Interview with Guy Herriges
March 2003
Carol-Ann Marshall, Senior Consultant with Nymity,
spoke with Guy Herriges, Manager, Access and Privacy Office,
I&IT, Policy, Planning and Management Branch, Office of
the Corporate Chief Strategist, Management Board Secretariat,
who shares some privacy best practices.
Nymity: What do you think will be the biggest challenge
for provincially regulated organizations when the legislation
comes into effect?
Herriges: Initially, they need to understand what the legislative
requirements are and begin to put a privacy policy in place.
They need to identify someone who is responsible for privacy
issues, examine their business practices, document areas where
privacy might be a concern, develop policies to comply with
the legislation and plan how to implement them. Depending
on the organization and the type of personal data being collected,
it is important to identify the handling practices that are
critical to their business.
Nymity: What are some simple and easy things organizations
can do to get ready for implementation?
Herriges: The first thing to do, which is also the easiest
in my view, is simply to educate staff about the new legislation,
particularly at the senior level. There needs to be this initial
discussion in order to understand what needs to be done and
what resources will need to be applied to the task. Communication
within the organization is number 1 because the focus is to
ultimately maintain consumer trust.
Nymity: How important is a Privacy Impact Assessment to
organizations?
Herriges: A Privacy Impact Assessment can be used in different
ways by different organizations - and it can be adapted for
use as an audit or implementation tool to look at business
practices from a privacy perspective. It will describe what
your current practices are, identify any gap between the practices
and the legislation and show where modification of those practices
is required. Mapping current business practices is a good
starting point in developing your privacy policies.
Nymity: What are some of the tools organizations could use
to protect individual privacy?
Herriges: There are a number of database privacy management
products specifically designed to help organizations comply
with the legislation. Some of these products help implement
access control policies and others help to map and integrate
on-line privacy policies to actual business and information
management practices. There are also educational materials
to familiarize and train employees about the legislation.
Nymity: What can private sector organizations learn from
the public sector?
Herriges: There are similarities between the two sectors.
The need to educate staff across the organization is common
to both sectors. Employees need to know what the privacy legislation
is about and become comfortable working with it because it
will affect much of what they do. Even if the organization
has been compliant previously, there will be changes to business
plans and it is important for everyone to have a working knowledge
of the legislation in order to remain in compliance over time.
There will likely be new policies, partnerships, marketing
strategies and products that may affect your compliance with
privacy requirements when they are introduced. Most organizations
are used to dealing with legislation at specific points in
time, but compliance with this legislation is on-going and
needs to be integrated into day-to-day operations.
Nymity: What advice would you give to organizations to help
them deal with the legislation?
Herriges: I would advise them to go into it with a positive perspective because complying puts an organization in good stead with its customers and will help build and maintain client trust. This will reinforce a positive relationship which will benefit both parties. Careful planning and time spent thinking about priorities should help reduce compliance costs. A positive message from the top will help to facilitate implementation. Be methodical and have a planned approach. Prioritize the operational practices that are critical to the organization's business success and make sure they are compliant.