Guidance on Establishing and Maintaining a Privacy Management Infrastructure

To aid in this effort, on April 17th Canada’s privacy commissioner, along with the privacy commissioners of the provinces of Alberta and British, issued a guidance document entitled "Getting Accountability Right with a Privacy Management Program," along with an "At a Glance" two-page summary.  The guidance document provides easy-to-understand, high-level advice on how to operationalize a privacy management program.

Although the guidance is given in the context of compliance with Canadian privacy law, there has been an increasing focus by privacy regulators in the US and abroad on the establishment of comprehensive privacy programs for organizations that collect, use, and share personal information.  For example, one of the bedrock principles of last month’s Federal Trade Commission privacy framework recommendation was the adoption of a baseline "Privacy by Design" principle through which the FTC recommended that businesses maintain comprehensive data management procedures throughout the lifecycle of their products and services.  The Canadian guidance provides a sound and practical framework for organizations looking to implement Privacy by Design that face the obvious question:  "Where do I start?"

The following is an brief overview of the guidance, as relevant to all organizations, Canadian or not, looking to implement a privacy management infrastructure:

1. Obtain organizational commitment:  The first building block of privacy compliance is the development of an internal governance structure that fosters a culture respectful of privacy.  This involves getting buy-in from senior management; establishing a Privacy Officer responsible for monitoring compliance; establishing a Privacy Office that ensures privacy protection is built into every major function involving the use of personal information; and creating reporting mechanisms reflected in internal controls.

2. Establish program controls:  Privacy program controls help ensure that what is mandated in the governance structure is implemented within the organization.  This involves conducting a personal information inventory; establishing policies relating to (i) the collection, use, retention, and disposal of personal information, (ii) access to and correction of personal information, and (iii) security of personal information; providing for risk assessments; setting up training and education for personnel; establishing breach and incident management response protocols; creating procedures to manage service providers with access to personal information; and developing procedures for informing individuals of their privacy rights.

3. Assess and revise the privacy program on an ongoing basis:  Once a privacy program is established, the organization must maintain the program to ensure ongoing effectiveness, compliance, and accountability.  This involves developing an oversight and review plan; updating the personal information inventory; revising policies as necessary; promptly addressing privacy and security assessments; reviewing and modifying training and education programs; reviewing and adapting breach and incident management response protocols; reviewing and fine-tuning contracts with service providers; and updating and clarifying external communications explaining privacy practices.

Authored by Bret Cohen.