Privacy from the Corporate Standpoint – OPC requirements per PIPEDA

Like many of you, I believe privacy is a seriously pressing concern in the modern age. As users of social media, we are subject to data collection that can then be shared with organizations with whom we have never had direct contact. However, I think it’s interesting to think about it not just from the standpoint of the user, but also from the perspective of organizations. What safeguards are they required to have in place, both internally and when sharing data with third parties?
For example, this article (“Thinking of Outsourcing Your Customer’s Data? What You Need to Know Ahead of Time”) discusses the safeguards/measures that TD Bank took when it outsourced customer data internationally without first obtaining additional consent. The article suggests that companies should have “proper assessments and have strong contractual protections in place.” I don’t know about you, but I like the sound of the former a lot more than the latter, especially considering the lack of real negotiating power on the part of the consumer. But that might be a whole other discussion!
On the internal side, this article (also from MLT Aikins!) discusses a different fact situation with Desjardins, where the OPC determined that the organization did NOT have sufficient protections in place. As a result, an employee was able to gather a substantial amount of personal information and store it on their work computer, even though they did not have permission to access that data. The article recommends that organizations take the following steps to avoid such things:

“1 – Ensure that employees are following policies and procedures on an ongoing basis.
2 – During training, require employees to demonstrate that they understand the policies.
3 – Frequently review whether employees are following procedures and policies.
4 – Ensure that access controls do not permit for restricted information to be easily moved to more widely accessible domains.
5 – Implement active monitoring systems such as a data loss prevention (DLP) solution and other ongoing monitoring mechanisms (particularly for organizations which handle highly sensitive personal information).
6 – Implement appropriate personal information retention and destruction policies and have mechanisms in place to ensure that they are followed.”

What do people think of these steps? Are they sufficient, and can we be confident rogue employees couldn’t get access to data anyway? If not, what else could we be requiring companies to do?
