On April 17, 2012, the Office of the Privacy Commissioner of Canada and its counterparts in the provinces of British Columbia and Alberta announced a new guidance document on accountability, entitled “Getting Accountability Right with a Privacy Management Program”.
The accountability guidance assists organizations in considering the following essential elements of demonstrating accountability under privacy legislation in Canada. In particular, privacy legislation in Canada is typically interpreted as requiring:
- Privacy Officer. The appointment of a designated person to oversee compliance with Canadian privacy legislation. In larger organizations, this may require a privacy group or office.
- Policies & Education. The establishment of privacy policies, together with processes for the initial and ongoing training of employees with respect to those policies.
- Governance of Third-Party Processors. The inclusion of privacy guarantees and audit rights with respect to the organization’s third-party processors of personal information.
- Inquiries & Complaints. Systems to identify requests for access and correction of personal information or complaints regarding the collection, use, retention or disclosure of personal information and trained staff to respond to those requests and complaints. This also requires organizations to understand what personal information they have collected and who has custody of it.
- Risk Assessment. Organizations are responsible for engaging in risk assessment in all aspects of the life-cycle of personal information – collection, uses, new uses, retention, disclosure and destruction of information – and for demonstrating risk-minimization strategies through administrative, physical and technological procedures.
- Breach Response Procedures. Organizations should have breach detection and response protocols that are compliant with general privacy principles and any applicable mandatory breach notification requirements.