Reviews of the National Privacy Policy Index
Ann Cavoukian, Ph.D.
Information and Privacy Commissioner of Ontario
I have always advocated that privacy should not be viewed
merely as a matter of compliance, but as a sound business
practice. The growing prevalence of high-profile incidents
in the media involving compromises of personal information
further underscores that all organizations dealing with personal
information must make privacy a priority. Having a clear,
comprehensive privacy policy is an essential component in
building customer trust.
For these reasons, I am very impressed with the National Privacy
Policy Index on the Nymity website. Through using this tool,
businesses and other organizations can easily scan industry
“best practices” in order to facilitate the creation
and improvement of their own privacy policies. Nymity has
done a wonderful job of thoroughly analysing the privacy policies
of leading organizations to identify which are best in fostering
customer trust.
I was particularly impressed with the way that Nymity has
incorporated source documents (such as guidelines issued by
Privacy Commissioners) and the Canadian Standards Association’s
Model Code for the Protection of Personal Information, within
the Index. These links provide the reader with easy access
to the primary sources that elaborate on fair information
practices.
I think that the Nymity staff has done a very thorough job
in putting together this Index, and I would highly recommend
it as a reference for any organization in the process of formulating
its own privacy policy.
I should also add that while sound privacy policies are an
essential element in ensuring transparent and accountable
privacy practices, it is incumbent that steps be taken to
ensure that such practices are followed.
David Loukidelis
Information and Privacy Commissioner of British Columbia
The National Privacy Policy Index will be very useful for
organizations struggling to comply with one or more of Canada’s
various private sector privacy laws, including British Columbia’s
Personal Information Protection Act. Like other such laws,
PIPA requires organizations to create and follow policies
and practices in complying with the law.
Privacy policies are more than mere legal obligations, of
course. They are important for building and keeping consumer
trust in the information practices of organizations. A clear
and comprehensive privacy policy is a powerful tool to this
end.
I really like how the Index is organized against the fair
information practices found in Schedule 1 to PIPEDA. Since
these fair information practices are reflected in British
Columbia’s law, organizing the Index around them is
a good way to map the essential elements of a privacy policy.
The decision to layer the Index’s material, by allowing
users to drill down for more detail and examples of specific
privacy policy provisions, was a very good one. Organizations
will find it very useful to have specific examples for comparison
purposes, recognizing that each policy has to fit the needs
of each organization.
Canadian private sector privacy laws are sufficiently similar
to each other that the National Privacy Policy Index promises
to be an important resource for promoting consistent privacy
policies and processes across Canada. I am very pleased with
what I have seen in the draft National Privacy Policy Index
and congratulate Nymity for its innovative approach to private
sector privacy compliance.
Richard Simpson
Director General, Electronic Commerce
Industry Canada
Maintaining effective privacy policies and practices is important
not only as a legal obligation, but should also be seen as
a competitive advantage in the digital economy. Privacy is
good business. It is also a deeply-rooted Canadian value,
and consumers have shown that they are very concerned with
how organizations protect their personal information. The
protection of personal information is therefore fundamental
to establishing a positive reputation in an increasingly competitive
global economy.
The PrivaWorks National Privacy Policy Index assesses an
organization's privacy policy based on its compliance with
the ten privacy principles found in the Personal Information
Protection and Electronic Documents Act (PIPEDA). These principles
are drawn from the CSA Model Code for the Protection of Personal
Information, a standard that was developed jointly by business,
government, and civil liberty organizations. Therefore, the
Index provides organizations with a mechanism for implementing
privacy policies that are in accordance with a widely accepted
framework for the protection of personal information.
Heather H. Black
Assistant Privacy Commissioner
Office of the Privacy Commissioner of Canada
The Personal Information Protection and Electronic Documents
Act, which is Canada's national private sector data protection
law, requires organizations subject to the law to develop and
implement policies, practices and procedures for complying
with the Act.
The National Privacy Policy Index should be useful to organizations
that are in the process of implementing the national law or
provincial laws that have similar requirements. The Office
of the Privacy Commissioner of Canada encourages all organizations
to develop and then live up to their privacy policies.
Elizabeth Denham
Director, Personal Information Protection Act
Office of the Information and Privacy Commissioner of Alberta
As you know, Alberta's Personal Information Protection Act
requires organizations to develop privacy policies to demonstrate
and ensure that they meet their obligations under the Act.
Each organization should tailor its policies and procedures
to the types and extent of personal information collected,
used and disclosed and to its unique business functions. This
is simply not a "cut and paste" job. Effective privacy
policies are essential not only for compliance purposes, but
also to communicate effectively with customers and employees
(who are becoming increasingly privacy savvy), and to gain
a competitive edge in business. A privacy policy based on
a thorough assessment of the business must also be reviewed
periodically and amended to encompass changes in business
practices, as well as to reflect emerging jurisprudence in
private sector privacy.
The content of the National Privacy Policy Index would be
useful to organizations who are developing, reviewing and
amending their privacy policies. The index is logically organized
according to 10 principles reflected in PIPEDA, with each
principle drilling down into extensive detail. Although the
Alberta and B.C. PIPAs are not structured in this way, there
are enough similarities in the obligations that provincially-regulated
organizations operating exclusively within these provinces
could make use of the index. And it is certainly helpful for
organizations operating across several jurisdictions, in their
attempts to harmonize corporate privacy policies. I believe
the tool is appropriately intended for an audience of privacy
officers and privacy managers in medium to large sized organizations;
these individuals are familiar with the privacy principles
and are sophisticated users of such guidance.
The links to actual privacy policies of high-profile organizations
are very useful in offering real-life examples and industry
"best practices". Nymity's commitment to keep this
Index updated is critical to its ongoing value to organizations.
I congratulate you on this initiative.
Wally Hill
V.P. Public Affairs & Communications
Canadian Marketing Association
“A Positive Contribution to Awareness about Privacy
Protection”
The Canadian Marketing Association continues to be a leader
in the protection of personal privacy, working with consumers,
industry and governments to promote that goal. Key to the
success of CMA’s contribution is our commitment to effective
privacy protection along with a strong economy for businesses
and consumers. CMA members recognize that protection of personal
privacy builds customer trust and loyalty, and that it is
good for business.
Nymity’s new National Privacy Policy Index will help
to build awareness and knowledge about compliance with privacy
policies in Canada. Identifying a range of best practices
and leading companies in development and implementation of
privacy policies, the Index offers a positive contribution
to Industry’s commitment to the protection of personal
privacy.
Lance Novak
Director, Information Products
Canadian Standards Association
The Canadian Standards Association (CSA), Canada's leading
developer of standards and codes and the developers of the
Model Code for the Protection of Personal Information (Q830),
has provided a review of the National Privacy Policy Index.
In Canada, the key elements of the CSA's Privacy Code are
now incorporated into the Personal Information Protection
and Electronic Documents Act (PIPEDA), which came into full
effect on January 1, 2004. The National Privacy Policy Index
also incorporates key elements of the CSA's Model Code, which
covers the Fair Information Practices.
Organizations that collect, use or disclose personal information
should proactively maintain their privacy policies and programs
and, in this regard, the National Privacy Policy Index is
an effective tool for the evaluation and maintenance of privacy
policies. It provides a comprehensive list of privacy policy
considerations that will help all organizations to create
effective policies that meet legal requirements as well as
business objectives. Privacy policies are key to organizations,
providing clarity to personal information handling practices
and accountability to both consumers and the Privacy Commissioners'
offices.
Canadian Standards Association (CSA) is a membership association
serving industry, government, consumers and other interested
parties in Canada and the global marketplace. A leading developer
of standards and codes, CSA aims to enhance public safety,
improve quality of life, preserve the environment and facilitate
trade. To help people understand and apply standards, CSA
offers information products and training. The Canadian Standards
Association is a division of CSA Group which consists of CSA,
CSA International for product testing and certification, and
QMI for management systems registration.