Data Privacy Week: Are you meeting the fundamentals?

Data Privacy Week is a period when organizations should reflect on whether they are at least doing the basics, says British Columbia’s privacy czar.

“The basic fundamentals” are what privacy pros need to be pondering this week, Michael McEvoy, B.C.’s information and privacy commissioner, said in an interview. “Which,” he added, “you have to be thinking about all the time.

“When you are putting together a new product, or considering a new marketing tool, or anything of that kind, you need to be thinking about the personal information you’ll be collecting about patients, clients, customers, and how you’re going to protect it, how you’re going to use it and how you’re going to be transparent to your customers.

“People are far more aware of these issues than they were 10 years ago. They are far more sensitive about how their personal information can be used, and misused. And if you misuse it, you’re quickly going to lose the trust of those customers, clients and patients. So you have to think about these issues — and you have to think about them at the outset [of a project], not as an afterthought.”

This is a time when many innovative companies are pushing new technologies to corporate buyers, he said, such as facial recognition and artificial intelligence applications. But before organizations jump into new technologies, they have to ask whether they will serve their clients well and build trust with customers.

As an example, he cited a case his office handled of “a large retailer” in B.C. that used a facial recognition application to reduce shoplifting. It collected images of everyone who walked into stores and compared them to images of known shoplifters. As soon as management learned the privacy commissioner was investigating in November 2021, they pulled the systems and wiped the servers.

“Had they thought about some of these issues at the beginning, I don’t think they would have gone down that path,” McEvoy said.

He didn’t name the company, but it was a reference to four independently owned Canadian Tire affiliate stores. Last year McEvoy ruled the stores didn’t adequately notify customers and did not obtain consent for the collection of personal information using facial recognition technology.

Asked if companies just don’t think about some things they do, or deliberately want to test the limits of privacy law, he replied, “My experience as commissioner is for the most part organizations want to do the right thing. And sometimes they will come to us, not sure if they are doing the right thing.” His office can’t give legal advice but does give guidance.

The best privacy action any organization can take is to create a privacy management program, he said. That doesn’t apply to just large firms, he added, because even small companies can collect a lot of personal information.

A privacy management program sets up a data privacy governance structure with processes employees have to follow — and includes measures to ensure they are being followed.

Senior management must actively champion the privacy program, according to guidance from three of the country’s privacy commissioners: “When senior management is committed to ensuring that the organization is compliant with privacy legislation, the program will have a better chance of success, and a culture of privacy will more likely be established.”

A privacy management program starts with the firm doing an inventory of all of the personal information it holds and categorizing it by sensitivity. When McEvoy’s office gets data breach reports, the first question asked is what information was breached. “You’d be surprised at the number of organizations that don’t have a good handle on exactly what they have,” he said.

A data inventory should lead to the creation of a data access policy, which restricts access to sensitive data to only those who need it.

Management also needs to decide why it is collecting, using, and disclosing data.

Then it has to develop internal policies to respect the principles in private-sector privacy legislation that the firm has to follow in each jurisdiction. That includes a policy on following data breach notification requirements to customers and/or a regulator.

Firms should conduct a privacy risk assessment of their data handling processes at least once a year.

Most of the incidents his office investigates could have been avoided, McEvoy said, had data been properly secured.

“That’s a hard lesson lots of organizations learn after the fact,” he said. Sometimes they didn’t want to spend the money. “But what is often not thought about is cost on the other side: what happens when things go wrong? What is the cost of that?”

Usually it’s far more worthwhile to spend on protecting data upfront than to pay for the costs of cleaning up after a privacy incident, he said. “Most cases are far more costly than any protection system you would have put in place.”

The post Data Privacy Week: Are you meeting the fundamentals? first appeared on IT World Canada.
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.