Privacy Protection Makes Good Business Sense
Recent polls have clearly demonstrated that Canadian consumers are concerned about their privacy. Consumers are becoming more aware of how their personal information is used by businesses, more informed about their rights and more intent on preserving their privacy. Consequently, it makes good business sense to make privacy protection an integral part of doing business.
Consumers have clearly indicated they want their personal information protected. Privacy protection does not compete with businesses' legitimate needs to gather and use customers' personal information. If anything, it allows customers to be involved in the management of their personal information. In this way, privacy protection can be a key component of good customer service.
Businesses are encouraged to use the following principles to address their customers' privacy concerns. The principles presented here are offered as standards which businesses should strive to meet.
Privacy Protection Principles for Businesses
Recognition and respect for customers
1. Recognize customers as owners of their personal information and consult them when developing policies or practices that may potentially affect their privacy.
2. Develop and adopt privacy protection practices and apply them when handling all customer personal information in paper or electronic form.
3. Assess how any proposed new policy, service or product may affect privacy before adopting it.
4. Provide a means to restore privacy, at no cost to customers, if any service or product alters your company's privacy standards.
5. Inform customers about your company's policies and practices concerning their personal information.
1. Inform customers about any records your company maintains which contain their personal information.
2. Develop a process for responding to customer inquiries or complaints regarding the handling of their information and advise customers that such a process exists.
1. Determine the purpose(s) of collecting, using or routinely disclosing customers' personal information, before it is collected.
2. Do not withdraw access to services or products if customers refuse to permit your company to use their personal information for a purpose not identified at the time of collection, including the exchange or sale of personal information to a third party for marketing purposes.
1. Collect personal information about customers only when it is necessary and relevant to their transactions.
2. Collect customers' personal information directly from the individuals concerned, whenever reasonably possible.
3. Collect customers' personal information with their knowledge and consent, except in very limited circumstances. Identify and inform customers of any exceptional circumstances before or at the time of collection.
1. Inform customers, before or at the time of collection:
- how your company will use and/or disclose their personal information, and
- from what source(s) your company will collect their personal information, if not directly from them.
1. Use customers' personal information only for the purposes identified to the customer at the time of collection, unless the customer explicitly consents to another use, or the use is authorized by law.
Right of Access
1. Give customers the right to access their personal information, except in clear and limited circumstances, such as if access would be an invasion of another person's privacy.
2. Give customers access to their personal information in an understandable format, without undue delay or expense.
3. Inform customers of any reasons why access will not be granted and provide them with a fair opportunity to challenge a denial.
Right of Correction
1. Give customers the right to challenge the accuracy of their personal information.
2. Correct customers' personal information if it is found to be inaccurate, incomplete, irrelevant or inappropriate.
3. Allow customers to write a "statement of disagreement" if your company and customers disagree on the accuracy or completeness of their personal information. Attach the statement to the customer's file.
4. Take all reasonable steps to inform third parties who use customers' personal information of any customer statements, changes or corrections to a customer's personal information.
1. Take all reasonable steps to ensure that the personal information collected, used and disclosed is accurate, complete and up-to-date.
1. Obtain customers' consent before disclosing their personal information, except where authorized by law or in exceptional circumstances unrelated to marketing purposes. Identify the limited exceptional circumstances and inform customers of these circumstances before or at the time of collection.
2. Obtain customers' consent before renting, selling, trading or otherwise disclosing their personal information to a third party for marketing purposes.
Retention and Disposal
1. Retain customers' personal information for as long as it is relevant to the reason it was collected or for as long as is required by law.
2. Dispose of customers' personal information in a manner which ensures that the customer cannot be identified and linked to the information.
1. Adopt appropriate and comprehensive measures to ensure that customers' personal information is secure against loss or unauthorized access, use, alteration, disclosure or destruction.
1. Ensure that all your staff are aware of, and accountable for, following your company's privacy protection policy and practices.
2. Conduct periodic reviews of your privacy protection policy and practices to ensure they meet customers' expectations and international developments.
1. Build privacy protection measures into contracts with business partners or third parties who will have access to your customers' personal information.
For additional information, the paper Privacy Protection Makes Good Business Sense is available from the IPC Communications department. Call (416) 326-3333 or 1-800-387-0073.
Upon request, this publication will be made available on audio tape to accommodate individuals with special needs.