What is a privacy programme?
In this guidance note, we describe elements of a privacy programme and direct organisations to links with additional resources.
The Personal Information Protection Act (PIPA), section 5, "Responsibility and compliance", contains the following requirements:
(1) Every organisation shall adopt suitable measures and policies to give effect to its obligations and to the rights of individuals set out in this Act.
(2) The measures and policies in subsection (1) shall be designed to take into account the nature, scope, context and purposes of the use of personal information and the risk to individuals by the use of the personal information.
(7) In meeting its responsibilities under this Act, an organisation shall act in a reasonable manner.
These provisions contain a great deal of flexibility. This flexibility is useful, because every organisation is different. Personal information may be used in many different ways and for many different purposes. These varying circumstances create a variety of potential risks to individuals.
Organisations should implement measures and policies that cover the following programmatic elements. The exact nature of these may differ, and the depth or intensity with which an organisation executes them will vary based on the particular circumstances.
Measures and policies should include:
Conducting an inventory and classifying (or, "mapping") what personal information is used;
Documenting personal information use practices in policies and procedures;
Providing appropriate training and awareness to staff or others with access to data;
Analysing the privacy risk in context, utilising tools such as "Privacy Impact Assessments," and identifying protective measures;
Developing an action plan to respond to incidents or potential breach of security;
Developing procedures to respond to PIPA Rights Requests.
Inventory & Data Mapping:
An inventory of an organisation's data holdings will form the basis for any subsequent actions. In order to develop procedures or understand risks, organisations must first know what types and quantities of personal information they hold.
This survey could include details such as the type of data ("health," "financial," "educational," etc.), more specific sub-categories, or individual data elements ("health insurance number," "credit score," "grade point average," etc.). The level of detail could reasonably vary according to organisational needs and risk of harm to individuals.
In addition, organisations should track the flow of information within the organisation. For example, a paper intake form may be received by the receptionist, who scans the paper to create an electronic copy, then stores the paper version in a particular filing cabinet and the electronic version in a particular computer hard drive or cloud storage drive. (Note these various forms and locations of data for use when evaluating risk and determining protective controls.)
Policies & Procedures:
Organisations document various aspects of how they intend to use personal information. This documentation should include policies that outline high-level business purposes to be accomplished, conditions of use under PIPA section 6, type of data to be collected and used, and appropriate standards of protection. One specific piece of documentation is a Privacy Notice, which is further defined in PIPA section 9.
Documentation should also include procedural instructions for employees, staff, or anyone who may access personal information. By documenting these instructions, organisations can show that they have considered relevant issues and undertaken reasonable due diligence to instruct employees and hold them responsible.
Training & Awareness:
Organisations must instruct employees, staff, or anyone who may access personal information with both general awareness training and role-specific training.
General awareness training should be conducted on a recurring, often annual, basis and covers the basics of understanding personal information risks. This sort of general awareness training is especially useful in helping organisations identify privacy risks, since employees may spot problems in the course of their work.
Role-specific training relates to the particular issues of an employee's specific tasks. These will be different for human resources personnel than for sales personnel, or different for cashiers than general managers. Training and awareness efforts will vary in frequency or intensity according to the type of personal information used and the risks involved.
Risk Analysis & Protective Measures:
Organisations must analyse privacy risk in their specific context. For example, information about a person's name and address may not necessarily be high-risk information, but if those same data elements are in a database or on a sheet of paper described as "Potential bankruptcy risks" or another status, then the information may hold a higher risk.
There are formal processes for assessing risk, such as "Privacy Impact Assessments" or "Data Protection Impact Assessments," that walk through a business process to assist with identifying risks or gaps. Such an intensive analysis may not be needed; it will depend on the type of personal information and what would be reasonable in those specific circumstances.
The goal of this risk assessment is to identify what protective controls would be needed. For example, if a business process includes storing personal information in a particular filing cabinet, controls could include placing a lock on the filing cabinet or the door to the storage room, and training employees on who may access the files and under what circumstances. Organisations should also identify when they share information with other organisations and what contractual mechanisms or other protections are needed.
Controls will vary based on the type of personal information and what actions would be reasonable. Be sure to give special consideration to the risks involved with sensitive personal information, described in PIPA section 7.
Incident Response:
Incidents could include a variety of circumstances, such as mistakes when sharing personal information or a breach of security. These are stress-inducing moments, so organisations should develop action plans in advance for how they will respond.
If employees note that a mistake has been made or something is awry, they should have clear instructions about who to notify within the organisation. Depending on the size of the organisation, it may be useful to identify who will make decisions regarding incident response when the time comes. Organisations may wish to identify vendors that assist with breaches of security (and may be in a better negotiating position before a breach actually occurs).
If the event includes a breach of security, the privacy officer would be required to notify the Office of the Privacy Commissioner and any individual affected, so the organisation may wish to develop template communications or lists of contact information.
Rights Requests:
Part 3 of PIPA grants individuals the right to contact organisations to request access to their personal information. Individuals may also request correction or destruction of their data, or block its use, in certain circumstances.
Organisations must be ready to respond to these requests. This includes ensuring that employees such as receptionists, cashiers, or call centre operators who receive requests know where to direct them.
Section 20 of PIPA contains detail on specific actions, such as acknowledging requests in writing and meeting the time period for responding to requests.
In most circumstances, PIPA does not have explicit rules, but leaves many of the specifics regarding an organisation's privacy programme to the organisation's reasonable judgement.
Our office will continue to develop guidance with examples of practices, and we will work with community groups to develop standards.
However, it will be impossible to cover every possible circumstance in advance. For this reason, organisations would be well served to document their due diligence and factors entering into their reasonable judgements to show their good accountability.
Several other expert groups and regulators have described privacy programmes or created guides for compliance with laws that are similar to PIPA. Because of this similarity, our office will find guides by fellow regulators and experts persuasive, and an organisation's use of them will show good faith.
"Bermuda Report on Information Accountability": Published 31 March 2020, in this report from the Office of the Privacy Commissioner and the Information Accountability Foundation, we describe how organisations might demonstrate accountability. Pages 13-16 outline elements of a privacy programme.
Centre for Information Policy Leadership (CIPL): "What Good and Effective Data Privacy Accountability Looks Like: Mapping Organizations’ Practices to the CIPL Accountability Framework." Appendix B. Examples of accountability practices and content of Data Privacy Management Programmes (DPMPs) reprinted with permission.
Office of the Privacy Commissioner of Canada: "Privacy Guide for Businesses"
Data Protection Commission Ireland: "Guide for Organisations"
United Kingdom ICO: "Guide to the General Data Protection Regulation (GDPR)"
Privacy by Design (PbD) forms a useful framework to structure a privacy programme. Originally popularised by the Information and Privacy Commissioner of Ontario, PbD has been incorporated into laws such as the General Data Protection Regulation (GDPR) and guidance by other regulators. The GPS by Design Centre includes video introductions to PbD's seven principles. The European Union Agency for Network and Information Security (ENISA) developed a technical guide to implementing PbD. Numerous sources contain high-level guidance on implementing PbD within an organisation, including this article from the IAPP.
To reach out to the Office of the Privacy Commissioner, please visit our Contact Us page.