With public concern about privacy protection expected to mount, private companies have no choice but to take stock of their privacy practices – and the sooner the better.
That was the main point from the Ontario Information and Privacy Commission last month as it unveiled a free tool – developed with security and privacy experts at Guardent and PricewaterhouseCoopers – for businesses, and consumers, to self-assess their information privacy practices.
‘If you don’t build the privacy up front and invest what you need to protect privacy, you will pay later on,’ says Ontario Information and Privacy commissioner Dr. Ann Cavoukian, pointing to DoubleClick in the U.S. and its privacy woes last year. ‘It’s not a luxury – it’s going to be a cost of doing business.’
The Privacy Diagnostic Tool (PDT) is designed to gauge an organization’s privacy policies, with a series of more than 100 questions in various areas – from accountability to consent – subsequently generating a report identifying what needs to be done or improved. While based on Canadian Standards Association fair information practices, PDT is not unique to Canada – it can be applied in any other country, says Cavoukian – and does not purport to tell a company whether or not it is in compliance with any particular act, but rather, she says, it’s intended to get people oriented to what the requirements, or best practices, are.
Most private companies are not required by law to adhere to any standards like the Personal Information Protection and Electronic Documents Act, or Bill C-6, the federal privacy legislation, which came into effect January 1. The latter established rules that federally regulated companies must follow when collecting and using personal information, including gaining positive consent from each consumer at the time such data is gathered. This would apply to marketers requesting information for contests or promotions, membership drives for loyalty programs and direct-to-consumer e-mail campaigns.
A Bill similar to C6 – which will outline privacy law for private companies – will be introduced this fall, says Cavoukian. She suspects the government will likely pass it next term – forcing private companies to get their privacy practices up to speed much earlier than expected, possibly within six months to a year. BJ
