Privacy Matters “Wanted: Chief Privacy Officer”

Steven Williams, Emond Harnden, LLP

INTRODUCTION

This is the first in a series of articles which will appear in Up-Date this year. Our hope is to address the growing number of privacy law compliance issues facing your organization today and in the coming months. In this particular article our subject matter is the role, responsibilities and qualifications of the Chief Privacy Officer (CPO).

The Personal Information Protection and Electronic Documents Act (PIPEDA) has applied to the collection, use, and disclosure of personal information in federal jurisdiction organizations since January 1, 2001. Today, provincial jurisdiction organizations are not subject to PIPEDA unless they are selling personal information across provincial or international borders. PIPEDA, however, will apply to the collection, use or disclosure of personal information in the course of any commercial activity by provincial jurisdiction organizations within Ontario if “substantially similar” legislation is not enacted by the provincial government before January 1, 2004. We do not expect the Ontario government will enact such legislation by this date. Please note, however, that if you are a provincial jurisdiction organization, PIPEDA will not apply to your employee personal information.

We begin with a brief description of PIPEDA to understand why the CPO position is required. In essence, PIPEDA sets out basic rules to govern how private sector organizations are to collect, use and disclose personal information. The purpose of the Act reads in part,

…in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances

All organizations covered by PIPEDA must comply with the following privacy principles found in the Act:

  1. Accountability
  2. Identifying purposes
  3. Consent
  4. Limiting collection
  5. Limiting use, disclosure, and retention
  6. Accuracy
  7. Safeguards
  8. Openness
  9. Individual access
  10. Challenging compliance

The first principle is accountability. In the context of PIPEDA, Accountability means that a person or persons responsible for ensuring compliance must clearly be designated.

This individual is typically referred to as the Chief Privacy Officer (CPO). Most organizations have opted to assign the CPO role to an existing member of the executive. Others, typically larger ones, have created a separate CPO position. The choice is yours.

ROLE

The CPO is your organization’s point person for privacy matters. The CPO is a tangible representation of your organization’s overall commitment to privacy protection. In a recent speech the Privacy Commissioner stated that “CPOs are the front line in the protection of privacy. And they have to be able to be the internal privacy advocates in the organization.”

RESPONSIBILITIES

The CPO’s primary responsibility is to ensure that your organization handles personal information in accordance with the ten privacy principles in the Act. To do so, the CPO’s first task is to develop a privacy policy for your organization. As the privacy policy will apply to the entire organization, the CPO should work with a privacy team drawn from all major departments within your organization.

After a privacy policy has been developed, the CPO is then required to implement the policy. To ensure compliance and understanding with the policy, the CPO will need to ensure that all staff members understand and can properly apply the policy. The CPO must also ensure that customers or clients of the organization are informed of their privacy rights. Contractors and Suppliers to your organization are required to protect your organization’s personal information as well. By educating staff, customers, contractors and suppliers, the CPO can ensure that privacy practices are consistently applied throughout your organization and that PIPEDA is complied with.

With limited exception, PIPEDA provides individuals the right to access any personal information the organization may have about them. Ideally your privacy policy will require individuals to file a written access request with the CPO. The CPO must respond to any access request within the thirty (30) day time limit set out in PIPEDA. Failure to do so is an automatic violation of the Act. Many organizations have been found to be in violation of this provision by the Privacy Commissioner.

The CPO is also responsible for implementing an internal complaint resolution process. If a complaint is filed, the CPO is required to investigate. If a complaint is well founded, the CPO must take the appropriate steps to amend any policies or procedures in the privacy policy, or in your organization’s personal information handling practices that were found to be in violation of the Act.

The CPO must also ensure that appropriate information security safeguards are in place and used by staff. Such safeguards include physical measures (locked filing cabinets, alarm systems), Technological tools (passwords, firewalls), and organizational controls (security clearances, staff training).

Finally, the CPO is required to ensure that personal information that is no longer required is destroyed.

In addition to daily compliance responsibilities, the CPO also plays a critical role during a Privacy Commissioner investigation. These responsibilities include:

  • establishing with the investigator that he/she is the prime contact person;
  • keeping a log of contacts, conversations, and correspondence with the Office of the Privacy Commissioner;
  • keeping a log or a copy of all records accessed by the investigator;
  • being directly involved in any dispute resolution process;
  • asking to be kept informed about the investigation process;
  • at all times, dealing courteously and professionally with the Office of the Privacy Commissioner; and
  • working to resolve the problem with the complainant as quickly and efficiently as possible.

QUALIFICATIONS

To be an effective Chief Privacy Officer, the person must have a clear understanding of privacy law.

CPOs are often required to make “tough” decisions which may be unpopular within some quarters of your organization. In order to do this, the CPO needs to be cloaked with the authority of a senior position. A senior position ensures the CPO access to the highest levels of management and the resources needed to do the job properly.

The individual chosen as CPO must have credibility within your organization.

As stated earlier, the job of the CPO cannot be done alone. The CPO must be able to lead your privacy team and your organization as it addresses sometimes difficult privacy issues.

All CPOs seem to agree that the one critical qualification for the position is patience. The obligations imposed by the various privacy laws are complicated and will require many organizations to change the way they treat personal information, and in a few instances change the way they do business. In some instances, the changes necessary to comply with PIPEDA will be resisted within your organization. An empowered, credible leader with a healthy dose of patience will be most likely to succeed in the CPO role.

Related Articles

Termination of Employment: Not in an Employer’s “Sole Discretion… at Any Time”!

A recent decision of the Ontario Superior Court of Justice provides yet another example of the growing number of ways…

Bill 124 Unconstitutional for Unionized Employees Only, Ontario Court of Appeal Holds

Earlier this week, the Ontario Court of Appeal released its much anticipated decision upholding, in part, the Ontario Superior Court…

Reminder: New Canada Labour Code Termination Entitlements Now In Effect

In past Focus Alerts, we have discussed important changes to the Canada Labour Code (the “Code”), including with respect to…