Nymity News

Interview with Bell Canada

March 2004

Terry McQuay, Nymity's President, recently participated in a privacy conference at which David Elder, Assistant General Counsel, Bell Canada, spoke of the top 10 lessons learned from 3 years of operating under the Personal Information Protection and Electronic Documents Act (PIPEDA). Mr. Elder has documented the core of his presentation for PrivaViews subscribers.


Top 10 Lessons Learned


10. 3rd Party Agreements

  • When providing data to contractors, provide clear and specific direction as to how to handle your data (e.g. use only for the intended purpose, keep confidential, etc.)
  • A “one size fits all” approach won’t always work. Try to tailor your agreements to take into account the amount and sensitivity of data transferred as well as the nature of the business and reputation of the transferee
  • Don’t simply try to bind third parties contractually to compliance with your privacy policy, or with PIPEDA itself – third parties can’t possibly comply with all aspects of your policy, and PIPEDA doesn’t apply to them as simple transferees for processing. Such a clause is likely not legally enforceable, either.

9. Access Requests

  • Ensure you understand the scope of the access requests you receive (i.e. all personal information you hold, or some narrower subset) – clarify with the requester wherever possible. From a compliance perspective, it is better to err on the side of providing too much rather than too little
  • To simplify the process, develop templates of standard written and electronic forms, blocking out the fields of data you will not release (non-personal information or an exemption claimed)
  • When omitting data from the personal information disclosed, give the requester a general idea of the type of data you withheld and why – this helps avoid follow-up inquiries/complaints and feelings of bad faith
  • Emphasize to all employees that any records they create about individuals may later be seen by those individuals – the best way to avoid inappropriate remarks and characterizations

8. Training - Culture of Privacy

  • Training is perhaps the single greatest challenge of PIPEDA compliance, particularly with large and varied customer-facing channels – a lot rests on the shoulders of the front lines
  • Training is never complete – it must be an ongoing process. In addition to initial training, include regular reminders, communiqués and coaching as part of your training program
  • Try to create a culture of privacy, where employees understand the big picture – the principles and approach underlying PIPEDA. You can’t adequately cover off privacy compliance in a matrix or checklist; you need to influence people’s thinking

7. Communications

  • Particularly if you are relying on implied customer consent, ensure that your privacy statement is featured prominently in your communications
  • To increase visibility, use as many communication vehicles as you can to get the word out (point of sale, bill inserts, IVR reference, standard contracts, web presence)
  • To enhance understanding, consider a “layered” approach where customers can access both a simplified and a more detailed version of your privacy statement.

6. Get your Privacy Code Right

  • Ensure your privacy statement/policy is clear, easy to understand and as short as possible
  • Beware the spectre of new uses: draft your statement in sufficiently broad terms to cover off possible future uses – or go through the expense and administrative headache of collecting further consents
  • To ensure greater understanding of your purposes for the collection, use and disclosure of information, provide clear examples of the type of information you collect and how you use it – this promotes understanding and provides comfort to customers

5. Know Who You’re Dealing With

  • Particularly in telephone and Internet transactions, ensure you are dealing with the customer of record
  • If possible, use passwords or PINs to verify identity; as an alternative, ask for account details that would likely be known only to the account holder
  • Send account details (e.g. access requests, bill reprints) only to the address of record, never to an alternate location
  • Be extra vigilant where you are aware of special needs and circumstances (e.g. marital breakdown, boarders, residents with personality disorders/mental disabilities, etc.)

4. Be Sensitive to Identity Theft

  • Review the information that you collect to identify the personal information that serves as a key to identity theft (e.g. SIN, DLN, etc.). Could you collect less-sensitive information and still meet your business needs?
  • Review your internal processes and forms to eliminate all unneeded references to identity theft keys. Do you really need to reproduce a SIN on a contract? Do you need to include sensitive information in e-mail message threads?

3. Minimize your Risk

  • Inevitably, accidents will happen. Ensure that personal information is available within your organization only on a clear, need-to-know basis
  • “Hard” solutions, such as partitioned databases, password-controlled access and locked filing cabinets, are always preferable to “soft” solutions such as training and job aids
  • Where possible, avoid unneeded references to customers in internal correspondence – this removes a lot of internal correspondence from the scope of a potential access request
  • Where possible, maintain “embedded” representatives with privacy expertise in the business units of your operation, especially marketing and legal (both are good “choke points” for privacy-sensitive activities)

2. Employee Privacy

  • Although there are obvious common issues for employee and customer privacy, there are unique issues that arise for employees, particularly where you have a unionized workforce
  • Consider a specialized individual or team to handle employee privacy matters, but maintain constant contact and cooperation between the employee and customer privacy designates. Consider a single overseer of customer and employee privacy.


And the number one lesson learned from years under PIPEDA is…


1. Work With the Office of the Privacy Commissioner

  • Develop an open, cooperative relationship with the Privacy Commissioner and staff
  • Don’t circle the wagons. When dealing with investigators, tell the whole story; withheld or seemingly irrelevant information could come back to haunt you. When dealing with customers, an explanation or an apology is sometimes all that is required for resolution. The OPC is happy to see complaints settled without the need for a letter of finding.
  • To avoid misunderstanding, provide written summaries of your submissions, even if already provided orally. The OPC is open to agreed statements of fact in some cases – pursue as necessary.
  • Brief the OPC in advance regarding initiatives that may raise privacy concerns for customers (whether well-founded or otherwise)
© 2003 - 2008 NYMITY