Small to midsize organizations serving communities usually have some awareness of privacy regulations and have developed a privacy policy, but may struggle to integrate privacy principles into their daily operations. We seek to answer the question, “Where do we start?”

Most community organizations are aware that they are governed by privacy legislation, and have made some effort to familiarize themselves with the provincial or federal laws that apply to them. Most have developed a privacy policy based on guidelines from federal or provincial privacy commissioners. The challenge usually is knowing how to implement it. Small to midsize organizations serving local communities generally do not have the resources to build a privacy program with expert staff. They may seek consultations such as organizational reviews or privacy impact assessments, but these are intended for contexts where privacy practices are already being integrated into daily operations. So, where should community organizations start with privacy?

We suggest that the first steps for small to midsize community organizations seeking to improve privacy are the following:

1. Create a privacy officer role

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) affirms that every organization should have a designated privacy officer. This means not only appointing an individual but defining a role: Whom will the privacy officer need to consult? Which committees will he or she sit on? What actions or changes will need to be approved by the privacy officer? While the privacy officer’s role will be unique to your organization, it is helpful to keep in mind that privacy connects multiple areas, including policy, communications, information technology, service delivery, and staff training.

2. Review communications

Your organization probably has a privacy policy, but do your clients know about it? One of the privacy officer’s first tasks is to make sure that clients are informed about the privacy policy through channels such as your website, information sheets, and most importantly, frontline service delivery. Clients’ personal information should only be collected with their informed consent, which means that they should know what kinds of information will be collected, how it will be used and stored, who may have access to it, and how long it will be kept. Clients should also know whom to contact about privacy concerns.

Of course, the privacy officer will also need to make sure that what clients are told about how their personal information is managed is true – that your privacy policy is actually being implemented. As clients are invited to raise concerns about privacy, the privacy officer should have a plan for handling questions and complaints.

3. Investigate information management

How do you collect, use, store, and dispose of personal information? How long is it kept, and how is it destroyed? Who manages the data and who has access to it? In particular, what outside service providers do you depend on to manage client information? These could include email and cell phone service providers; cloud data storage providers such as Dropbox or Google Drive; and IT installation and support for software (e.g., appointment booking and client record-keeping systems) and hardware (e.g., internal server, desktop computers and laptops). What client information could they access, and what are their privacy policies and practices? The privacy officer needs to know the answers to these questions, make sure that they are in line with your privacy policy, and ensure that clients are informed of these practices.

4. Develop breach response protocols

What will be done if there is a privacy breach – for instance, if your website or record-keeping system is hacked? Do you have the ability to block access from a compromised account, or are you dependent on service providers to manage access? What if a USB drive, laptop, or smartphone containing personal information is lost or stolen? Are these devices password protected? How much information could be compromised by a breach? Who needs to be notified in the event of a breach? At this stage, the privacy officer will need to consult with IT staff to reduce security risks and develop breach response protocols.

These initial steps are the foundation for implementing privacy policy in regular operations. Once this is done, organizations are in a better position to benefit from an organizational review, which documents privacy policies and practices and identifies any gaps. From there, an important next step is to develop privacy awareness and training across the organization. Later, privacy impact assessments or maturity assessments may be used to refine privacy risk management. Each of these steps aims not just to identify risks and develop policies, but to ensure that privacy considerations are integrated into every aspect of an organization’s daily operations that involves individuals’ personal information.

For public and private organizations across Canada:

Privacy Toolkit: A Guide for Businesses and Organizations – Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Office of the Privacy Commissioner of Canada.

For healthcare organizations and health professionals in Ontario:

A Guide to the Personal Health Information Protection Act (PHIPA). Information and Privacy Commissioner of Ontario.
