Imagine finding out that a stranger has received highly sensitive information about you because a company has sent your mail to the wrong person; or asking to look at your own personal information for the sake of fixing a suspected error, only to be denied access to it by the company that collected it.
As privacy commissioner of Canada, I want to draw your attention to these kinds of things.
About one-third of complaints to my office under the Personal Information Protection and Electronic Documents Act, the federal private-sector privacy law, involve small businesses that employ fewer than 100 people.
I realize smaller companies face a multitude of compliance pressures on top of day-to-day operational demands, and that they have a limited staff to address them. But I also know that Canadians are increasingly concerned about their privacy, and are choosing to do business with organizations that are sensitive to those concerns.
According to our latest public-opinion poll, 81 per cent of Canadians would choose to do business with a company specifically because it has good privacy practices. And more than half would choose to patronize a company specifically because it does not collect personal information.
But only 16 per cent of Canadians believe that businesses take their responsibility to protect personal information very seriously. Nearly a third say they have suffered negative consequences due to an organization misusing, sharing or losing their personal information.
Nearly one in three respondents say they’ve asked a company how it planned to use or protect their personal information and of them, 43 per cent decided not to do business with that company due to concerns over privacy.
These figures should raise alarm bells for all businesses, especially smaller ones that, in the experience of my office, sometimes appear to be less aware of their privacy obligations under federal law. As a result, they might be less likely to recognize and embrace privacy measures as a competitive advantage.
Smaller businesses should be asking themselves what proactive measures they are taking to safeguard the privacy of their customers and to mitigate data breaches.
Companies should limit the amount of personal information they collect to what is necessary for the purposes of delivering a product or service, and should make it clear to customers why they need such information — ideally through a privacy policy.
To avoid losing personal information or sending it to the wrong person, companies need to know what they collect, where they store it and who has access to it. To that end, training staff on privacy protection is crucial. Companies also need to think twice about collecting sensitive information such as driver’s licences, and if they use video surveillance, make sure that customers are aware they’re being recorded.
If a business stores personal information on laptops, USB keys or hard drives, it should make sure those devices are encrypted and password-protected. Furthermore, businesses cannot simply ignore customer requests for access to their personal information, and must designate a point person to respond to customer questions about privacy.
The most common complaints we receive relate to the use and disclosure of personal information — when companies use information for purposes other than those specified at the time they asked for it, or when it’s discovered that an employee has looked at somebody’s file without authorization.
Landlords, hotels, real-estate agencies, collection agencies, travel agencies, retailers and financial planners are among the most common targets of privacy complaints. Although many complaints to my office are resolved quickly, it’s unfortunate that they arrive at all, as many are entirely preventable.
There is clearly a need for greater awareness about privacy protection. I urge all businesses to take stock of, and strengthen where necessary, their privacy practices. Strong privacy practices are not just good for customers; they’re good for the bottom line.
Daniel Therrien is the privacy commissioner of Canada.
*NOTE: While the Personal Information and Protection of Electronic Documents Act applies to the commercial activities of federally regulated organizations and data flows across borders, B.C. has its own private-sector privacy law, the Personal Information Protection Act, which covers more than 380,000 organizations, including businesses and corporations, unions, political parties and not-for-profits.