A study by the national watchdog shows a significant number of Canadian businesses haven’t begun to comply with the law. Jennifer Stoddart raises the idea of privacy certification for IT managers.
Thirty-one per cent of Canadian businesses are either still in the process of complying with the private sector privacy law or have yet to begin, according to a survey released by Jennifer Stoddart’s office on Thursday.
The Privacy Commissioner of Canada published the results of the survey, which was conducted by Ekos Research Associates, in conjunction with the tabling of her annual report in Parliament. Stoddart’s office reported 424 complaints under the Personal Information Protection and Electronic Documents Act (PIPEDA), up slightly from 400 complaints last year. The biggest increases came from the retail and accommodation sectors, which have only been subject to the law for three years. Those which came under PIPEDA earlier, such as financial services and transportation, saw fewer complaints, the report said.
Only one in two businesses said they have a high awareness of their responsibilities under PIPEDA, and just a third said they have trained staff to handle privacy issues. Worse, according to Stoddart’s office, is the fact that only one in five has sought clarification of their role.
Stoddart’s report comes after a string of high-profile data loss incidents involving CIBC and TJX, which owns the Winners and HomeSense chain stores in Canada. It also follows a five-year parliamentary review of PIPEDA that called for better definitions of such terms as “business contact information” and “destruction” of personal records.
IT managers typically set up the systems for collecting, storing and managing personal information, but they don’t always have responsibility for privacy issues. In an interview with CDN sister publication ComputerWorld Canada, however, Stoddart said she has given a number of speeches highlighting the influence and contribution IT departments could have on PIPEDA compliance.
“Whenever I’ve spoken on that, this has been well-received by the IT community,” she said. “I don’t know quite what they’re doing about this. Certification by the IT community might be a good idea. [IT managers] bear a lot of responsibility because they have to know the standards.”
Murray Long, a privacy consultant based in Ottawa, said the percentage of companies that haven’t yet complied with PIPEDA isn’t surprising given the size of the Canadian marketplace.
“Apart from those that conduct online business or where e-commerce is a vital part of their activities, you tend to find there is a significant percentage that hasn’t paid any attention to privacy,” he said. “They may feel they’re collecting information that isn’t sensitive.”
Long gave Stoddart low marks for raising awareness about PIPEDA, which he said was particularly challenging because of the makeup of the business sector here.
“I don’t know how you do it better – they certainly have been able to reach into major business associations and some of the high-profile kind of businesses like banking and telecom,” he said. “Once you get into the unregulated small business sector, that’s a huge challenge.”
Stoddart disagreed. “Being a small business is really not the excuse it used to be for not knowing what the law is, because of the Internet,” she said. “Everybody can go to our Web site where there are reams of information . . . in terms of the use of the Web site, it’s more than doubled in the last three years.”
“They only held two sessions until they got sidetracked. I really hope they’re going to go back.”
A third of those companies polled by Ekos said they don’t collect personal information about customers.
Among those that do, personal information is being stored almost as frequently on paper (74 per cent) as it is being stored electronically (79 per cent), Stoddart’s office said.