Editor’s Note: Microsoft has been a proponent of accountability, a globally recognized principle of privacy and data protection, and prioritizes the concept in our privacy program. We recently published an accountability-based analysis of Microsoft’s privacy program and shared our position that organizations need clear guidance on how to demonstrate accountability, and that regulators need consistent means of measuring accountability. We’ve asked Elizabeth Denham, the Information and Privacy Commissioner for British Columbia, to share her thoughts on accountability timed to the recent release of accountability policy guidance in Canada.
Three of Canada’s Privacy Commissioners collaborated to publish policy guidance to help businesses effectively manage their obligations under privacy legislation.
Getting Accountability Right with a Privacy Management Program is getting noticed by businesses, regulators and organizations in Canada and internationally. Here is what you need to know about the paper, including why implementing a comprehensive privacy management program for your business is smart practice.
Accountability is at the heart of Canada’s privacy laws. When a business is held “accountable,” it means that business is both legally and ethically responsible for the personal information it collects.
There are some pathfinder companies in Canada with robust privacy programs. But despite the legal requirement to be accountable, most Canadian businesses have failed to put even the most basic privacy controls in place. Other businesses have done the “paperwork of privacy” but can’t demonstrate concretely to regulators or to consumers how they manage privacy — how they have breathed life into the policies.
We want to change that. The Commissioners in British Columbia, Alberta and at the Federal level got together to publish a document to help move data protection from policy to practice.
Getting Accountability Right is a roadmap to sound data governance. The paper is a practical, workable and scalable framework to help businesses demonstrate accountability and better protect personal information.
The paper takes a “building block approach” to privacy management, beginning with an organizational commitment to privacy, followed by the implementation of program controls as well as ongoing review and updates.
By implementing these building blocks, businesses can demonstrate to customers, clients and regulators that they are committed to privacy and accountability, which can also enhance their reputation and build trust in those relationships.
The building block framework is inter-operable. That means there will be certainty for business and consistency in the regulators’ expectations of private sector organizations operating across Canadian jurisdictions.
As regulators, we are already using this tool in our enforcement work. In British Columbia, we’ve applied the program elements in our systemic investigations as well as investigations of privacy breaches. In these investigations, we are assessing not only the event or technical breach in question but also the broader privacy management program. This is a sea change in our approach to oversight.
Privacy management is a fundamental corporate responsibility, beyond a matter of compliance or legal risk management. By implementing a comprehensive privacy management program, one that is woven into the organizational fabric, a business can distinguish itself as a company that respects consumer privacy, one that deserves the public trust.
The guidelines are available via the Commissioners’ websites: www.priv.gc.ca; www.oipc.ab.ca; and www.oipc.bc.ca.