Interview with LCBO
April 2003
Carol-Ann Marshall, Nymity's Senior Consultant, spoke recently
with Sheetal Bedi, Manager of the Freedom of Information and
Privacy and Privacy Officer for the Liquor Control Board of
Ontario (LCBO), about the challenges of becoming compliant
and managing privacy in a large retail government enterprise.
The LCBO is both a government agency and a retail organization,
and Nymity therefore believes the LCBO's privacy experiences will be
of value to our private sector subscribers.
Nymity: What privacy legislation impacts the
LCBO and how are your experiences relevant to the private
sector covered by PIPEDA?
Bedi: LCBO has been subject to Ontario's Freedom of Information
and Protection of Privacy Act (FIPPA) since 1988. The privacy
principles in FIPPA are based on the OECD (Organization for
Economic Co-operation and Development) guidelines, which were
adopted by Canada in 1984. The OECD guidelines represent international
consensus on general guidance concerning the collection and
management of personal information. PIPEDA is based on the
10 principles of the CSA Model Code for the Protection of
Personal Information, which too has been inspired by the OECD
guidelines. Therefore, the process for compliance is quite
similar for private sector organizations, since the privacy
principles under both legislations balance the privacy rights
of individuals and define the information requirements for
organizations. Specifically, each organization has to name
an individual responsible for privacy, a Privacy Officer who
is responsible for managing privacy on a day-to-day basis,
handle privacy challenges and complaints, and confirm on behalf
of the organization, that the privacy principles are being
upheld.
Nymity: What are the most important aspects
of the role of the Privacy Officer?
Bedi: The Privacy Officer needs to be able to work with all
areas of the organization to ensure that people within the
organization embrace and comply with the privacy legislation.
The Privacy Officer should not be seen as an obstructionist,
restricting the lines of business. One of the most important
criteria for success is to get commitment from the highest
level of management in the organization. Without senior executive
commitment it will be difficult for the Privacy Office to
implement privacy policies and get buy-in from the business
units. Without the support of the business units the privacy
policies will be less effective and implementing employee
education programs will be difficult.
Nymity: What areas should the Privacy Officer
focus on in the beginning?
Bedi: To begin, the Privacy Officer has to become familiar
with the organization and how it handles personal information.
While there is no one method for implementing a program to
manage personal information and protect privacy, a good place
to begin may be with an audit based on criteria derived from
the privacy principles. This will give the Privacy Officer
the knowledge needed for policy creation and build a successful
"win-win" relationship with the business units. Another key
area that the Privacy Officer will need to focus on is training.
The sooner all staff handling personal information in an organization
are trained in the privacy principles, the fewer the chances
of major privacy breaches. The third area is the development
of a comprehensive privacy program that includes in-depth
guidelines for the entire organization.
Nymity: After compliance, what are some
of the activities for the Privacy Officer?
Bedi: As organizations introduce new programs the Privacy
Officer will need to be available to consult with the different
business units. It may be necessary to provide policy advice
on tentative business initiatives and on occasion perform
privacy reviews and privacy impact assessments for specific
projects. Also, the Privacy Officer should spend time keeping
abreast of recent developments with respect to privacy legislation
and monitor internal privacy practices to determine if changes
are required as a result of these developments.
Nymity: Any final advice for new Privacy
Officers?
Bedi: Organizations that have already implemented privacy programs have realized substantial savings in their operations and created a climate of openness and trust in relationships with their customers and employees. It is important, therefore, for new Privacy Officers to approach privacy not as a legislated requirement but as a need expressed by customers and employees and essential to their core business practices. Privacy breaches, on the other hand, can cost a lot. As an example, an embarrassing article in the newspaper can potentially damage an organization's reputation. Privacy Officers must, as far as possible, try to integrate privacy principles in the day-to-day operations of their organizations.