Earlier this year, Elections Ontario revealed that the personal information of at least 2.4 million Ontarians had been compromised in what was the largest data breach in the province’s history. The province’s Information and Privacy Office has recently released an important report, which aims to make clear the connection between policy and practice.
“A Policy is Not Enough”
Addressing a meeting of the privacy section of the Canadian Bar Association in Halifax, Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, said, “If you don’t enforce your policy, it has no value. And don’t dare to assume that your frontline staff will know automatically how to implement a policy.”
Although the report does not specifically target Elections Ontario, it does make some important suggestions for improving privacy protections at any organization, including developing privacy education and awareness training programs.
Seven Foundational Principles
The paper outlines a series of steps that organizations should consider implementing. These steps include:
- Link each requirement within the policy to a concrete, actionable item – operational processes, controls and/or procedures, translating each policy item into a specific practice that must be executed.
- Demonstrate how each practice item will actually be implemented.
- Develop and conduct privacy education and awareness training programs to ensure that all employees understand the policies/practices required, as well as the obligations they impose.
- Designate a central “go to” person for privacy-related queries within the organization.
- Verify both employee and organizational execution of privacy policies and operational processes and procedures.
- Proactively prepare for a potential privacy breach by establishing a data breach protocol to effectively manage a breach.
These steps are based on the Privacy by Design framework, a proactive approach to privacy which provides a framework as well as a methodology. Privacy by Design is based “on the notion that privacy is best assured when strategically interwoven into all business processes and practices (e.g. work processes, management structures, physical spaces, information technology and networked infrastructure).”
Response from Elections Ontario
Julia Bennett, spokeswoman for Elections Ontario, mentioned that she wouldn’t comment on the Privacy Commissioner’s report, as it was still being reviewed. Bennett did mention that Elections Ontario would submit a report to the Speaker of the provincial legislature by the end of the year, to outline the steps taken thus far to improve privacy protections.
This article focuses on the September 2012 paper by Ontario’s Information and Privacy Commissioner entitled Policy is Not Enough: It Must be Reflected in Concrete Practices. Prompted by one of the largest data breaches, the compromise of the province’s voter data in the fall of 2011, the paper sketches out a seven-step action plan for the successful execution of appropriate privacy policies and for embedding them in the day-to-day practices of any organization.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/Canada (CIPP/C) exam, a privacy professional should be comfortable with topics related to this post, including:
- Provincial privacy commissioners (I.A.c.i.1.b.)
- Privacy principles (I.C.)
- Privacy incidents – commissioner expectations (II.B.g.i.)
- Privacy Impact Assessments (III.B.a.i.)