Commissioner Cavoukian urges organizations to make privacy part of their corporate culture

Releases new how-to guide on putting policies into practice

HALIFAX, Sept. 5, 2012 /CNW/ - Ontario's Information and Privacy Commissioner, Dr. Ann Cavoukian, says it is not enough for organizations to have a privacy policy in place - they must take steps on an ongoing basis to make sure it is reflected in every aspect of their operations. A new paper, released today by the Commissioner at a meeting of the Privacy Section of the Canadian Bar Association, provides a 7-step action plan on how to effectively execute an appropriate privacy policy and embed it in the concrete practices of an organization.

The importance of this issue was highlighted recently when Elections Ontario lost two USB keys containing the unencrypted personal information of as many as 2.4 million voters. Commissioner Cavoukian found in her investigation that the agency's failure to systematically address privacy and security issues was at the root of the problems.

"Privacy policies alone, without a proper strategy for implementation and ongoing compliance procedures, will not protect an organization from privacy risks. The seven recommendations presented in this paper will provide organizations with concrete guidance on how to effectively execute an appropriate privacy policy, and have it reflected in actual practice. This information will be helpful to organizations of any size, and in any sector," Commissioner Cavoukian said.

Organizations should develop privacy education and awareness training programs and designate a knowledgeable "go-to" person for privacy-related queries within the organization, the new document states. In addition, processes and procedures are needed to verify compliance with privacy policies - such as comprehensive privacy audits of the organization and informal audits of the mobile devices of employees, to make sure they are protected by passwords and strong encryption.

Commissioner Cavoukian also warns organizations to be prepared to act if a privacy breach does occur. "A disciplined and immediate response is vital in order to address the situation in a manner that protects individuals, meets the expectations of the public, consumers and regulators, and ultimately preserves the reputation of the organization," she said.

The document entitled, A Policy is Not Enough: It Must be Reflected in Concrete Practices, released today, builds on the proactive approach of Privacy by Design (PbD), developed by the Commissioner, and unanimously approved as an international framework for privacy protection in 2010. PbD seeks to embed privacy into the design specifications of information technologies, organizational practices and networked system architectures, to achieve the strongest protection possible.

About the IPC
The Information and Privacy Commissioner is appointed by, and reports to, the Ontario Legislative Assembly, and is independent of the government of the day. The Commissioner's mandate includes overseeing the access and privacy provisions of the Freedom of Information and Protection of Privacy Act and Municipal Freedom of Information and Protection of Privacy Act, as well as the Personal Health Information Protection Act, which applies to both public and private sector health information custodians. A vital component of the Commissioner's mandate is to help educate the public about access and privacy issues.

SOURCE: Office of the Information and Privacy Commissioner/Ontario

For further information:

Media contact:

Anne-Marie Tobin

Media Relations Specialist

Direct Line: 416-326-3939

Cell: 416-873-9746

Toll-free: 800-387-0073


Jetez un coup d’œil sur nos forfaits personnalisés ou créez le vôtre selon vos besoins de communication particuliers.

Commencez dès aujourd'hui .


Remplissez un formulaire d'adhésion à CNW ou communiquez avec nous au 1-877-269-7890.


Demandez plus d'informations sur les produits et services de CNW ou communiquez avec nous au 1‑877-269-7890.