designed to contact senior decision makers with responsibility for knowledge of their company's privacy and security practices. Since medium and large sized businesses together account for less than 15 per cent of all businesses, the sample was stratified by company size (based on number of employees) and region in order to ensure that there were enough respondents from both of these size segments from across the country.

The key findings from this baseline study include the following:

  • As might be expected, many businesses have had to spend time and resources in ensuring that they meet their responsibilities under PIPEDA or the provincial laws in certain provinces. While it is clear that many businesses are spending time dealing with privacy related activities on a regular basis, such efforts are relatively less time consuming than many other ongoing day-to-day issues such as computer and IT issues, payroll and tax issues, and human resource related issues.
  • Given that Canadians' concerns with privacy and the privacy of their personal information are widespread and rising on a number of fronts, it is not surprising that many businesses recognize taking privacy seriously today is just good business. Likewise, it is not surprising that many businesses believe their customers are more concerned today about privacy related issues than in the past.
  • The collection of some sort of personal information in business interactions is a common occurrence — only about a third of companies report that they do not collect information on their customers.
  • While the majority of businesses are collecting personal information on their customers, there is a great deal of variation on the amount of information they do collect, ranging from small to large amounts.
  • Although information technology has had a dramatic impact on the day-to-day operations of all types of businesses, it is noteworthy that the amount of information that is stored on paper is almost equal to the amount of information stored electronically.
  • With the implementation of PIPEDA (and comparable provincial legislation in a few provinces), businesses across the country have certain responsibilities in terms of how they collect, use and disclose any personal information from customers. The survey probed in a number of areas to assess what provisions businesses have put in place to meet these responsibilities. Generally speaking, the results point to the fact that while the majority of businesses that collect personal information on their customers have fully implemented these provisions, there are small but not insignificant numbers that are only in the process of implementing, and others that are not in the process of doing so.
  • Many businesses tend to rate their company's awareness of its responsibilities under Canada's privacy laws favourably, with almost 1 in 2 businesses reporting a high awareness of their responsibilities. That said, the findings suggest there is a clear need to raise awareness of a company's responsibilities under Canada's privacy laws as similar numbers report either low or moderate awareness.
  • Only a third of all businesses report having staff that has been trained about the practices and responsibilities under Canada's privacy laws, although it is much more pronounced among larger businesses. At the same time, less than 1 in 5 has sought clarification of their role, although this is also much higher among larger businesses.
  • When it comes to the difficulty of complying with privacy laws, most businesses do not point to particular difficulties. While a small minority — less than 1 in 10 businesses — do in fact report having had difficulties doing so, the overwhelming majority indicate that it was either an easy process or that it was neither easy nor difficult.
  • It is clear that the Internet and government websites will be an important source of information on getting businesses to fully understand their responsibilities under Canada's privacy laws, with the majority of businesses pointing to that as the way they would want to obtain information (although a small but significant minority would see themselves contacting governments through a toll free number).
  • A significant proportion of businesses believe training could be somewhat useful, and for the most part, businesses are far more likely to see value in self-help tools such as information packages available online. Generally speaking, businesses are also notably more likely to lean towards wanting to get information from the relevant government departments/agencies who oversee Canada's privacy laws.

1. Introduction

1.1 Background

While the federal government has been subject to privacy legislation since the implementation of the Privacy Act in 1983, legislation covering the private sector is much newer. In fact, the Personal Information Protection and Electronic Documents Act (PIPEDA) only came into force in 2001, and at the time applied only to federally-regulated private sector companies. The Act was extended to cover personal health information in 2002. As of 2004, PIPEDA covers all organizations engaged in commercial activities, including those that for other purposes are regulated by the provinces.

PIPEDA is overseen by the Office of the Privacy Commissioner of Canada (OPCC), an advocate for the privacy rights of Canadians with the powers to investigate complaints and conduct audits under two federal laws; publish information about personal information handling practices in the public and private sector; and conduct research into privacy issues. With the Act currently being reviewed by Parliament, it is essential to better understand the broader landscape and the extent to which businesses are familiar with and complying with their responsibilities under PIPEDA.

It was within this context that EKOS Research Associates was commissioned to undertake a survey of Canadian businesses on a number of issues relating to privacy and the implementation of PIPEDA. This is the first time that the OPCC has surveyed businesses on these issues and the results will help to establish a number of benchmark measures to help in the review of PIPEDA and looking forward. In broad terms, the objectives of the study included examining a number of indicators, including the following:

  • Familiarity with PIPEDA
    • How familiar are businesses with PIPEDA?
    • To what extent are companies aware of their responsibilities under the Act?
  • Compliance with PIPEDA Regulations
    • To what extent do companies understand their responsibilities?
    • What measures have they taken to ensure their companies and their employees comply with PIPEDA?
    • How easy or difficult has it been for businesses to comply with PIPEDA regulations?
  • Use of Personal Information
    • Do organizations collect the personal information of customers?
    • How much information is collected?
    • How is this information stored?
  • Practices and Policies
    • What percentage of businesses have a privacy policy in place?
    • Does the company have someone responsible for overseeing privacy issues?
    • How are complaints and access to information requests dealt with?
    • How could the Privacy Commissioner of Canada work with the organizations to help them fulfill their requirements under the Act?

1.2 Research Methodology

The research findings for this study have been drawn from the results of an 11 minute telephone survey with 1,033 businesses in Canada from March 12th to March 29th 2007. Given that the main focus of the study was on the adoption of privacy laws, the survey was designed to contact senior decision makers with responsibility for knowledge of their company's privacy and security practices.

The survey instrument was designed in close consultation with the Office of the Privacy Commissioner of Canada to examine issues described in the previous section. Once the questionnaire items were approved, the questionnaire was programmed into EKOS' computer assisted telephone interviewing (CATI) software. In addition to programming the actual text of each question, instructions to the survey interviewer (such as instruction to read or not read available responses), question/response randomization (batteries of questions and some responses to questions are randomized to minimize an order bias) and skip logic were integrated at this stage. In order to gauge the flow and clarity of the survey instrument, the questionnaire was pre-tested through a series of telephone interviews with actual respondents in English and French. The objective of the pre-test was to ascertain the clarity of the questions, the flow of the sequencing, the overall length of the interviews and any factors that may affect the response rate. A small number of revisions were made to the survey instrument in order to clarify certain questions and to adjust the focus of others before the final survey was fielded. The final version of this survey is appended to this report in Appendix A.

Since medium and large sized businesses together account for less than 15 per cent of all businesses, the sample was stratified by company size (based on number of employees) and region in order to ensure that there were enough respondents from both of these two size segments from across the country. For purposes of the study, the following definitions of size were adopted: small (1-19 employees), medium (20-99 employees), and large (100 or more employees). The results are based on the following samples:

  • 423 surveys with small businesses;
  • 282 surveys with medium businesses; and
  • 299 surveys with large businesses.

The findings were then weighted by size, region and industry code to align the data to a 'truer' reflection of Canadian businesses. The weighted findings tend to reflect more closely the responses of small-sized businesses as these businesses account for more than four in five businesses in Canada.

With a sample size of 1,033, results may be considered statistically accurate to within +/- 3.1 percentage points, 19 times out of 20. The margin of error rises when results are examined for a particular sub-sample.

2. Overall Findings

This survey of the Canadian businesses was designed to give policy makers and practitioners in the area of privacy a better understanding of the broader privacy landscape, and how businesses have adapted to the implementation of PIPEDA and similar provincial legislation in certain provinces. Within this context, the survey pointed to a number of key findings.

The Broad Privacy Landscape

  • With the implementation of PIPEDA, businesses have had to spend time and resources in ensuring that they meet their responsibilities under PIPEDA or the provincial laws in certain provinces. While it is clear that many businesses are spending time dealing with privacy related activities on a regular basis, such efforts are relatively less time consuming than many other ongoing day-to-day issues such as computer and IT issues, payroll and tax issues, and human resource related issues. While about one in ten businesses spend a large amount of time dealing with privacy issues, almost six in ten spend a little amount of time. In comparison, businesses are spending far less time on privacy related issues compared to these other issues.
  • Canadians' concerns with their personal privacy and the privacy of their personal information are widespread and rising on a number of fronts, particularly in relation to identity theft. While Canadians may not be well versed in the laws that are in place to protect their privacy, businesses in contrast now have certain responsibilities under these laws. At the same time, businesses do recognize that not only do they have responsibilities, but that taking privacy seriously today is just good business. Today, the overwhelming majority – almost nine in ten businesses – agree with this view.
  • Against a backdrop where there have been a series of notable privacy-related breaches, it is not surprising that more than half of all businesses believe their customers are more concerned today about privacy related issues than in the past. Moreover, the overwhelming majority – almost eight in ten businesses – are close to their customers and know them on a first-name basis.
  • Few Canadians believe that identity theft is not a serious issue today. While the survey did not ask businesses about their perceptions about the seriousness of identity theft in general, the study did nonetheless point to the fact that many businesses do not feel that it is something that they need to worry about. That said, businesses are far less likely to hold this view the more personal information they collect from their customers.

Businesses and Personal Information

  • The collection of some sort of personal information in business interactions is a common occurrence — only about a third of companies report that they do not collect information on their customers.
  • While the majority of businesses are collecting personal information on their customers, there is a great deal of variation on the amount of information they do collect. The plurality of businesses — a little over four in ten — report that they collect only small amounts. About a third report collecting moderate amounts, and the remaining one in five reporting that they collect large amounts.
  • Although information technology has had a dramatic impact on the day-to-day operations of all types of businesses, it is noteworthy that the amount of information that is stored on paper is almost equal to the amount of information stored electronically. About eight in ten of all businesses that collect personal information on their customers store this information in either format, with a small portion also pointing to other formats.
  • With the implementation of PIPEDA (and comparable provincial legislation in a few provinces), businesses across the country have certain responsibilities in terms of how they collect, use and disclose any personal information from customers. The survey probed in a number of areas: putting in place clear privacy policies to oversee how the company and its employees collect, use and disclose personal information; putting in place safeguards to protect personal information from unauthorized access; putting in place ways for customers to be able to request and access any personal information that your company holds on them; and putting in place procedures that enable customers to make complaints should they feel that their personal information has been handled inappropriately; and whether the business has a privacy statement on its website.
  • Generally speaking, the results point to the fact that while the majority of businesses that collect personal information on their customers have fully implemented these provisions, there are small but not insignificant numbers that are only in the process of implementing, and others that have not implemented them (and are not in the process of doing so).

Privacy Legislation

  • Many businesses tend to rate their company's awareness of its responsibilities under Canada's privacy laws favourably. Overall, almost 1 in 2 businesses report a high awareness of their responsibilities.
  • That said, the findings suggest there is a clear need to raise awareness of a company's responsibilities under Canada's privacy laws as similar numbers report either low awareness or only moderate awareness. There is, however, a notable improvement among businesses that collect personal information, with much higher levels of awareness being reported by those businesses which collect the most information from their customers.
  • Only a third of all businesses report having staff that has been trained about the practices and responsibilities under Canada's privacy laws, although it is much more pronounced among larger businesses. At the same time, less than 1 in 5 has sought clarification of their role while the majority of businesses although this is also much higher among larger businesses.
  • When it comes to the difficulty of complying with privacy laws, most businesses do not point to particular difficulties. While a small minority — less than 1 in 10 businesses — do in fact report having had difficulties doing so, the overwhelming majority indicate that it was either an easy process or that it was neither easy nor difficult.
  • It is clear that the Internet and government websites will be an important source of information on getting businesses to fully understand their responsibilities under Canada's privacy laws. With businesses increasingly having access to the Internet, it is not surprising that a significant proportion would look for information regarding privacy laws on a government website. That said, a small but significant minority would see themselves contacting governments through a toll free number.
  • Likewise, a significant proportion of businesses believe training could be somewhat useful and the government could make more resources available to provide instruction. For the most part, businesses are far more likely to see value in self-help tools such as information packages available online, although about one in five do point to in-person seminars. Generally speaking, businesses are also notably more likely to lean towards wanting to get any information from the relevant government departments/agencies who oversee Canada's privacy laws, although about one in three still points to an organization like the local chambers of commerce.

3. The Broad Privacy Landscape

  • With the implementation of PIPEDA, businesses have had to spend time and resources in ensuring that they meet their responsibilities under PIPEDA or the provincial laws in certain provinces. While it is clear that many businesses are spending time dealing with privacy related activities on a regular basis, such efforts are relatively less time consuming than many other ongoing day-to-day issues such as computer and IT issues, payroll and tax issues, and human resource related issues. While about one in ten businesses spend a large amount of time dealing with privacy issues, almost six in ten spend a little amount of time. In comparison, businesses are spending far less time on privacy related issues compared to these other issues.
  • Canadians' concerns with their personal privacy and the privacy of their personal information are widespread and rising on a number of fronts, particularly in relation to identity theft. While Canadians may not be well versed in the laws that are in place to protect their privacy, businesses in contrast now have certain responsibilities under these laws. At the same time, businesses do recognize that not only do they have responsibilities, but that taking privacy seriously today is just good business. Today, the overwhelming majority – almost nine in ten businesses – agree with this view.
  • Against a backdrop where there have been a series of notable privacy-related breaches, it is not surprising that more than half of all businesses believe their customers are more concerned today about privacy related issues than in the past. Moreover, the overwhelming majority – almost eight in ten businesses – are close to their customers and know them on a first-name basis.
  • Few Canadians believe that identity theft is not a serious issue today. While the survey did not ask businesses about their perceptions about the seriousness of identity theft in general, the study did nonetheless point to the fact that many businesses do not feel that it is something that they need to worry about. That said, businesses are far less likely to hold this view the more personal information they collect from their customers.

Canadians' concerns with their personal privacy and the privacy of their personal information are widespread and rising on a number of fronts, particularly in relation to identity theft. While Canadians may not be well versed in the laws that are in place to protect their privacy, businesses in contrast now have certain responsibilities under these laws. At the same time, businesses do recognize that not only do they have responsibilities, but that taking privacy seriously today is just good business.

While many businesses are spending time dealing with privacy related activities on a regular basis, such efforts are relatively less time consuming than many other ongoing day-to-day issues such as computer and IT issues, payroll and tax issues, and human resource related issues.

Time on privacy related issues vis-à-vis other issues

While about 1 in 10 businesses spend a large amount of time dealing with privacy issues, almost 6 in 10 spend a little amount of time. In comparison, businesses are spending less time on privacy issues than most other issues.

| Issue | Little amount of time (1-2) | Some time (3-5) | Large amount of time (6-7) |
| --- | --- | --- | --- |
| Fraud related activities | 88 | 8 | 2 |
| Privacy issues | 58 | 26 | 11 |
| Human resource related issues | 53 | 34 | 10 |
| Government payroll and tax issues | 44 | 43 | 9 |
| Computer and IT issues | 47 | 38 | 13 |

Q: How much time does your company spend on dealing with ... in a TYPICAL month on a scale from 1 to 7, where 1 means little or no time, 7 means a great deal of time, and 4 means a moderate amount of time?
(Base: All Businesses; Mar. 2007, n=1033)

Companies have taken notice of Canadians becoming more concerned about privacy-related issues than in the past. Although the majority of all businesses agree that being seen as taking a serious line with privacy issues is beneficial to company operations, less than half of all companies believe that identity theft is something their company has to worry about.

Taking privacy seriously and good business

As consumers' concerns over privacy related matters have increased, businesses overwhelmingly agree that it is in their best interest to be known as a business that takes privacy related matters seriously.

Disagree: 3; Neither: 10; Agree: 86
Q: Today, it is good business to be known as a company who takes privacy-related manners seriously.
(Base: All Businesses; Mar. 2007, n=1033)

Customers' privacy concerns

Against a backdrop where there have been a series of notable privacy-related breaches, it is not surprising that more than half of all businesses believe their customers are more concerned today about privacy related issues than in the past. This view is most pronounced in large companies where it is held by 7 in 10.

Disagree: 20; Neither: 22; Agree: 55
Per cent agreeing
Small: 55; Medium: 57; Large: 64
Q: My company's customers are more concerned today about privacy-related issues than in the past.
(Base: All Businesses; Mar. 2007, n=1033)

Knowing customers on a first name basis

The overwhelming majority of all businesses know their customers well enough to work on a first name basis, although it is slightly less common among larger businesses.

Disagree: 14; Neither: 9; Agree: 76
Per cent agreeing
Small: 76; Medium: 75; Large: 56
Q: We know most of our company's customers on a first name basis.
(Base: All Businesses; Mar. 2007, n=1033)

Worrying about identity theft

Although businesses overwhelmingly agree that privacy related issues matter, the proportion that believes they have to worry about an issue such as identity theft is lower than the proportion that thinks it is something their company does not have to worry about. That said, businesses are far less likely to hold this view the more personal information they collect.

Disagree: 39; Neither: 14; Agree: 44
Per cent agreeing
Do not collect personal information on customers: 58; Collect little amount: 42; Collect moderate amount: 36; Collect large amount: 30
Q: Even though it may be a serious issue, identity theft is not something my company has to worry much about.
(Base: All Businesses; Mar. 2007, n=1033) * Collection of personal information discussed later in report.

4. Business and Personal Information

  • The collection of some sort of personal information in business interactions is a common occurrence — only about a third of companies report that they do not collect information on their customers.
  • While the majority of businesses are collecting personal information on their customers, there is a great deal of variation on the amount of information they do collect. The plurality of businesses — a little over four in ten — report that they collect only small amounts. About a third report collecting moderate amounts, and the remaining one in five reporting that they collect large amounts.
  • Although information technology has had a dramatic impact on the day-to-day operations of all types of businesses, it is noteworthy that the amount of information that is stored on paper is almost equal to the amount of information stored electronically. About eight in ten of all businesses that collect personal information on their customers store this information in either format, with a small portion also pointing to other formats.
  • With the implementation of PIPEDA (and comparable provincial legislation in a few provinces), businesses across the country have certain responsibilities in terms of how they collect, use and disclose any personal information from customers. The survey probed in a number of areas: putting in place clear privacy policies to oversee how the company and its employees collect, use and disclose personal information; putting in place safeguards to protect personal information from unauthorized access; putting in place ways for customers to be able to request and access any personal information that your company holds on them; and putting in place procedures that enable customers to make complaints should they feel that their personal information has been handled inappropriately; and whether the business has a privacy statement on its website.
  • Generally speaking, the results point to the fact that while the majority of businesses that collect personal information on their customers have fully implemented these provisions, there are small but not insignificant numbers that are only in the process of implementing, and others that have not implemented them (and are not in the process of doing so).

Today, the majority of businesses — almost 2 in 3 — collect personal information from their customers. Of these companies, businesses that operate in the business-to-business (B2B) marketplace and the B2B/business-to-consumers (B2C) marketplace, and those selling services are the most likely to collect personal information.

Collection of personal information

The collection of some sort of personal information in business interactions is a common occurrence — only a little over a third of companies report that they do not collect information on their customers. While the proportion that does not collect personal information varies very little along company size lines it is more pronounced in business to business company types and businesses that deal in selling goods.

Collects personal information on customers: 63; Does not collect personal information on customers: 36; DK/NR: 1
 
Q: And would you say your company collects ...
(Base: Businesses that collect personal information; Mar. 2007, n=605)
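
|  |  | Collects personal information on customers | Does not collect personal information on customers | DK/NR |
| --- | --- | --- | --- | --- |
| Company Size | Small | 66 | 33 | 1 |
|  | Medium | 61 | 37 | 2 |
|  | Large | 55 | 37 | 8 |
| Company Type | B2C | 67 | 33 | 0 |
|  | B2B | 36 | 63 | 1 |
|  | Both | 71 | 27 | 2 |
| Product Type | Goods | 47 | 50 | 2 |
|  | Services | 71 | 28 | 1 |
|  | Both | 63 | 36 | 1 |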

While the amount of personal information that businesses collect varies, it is worth noting that only slightly more than 1 in 5 companies report collecting a large amount of information. These tend to be business to consumer types of companies and businesses that offer services.

How much personal information is collected

There is a great deal of variation in the amount of personal information collected by businesses, ranging from small amounts to large amounts.

Only small amounts of personal information: 47; Moderate amounts of personal information: 31; Large amounts of personal information: 22
Q: And would you say your company collects ...
(Base: Businesses that collect personal information; Mar. 2007, n=605)
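
|  |  | Small amounts of information | Moderate amounts of information | Large amounts of information |
| --- | --- | --- | --- | --- |
| Company Size | Small | 45 | 28 | 26 |
|  | Medium | 38 | 45 | 17 |
|  | Large | 34 | 43 | 22 |
| Company Type | B2C | 47 | 29 | 23 |
|  | B2B | 68 | 28 | 3 |
|  | Both | 46 | 33 | 20 |
| Product Type | Goods | 57 | 35 | 8 |
|  | Services | 38 | 29 | 32 |
|  | Both | 54 | 32 | 13 |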

With companies collecting various amounts of personal information from their customers, it is interesting to note that this information is being stored almost as frequently on paper as it is being stored electronically. A small proportion report storing personal information in other formats.

How personal information is stored

Although information technology has had a dramatic impact in business operations, the amount of information that is stored on paper is equal to the amount of information stored electronically.

Stored on paper: 74; Stored electronically: 79; Stored in another format: 5
Q: And would you say that the personal information on your customers is ... ?
(Base: Businesses that collect personal information; Mar. 2007, n=605)
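
|  |  | Stored on paper | Stored electronically | Stored in other format |
| --- | --- | --- | --- | --- |
| Company Size | Small | 77 | 80 | 5 |
|  | Medium | 71 | 90 | 3 |
|  | Large | 65 | 94 | 8 |
| Company Type | B2C | 77 | 71 | 7 |
|  | B2B | 66 | 76 | 3 |
|  | Both | 71 | 86 | 4 |
| Product Type | Goods | 61 | 78 | 0 |
|  | Services | 80 | 85 | 6 |
|  | Both | 72 | 72 | 6 |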

Surprisingly, with a considerable number of consumers needing reassurances from the companies they do business with, many of the rules and regulations established in PIPEDA have not been implemented by a considerable number of businesses. Perhaps most alarming is the rate at which businesses have put in place procedures through which consumers can complain of a violation of their privacy. Overall, 1 in 4 have yet to begin implementation, while a significant proportion believe this regulation is not applicable to them.

Implementation of policies re collection, usage and disclosure

Although PIPEDA has been in effect since 2004, there still remains a sizeable proportion of businesses that are either in the process of implementing or have yet to implement a policy to oversee how the company and its employees collect, use and disclose personal information.

Fully implemented: 67; In the process of being implemented: 16; Have not been implemented yet: 15; Not applicable: 2
Q: What stage is your company at putting in place clear privacy policies to oversee how the company and its employees collect, use and disclose personal information?
(Base: Businesses that collect personal information; Mar. 2007, n=605)
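| | | Fully implemented | In the process of being implemented | Have not been implemented yet | Not applicable |
|---|---|---|---|---|---|
| Company Size | Small | 68 | 14 | 15 | 2 |
| | Medium | 69 | 22 | 8 | 1 |
| | Large | 72 | 21 | 4 | 2 |
| Company Type | B2C | 73 | 12 | 11 | 3 |
| | B2B | 60 | 25 | 12 | 1 |
| | Both | 63 | 18 | 17 | 1 |
| Product Type | Goods | 47 | 23 | 29 | 0 |
| | Services | 73 | 15 | 9 | 2 |
| | Both | 66 | 14 | 17 | 3 |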

Implementation of safeguards re protecting info from unauthorized access

Approximately 3 in 4 businesses report having fully implemented safeguards in place to protect personal information from unauthorized sources, while another 16 per cent are in the process of implementation.

Fully implemented: 74; In the process of being implemented: 15; Have not been implemented yet: 8; Not applicable: 3
Q: What stage is your company at putting in place safeguards to protect personal information from unauthorized access?
(Base: Businesses that collect personal information; Mar. 2007, n=605)
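| | | Fully implemented | In the process of being implemented | Have not been implemented yet | Not applicable |
|---|---|---|---|---|---|
| Company Size | Small | 75 | 13 | 9 | 3 |
| | Medium | 82 | 13 | 2 | 2 |
| | Large | 79 | 15 | 2 | 3 |
| Company Type | B2C | 71 | 16 | 8 | 5 |
| | B2B | 86 | 10 | 1 | 1 |
| | Both | 75 | 15 | 8 | 1 |
| Product Type | Goods | 55 | 28 | 14 | 2 |
| | Services | 82 | 10 | 6 | 2 |
| | Both | 71 | 15 | 9 | 4 |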

Implementation of accessibility of personal information provisions

The Individual Access Principle in PIPEDA states that businesses must be able to provide to customers their personal information upon request. Today, almost 1 in 5 companies have not implemented any method by which consumers could obtain this information.

Fully implemented: 68; In the process of being implemented: 5; Have not been implemented yet: 20; Not applicable: 6
Q: What stage is your company at putting in place ways for customers to be able to request and access any personal information that your company holds on them?
(Base: Businesses that collect personal information; Mar. 2007, n=605)
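| | | Fully implemented | In the process of being implemented | Have not been implemented yet | Not applicable |
|---|---|---|---|---|---|
| Company Size | Small | 70 | 3 | 21 | 5 |
| | Medium | 68 | 10 | 14 | 7 |
| | Large | 69 | 10 | 11 | 6 |
| Company Type | B2C | 78 | 3 | 10 | 8 |
| | B2B | 62 | 9 | 22 | 6 |
| | Both | 66 | 6 | 23 | 5 |
| Product Type | Goods | 49 | 5 | 36 | 9 |
| | Services | 72 | 4 | 19 | 4 |
| | Both | 72 | 7 | 14 | 6 |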

Implementation of ways for customers to contact company

Only half of all businesses that collect personal information have procedures fully in place that allow consumers to make complaints about the handling of personal information. Surprisingly, a significant proportion of businesses that collect personal information believe this regulation is not applicable to them.

Fully implemented: 58; In the process of being implemented: 9; Have not been implemented yet: 24; Not applicable: 8
Q: What stage is your company at putting in place procedures that enables customers to make complaints should they feel that their personal information has been handled inappropriately?
(Base: Businesses that collect personal information; Mar. 2007, n=605)
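| | | Fully implemented | In the process of being implemented | Have not been implemented yet | Not applicable |
|---|---|---|---|---|---|
| Company Size | Small | 54 | 8 | 28 | 10 |
| | Medium | 68 | 11 | 16 | 3 |
| | Large | 71 | 12 | 9 | 6 |
| Company Type | B2C | 67 | 8 | 12 | 12 |
| | B2B | 59 | 17 | 17 | 5 |
| | Both | 57 | 8 | 29 | 6 |
| Product Type | Goods | 43 | 15 | 37 | 3 |
| | Services | 55 | 8 | 27 | 9 |
| | Both | 69 | 8 | 14 | 7 |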

Company websites – privacy statements and contacting the company

With the Internet increasingly being used by both businesses and consumers in their day to day interactions, it is not surprising that an overwhelming majority of businesses with a website offer email contact. In contrast, only 1 in 4 have a policy statement available online.

Privacy policy statement: 30; Can contact company by email: 90; Do not have either: 5; DK/NR: 4
Q: Does your company's Internet website offer any of the following?
(Base: Businesses with websites; Mar. 2007, n=733)
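| | | Privacy policy statement | Can contact company by email | Neither | DK/NR |
|---|---|---|---|---|---|
| Company Size | Small | 28 | 88 | 7 | 4 |
| | Medium | 45 | 92 | 2 | 2 |
| | Large | 50 | 93 | 2 | 2 |
| Company Type | B2C | 25 | 90 | 5 | 3 |
| | B2B | 33 | 95 | 3 | 2 |
| | Both | 29 | 86 | 8 | 6 |
| Product Type | Goods | 22 | 92 | 4 | 4 |
| | Services | 34 | 86 | 8 | 5 |
| | Both | 29 | 93 | 3 | 2 |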

5. Privacy Legislation

  • Many businesses tend to rate their company's awareness of its responsibilities under Canada's privacy laws favourably. Overall, almost 1 in 2 businesses report a high awareness of their responsibilities.
  • That said, the findings suggest there is a clear need to raise awareness of a company's responsibilities under Canada's privacy laws as similar numbers report either low awareness or only moderate awareness. There is, however, a notable improvement among businesses that collect personal information, with much higher levels of awareness being reported by those businesses which collect the most information from their customers.
  • Only a third of all businesses report having staff that has been trained about the practices and responsibilities under Canada's privacy laws, although it is much more pronounced among larger businesses. At the same time, less than 1 in 5 have sought clarification of their role, although this is also much higher among larger businesses.
  • When it comes to the difficulty of complying with privacy laws, most businesses do not point to particular difficulties. While a small minority — less than 1 in 10 businesses — do in fact report having had difficulties doing so, the overwhelming majority indicate that it was either an easy process or that it was neither easy nor difficult.
  • It is clear that the Internet and government websites will be an important source of information on getting businesses to fully understand their responsibilities under Canada's privacy laws. With businesses increasingly having access to the Internet, it is not surprising that a significant proportion would look for information regarding privacy laws on a government website. That said, a small but significant minority would see themselves contacting governments through a toll free number.
  • Likewise, a significant proportion of businesses believe training could be somewhat useful and the government could make more resources available to provide instruction. For the most part, businesses are far more likely to see value in self-help tools such as information packages available online, although about one in five do point to in-person seminars. Generally speaking, businesses are also notably more likely to lean towards wanting to get any information from the relevant government departments/agencies who oversee Canada's privacy laws, although about one in three still point to an organization like the local chambers of commerce.

Many businesses tend to rate their company's awareness of its responsibilities under Canada's privacy laws favourably. Overall, almost 1 in 2 businesses report a high awareness of their responsibilities. That said, the findings suggest there is a clear need to raise awareness of a company's responsibilities under Canada's privacy laws as similar numbers report either low awareness or only moderate awareness.

Awareness of responsibilities of privacy laws

Considering the variety of stages many companies are at in implementing aspects of PIPEDA, awareness levels suggest there is a clear need to raise awareness of company responsibilities under Canada's privacy laws. That said, there is a notable improvement among businesses that collect personal information, with much higher levels of awareness being reported by those businesses which collect the most information from their customers.

Low awareness (1-2): 8; Moderate awareness (3-5): 42; High awareness (6-7): 49
Per cent reporting high awareness
Do not collect personal information on customers: 37; Collect little amount: 54; Collect moderate amount: 47; Collect large amount: 76
Q: How would you rate your company's awareness of its responsibilities under Canada's privacy laws on a scale from 1 to 7, where 1 is not at all aware, 7 is extremely aware and 4 is somewhat aware?
(Base: All Businesses; Mar. 2007, n=1033)

Only a third of all businesses report having staff that has been trained about the practices and responsibilities under Canada's privacy laws, although it is much more pronounced among larger businesses. At the same time, less than 1 in 5 have sought clarification of their role, although this is also much higher among larger businesses. While a small minority — less than 1 in 10 businesses — report having difficulty complying with privacy laws, the overwhelming majority indicate that it was either easy or neither easy nor difficult.

Training on responsibilities under privacy laws

Almost a third of all businesses report they have staff that have had training on appropriate information practices and responsibilities.

Received any training on privacy laws
Yes: 33; No: 63
Per cent that have received training on privacy laws
Small: 32; Medium: 35; Large: 63
Q: Have any of your staff received training on appropriate information practices and responsibilities under Canada's privacy laws?
(Base: All Businesses; Mar. 2007, n=1033)

Seeking clarification on privacy laws

Although businesses report low awareness levels regarding privacy laws, only 1 in 5 companies have sought clarification of their responsibilities under law.

Sought clarification on privacy laws
Yes: 22; No: 73
Per cent that have sought clarification on privacy laws
Small: 19; Medium: 30; Large: 43
Q: Has your company ever sought clarification of its responsibilities under Canada's privacy laws?
(Base: All Businesses; Mar. 2007, n=561)

Difficulties in adapting to privacy laws

Comfort with privacy law implementation is further illustrated by how seamlessly businesses have made the transition into compliance.

Extremely easy (1): 27; (2-3): 15; Neither (4): 45; (5-6): 6; Extremely difficult: 2
Q: How difficult has it been for your company to bring its information practices into compliance with Canada's privacy laws, using a scale from 1 to 7, where 1 is extremely easy, 7 is extremely difficult and 4 is neither easy nor difficult?
(Base: All Businesses; Mar. 2007, n=996)

How businesses would find out more information on privacy laws

With businesses increasingly having access to the Internet, it is not surprising that a significant proportion would look for information regarding privacy laws on a government website. That said, a small but significant minority would see themselves contacting governments through a toll free number.

Go to a government website: 63; Send an email to a government department: 3; Call a government toll free number: 18; Go to a government office: 2; Send a letter to a government department: 4; Other: 8
Q: If you needed to find more information about your company's responsibilities under Canada's privacy laws, how would you go about it?
(Base: All Businesses; Mar. 2007, n=1033)

A significant proportion of businesses believe training could be somewhat useful and the government could make more resources available to provide instruction.

Usefulness of training

Companies are increasingly knowledgeable of their role in upholding privacy laws. In fact, the proportion that do not see training as a useful method of learning compliance outnumber those that do at almost 2 to 1.

Not at all useful (1): 26; (2-3): 13; Somewhat useful (4): 34; (5-6): 14; Extremely useful (7): 12
Q: On a scale where 1 is not at all useful, 7 is extremely useful, and the mid-point 4 is somewhat useful, how useful would it be for your company to be able to get training on what companies need to do to comply with Canada's privacy laws?
(Base: All Businesses; Mar. 2007, n=1033)

Type of training/Delivery of training

With companies preferring the convenient and easy-to-use methods of self-help tools made available online, it is not surprising that the government is the preferred deliverer of this training.

In-person seminars in different cities: 22; Self-help tools like information packages available online: 73; Other: 1; DK/NR: 4
Organizations like the local chambers of commerce: 33; Government departments/agencies responsible for overseeing Canada's privacy laws: 58; Other: 1; DK/NR: 7
Q: And what do you think would be the most effective way to offer this training/And who do you think would be the most effective at delivering this type of training?
(Base: All businesses/businesses that believe training would be beneficial; Mar. 2007, n=1033/1001)

Appendix A: Survey Questionnaire

INTRO

Hello, may I speak to .

My name is . and I'm calling from EKOS Research. We're conducting a short survey on behalf of the Privacy Commissioner of Canada to better understand the needs and practices of businesses across the country in relation to Canada's privacy laws.

May I please speak to the person who would be most familiar with what types of personal information is collected on your customers, and how this information is stored and used. This may be your company's Privacy Officer if you have one.

This is an important survey that will help the Government of Canada, and your participation is voluntary. All answers will also be kept strictly confidential. May I begin?

  1. Continue (1)

TYP

READ CATEGORIES, ACCEPT ONLY ONE

Which of the following best describes your company?

  1. It sells directly to consumers (01)
  2. It sells directly to other businesses / organizations (02)
  3. It sells directly both to consumers and other businesses/organizations (03)
  4. (DO NOT READ) Other, please specify (77)
  5. (DO NOT READ) NOT FOR PROFIT, THANK AND TERMINATE (05)
  6. (DO NOT READ) DK/NR, THANK AND TERMINATE (99)

LOC1

READ LIST

Which of the following best describes your company?

  1. It operates at this location alone (1)
  2. There are other locations, but only in Canada (2)
  3. There are other locations outside of Canada (3)
  4. (DO NOT READ) DK/NR (9)

EMPL

Approximately how many employees, including part-time, full-time and seasonal workers are currently employed in your company? / Approximately how many employees, including part-time, full-time and seasonal workers are currently employed in your company within Canada?

  1. 1 to 4 employees (01)
  2. 5 to 9 employees (02)
  3. 10 to 19 employees (03)
  4. 20 to 49 employees (04)
  5. 50 to 99 employees (05)
  6. 100 to 149 employees (06)
  7. 150 to 199 employees (07)
  8. 200 to 249 employees (08)
  9. 250 to 299 employees (09)
  10. 300 to 499 employees (10)
  11. 500 to 999 employees (11)
  12. 1,000 to 4,999 employees (12)
  13. More than 5,000 employees (13)
  14. DK/NR (99)

P_T

There are different activities that can take up the time of a company and its staff. Please rate how much time your company spends dealing with the following activities in a TYPICAL month on a scale from 1 to 7, where 1 means little or no time, 7 means a great deal of time, and 4 means a moderate amount of time.

T1

How much time does your company spend on ... in a TYPICAL month?
dealing with computers and information technology issues such as viruses, spam, updating software

  1. 1 Little or no time (1)
  2. 2 (2)
  3. 3 (3)
  4. 4 A moderate amount of time (4)
  5. 5 (5)
  6. 6 (6)
  7. 7 A great deal of time (7)
  8. DK/NR (9)

T2

How much time does your company spend on ... in a TYPICAL month?
dealing with human-resource related issues

T3

How much time does your company spend on ... in a TYPICAL month?
dealing with government payroll and income tax-related issues

T4

How much time does your company spend on ... in a TYPICAL month?
dealing with privacy-related issues, including complying with Canada's privacy laws?

T5

How much time does your company spend on ... in a TYPICAL month?
dealing with fraud related activities, such as credit-card fraud, counterfeit money, etc.

AGR1

Please rate the degree to which you agree or disagree with the following statements using a 7 point scale where 1 means you strongly disagree, 7 means you strongly agree and the mid-point 4 means you neither agree nor disagree.

CMC

Agreement with...
My company's customers are more concerned today about privacy-related issues than in the past.

  1. 1 Strongly disagree (1)
  2. 2 (2)
  3. 3 (3)
  4. 4 Neither agree nor disagree (4)
  5. 5 (5)
  6. 6 (6)
  7. 7 Strongly agree (7)
  8. DK/NR (9)

GBS

Agreement with...
Today, it is good business to be known as a company who takes privacy-related matters seriously.

IDTH

Agreement with...
Even though it may be a serious issue, identity theft is not something my company has to worry much about.

CUST

Agreement with...
We know most of our company's customers on a first name basis.

PR_PI

The next questions are about the types of personal information held by your company on its customers. By personal information, I mean things like a customer's name, age, address, income, what they have purchased, email address, and so on.

C1

READ LIST

Which of the following best describes your company's activities in relation to your customer's personal information? Would you say your company...

  1. collects personal information on its customers (1)
  2. does not collect any personal information on its customers (2)
  3. (DO NOT READ) DK/NR (9)

C2

READ LIST

And would you say your company collects...

  1. only small amounts of personal information on its customers (1)
  2. moderate amounts of personal information on its customers (2)
  3. a large amount of personal information on its customers (3)
  4. (DO NOT READ) DK/NR (9)

C3

SELECT ALL THAT APPLY

And would you say that the personal information on your customers is stored on paper, stored electronically, or some other type of format?

  1. Stored on paper (1)
  2. Stored electronically (2)
  3. Stored in some other type of format (3)
  4. DK/NR (9X)

C4

Thinking about personal information that is collected and used by your company on its customers, at what stage is your company in relation to the following? Would you say your company has the following fully in place, is in the process of implementing, or have not implemented them yet?

C4A

What stage is your company at...
putting in place clear guidelines or policies to oversee how the company and its employees collect, use and disclose personal information?

  1. fully implemented (1)
  2. in the process of being implemented (2)
  3. have not been implemented yet (3)
  4. (DO NOT READ) Not applicable (4)
  5. (DO NOT READ) DK/NR (9)

C4B

What stage is your company at...
putting in place safeguards to protect personal information from unauthorized access?

  1. fully implemented (1)
  2. in the process of being implemented (2)
  3. have not been implemented yet (3)
  4. (DO NOT READ) Not applicable (4)
  5. (DO NOT READ) DK/NR (9)

C4C

What stage is your company at...
putting in place ways for customers to be able to request and access any personal information that your company holds on them?

  1. fully implemented (1)
  2. in the process of being implemented (2)
  3. have not been implemented yet (3)
  4. (DO NOT READ) Not applicable (4)
  5. (DO NOT READ) DK/NR (9)

C4D

What stage is your company at...
putting in place procedures that enables customers to make complaints should they feel that their personal information has been handled inappropriately?

  1. fully implemented (1)
  2. in the process of being implemented (2)
  3. have not been implemented yet (3)
  4. (DO NOT READ) Not applicable (4)
  5. (DO NOT READ) DK/NR (9)

PIP

The federal government's new privacy law, the Personal Information and Protection and Electronic Documents Act or PIPEDA came into full force on January 1st 2004. The Act establishes new privacy laws that govern how businesses should protect personal information.

[Alberta/B.C./Quebec]
The federal government's new privacy law, the Personal Information and Protection and Electronic Documents Act or PIPEDA came into full force on January 1st 2004. The Act establishes new privacy laws that govern how  businesses should protect personal information. In , the private sector is governed by provincial privacy laws which are considered to be deemed similar to the federal law.

  1. Continue (1)

DSPRV

Does your company have staff, such as a Privacy Officer, who play a central role in ensuring responsibilities under Canada's privacy laws are met?

  1. Yes (1)
  2. No (2)
  3. DK/NR (9)

AWRSP

How would you rate your company's awareness of its responsibilities under Canada's privacy laws on a scale from 1 to 7, where 1 is not at all aware, 7 is extremely aware and 4 is somewhat aware.

  1. 1 Not at all aware (1)
  2. 2 (2)
  3. 3 (3)
  4. 4 Somewhat aware (4)
  5. 5 (5)
  6. 6 (6)
  7. 7 Extremely aware (7)
  8. DK/NR (9)

TRPRV

Have any of your staff received training on appropriate information practices and responsibilities under Canada's privacy laws?

  1. Yes (1)
  2. No (2)
  3. DK/NR (9)

CLPRV

Has your company ever sought clarification of its responsibilities under Canada's privacy laws?

  1. Yes (1)
  2. No (2)
  3. DK/NR (9)

DFPVR

How difficult has it been for your company to bring its information practices into compliance with Canada's privacy laws, using a scale from 1 to 7, where 1 is extremely easy, 7 is extremely difficult and 4 is neither easy nor difficult.

  1. Extremely easy (1)
  2. 2 (2)
  3. 3 (3)
  4. 4 Neither (4)
  5. 5 (5)
  6. 6 (6)
  7. 7 Extremely difficult (7)
  8. DK/NR (9)

MTA

READ LIST

If you needed to find more information about your company's responsibilities under Canada's privacy laws, how would you go about it? Would you be most likely to...

  1. Go to a government website (01)
  2. Send an email to a government department (02)
  3. Call a government toll free number (03)
  4. Go to a government office (04)
  5. Send a letter to a government department (05)
  6. (DO NOT READ) Other, specify (77)
  7. (DO NOT READ) DK/NR (99)

TRG

On a scale where 1 is not at all useful, 7 is extremely useful, and the mid-point 4 is somewhat useful, how useful would it be for your company to be able to get training on what companies need to do to comply with Canada's privacy laws?

  1. Not at all useful (1)
  2. 2 (2)
  3. 3 (3)
  4. 4 Somewhat useful (4)
  5. 5 (5)
  6. 6 (6)
  7. 7 Extremely useful (7)
  8. DK/NR (9)

TRG2

READ LIST

And what do you think would be the most effective way to offer this training?

  1. In-person seminars in different cities (01)
  2. Providing self-help tools like information packages available online (02)
  3. (DO NOT READ) Other, specify (77)
  4. (DO NOT READ) DK/NR (99)

TRG3A

READ LIST

And who do you think would be the most effective at delivering this type of training?

  1. Organizations like the local chambers of commerce (01)
  2. Government departments/agencies responsible for overseeing Canada's privacy laws (02)
  3. (DO NOT READ) Other, specify (77)
  4. (DO NOT READ) DK/NR (99)

DEMO

These last questions are for statistical purposes only, and all answers are confidential.

TI6

READ LIST; SELECT ALL THAT APPLY

Which of the following technologies does your company use?

  1. Electronic Mail or E-mail (01)
  2. The Internet (02)
  3. Company computer networks, a Local Area Network (LAN) or a Wide Area Network (WAN) (03)
  4. (DO NOT READ) None of the above (98)
  5. (DO NOT READ) DK/NR (99)

WS6

Does your company have its own Internet website?

  1. Yes (1)
  2. No (2)
  3. DK/NR (9)

WSO6

READ LIST; SELECT ALL THAT APPLY

Does your company's Internet website offer any of the following?

  1. A privacy policy statement (1)
  2. A way for customers to contact the company by e-mail (2)
  3. (DO NOT READ) None of the above (8)
  4. (DO NOT READ) DK/NR (9)

INDUS

What is your organization's PRIMARY industry?

TYP2

Would you say your company is primarily involved in selling GOODS, selling SERVICES or both?

  1. Sells GOODS (1)
  2. Sells SERVICES (2)
  3. Sells GOODS AND SERVICES (3)
  4. (DO NOT READ) Other (4)
  5. (DO NOT READ) DK/NR (9)

POSIT

What is your own position within the organization?

REV

READ LIST

In which of the following categories would your company's 2006 revenues fall?

  1. Less than $100,000 (1)
  2. $100,000 to $249,999 (2)
  3. $250,000 to $499,999 (3)
  4. $500,000 to $999,999 (4)
  5. $1,000,000 to $4,999,999 (5)
  6. $5,000,000 to $9,999,999 (6)
  7. $10,000,000 to $19,999,999 (7)
  8. More than $20 million (8)
  9. (DO NOT READ) DK/NR (9)

THNK

End of Interview

Thank you for your cooperation and time!

  1. Completion (1D)

Appendix B: Field Report

Survey Design

The research findings for this study have been drawn from the results of an 11 minute telephone survey with 1,033 businesses in Canada from March 12th to March 29th 2007. Given that the main focus of the study was on the adoption of privacy laws, the survey was designed to contact senior decision makers with responsibility for and/or knowledge of their company's privacy and security practices.

The survey instrument was designed in close consultation with the Office of the Privacy Commissioner of Canada to examine issues relating to the Canadian business privacy landscape as well as awareness and perception of Canadian privacy laws. The final version of this survey (in English and French) is provided in Appendix A.

Sampling Strategy

EKOS used Survey Sample software to produce the sample for this project. This software samples by Random Digit Dial (RDD) methodology and checks its samples against published phone lists to divide the RDD into "Directory Listed" (DL) and "Directory Not Listed" (DNL) RDD components.

Once the sample was determined, the telephone numbers were imported into the surveying software system. Additional criteria were then added to the introduction of the questionnaire to select the individual respondent in the business. For this survey, the respondent had to have knowledge of privacy practices of the company.

Weighting

Once data collection was complete, the results were statistically weighted by business size, region, and industry code to align the data to a 'truer' reflection of Canadian businesses. The weighted findings tend to reflect more closely the responses of small-sized businesses as these businesses account for more than four in five businesses in Canada.

Since medium and large businesses together account for less than 15 per cent of all businesses, the sample was stratified by company size (based on number of employees) and region in order to ensure that there were enough respondents from both of these two size segments from across the country.

For purposes of this study, the following definitions of size were adopted: small (1-19 employees), medium (20-99 employees), and large (100 or more employees). The results are based on the following samples:

  • 423 surveys with small businesses;
  • 282 surveys with medium businesses; and
  • 299 surveys with large businesses.

Weighting was done using the statistical software package, StatXP. This program carries out this task on the basis of the population marginal distributions for each variable considered in the weighting scheme (i.e. company size, region).

With a sample size of 1033 the results from this survey may be considered statistically accurate to within +/- 3.1 percentage points, 19 times out of 20. The sample sizes broken down by region and company size, as well as the associated margins of error, are summarized in Table 1.

Table 1
| | Sample Size | Margin of Error | Unweighted Percentage | Weighted Percentage |
|---|---|---|---|---|
| Region | | | | |
| British Columbia | 137 | +/- 8.4 | 13% | 15% |
| Alberta | 106 | +/- 9.6 | 10% | 12% |
| The Prairies | 83 | +/- 10.8 | 8% | 8% |
| Ontario | 405 | +/- 4.9 | 39% | 32% |
| Quebec | 196 | +/- 7.0 | 19% | 24% |
| Atlantic Canada | 106 | +/- 9.6 | 10% | 9% |
| Company Size | | | | |
| Small | 423 | +/- 4.8 | 41% | 88% |
| Medium | 282 | +/- 5.8 | 27% | 10% |
| Large | 299 | +/- 5.7 | 29% | 2% |
| Overall | 1,033 | +/- 3.1 | 100.0 | 100.0 |

Response Rate

The response rate for this survey was 25.1 per cent. This is calculated by dividing the cooperative call backs (i.e. those who completed the survey, those who we spoke to but were ineligible, and the quota filled) by the functional sample. The functional sample is the sample remaining after numbers not in service, business/fax numbers, duplicate numbers and numbers blocked by the phone company are removed. Details are provided in Table 2.

Table 2
| | | |
|---|---|---|
| Total Sample | 6,301 | (A) |
| Numbers not in service | 633 | |
| Business/Fax Lines | 78 | |
| Duplicates | 16 | |
| Numbers blocked by telephone companies | 7 | |
| Total out of scope | 734 | (B) |
| Total functional sample | 5,567 | (C) |
| No answers | 2,030 | |
| Retired (i.e. called 10 times without success) | 0 | |
| Unresolved | 2,030 | (D) |
| Language difficulty | 23 | |
| Other (e.g., require TDD telephone) | 108 | |
| Unavailable | 140 | |
| Break offs | 25 | |
| Refusals | 1,383 | |
| In-scope non responding | 2,141 | (E) |
| Completes | 1,033 | |
| Ineligible (e.g., no one old enough to complete survey) | 363 | |
| In-scope responding units | 1,396 | (F) |
| Response Rate | 25.1% | (F) / (C) |