The first step to ensuring that your organization complies with all applicable laws, and has a system in place to adequately protect personal information, is a privacy audit. This will help the organization to understand what information it collects, and how it uses, stores and disposes of such information. At a minimum, an initial privacy audit should include assessment of the following:

  • How is personal information collected by the organization?
    • Electronic messages
    • Website
    • Paper documents
    • Social media forums
    • Verbally
    • Images – Photographs/videos
  • What personal information is collected by the organization?
  • Is the organization collecting highly sensitive information?
    • Medical information
    • Financial information
    • Biometric information
    • Information that can be used for identity theft (e.g., Social Insurance Numbers)
  • Whose personal information is collected by the organization?
    • Customers/clients
    • Employees
    • Service providers
    • Members of the public
    • Other third parties
  • Does the organization engage in any form of monitoring?
    • Computer
    • Telephone
    • Video
    • GPS or other location tracking
    • RFID
    • Biometric
  • Where is personal information stored?
  • In what form is personal information stored?
    • Paper records
    • Electronic records
    • Video recordings
    • Verbal recordings
  • What security measures are used to protect personal information held by the organization?
    • Physical Protections
    • Technological Protections
    • Administrative Protections
  • Who has access to the personal information that the organization uses?
    • Internally
    • Externally
  • How does the organization use the information that it collects?
    • For what purpose is it used?
    • In what manner is it used?
  • To whom does your organization disclose personal information?
    • What information is disclosed to contractors?
      • For what purpose?
      • Where are they located?
      • Are contractual data protection provisions in place?
    • What information is disclosed to affiliates?
      • For what purpose?
      • Where are they located?
      • Are contractual data protection provisions necessary and/or in place?
    • What information is disclosed to other third parties?
      • Who are such third parties?
      • For what purpose?
      • Where are they located?
      • Are contractual data protection provisions in place?
  • Does the organization collect consents to collection, use and disclosure of personal information?
    • Written
    • Verbal
    • Implied
  • How are consents stored/managed?
  • Is there a mechanism in place for individuals to revoke consent?
  • Does the organization have data sharing agreements with third parties?
    • Are appropriate privacy protections in place, based upon the sensitivity of the information?
  • Is any personal information transferred across borders?
    • For what purpose?
    • Are appropriate security measures in place for transmission of data?
    • Have the privacy implications of cross-border transfers been considered/addressed?
  • Does the organization have appropriate privacy policies?
    • Commercial privacy policy
    • Web privacy policy
    • Employee privacy policy
    • Social media policy
    • Bring your own device policy
    • Record retention policy
    • Working from home policy
    • Technology usage policy
    • Other
  • When were the organization's privacy policies last reviewed/updated?
  • Does the organization evaluate the privacy impact of new projects?
    • Formal privacy impact assessments
    • Informal consultations
    • Who is involved in assessments/consultations?
  • Does the organization provide privacy training to employees?
    • New hires
    • Role specific training
    • Periodic updates
  • How long does the organization retain personal information?
  • How does the organization dispose of personal information?
    • Are appropriate controls in place?

The above list is not intended to be comprehensive. Privacy audits should be specifically tailored to the unique requirements of your business. You should consult with a privacy law expert to assist with the development of your organization's privacy audit. Furthermore, privacy audits should not be a “one-time” endeavour; they should be performed periodically so that business and legal developments are taken into account. It is particularly important to perform an updated, targeted audit when the organization undertakes a new project that will involve unprecedented collection, use or disclosure of personal information by the organization.