News Release: For immediate release
Feb. 20, 2003
Ontario Information and Privacy Commissioner Ann Cavoukian today challenged all Boards of Directors to immediately ask their CEOs what policies and procedures their own company has in place for the proper handling – and destruction – of personal information records.
The inadvertent release of the very sensitive health information of an Ontario woman should be a wake-up call to all businesses, said the Commissioner. The medical records appeared on the back of real estate flyers distributed to a number of Toronto-area homes recently. Exactly how the papers containing the personal information, which reportedly were put out for recycling, ended up at a printer’s shop (which printed the real estate flyers on the other side) is still being determined.
Commissioner Cavoukian called the incident a “wake-up call for all companies. If I were on the board of directors of any firm and heard this type of story, I would immediately call my CEO and ask, ‘Are we at risk? What procedures do we have in place?’”
“Every company,” said the Commissioner, “must have strong privacy and security policies in place – written policies that have been clearly communicated to all staff.”
“Personal information,” she said, “should never just be thrown out in the trash or put out for recycling. Every company must have a standard operating procedure for the secure disposal and destruction of personal records – a procedure that does not allow for the records to be restored.”
“Senior officers at every company today should be demanding answers on what happens to personal information at their company. Each company should assign one individual to be responsible and accountable for the retention and disposal of all personal records, and to ensure that the necessary sign-offs have been obtained. Audit trails are also essential.”
“Privacy is a business issue. Not only is there a liability risk, but a huge risk to reputation. Smart businesses have strong policies that protect their clients’ privacy – it’s just good business, and customers are demanding it,” said the Commissioner.
As of January, all businesses in Canada will fall under federal privacy legislation. The Commissioner notes that the Personal Information Protection and Electronic Documents Act sets out rules for how the private sector will be permitted to use personal information in the course of commercial activities. “Be forewarned now, and start putting your house in order,” said Commissioner Cavoukian.
The Information and Privacy Commissioner is appointed by and reports to the Ontario Legislative Assembly, and is independent of the government of the day. The Commissioner's mandate includes overseeing the access and privacy provisions of the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act, and helping to educate the public about access and privacy issues.
Media Contact:
Bob Spence
Communications Co-ordinator
416-326-3939 or 1-800-387-0073
bob.spence@ipc.on.ca