We suggest that the first steps for small to midsize community organizations seeking to improve privacy are the following:
1. Create a privacy officer role
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) affirms that every organization should have a designated privacy officer. This does not only mean appointing an individual, but defining a role: Who will the privacy officer need to consult with? Which committees will he or she sit on? What actions or changes will need to be approved by the privacy officer? While the privacy officer’s role will be unique to your organization, it is helpful to keep in mind that privacy connects multiple areas, including policy, communications, information technology, service delivery, and staff training.
2. Review communications
3. Investigate information management
4. Develop breach response protocols
What will be done if there is a privacy breach – for instance, if your website or record-keeping system is hacked? Do you have the ability to block access from a compromised account, or are you dependent on service providers to manage access? What if a USB drive, laptop, or smartphone containing personal information is lost or stolen? Are these devices password protected? How much information could be compromised by a breach? Who needs to be notified in the event of a breach? At this stage, the privacy officer will need to consult with IT staff to reduce security risks and develop breach response protocols.
For public and private organizations across Canada:
Privacy Toolkit: A Guide for Businesses and Organizations – Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Office of the Privacy Commissioner of Canada.
For healthcare organizations and health professionals in Ontario:
A Guide to the Personal Health Information Protection Act (PHIPA). Information and Privacy Commissioner of Ontario.