Corporate privacy policies are more than words on paper or a Web site, says Ontario’s privacy commissioner – they have to be actively worked on, supported and communicated.
“Privacy policies alone, without a proper strategy for implementation and ongoing compliance procedures, will not protect an organization from privacy risks,” Ann Cavoukian said Wednesday as she released a how-to privacy guide for the private sector and governments.
“The seven recommendations presented in this paper will provide organizations with concrete guidance on how to effectively execute an appropriate privacy policy, and have it reflected in actual practice,” she said in a statement.
The 17-page document builds on Cavoukian’s internationally respected Privacy by Design framework.
The importance of following up on privacy policies was highlighted in July when Elections Ontario publicly confessed that two temporary staff had lost track of two data sticks holding unencrypted personal information on as many as 2.4 million voters.
The department had policies to protect the data, but they weren’t followed.
The seven steps are:
1. After conducting a privacy impact assessment, implement a policy that reflects your organization’s privacy needs and risks;
2. Link each requirement to a concrete actionable item;
3. Show how each practice will be implemented;
4. Create privacy education and awareness training;
5. Designate a central person to answer questions;
6. Verify policies and procedures are being followed;
7. Have a policy ready in case there’s a privacy breach.