The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Search this blog

Recent Posts

On Twitter

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

David Fraser's Facebook profile

Privacy Calendar



Subscribe with Bloglines

RSS Atom Feed

RSS FEED for this site

Subscribe to this Blog as a Yahoo! Group/Mailing List
Powered by

Subscribe with Bloglines
Add to Technorati Favorites!

Blogs I Follow

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Tuesday, June 14, 2005

Privacy Officers: Security Types Need Convincing 

People often confuse privacy and security. Security is a part of privacy. (Security is also an important part of protecting other corporate assets.) Some may that privacy is the latest buzzword for applying security to personal information. It's more than that.

In IT Management, Ray Everett-Church writes about how to explain privacy to security-types, and particularly the need to have a privacy officer.

Privacy Officers: Security Types Need Convincing:

"I've spent much of the last six or seven years promoting the importance of privacy officers. Much to my dismay, over the course of the years, some of the greatest skepticism I've met has come from security professionals.

Much of the skepticism boils down to some basic misconceptions about the relationship between privacy and security, and fears that privacy officers are just going to be competing for the same organizational ''turf''. But as I have sat with security professionals to explain why the role of the privacy officer is complimentary, but fundamentally different, the concerns and misconceptions are easily dispelled.

Indeed, many security executives quickly realize that privacy officers get to deal with many of the murkier, subjective, and often politically-charged issues that many security officers try to avoid being drawn into -- such as marketing strategies or legal and regulatory compliance.

But let's not miss the bigger point here.

Assuming Congress could fix the law so it would require the auditing of privacy practices, instead of the day-to-day work of the privacy officer, this is something that should be encouraged. A critical element of the Federal Trade Commission's enforcement actions in the realm of privacy has been the requirement that companies bring in outside auditors to oversee their privacy fixes and ongoing practices.

If this panel believes you should only audit after a problem is discovered, then they don't appear to have a good grasp on the reality of today's privacy methodology in use at the most enlightened organizations the world over.

The methodology is pretty simple... I ought to know. I helped develop it. The four elements of a coherent privacy program are:

  • Know your current privacy-related practices;
  • Articulate those practices in a privacy policy;
  • Implement those practices through training and oversight, and
  • Audit those practices, from within and without, to ensure compliance.

All of this may be for naught, however.

According to reports, Rep. Tom Davis (R-Va.), chairman of the U.S. House of Representatives Government Reform Committee, is pushing legislation that would repeal the appropriations language that mandated the CPO appointments. But if the Davis proposal does not become law by year's end, the ranks of America's CPO population will grow by a few dozen, and somebody will finally be accountable for privacy practices at federal agencies.

And know knows... maybe by then some government committee will have grasped what these new CPOs are supposed to be doing!"

At least in Canada's legal environment, the status quo may not be acceptable. I would therefore suggest that a coherent privacy program has the following elements:

  1. Know your current personal information management practices: where it comes from, where it is kept, how it is used and to whom it is disclosed;
  2. Benchmark your current personal information management practices against a recognized standard, such as the Canadian Standards Association Model Code for the Protection of Personal Information;
  3. Modify your practices to accord with the standard (collect only what you need, use and disclose it only in the ways you've articlated, secure the information)
  4. Articulate your new practices in an easy to understand privacy statement and document them in an operational policy;
  5. Train all staff to implement your new practices; and
  6. Audit your practices.


Links to this post:

Create a Link

This page is powered by Blogger. Isn't yours? Creative Commons License
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License. lawyer blogs