Nymity News

Interview with Terry McQuay

July 2005

Interviewee: Terry McQuay, President of Nymity

Interviewer: Melissa Thurlow, Communications Officer, Canadian Marketing Association (CMA). Interview to be posted in Regulatory Affairs Section on the CMA's web site.


Subject: Nymity's National Privacy Policy Index
Thurlow: What is the National Privacy Policy Index?


McQuay: The National Privacy Policy Index resulted from a research project conducted for subscribers of Nymity's PrivaWorks program. PrivaWorks is an online privacy resources toolkit for Privacy Officers. The mandate was to identify and catalog all privacy policy considerations, as identified by Canadian, USA and European authorities, for privacy policy development. We found over 15 sources for privacy policy considerations and over 130 specific considerations.

After six months of research, Nymity announced the National Privacy Policy Index and made it available, for free, to our PrivaWorks subscribers. New considerations are added to the Index monthly.


Thurlow: What is the secret to an effective privacy policy?


McQuay: Transparency, as clear and complete disclosure of personal information management policies and practices helps organizations:

    • demonstrate accountability to consumers, business partners and Privacy Commissioners;

    • mitigate organizational liabilities from customer complaints;

    • build consumer trust as consumers that read privacy policies are looking for specific information;

    • implement effective consent processes; and

    • comply with privacy laws.

Thurlow: What sources did your research use to identify the policy considerations found in the Index?


McQuay: We located several sources, and of course there was lots of duplication, but in total we found over 130 policy considerations from:

  1. The Canadian Institute of Chartered Accountants Site. Jan. 12, 2005
    Canadian Institute of Chartered Accountants

  2. The American Institute of Certified Public Accountants Site. Jan. 12, 2005
    American Institute of Certified Public Accountants

  3. Implementing Consent Requirements for Customers
    Office of the Information & Privacy Commissioner of Alberta. Mar. 24, 2005

  4. OECD Privacy Statement Generator Site. Mar. 19, 2005
    Organisation for Economic Co-operation and Development

  5. The BBBOnline Site. Mar. 12, 2005
    Council of Better Business Bureau, Inc. Jan. 8, 2005

  6. EKOS Research Associates survey, Canadians, Privacy, and Emerging Issue. Jun. 20, 2005
    EKOS Research Associates

  7. European Commission, Data Protection Site. Mar. 23, 2005
    European Commission

  8. Goldman, E. and Goward, C. "RE: Drafting a Privacy Policy? Beware!" Online
    Posting. Undated. Eric Goldman. Jan. 8, 2005

  9. The Office of the Information and Privacy Commissioner of Alberta Site. Mar. 8, 2005
    Office of the Information and Privacy Commissioner of Alberta

  10. The Office of the Information and Privacy Commissioner for British Columbia Site. Mar. 8, 2005
    Office of the Information and Privacy Commissioner for British Columbia

  11. Online Privacy Alliance, Guidelines for Online Privacy Policies Site. Feb. 25, 2005
    Online Privacy Alliance

  12. Personal Information Protection Private Sector Privacy Legislation: Implementation Tools
    Site. Mar. 23, 2005
    Government of British Columbia, Ministry of Management Services

  13. PIPEDA Case summary #301: Property management company improves privacy policy
    Privacy Commissioner of Canada.

  14. PIPEDA Case summary #302: Pharmacy's privacy policy and practices considered exemplary
    Privacy Commissioner of Canada.

  15. P. Platt, L. Hendlisz, and D. Intrator. Privacy Law in the Private Sector: An Annotation of the Legislation in Canada. Canada Law Book Inc., 2004.

  16. The Privacy Commissioner of Canada Site. Mar. 8, 2005
    Privacy Commissioner of Canada.

  17. Privacy Rights Clearinghouse, A Checklist of Responsible Information-Handling Practices Site. Mar. 26, 2005
    Privacy Rights Clearinghouse

  18. Truste. "RE: TRUSTe Guidance on Web Site Disclosures" Online
    Posting. Undated. Truste. Jan. 8, 2005

  19. U.S. Department of Commerce, Safe harbor Site. Mar. 19, 2005
    U.S. Department of Commerce. Feb. 3, 2005

Thurlow: Why does the Index provide a ranking of the top privacy policies in Canada?


McQuay: When we completed the assessment questions outlining the over 130 policy considerations, we tested the Index to ensure that the best-practice policy considerations identified were indeed being used in corporate privacy policies. We looked at hundreds of privacy policies to identify the industry leaders and completed an assessment. The leading policies are:

  1. Bell
  2. Telus
  3. Scotiabank
  4. Trans Union
  5. TD Bank
  6. Aviva
  7. Sprint
  8. Chapters Indigo
  9. Sears
  10. Royal Bank

When we reviewed the Index with our PrivaWorks customers, they asked us to include the details of the assessments of the industry-leading privacy policies in the program. They wanted to compare their assessment against the industry leaders. As such, over 20 detailed policy assessments are now available for PrivaWorks subscribers. For an overview of the top 20, visit the Index's Assessment of Industry Leading Privacy Policies.


Thurlow: Did Nymity complete assessments based on industries?


McQuay: Yes, the following are the industry leaders.

Banking

1. Scotiabank
2. TD Bank
3. Royal Bank
4. CIBC

Telecommunications

1. Bell
2. Telus
3. Sprint Canada
4. SaskTel

Consumer Services

1. TransUnion
2. eBay
3. Monster.ca
4. Ticketmaster Canada
5. AlarmForce

Insurance

1. Aviva
2. Belair Direct
3. Primmum Insurance
4. Manulife Financial

Retail

1. Chapters Indigo
2. Sears
3. Hudson Bay Company
4. Canadian Tire

Thurlow: Do most companies have privacy policies?


McQuay: Yes, most organizations that operate a web site have a privacy policy. The problem is that most privacy policies are largely goodwill statements created in response to privacy laws. The majority of online privacy policies don't provide consumers with the information they are looking for and don't help the organization mitigate business risks.

A poor privacy policy frustrates customers and results in lost business and complaints.


Thurlow: Who reads privacy policies?


McQuay: Consumers who care about privacy, and:


    • customers who have a complaint, privacy related or not;

    • customers who want to access their information;

    • disgruntled employees and other whistleblowers;

    • Commissioners’ office after a complaint;

    • lawyers, for litigation purposes, possibly after a breach;

    • consumer advocacy groups; and

    • competitors.


Policies should be developed in anticipation of all readers.


Thurlow: Should a privacy policy be long?


McQuay: A privacy policy should have at least two components: a short notice to provide consumers with a high-level review of the organization's information handling practices, and a detailed privacy policy that clearly and completely discloses the organization's personal information management policies and practices. A policy need not be long; for example, the TransUnion policy is 8 pages, Chapters Indigo 7 pages and Sears 6 pages. Advanced privacy policies include a definition section and a frequently asked questions section.


Thurlow: How does the National Privacy Policy Index help organizations create effective privacy policies?


McQuay: Corporations follow a five part process when using the Index. They:

  1. assess the organization's current privacy policy by reviewing each of the 130 privacy policy considerations to understand which considerations are being addressed and which are not;

  2. compare their assessment with the assessment of the industry leading privacy policies that are included in the Index to better understand which considerations the industry leaders find most relevant;

  3. decide which of the missing considerations should be addressed in the policy;

  4. review the structural suggestions made in the Index; and

  5. update their privacy policy, often using the services of the Index's Authorized Business Partners: Fasken Martineau, Torys LLP, Lang Michener or Deloitte.

It is expected that organizations will complete this process annually.


Thurlow: Do companies care about privacy?


McQuay: Many companies care a great deal and have invested substantial resources in their privacy policies, programs and educating their employees. For example, Bell, Telus, Scotiabank and TD Bank (the Index's top-ranked privacy policies) have made and continue to make significant investments in privacy. These organizations had been making substantial investments in privacy long before privacy laws were put in place.

Of course not all companies have followed the lead of these organizations. Most organizations care about privacy but have not allocated the resources to maintain effective privacy policies, audit their business practices and educate their employees.


Thurlow: Why is privacy a low priority for some companies?


McQuay: They don't understand the costs of poor privacy policies and practices. The true cost of poor privacy results from frustrated customers and privacy breaches. Frustrated customers purchase less, go to a competitor and in some cases complain. Poor privacy policies and practices lead to privacy breaches. Small and seemingly insignificant privacy breaches frustrate customers and put individuals at risk of identity theft. Larger privacy breaches can have substantial costs as they require customer notification, changes in operating procedures, and have the potential for negative media coverage.

Also, there is the cost of a complaint to a Privacy Commissioner. These costs are often misunderstood. Yes, there is the cost associated with the investigation, but most organizations don't anticipate the costs incurred when they have to implement the Commissioner's recommendations and orders. A Commissioner's finding can have far-reaching impact if the organization has to change revenue-generating business practices, or has to make changes to operational infrastructure and processes.


Thurlow: In closing, what is the most common misconception companies have related to privacy?


McQuay: Well, I would have to say understanding how to implement an effective, ongoing privacy management program and the value of doing so. Most organizations see privacy as a huge initiative with limited returns. They are wrong. The investments are manageable and returns can be substantial. For example, many companies see the audit process as a daunting task. This doesn't have to be the case as a simple interview based audit can be completed in a few hours and substantially reduce the risk of a privacy breach or a customer complaint.

At Nymity we promote a privacy management framework which is cost-effective. It requires an organization to:

  1. complete an annual assessment and update of its privacy policy;
  2. continuously train employees that collect and use personal information on corporate privacy policies;
  3. annually audit business operations that collect, use and manage personal information against the corporate privacy policies.

The returns will easily justify this manageable investment. Nymity provides the resource to create this Privacy Management Framework in our online privacy resources toolkit called PrivaWorks.

Terry McQuay
President
Nymity Inc.
Tel: 416 214 7838
www.nymity.com
terry.mcquay@nymity.com
