Knowing Is Not Enough: PIPA And The Privacy Management Plan That Keeps You In Compliance
Goethe wrote, “Knowing is not enough; we must apply. Willing is not enough; we must do.” In this beautifully simple quote, he speaks of the importance of action and how action is essential to success.
HR leaders are the most important people on the front line of online safety. The secret to a successful cybersecurity defense plan is a collaborative partnership of human resources, IT, CRM and R&D across the organization in building a crucial tool known as the privacy management plan (PMP). Having a PMP keeps your organization in compliance with the Personal Information Protection Act (PIPA).
During this pandemic, we have been reminded of the fundamental role cyberspace is playing in our daily lives and business operations, yet many cybersecurity experts agree that human error still accounts for the majority of all data breaches.
Cybersecurity laws are executed (and violated) by people; so, it is at our peril that we fail to help our staff wrap their minds around these laws and best practices. And although the laws can seem daunting, it is essential to understand how to put these laws and policies into action.
The best way forward with PIPA is to have a privacy management plan.
This article will take a brief look at PIPA and give you best practice actions for building your PMP, based on information from the Office of the Information & Privacy Commissioner (OIPC).
PIPA applies to private-sector organizations across British Columbia that collect, use or disclose personal information during a commercial activity. According to the OIPC website, “The purpose of this Act is to govern the collection, use, and disclosure of personal information by organizations in a manner that recognizes both the right of individuals to protect their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”
PIPA’s 10 Fair Information Principles
PIPA’s 10 fair information principles form the ground rules for the collection, use and disclosure of personal information, as well as for providing access to personal information.
1. Accountability: An organization is responsible for personal information under its control. It must appoint someone to be accountable for its compliance with these fair information principles.
2. Identifying Purposes: The organization must identify the purposes for which the personal information is collected before or at the time of collection.
3. Consent: The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.
4. Limiting Collection: The collection of personal information must be limited to that which is needed for the purposes identified by the organization. Information must be collected by fair and lawful means.
5. Limiting Use, Disclosure and Retention: Unless the individual consents otherwise or it is required by law, personal information can only be used or disclosed for the purposes for which it was collected. Personal information must only be kept as long as required to serve those purposes.
6. Accuracy: Personal information must be as accurate, complete and up to date as possible to properly satisfy the purposes for which it is to be used.
7. Safeguards: Personal information must be protected by appropriate security relative to the sensitivity of the information.
8. Openness: An organization must make detailed information about its policies and practices relating to the management of personal information publicly and readily available.
9. Access: Upon request, an individual must be informed of the existence, use and disclosure of their personal information and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
10. Challenging Compliance: An individual shall be able to challenge an organization’s compliance with the above principles. Their challenge should be addressed to the person accountable for the organization’s compliance.
Privacy Management Plan
A PMP tracks and clarifies your organization’s actions to protect all personal information gathered. This plan helps reduce privacy risk, identify areas of weakness in your privacy practices and ensure employees know what is expected of them. In her 2020 IT World Canada article on understanding security laws, professor Melissa Lukings wrote, “Cybersecurity laws, data protection, and privacy legislation are laws that aim to safeguard information technology and computer systems from privacy breaches and unauthorized activity as well as to compel corporations and organizations to protect their online infrastructures from cyber-attacks.” A well-structured and applicable PMP builds trust in staff and customers.
Here is a quick overview of where to start and the 10 sections required for compliance with PIPA.
1. Get buy-in from the top: This is a leadership goal because the authority to action the PMP details is given from the top. As the laws hold the entire company responsible and a breach could lose customers and jobs, it is crucial for the C-suite to sign off on your PMP.
2. Designate a privacy officer: This person is your company’s lead coordinator and PMP manager. Depending on your organization’s size, this leadership role may manage a team or operate as a sole resource.
3. Identify reporting structure: As with all project management best practices, you must be able to measure, analyze, review and adjust processes. This can only come from developing a clear and actionable structure presented to the entire company by the privacy officer.
4. Develop a personal information inventory: Here, your privacy officer analyzes what information is gathered from people and why it is necessary. This includes how you collect and handle the personal information. If the information is shared with outside partners, consider why and with whom you share that information. Before the privacy officer can explain the collection and care process, they must develop a personal information inventory.
5. Draft Policies: This is a chance for the privacy officer to bring all departments’ voices into the conversation, through interviews with colleagues, research into your industry’s best practices and in-depth exploration of laws to ensure your policies comply with current laws.
6. Evaluate risk assessment: Much like all risk assessment, this is an ongoing process as the landscape of cyber safety keeps changing. Even laws, software and systems cannot fully keep up with newly developed risks. The more attention you give, the safer your company will be.
7. Conduct training: The more creative your company is in engaging staff in cybersecurity training, the more buy-in you will get from all employees.
8. Document breach response: This details how you handle breaches, including recovery, restoration and legally compliant disposal of personal information. This is the information that customers and staff can request by law from every company that collects their personal information.
9. Manage service providers: Having strong policies and evaluation processes helps ensure you can confirm that vendors match your company’s PMP and that they will not put your information at risk. A sign-off sheet for vendors (that includes them sending you their PMP) ensures they are fully aware of your company’s policies and breach response practices.
Ongoing Assessment and Revision
10. Review and Revise: The commitment to PIPA can go up in smoke if there are no regular reviews and revisions in place. It may seem like an obvious and easy thing to plan; however, this is where it falls apart. It is best practice for all staff to participate in the review and revise procedures to ensure every employee stays aware and focused on potential threats.
The following list of the Top 5 cybersecurity laws will give you an additional landscape to build your privacy management knowledge. These are statutory frameworks for Canada’s privacy and data management laws affecting cybersecurity and its regulation and governance. These are recommendations to minimize the risk of cyber threats.
The Top 5 Cybersecurity Laws HR Teams Need to Be Aware of
- The Privacy Act
- Access to Information Act
- Criminal Code of Canada
- Personal Information Protection and Electronic Documents Act
- Canada’s Anti-Spam Law
Data protection and cybersecurity laws that govern Canadian businesses are continually changing. The framework that governs businesses, non-profits and other organizations is a vital source to help reduce risk; risk that can impact any organization severely with legal and financial consequences that can be detrimental and prevent a business from making a comeback.
Note that this article addresses the PIPA for British Columbia, and the other provinces have similar laws and policies governing how you collect, store and share personal information of your customers and staff. Please learn more about the laws relevant to your location.
Goethe said, “Doubt can only be removed by action.” Make building a PMP your best practice for removing doubt and building trust with your staff and customers.
To fully understand the relevant Canadian laws around cybersecurity, you must do your due diligence into the individual pieces of legislation that have shaped Canadian privacy laws. My company, Inspiration FX, has specialized in working with organizations in the private and public sectors to develop their PMPs and other relevant training programs around privacy compliance, business tech and cybersecurity laws and policies. Please reach out if we can be of any help to you and your colleagues.