09/16/2025 | Press release | Distributed by Public on 09/16/2025 17:51
September 16, 2025
Privacy is a fundamental right. Personal information is a core part of who we are as individuals, and respecting privacy rights, as noted by Philippe Dufresne, Privacy Commissioner of Canada, is essential to our dignity and to the enjoyment of other freedoms. Creating a culture of privacy means limiting the collection, use, retention and disclosure of personal information to what is necessary and proportional to achieve the purpose for which it was collected. It also means being transparent about what is being collected and why it is being collected. And importantly, it means training the individuals dealing with personal information about the importance of protecting privacy and ensuring that regular monitoring is in place to ensure accountability with respect to the use, collection and disclosure of personal information. In the digital age, ensuring an individual's privacy is more challenging.
There are ten privacy principles that form the ground rules for the collection, use and disclosure of personal information, as well as for providing access to personal information. These principles provide individuals with control over how their personal information will be dealt with by organizations. Following these principles will ensure that your organization is treating privacy as a fundamental right and taking appropriate steps to protect any personal information that is obtained. Those privacy principles are as follows:
1. Identify purpose - identify in writing the purpose for collecting personal information, the basis on which that information is being collected and the name of the person who can be contacted to answer any questions about the collection. This purpose must be identified either before or at the time of collection of the information.
2. Limit collection - collect only the information that is necessary for the purposes that you have identified. Information must be collected by fair and lawful means.
3. Get consent - obtain written and explicit consent to obtaining, using or disclosing the personal information. The knowledge and consent of the individual whose personal information is being collected is required for its collection, use or disclosure, except in very limited circumstances.
4. Limit use, disclosure and retention - you may only use or disclose personal information for the purposes that you identified when you collected the information, or another reason authorized by FOIPPA. Personal information should be retained for a limited period of time and appropriately destroyed.
5. Reasonable security - you must put in place processes to protect the personal information that you have obtained, proportional to the sensitivity of the information.
6. Be accountable - be responsible for all personal information under your organization's control and be able to demonstrate that the personal information collected was collected, retained and used in accordance with the principles of privacy protection. An organization is responsible for all personal information that is under its control and must appoint someone to be accountable for compliance with the ten privacy principles.
7. Be open and transparent - be clear on the manner in which your organization is dealing with personal information and have your processes available
8. Ensure accuracy - your organization is required to make reasonable efforts to ensure that any personal information that is collected is accurate. Personal information must be as accurate, complete, and up to date as possible in order to properly satisfy the purposes for which it is to be used.
9. Right of access and correction - individuals have a right to their own personal information and have a right to have that information corrected when errors or inaccuracies are identified. Upon request, an individual must be informed of the existence, use and disclosure of their personal information and be given access to that information. In addition, individuals must be given the opportunity to challenge the accuracy and completeness of the personal information collected by the organization and have it amended as appropriate.
10. Provide recourse - have a process in place for dealing with any complaints with respect to the handling of personal information. Individuals must be given the ability to challenge an organization's compliance with these principles, and any challenge should be addressed to the person who has been identified as being responsible for the organization's personal information.
As noted by the Privacy Commissioner of Canada:
Resources spent on the protection and promotion of privacy - on creating a "culture of privacy" - are smart investments in the security and trust that Canadians have in organizations. By considering privacy at the front-end and building it into our innovations, policies, and practices, and by demonstrating a commitment to transparency, accountability, security, and the protection of privacy, you generate efficiencies down the line so that these costs become investments that are good for businesses and governments alike.
While complying with the ten principles of privacy protection can feel onerous, particularly if your organization has not had a culture of privacy, remember that doing so can create efficiencies for your organization while building the trust that your clients or customers have in your organization. That goodwill can contribute significantly to the successes that an organization realizes.
If you have questions about this or other privacy-related matters, please get in touch with Rose Keith, KC or another member of our Privacy and Data Protection team.