The future of Data Privacy for small and medium-sized businesses


We recently had the pleasure of chatting with Philippe Dufresne, Canada’s Privacy Commissioner, who shared his valuable insights on the key things SMEs need to know about privacy, the services his office offers to small and medium-sized enterprises and the benefits of those services, how his office works with businesses to ensure their data is protected, the issues SMEs should consider when it comes to safeguarding personal information, and his advice to small businesses during this challenging time.

Philippe Dufresne was appointed Privacy Commissioner of Canada in June 2022. A leading legal expert on human rights, administrative and constitutional law, he previously served as the Law Clerk and Parliamentary Counsel of the House of Commons.

Before that, he was the Canadian Human Rights Commission’s Senior General Counsel, responsible for legal services, litigation, investigations, mediations, employment equity and Access to Information and Privacy. He successfully represented the Commission before all levels of Canadian Courts, including the Supreme Court of Canada, in a number of key human rights and constitutional cases.

Commissioner Dufresne is a member of the Bars of Quebec, Ontario, and Massachusetts. He holds degrees in common and civil law from McGill University’s Faculty of Law and has been a part-time professor with the University of Ottawa’s Faculty of Common Law and Queen’s University’s Faculty of Law where he taught international criminal law, human rights and appellate advocacy.


What are some of the key things SMEs need to know about privacy? What are your thoughts on the future of data privacy for small and medium-sized businesses? 

SMEs subject to Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), need to understand and follow PIPEDA’s 10 fair information principles. For example:

  • Organizations must generally obtain an individual’s meaningful consent before they collect, use, or disclose their personal information;
  • People have the right to access their personal information held by an organization as well as the right to challenge its accuracy;
  • Businesses can only use personal information for the purposes for which it was collected; and 
  • They must use appropriate safeguards to protect the personal information in their care.

Customers appreciate working with organizations that respect their privacy. We have many online resources to help businesses do this.

In June, the federal government introduced a bill that would replace PIPEDA in an effort to modernize our federal privacy framework. We are in the process of analyzing the bill and will welcome the opportunity to share our views with Parliament in the fall.


Can you explain the different services you offer to small and medium-sized enterprises? What are the benefits of using your services?

My office provides advice and guidance to businesses of all sizes on how to comply with PIPEDA. Our Business Advisory team offers consultation services involving a review of ongoing privacy practices or new programs and initiatives. We can help identify good practices and compliance risks and provide practical advice to proactively address those risks, including how to frame initiatives and practices to comply with PIPEDA. Our team can also arrange short meetings with businesses to address specific privacy questions. An advisory consultation may also be requested for more complex issues. Any business subject to PIPEDA can contact us to request these services, which are free and voluntary. 

Practical compliance advice can help businesses to innovate and grow with confidence that they are protecting the privacy rights of their customers. By ensuring privacy compliance from the start and addressing issues early, businesses can limit risks to their reputation and avoid potentially costly damage control measures. Robust practices for managing and protecting personal information are a competitive advantage that help to build trust and confidence among customers.



How does your office help SMEs meet their obligations under the federal privacy law? How do you work with businesses to ensure their data is protected?

Our website (www.priv.gc.ca) has many resources to help businesses better understand and meet their obligations under PIPEDA. For example, we have published the Privacy Guide for Business, which provides an overview of PIPEDA and your responsibilities as a business.

We also have many issue-specific guides and bulletins, including the Preventing and responding to a privacy breach guide and Interpretation Bulletin: Safeguards.

Could you elaborate on the issues SMEs should consider when it comes to safeguarding personal information?

A good starting point is to ensure that you do not collect or keep more personal information than necessary. Before or when collecting any personal information, SMEs must assess the purpose for collecting this information, and whether it is necessary for that purpose. Once the identified purpose has been fulfilled, the personal information should be disposed of, unless it is required to be retained by law.


Our guide on Personal Information Retention and Disposal: Principles and Best Practices can help SMEs consider how to determine appropriate retention periods and securely dispose of personal information. 


What do SMEs need to know about data breaches? 

A common challenge SMEs face regarding data security is understanding the threats and vulnerabilities in their environment. Our guide to Preventing and responding to a privacy breach provides some best practices on preventing privacy breaches, such as conducting risk assessments to identify weak points in your organization and being aware of breaches in your industry. We also outline the immediate steps SMEs should take to contain a breach if one occurs, and tips for preventing future data breaches.

We understand data breaches can occur, even when adequate safeguards are employed. Our What you need to know about mandatory reporting of breaches of security safeguards guidance offers more information on breach reporting obligations, including how to submit a breach report to the OPC, and what kind of notice must be provided to individuals.

Dealing with breaches transparently is not just about following the law; it sends a message to customers that even during challenging times, you take their interests to heart.


What is your advice to small businesses during this challenging time?

We understand that it can be challenging for small businesses to navigate the privacy landscape, especially in an increasingly complex digital environment. We would encourage SMEs to take advantage of the resources on our website. For specific questions, a good starting point is to contact our Information Centre, toll free at 1-800-282-1376. Our Business Advisory team may also be able to provide answers to specific or more complex questions.

CanadianSME
With an aim to contribute to the development of Canada’s Small and Medium Enterprises (SME’s), Cmarketing Inc is a potential marketing agency and a boutique business management company progressing rapidly in its scope. By acknowledging a firm reliance of the Canadian economy over its SMEs, the agency has resolved to launch a magazine, the pure focus of which will be the furtherance of Canadian SMEs, and to assist their progress with the scheduled token of enlightenment via the magazine’s pertinent content.