Nova Scotia’s privacy commissioner says businesses need to increase privacy awareness

HalifaxToday.ca received the following editorial by Catherine Tully, the Information and Privacy Commissioner for Nova Scotia:

Where’s Waldo? Searching for chief privacy officers in Nova Scotia

In today’s digital age, people find it increasingly difficult to understand the privacy implications of the technology they use every day. Trying to read, let alone understand privacy policies is a daunting task. Businesses are faced with the equally daunting task of understanding how to protect customers’ and employees’ privacy in the face of new technological innovations and advancements.

January 28 is Data Privacy Day. Its purpose is to raise the privacy consciousness of individuals and businesses. At the Office of the Information and Privacy Commissioner for Nova Scotia (OIPC) we decided to try something new this year to assess the privacy consciousness of Nova Scotian organizations. We conducted a simple phone survey of businesses and organizations in communities across the province. We contacted large and small organizations, non-profits to big-profits. Our goal was to see how privacy-ready Nova Scotian organizations are by asking a few straightforward questions beginning with a request to speak with the organization’s privacy leader or chief privacy officer.

In these days of big data, it is difficult to find any business that isn’t collecting and using large amounts of data to advance its business interests. Big data doesn’t necessarily include personal information, but it often does. In addition, all businesses will have personal information about customers and employees. One of the best ways that a business or government can ensure that it has proper privacy practices and protections in place is to have an executive level privacy leader – a chief privacy officer. Chief privacy officers lead their organization’s privacy program, investigate privacy breaches and ensure that customers’ privacy concerns are answered properly and in compliance with Canada’s privacy rules.

Staff at the OIPC contacted 52 Nova Scotian businesses and organizations and asked to speak with the chief privacy officer or privacy leader. A sort of “Where’s Waldo” response occurred.

Half of the businesses simply never responded. Of the remainder, most had no idea what a chief privacy officer was or who was responsible for managing privacy, instead referring us to a senior manager. Ten of the 52 businesses identified a privacy leader. Interestingly, only six of the privacy leaders were able to answer our rudimentary privacy questions. The rest either didn’t respond or promised to get back to us and didn’t.

What does this mean for Nova Scotians and our privacy rights? Nova Scotian businesses are subject to privacy rules if they are engaged in commercial activity that involves personal information. Those rules are set out in the federal law known as PIPEDA. It is indeed very troubling to find that 80% of Nova Scotian businesses simply have no privacy leader, or if they did, they couldn’t identify him or her. Further, it seems that even if a Nova Scotian organization has someone it calls a privacy leader, that person may be in need of some privacy training. Nova Scotians are poorly served when businesses have no privacy leader to ensure that their customers’ and employees’ privacy rights are properly respected and protected.

In a recent survey of privacy attitudes, 51% of Atlantic Canadians reported that they have chosen not to do business with an organization due to its privacy practices. More than three quarters of Atlantic Canadians would like to see large financial penalties such as fines imposed on organizations that misuse personal information.

The digital age brings with it both opportunity and risk. While citizens’ awareness of privacy risks is steadily improving, Nova Scotian businesses are lagging behind. It is time for Nova Scotian organizations to raise their privacy awareness, improve their privacy management and train their privacy leaders. The Office of the Information and Privacy Commissioner for Nova Scotia has an education mandate and has provided training to new chief privacy officers. Further information is available on our website at www.foipop.ns.ca.

Catherine Tully
Information and Privacy Commissioner for Nova Scotia