Privacy technology sees limited demand

Protecting personal data of employees, customers crucial yet few companies use automated solution

Many private-sector businesses in Canada are no further ahead in the execution of privacy compliance initiatives, despite the introduction of federal and, in the cases of British Columbia, Alberta and Quebec, provincial privacy legislation.

Originally, it was thought government legislation alone would compel companies to seek an automated solution to privacy compliance. And for years software applications have been available to facilitate the timely implementation of corporate privacy compliance initiatives and reduce the cost and effort this best practice takes.

These applications provide a single place for companies to keep customers and employees informed about:

• their personal data;

• why the data is collected;

• who has access to the data;

• consents they have given and the consequences of changing these;

• where the data can be found; and

• how to lodge and follow the progress of a complaint.

The applications also provide company privacy officers with tools to help develop a corporate privacy policy or track the progress of challenges made by people keen to know about the personal information held by a company.

Most privacy compliance applications are designed so little or no training is necessary; clients and employees need only know their user name and password to access the system. Companies using the software also need not worry about maintenance or upgrades. Automation of privacy compliance, much like manager self-service and employee self-service in an HR application, can be a cost-effective alternative to manual, paper-based solutions.

In addition, privacy compliance applications contain no confidential information. They provide easy access and guidance via the Internet so customers and employees can verify what personal information a company is keeping and provide a way to manage their consents and lodge complaints.

But poor government enforcement, a split in opinion among corporate legal advisors and a focus on data security have meant limited demand for such applications. It seems that, in North America, privacy compliance has taken a back seat to data security. Maybe that’s because of confusion between the two.

Data security, in addition to a disaster recovery component, deals with preventing sensitive company, customer and employee data in any format from being taken, accidentally or deliberately, from company premises without proper authorization. In a recent example, it was discovered the credit and debit card transaction information of millions of Canadian customers of Winners and HomeSense was stolen by hackers between 2003 and 2006 when they broke into the computer system of parent company TJX Cos. in the United States.

On the other hand, privacy compliance deals with how a company conducts itself in the collection, use and disclosure of confidential employee and customer data. Employees and customers have limited rights under federal and provincial privacy laws regarding what data a company has about them, why the company needs the information, how the company will use it and to whom it may be disclosed.

One factor contributing to the lag in corporate privacy compliance has been the inability of the federal privacy commissioner to enforce the law. The commissioner does not have the power to levy fines against a company found guilty under the law, but can post the names of violators. So far, no companies have had their names posted and this lack of enforcement apparently has some companies taking a “wait and see” position.

Another goal of privacy law is to protect employers and employees from unauthorized collection of information when they are using a computer to check pay statements, for example, or surfing the Internet. Many sophisticated applications collect and track the personal information and habits of computer users and web surfers without their knowledge or consent.

Canadian companies are moderately aware of privacy legislation and its purpose. What’s puzzling is why some employers are waiting for guidance from the government and legal advisors on this issue. Best practice would dictate that it’s good business for a company to respect the privacy of its customers and employees.

Alfred Tuitt is a founding owner of HRWARE in Brampton, Ont., and played a role in the development of eConsent, privacy management software by eQuest Systems. He can be reached at [email protected] or (905) 840-2521 ext. 101.
