Being compliant is good, but being able to demonstrate it is even better! : A look at Bill 64 and the concept of privacy management program

2020-07-07

Vanessa Deschênes [1]
ROBIC, LLP
Lawyers, Patent and Trademark Agents

On June 12, 2009, the National Assembly announced a major reform of the Act respecting the protection of personal information in the private sector (the “Privacy Act”) by introducing Bill 64.[2] Among the planned changes are the obligation to put in place policies governing the protection of personal information (“PPI”), the appointment of a person responsible for ensuring their implementation, as well as new requirements regarding the destruction or anonymization of personal information (“PI”), privacy impact assessments and privacy incident management.

Thus, Bill 64 formally introduces the need for a Privacy Management Program (“PMP”), also known as a compliance program. Indeed, in section 144, Bill 64 adds a new provision[3] to the Privacy Act, which allows the Commission on Access to Information (“CAI”) to require the production of any information or document that would allow it to verify the application of the Privacy Act. Given that Bill 64 also provides that “a decision of the Commission prescribing a particular course of action to a party is enforceable 30 days after its receipt by the parties”[4], any business should take the implementation of such a PMP seriously and make it a top priority. The good news is that we now have statistics available to demonstrate the return on investment for companies that have implemented such a PMP.[5]

Although implementing and maintaining a PMP that complies with the legislation and is adapted to the reality of your business may seem complex, several models already exist to serve as a starting point. To help you in this reflection, you will find, in this brief article, some universal concepts to consider when developing a PMP.

Privacy Management Program: How to get started!

The objective of any PMP is to ensure effective compliance, corporate sustainability and the protection of individuals’ personal information and privacy. In order to achieve this goal, it is essential to pay particular attention to organizational commitment, the implementation of appropriate policies and mechanisms, and risk assessment.

1. Senior Management Buy-In

The support of senior management is undoubtedly one of the key elements for a successful PMP. Indeed, the directions chosen by senior management define the commitment – and the use of resources – of the company; senior management’s endorsement of the PMP therefore allows its requirements to be embedded in the corporate culture.

Thus, before thinking about implementing a PMP, you should first and foremost develop the company’s mission or vision for PPI and privacy. This step is important to ensure consensus among the various stakeholders and thus facilitate acceptance during the implementation phase. This mission/vision should address, among other things, the following points:

  • The value your company places on privacy and PPI;
  • Your company’s objectives in this regard;
  • Strategies to guide the tactics used to achieve the desired results; and
  • Clarification of roles and responsibilities within the company.

This commitment by senior management must also be accompanied by the appointment of a Chief Privacy Officer (“CPO”). Indeed, whether it is an executive of a large business or the owner of a small organization, there must be an individual who has formal responsibility for the Privacy Act. While this requirement was already included in several statutes, such as the federal Personal Information Protection and Electronic Documents Act or the General Data Protection Regulation in Europe, this is a new provision added as part of Bill 64.

It should be noted that Bill 64, by default, appoints the person with the highest authority within the company as the CPO, with the possibility of delegating this responsibility. Although this delegation is not necessary for a very small company, our experience shows that medium and large organizations would be well advised to delegate this responsibility to a person specifically dedicated to this function.

A good way to ensure the legitimacy of the CPO within your organization, if this responsibility is delegated, is to create and implement an internal policy in which you can also formalize the elements related to your mission/vision and the responsibilities you assign to the CPO and to any other person working within the organization regarding the PPI. This policy will also serve as an internal “guide” to remind employees and managers of their PPI obligations.

2. The Establishment of a PMP

To implement a PMP, there is no need to reinvent the wheel. If you already have in place corporate compliance programs, risk management programs, or an information security management program, you may well be able to build on the foundation of these programs and, in some respects, even reuse or adapt existing documentation.

Here are some things to consider:

  1. Validate/verify if there are existing programs, processes or procedures within your organization that can be reused or into which your PMP could be integrated;
  2. Define the scope of your PMP (Applicable laws, sectoral rules, etc.);
  3. Structure your PMP team (One person? A CPO and employees under his responsibility? Respondents by sector?);
  4. Develop a strategy aligned with the business objectives of your organization and its various sectors (Information security, marketing, sales, etc.); and
  5. Choose a privacy framework to follow (Is it the law itself? Is it the framework proposed by an external firm?).

3. The State of Play

Now that you have put in place an internal privacy policy, appointed a CPO and defined and identified the privacy framework to be followed, you can take stock of the situation, i.e. assess and identify the gap between your privacy framework and what you actually have in place within your company.

By comparing your framework to the organization’s current privacy management processes, procedures and practices, you can assess your compliance, determine what to prioritize, and implement and apply best privacy practices.

Here are a few ideas to guide you in your assessment:

  1. Identify the PI in your possession, i.e. what types of PI are in your possession, who uses, handles or accesses them and how you use them;
  2. Identify the legal requirements;
  3. Conduct a review of the capabilities of current systems, management tools, hardware, operating systems, administrator skills, system locations, outsourcing services and physical infrastructure;
  4. Keep in mind the alignment with corporate strategies, objectives and goals, the effectiveness of controls in place, the project, program and organizational risk, and the implementation/upgrade costs; and
  5. Document your evaluation.

Once your analysis is completed, you can, if you wish, evaluate your level of maturity. Maturity models are recognized methods by which organizations can measure progress against established benchmarks and measures.[6] Among other things, this allows you to position yourself in relation to the rest of the industry.

Finally, by conducting such a status report, it will be easier for you to determine where and how to begin your compliance with the Privacy Act, in addition to identifying areas of potential legal risk within your organization and therefore areas that require your immediate attention.

4. Development of Internal Policies and Procedures

Although it may sometimes seem difficult and without any real added value to write internal policies and procedures, it allows the company to easily demonstrate, at the very least, its real desire to comply with the legislation, in addition to being a good way to inform and guide employees on what they must or must not do.

The Office of the Privacy Commissioner of Canada[7] has identified the following as key policies that organizations should have in place:

  • Collection, use and disclosure of PI, including consent and notification requirements;
  • Access to and correction of PI;
  • Retention and disposal of PI;
  • Responsible use of information and information technology;
  • Possibility to make a complaint about non-compliance with the principles.

This list should also include policies and procedures related to telework, third party providers and privacy incident management, to name a few. A company should have policies and procedures in place to protect PI throughout its life cycle, from collection to destruction or anonymization.

5. Ongoing Compliance

In order for the PMP to work and be effective, organizations must also make sustained efforts, which include providing privacy training and awareness programs, monitoring compliance efforts, and regularly evaluating and reviewing the PMP’s policies and controls.

A. Training and Awareness

A good PMP should include a training program to ensure that all members of the organization are aware of PPI and privacy obligations. An organization may have the best internal policies, but what good are they if they are not known and properly applied by employees?

A good training program should be aimed at all employees, including management, and should cover, at a minimum, the following topics:

  • Applicable privacy laws and policies;
  • Techniques to identify and recognize potential breaches;
  • The handling of privacy complaints; and
  • The consequences of violating privacy laws and policies.

Since humans are recognized as the weakest link in PPI, training and awareness of employees should be a top priority and not only once a year but on a regular basis.

B. Monitoring, Evaluation and Adjustment of Policies, Procedures and Controls

Organizations must also have a monitoring plan in place to ensure that their PMP is functional and up to date and that the measures in place are effective, meaning that they truly meet the need for which they were put in place. These regular audits should identify any new threats or risks, while determining whether existing controls are adequate to address them. In other words, it is essentially an internal audit of the privacy practices, procedures and controls of your company.

The application of such a monitoring program is normally the responsibility of the CPO. The CPO should put in place a concrete plan, including a timetable for reviewing all the policies or other measures provided for in the PMP.

The following are some elements that should be considered during your audit:

  • Any changes in the company, such as new business lines or geographic areas that may affect the program controls;
  • Changes in legislation that affect compliance or risk levels; and
  • Areas for improvement based on monitoring results, complaints or other documentation.

A privacy management program not only allows the company to demonstrate compliance with the legislation, but also ensures that privacy and PPI are integrated into all company initiatives, programs or services. When mature, such a program not only allows the organization to be proactive and adequately manage risks, but also creates added value and return on investment.

Want to get ahead of the curve and start implementing such a program? Our professionals are there for you!

© CIPS, 2021.

[2] An Act to modernize legislative provisions as regards the protection of personal information. For more information, please see our publication: Bill 64 – How will Modernizing the Legislative Provisions on the Protection of Personal Information Affect your Company?

[3] New section 81.2 of the Privacy Act (s. 144 of Bill 64).

[4] S. 128 Bill 64.

[5] 97% of firms recognized that they gained a competitive advantage as a result of their PPI investments. See: Cisco Cybersecurity Series 2019 – Consumer Privacy Survey.

[6] There are several models, such as the AICPA/CICA model.

[7] Getting Accountability Right with a Privacy Management Program, Office of the Privacy Commissioner of Canada (2012).