The responsibilities of the accountability principle can be fulfilled by developing a privacy management program which would aid you in performing the following tasks:
- Designate a privacy official;
- Conduct a privacy impact assessment and threat analysis;
- Understand what personal information you collect, why you collect it, how you use it, how you secure it, who has access to it and more;
- Develop, document, and implement policies and procedures to protect the personal information; and
- Perform regular reviews of your program and address any gaps.
Remember that the person accountable for your privacy program must have the support of senior management in your company and that you need to communicate the position and responsibilities of this person both internally and externally.
- Opening an account;
- Identifying customer preferences;
- Processing a magazine subscription; or
- Verifying an individual’s creditworthiness.
- What personal information is being collected;
- With whom that personal information is being shared;
- For what purposes the personal information is being collected, used or disclosed; and
- What the risks of harm or other consequences are.
Your disclosures should have sufficient details so that the person reading them can meaningfully understand what they are consenting to. This means that a statement such as “we share your information with third parties” is insufficient, while a statement such as “we share your billing information with a third party payment processor to process payments” would provide significantly more context to the individual about the use of their personal information.
The fourth principle imposed by PIPEDA is limiting collection, which means that the collection of personal information must be limited to that which is needed for the purposes that you have identified. To meet the requirements of this principle, you should identify what personal information you collect and ensure that you are collecting only what you need. Do not mislead or deceive consumers about why you need to collect their personal information, and do not collect personal information without a clear and necessary purpose for it or “just in case.”
Limiting use, disclosure, and retention
The fifth PIPEDA fair information principle is limiting use, disclosure, and retention, which specifies that personal information can only be used or disclosed for the purposes for which it was collected. This principle also requires personal information to be kept only as long as required to serve those purposes. You should document all of the purposes for which you use the personal information, institute and follow records retention and destruction policies and procedures, practice proper data disposal methods, and train your staff on their responsibilities in protecting personal information.
The accuracy principle requires personal information to be as accurate, complete, and up-to-date as possible to properly satisfy the purposes for which it is to be used. Under this principle, you have the responsibility to minimize the possibility of using incorrect information, as such uses could have a negative impact on the consumer. You also have the responsibility to establish policies on what types of information need to be updated and to respect requests from individuals to exercise their right to amend their personal information.
The seventh PIPEDA fair information principle is safeguards, which requires personal information to be protected by appropriate security measures relative to the sensitivity of the information. This principle requires you to protect all of the personal information stored against loss, theft, or any unauthorized access, disclosure, copying, use or modification. While PIPEDA does not state the specific measures that must be taken, you should consider physical measures, up-to-date technological tools and organizational controls.
When deciding on the proper safeguards to use, think of the following considerations:
- The sensitivity of the information and the risk of harm to the individual;
- The amount of information;
- The extent of distribution;
- The format in which the information is kept;
- The type of storage; and
- The types and levels of potential risks that you face.
The ninth PIPEDA fair information principle is individual access, which requires that upon request, an individual is informed of the existence, use and disclosure of their personal information. You must respond to the request for access or amendments to personal information as quickly as possible, but no later than 30 days after receiving it, with some exceptions. You must also provide access at minimal or no cost to the individual and notify them of any costs prior to processing their request.
The final principle is challenging compliance, which provides that an individual shall be able to challenge an organization’s compliance with the above PIPEDA fair information principles. You should develop complaint handling and investigation procedures and tell visitors to your website about those procedures. You must also provide information on how individuals can complain to the Office of the Privacy Commissioner of Canada.