Releases new how-to guide on putting policies into practice
The importance of this issue was highlighted recently when Elections Ontario lost two USB keys containing the unencrypted personal information of as many as 2.4 million voters. Commissioner Cavoukian found in her investigation that the agency's failure to systematically address privacy and security issues was at the root of the problems.
Organizations should develop privacy education and awareness training programs and designate a knowledgeable "go-to" person for privacy-related queries within the organization, the new document states. In addition, processes and procedures are needed to verify compliance with privacy policies, such as comprehensive privacy audits of the organization and informal audits of employees' mobile devices to make sure they are protected by passwords and strong encryption.
Commissioner Cavoukian also warns organizations to be prepared to act if a privacy breach does occur. "A disciplined and immediate response is vital in order to address the situation in a manner that protects individuals, meets the expectations of the public, consumers and regulators, and ultimately preserves the reputation of the organization," she said.
The document, entitled A Policy is Not Enough: It Must be Reflected in Concrete Practices and released today, builds on the proactive approach of Privacy by Design (PbD), developed by the Commissioner and unanimously approved as an international framework for privacy protection in 2010. PbD seeks to embed privacy into the design specifications of information technologies, organizational practices and networked system architectures, to achieve the strongest protection possible.
About the IPC
The Information and Privacy Commissioner is appointed by, and reports to, the Ontario Legislative Assembly, and is independent of the government of the day. The Commissioner's mandate includes overseeing the access and privacy provisions of the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act, as well as the Personal Health Information Protection Act, which applies to both public and private sector health information custodians. A vital component of the Commissioner's mandate is to help educate the public about access and privacy issues.
SOURCE: Office of the Information and Privacy Commissioner/Ontario
For further information:
Media Relations Specialist
Direct Line: 416-326-3939