Organizations should be routinely assessing privacy and security of their important data and the personal information they hold. New systems, innovative uses of information and threats are evolving.
Sophisticated organizations will have a privacy framework in place. Others may still be developing their basic privacy plans.
On March 7, 2019, the B.C. Office of the Information & Privacy Commissioner ("OIPC") launched the "PrivacyRight" program. PrivacyRight is an online educational initiative that is intended to assist private sector businesses in British Columbia in complying with their obligations under the Personal Information Protection Act ("PIPA"). It will include various tools such as webinars, videos, podcasts, and guidance documents. These tools will be published on the first Wednesday of each month in 2019 on the OIPC website.
One of the first tools launched as part of this program is a Privacy Management Program Self-Assessment tool. This self-assessment tool can be used by organizations to assess whether there is an effective privacy management program in place, to identify gaps and areas of risk, and to prioritize the privacy measures which need to be implemented or improved.
The self-assessment directs organizations to examine various aspects of their privacy-related policies and practices, including the following:
- the role of the privacy officer;
- the level of awareness about privacy management in the organization;
- the support and resources available to promote regulatory compliance;
- the types of personal information that the organization is collecting, and the purposes for collecting, using or disclosing that information;
- how the organization is storing and securing personal information;
- the organization's privacy policy;
- how the video and audio surveillance is utilized (if at all);
- the scope and content of employee training;
- the contracts that the organization has with third party service providers who are given access to personal information;
- any risk assessments that have been conducted (e.g. Personal Information Assessments); and
- the nature of security safeguards in place to protect personal information.
While the OIPC has said that the PrivacyRight program was developed with small and medium sized organizations in mind, all private sector organizations in British Columbia that are subject to PIPA of all sizes can benefit from regularly reviewing and assessing their privacy practices and policies, and from implementing a privacy management program. Doing so will help organizations minimize risks such as data breaches and complaints by individuals about improper collection, use or disclosure of their personal information.
The completion of this self-assessment tool is completely voluntary and is by no means an exhaustive list of factors that should be considered by an organization in assessing its privacy policies, procedures and practices. As the types of personal information collected, used and disclosed will vary between organizations, and organizations have different privacy and security needs as well as resources, this type of assessment can be tailored to an organization.
Before conducting this type of assessment, we recommend that organizations consider obtaining legal advice in respect of the assessment. Benefits of legal advice include risk assessment by an experienced professional and the protection of solicitor-client privilege over that assessment and related reports. Assessments not protected by privilege are at risk of becoming evidence of an identified gap in compliance or lack of due diligence.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
