Federal Privacy Commissioner Publishes Survey of Canadian Businesses on Privacy Issues
The Office of the Privacy Commissioner of Canada (the “OPC”) recently published the results of the 2019-20 Survey of Canadian business on privacy-related issues (the “Study”).
Conducted for the OPC between November 29 and December 19, 2019, the Study involved a telephone survey with senior decision makers of 1003 Canadian businesses. The results were weighted by company size, sector, and region using Statistics Canada data to reflect the distribution of businesses in Canada.
Key Findings of the Study
The Study provides insights on Canadian businesses’ privacy policies and practices and reveals notable areas for improvement.
I. Importance of Protecting Customers’ Privacy
The Study found that most businesses regard customers’ privacy as an important concern. While 69% of companies attribute extreme importance to protecting customers’ privacy, the concern is stronger among businesses that sell directly to customers, rather than those that sell to other businesses.
II. Awareness of Obligations Under Canadian Privacy Law
More than half of businesses said they were highly aware of their obligations under Canadian privacy law, including 40% who said they were extremely aware. Further, over 75% of businesses reported that they had taken steps to comply with Canada’s privacy laws. Businesses that feel they are not aware of or have not taken steps to comply with their obligations under Canadian privacy law are in a shrinking minority.
III. Accessibility of Personal Information and Obtaining Meaningful Consent to the Collection, Use and Disclosure of Personal Information
According to Canadian private-sector privacy legislation, businesses are generally required to obtain meaningful consent for the collection, use and disclosure of customers’ personal information. In order for businesses to obtain meaningful consent, the OPC’s Guidelines for obtaining meaningful consent (the “Consent Guidelines”) stress that, among other things, businesses must make their personal information available to customers in complete form, disclose the risk of harm associated with how their personal information will be processed and notify customers of any significant changes to their privacy practices or policies.
IV. Management of Privacy Risks and Data Breaches
The Study found that anxiety about data breaches is polarized: 30% of businesses are extremely concerned about a data breach, whereas 33% are not at all concerned. Only 38% of companies have policies or procedures in place to assess privacy risks related to their business (including data breaches).
According to the Study, 95% of businesses said they have not experienced a data breach where the personal information of their customers was compromised. This high percentage may reflect a misunderstanding of the nature of a data breach, which encompasses everything from a hacker stealing financial information to an email containing a small amount of low sensitivity personal information being sent to the wrong recipient. If a business believes it has not experienced any data breaches, it may not have adequate monitoring and training in place to ensure it is aware of all data breaches.
What the Study Tells Us (and Doesn’t Tell Us)
- The Consent Guidelines were published more than 18 months before the Study. The low percentage of businesses that seem to adhere to the Consent Guidelines – including by making their personal information readily accessible to customers and clearly outlining the risk of harm that could result from a data breach when seeking customers’ consent to collect, use and disclose personal information – suggests that businesses are not reviewing their privacy policies regularly. Privacy policies and practices should be reviewed at least annually to ensure they keep up with legislative changes.
- The low percentage of businesses that proactively assess and disclose the risk of harm that could result from a data breach, and that have reported experiencing a data breach, suggests that many businesses are not taking sufficient stock of their specific cybersecurity vulnerabilities. While data breaches were once uncommon, cybersecurity risks are quickly becoming some of the most significant data-related risks for organizations and increasingly a critical, enterprise-level risk.
- It is unclear what percentage of businesses are adequately prepared to respond to a data breach. The Study did not ask specifically about Incident Response Plans, which help businesses “detect, respond to, and recover from a cyber-incident (i.e. a data breach or an unauthorized attempt to gain access to a computer network or system), limit disruptions, and reduce data loss.” However, a Statistics Canada 2018 survey found that 87% of businesses lacked a written policy to manage cyber incidents. Organizations that are not prepared for incidents are in a weak position to stop incidents and reduce harm, and are therefore at risk of increased reputational damage, and regulatory and civil actions.
For more information about the Guidance or any other Canadian privacy laws, please contact the authors and see our Cybersecurity, Privacy & Data Management group page.