The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Search this blog

Recent Posts

On Twitter

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

David Fraser's Facebook profile

Privacy Calendar



Subscribe with Bloglines

RSS Atom Feed

RSS FEED for this site

Subscribe to this Blog as a Yahoo! Group/Mailing List
Powered by

Subscribe with Bloglines
Add to Technorati Favorites!

Blogs I Follow

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Tuesday, April 05, 2005

Privacy is a multidisciplinary issue in Canada 

John Oltsik, an analyst for Enterprise Strategy Group, has in opinion piece in ZDnet about security basics and how elementary steps can be taken to avert privacy disasters. He mentions training as a critical component of securing systems:

Black eye for privacy Tech News on ZDNet:

"... The other elementary security action item is user training. Employees need to know how to recognize and report threats, not act as a patsy. If I want to break into the payroll system, the easiest way to proceed is simply to ask someone in finance for their password. With a bit of 'social engineering'--that is, flim-flam--you'd be surprised how many people will volunteer confidential information. Only 25 percent of companies provide employees with security training; I'd say this is a fundamental problem...."

I have to agree that training is critical for avoiding security disasters. But privacy is not just about security. In too many companies, I have seen the "privacy issue" handed over to the CIO as a technical issue. This may work in the United States where there are no laws governing companies like ChoicePoint and LexisNexis. But this does not fly in Canada.

In Canada, companies have to address the Personal Information Protection and Electronic Documents Act (often known by its snappy acronym, PIPEDA). Security is only one of ten principles that must be followed. The other principles involve accountability, communicating purposes, obtaining consent, limiting collection, use, disclosure and retention, providing access, providing redress.

In Canada, privacy is a multi-disciplinary issue that requires the CIO, HR, internal audit, marketing and just about every other division. I've seen companies that "lock down" all their data, but still let marketing collect way more information than they reasonably need without telling the consumer how the information would be used, in violation of the limiting collection, indentifying purposes and consent principles. I've seen the credit department demand social insurance numbers, which is a no-no under the law. I've also seen well-intentioned people disclose waaaaaayyyyy to much information, resulting in lost jobs and other ill effects.

The companies that do well under PIPEDA are those who see it as a customer service issue and a risk management issue, needing to be integrated into the company's culture and part of its mission to its customers. Everyone who touches customers or customers' information needs to know what they are doing, and how to properly treat and protect customer information. It's a team effort.

Labels: , , ,

Links to this post:

Create a Link

This page is powered by Blogger. Isn't yours? Creative Commons License
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License. lawyer blogs