Privacy Policies

June 2015 Privacy Bulletin

Privacy professionals are known for constantly recommending that organizations develop privacy policies. However, useful privacy policies require input from experts (which costs money), as well as an investment of time and effort by employees at different levels of the organization. Given the competing demands on organizations, it is not surprising that policies do not always rank high on their lists of priorities.

So, why should organizations focus on privacy policies? There are three very good reasons why policies are worth your organization’s attention.

1. It’s the law

Privacy legislation in Canada specifically requires that organizations develop and implement privacy policies. For example, the federal Personal Information Protection and Electronic Documents Act, SC 2000, c 5, states that:

Organizations shall implement policies and practices to give effect to the principles, including (a) implementing procedures to protect personal information; (b) establishing procedures to receive and respond to complaints and inquiries; (c) training staff and communicating to staff information about the organization’s policies and practices; and (d) developing information to explain the organization’s policies and procedures. (emphasis added)

Private sector privacy statutes in Alberta, British Columbia and Manitoba also explicitly require that organizations “develop and follow policies and practices” that are necessary/reasonable for compliance with such legislation.

2. Privacy regulators focus on them

In 2013, the Office of the Privacy Commissioner of Canada and the Office of the Privacy Commissioner of British Columbia participated in a global Internet sweep of policies on websites and mobile apps, together with privacy enforcement authorities in 18 other countries, including Australia, Finland, France, Germany, Hong Kong, Ireland, New Zealand, Norway, United Kingdom and the United States. This was the first initiative of the Global Privacy Enforcement Network, which connects privacy enforcement authorities for the purposes of promoting and supporting co-operation in cross-border enforcement of privacy laws. The fact that the inaugural undertaking by the Global Privacy Enforcement Network was focused upon privacy policies demonstrates that regulators consider policies to be a fundamental aspect of privacy compliance.

Furthermore, when privacy complaints are filed, the relevant privacy commissioner typically reviews the organization’s privacy policies. The question of whether an organization has developed and followed reasonable privacy policies is often an important consideration when determining whether the organization complied with its statutory obligations.

3. They can keep you out of the news

An old adage says: “There is no such thing as bad publicity.” Organizations that have recently been subject to media barrages (and in some cases class action lawsuits) related to data breaches or poor information handling practices would likely disagree with this sentiment. Good privacy policies can help an organization to avoid negative attention that can hurt its reputation (and its stock prices), because such policies reduce the risk of privacy breaches. Also, when breaches do occur, comprehensive privacy policies can be used as evidence that the organization did everything it could to protect the data.

Of course, in order for privacy policies to be useful in this respect, they must be tailored specifically to the organization. The global sweep of Internet policies described above found that a high percentage of privacy policies were either long and legalistic or much too brief, and many of these policies contained vague, over-generalized statements or legalistic regurgitation of applicable statutes. Such policies are unlikely to be helpful to any organization.

In addition, privacy policies are only beneficial to the organization if employees actually follow them. For more on this, stay tuned for upcoming Privacy Basics bulletins on privacy training and privacy programs.

Given these three very good reasons to focus on developing privacy policies, all organizations should review their current policies and consider whether they are comprehensive and useful. Policies relevant to privacy compliance include: (i) internal commercial privacy policies; (ii) internal employee privacy policies; (iii) external/web privacy policies; (iv) social media policies; (v) record retention and destruction policies; (vi) bring your own device policies; (vii) technology usage/monitoring policies; (viii) breach response protocols; and (ix) remote access/working from home policies.

by Lyndsay A. Wasser, CIPP/C, Co-Chair Privacy

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2015
