{"id":34452,"date":"2023-01-23T10:23:59","date_gmt":"2023-01-23T15:23:59","guid":{"rendered":"https:\/\/www.itworldcanada.com?p=523314"},"modified":"2023-01-24T09:59:05","modified_gmt":"2023-01-24T14:59:05","slug":"data-privacy-week-time-to-reflect-on-your-organizations-privacy-procedures","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/data-privacy-week-time-to-reflect-on-your-organizations-privacy-procedures\/","title":{"rendered":"Data Privacy Week: Time to reflect on your organization\u2019s privacy procedures"},"content":{"rendered":"<p data-ar-index=\"0\">Ottawa lawyer Kris Klein advises Canadian organizations on how to set up policies and procedures to comply with federal and provincial data privacy legal obligations.<\/p>\n<p data-ar-index=\"1\">But earlier this month he faced data collection as a consumer. \u201cI was parking my car at a grocery store,\u201d he recalled in an interview, \u201cand in order to get the 30 minutes of free parking I had to register my car on an app. So I had to download the app, put in my personal information \u2013 my name, email address, licence plate number and a password.<\/p>\n<p data-ar-index=\"2\">\u201cDo I have a lot of confidence that this small, little, not terribly sophisticated parking app will protect my personal information? No,\u201d said Klein, a partner at the law firm <a href=\"https:\/\/nnovation.com\/\" rel=\"noopener\">nNovation<\/a> and managing director of the International Association of Privacy Professionals Canada. \u201cBut I had no choice.\u201d<\/p>\n<p data-ar-index=\"3\">It would have been better had the mobile app had at least a small explanation of the service provider\u2019s privacy policy, he said.<\/p>\n<p data-ar-index=\"4\">Incidents like this with small businesses, he added, \u201care the areas that I think are posing the greatest risk for us now.\u201d<\/p>\n<p data-ar-index=\"5\">How big a data privacy problem can a parking app be? 
It depends on how widely it\u2019s used. Last year the city of Calgary discovered that personal information on almost 146,000 people using its ParkPlus app was publicly available on an exposed server for over two months.<\/p>\n<p data-ar-index=\"6\">It\u2019s something business and tech leaders should be thinking about during Data Privacy Week, which starts today. It began as Data Privacy Day every January 28th, a commemoration of the 1981 signing of the Council of Europe\u2019s Convention 108, the first legally binding international treaty dealing with privacy and data protection. More recently it has expanded to a week of thought for individuals and companies.<\/p>\n<p data-ar-index=\"7\">Data privacy and cybersecurity are two sides of the same coin: An organization can\u2019t have data privacy without cybersecurity.<\/p>\n<p data-ar-index=\"8\">Note that Canada\u2019s federal privacy law (see the sidebar below) says firms may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.<\/p>\n<p data-ar-index=\"9\">The law also says personal information shall be protected by security safeguards appropriate to the sensitivity of the information.<\/p>\n<p data-ar-index=\"10\">Many IT and corporate leaders think the privacy of the personal information they hold is an issue for big businesses and governments. 
But incidents like the one Klein faced \u2014 a squeeze from a small or medium-sized firm \u2014 are a reminder that data privacy cuts across all organizations.<\/p>\n<p data-ar-index=\"11\">SIDEBAR: <a href=\"https:\/\/www.itworldcanada.com\/article\/sidebar-a-primer-on-canadas-data-privacy-laws\/523375\">A primer on Canada\u2019s data privacy laws<\/a><\/p>\n<p data-ar-index=\"12\">Klein said if they haven\u2019t already done so, organizations should be asking this week if what they\u2019re doing involves sensitive personal information \u2014 and that can be of consumers, partners and employees \u2014 and if there are risks to individuals. If the answer is yes, \u201cyou should be doing more to make sure you\u2019re complying with privacy obligations.\u201d \u201cThere\u2019s not one solution that fits all,\u201d he cautioned. \u201cYou have to figure out where you lie on the [risk] spectrum and develop a program that suits your organization.\u201d<\/p>\n<h4 data-ar-index=\"13\"><a href=\"https:\/\/www.itworldcanada.com\/article\/privacy-by-design-to-become-an-iso-standard-next-month\/521415\" rel=\"noopener\">Related content: Privacy by Design to become an ISO standard<\/a><\/h4>\n<p data-ar-index=\"14\">In Klein\u2019s experience, large Canadian firms are the best at spending the time, resources and money to make sure they comply with federal and provincial regulations. \u201cSmaller and medium-sized organizations are having a more difficult time prioritizing this.\u201d<\/p>\n<h4 data-ar-index=\"15\"><a href=\"https:\/\/www.itworldcanada.com\/article\/organizations-have-to-continuously-manage-privacy-risks-says-new-kmpg-global-privacy-leader\/471483\" rel=\"noopener\">Related content: Organizations must continuously manage privacy risks<\/a><\/h4>\n<p data-ar-index=\"16\">There are three big privacy issues for data and security professionals:<\/p>\n<p data-ar-index=\"17\">\u2014 getting meaningful consent from individuals to collect and use their personal data. 
The federal Personal Information Protection and Electronic Documents Act (PIPEDA) requires individuals to know what is being collected, what it will be used for and who it will be shared with. <a href=\"https:\/\/www.priv.gc.ca\/en\/privacy-topics\/collecting-personal-information\/consent\/gl_omc_201805\/\" rel=\"noopener\">For more see this federal guideline<\/a>;<\/p>\n<p data-ar-index=\"18\">\u2014 data retention. Laws require firms to keep data only as long as necessary. How long is that? <a href=\"https:\/\/www.itworldcanada.com\/article\/desjardins-could-pay-200-million-to-settle-lawsuit-from-data-breach\/468897\" rel=\"noopener\">Consider the theft of data on 9.7 million customers by an employee of the Desjardins credit union<\/a>. Of that total roughly half were former customers of the institution;<\/p>\n<p data-ar-index=\"19\">\u2014 notifying victims and federal or provincial regulators about data breaches. Federal privacy law, which may be similar to provincial laws, requires notification of victims if the breach could involve real risk of significant harm to an individual. That will depend on the sensitivity of the personal information involved in the breach, and the probability that the personal information has been, is being, or will be, misused by the attacker. 
<a href=\"https:\/\/www.priv.gc.ca\/en\/privacy-topics\/business-privacy\/safeguards-and-breaches\/privacy-breaches\/respond-to-a-privacy-breach-at-your-business\/gd_pb_201810\/#_Part_6\" rel=\"noopener\">For more see this federal page.<\/a><\/p>\n<p data-ar-index=\"20\">The post <a href=\"https:\/\/www.itworldcanada.com\/article\/data-privacy-week-time-to-reflect-on-your-organizations-privacy-procedures\/523314\">Data Privacy Week: Time to reflect on your organization\u2019s privacy procedures<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>With Data Privacy Week starting today we look at some of the principles firms must p<\/p>\n","protected":false},"author":17,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[361,16],"tags":[807,391,396,275],"class_list":["post-34452","post","type-post","status-publish","format-standard","hentry","category-privacy","category-security","tag-data-privacy-week","tag-di","tag-postmedia","tag-top-story"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/34452","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=34452"}],"version-history":[{"count":2,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/34452\/revisions"}],"predecessor-version":[{"id":34519,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/34452\/revisions\/34519"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/st
aging\/wp-json\/wp\/v2\/media?parent=34452"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=34452"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=34452"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}