Steven Williams, Emond Harnden, LLP
This is the first in a series of articles which will appear in Up-Date this year. Our hope is to address the growing number of privacy law compliance issues facing your organization today and in the coming months. In this particular article our subject matter is the role, responsibilities and qualifications of the Chief Privacy Officer (CPO).
The Personal Information Protection and Electronic Documents Act (PIPEDA) has applied to the collection, use, and disclosure of personal information in federal jurisdiction organizations since January 1, 2001. Today, provincial jurisdiction organizations are not subject to PIPEDA unless they are selling personal information across provincial or international borders. PIPEDA, however, will apply to the collection, use or disclosure of personal information in the course of any commercial activity by provincial jurisdiction organizations within Ontario if “substantially similar” legislation is not enacted by the provincial government before January 1, 2004. We do not expect the Ontario government will enact such legislation by this date. Please note, however, that if you are a provincial jurisdiction organization, PIPEDA will not apply to your employee personal information.
We begin with a brief description of PIPEDA to understand why the CPO position is required. In essence, PIPEDA sets out basic rules to govern how private sector organizations are to collect, use and disclose personal information. The purpose of the Act reads in part,
…in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances
All organizations covered by PIPEDA must comply with the ten privacy principles set out in Schedule 1 of the Act:
- Accountability
- Identifying purposes
- Consent
- Limiting collection
- Limiting use, disclosure, and retention
- Accuracy
- Safeguards
- Openness
- Individual access
- Challenging compliance
The first principle is accountability. In the context of PIPEDA, accountability means that the organization must clearly designate a person or persons responsible for ensuring its compliance with the principles.
This individual is typically referred to as the Chief Privacy Officer (CPO). Most organizations have opted to assign the CPO role to an existing member of the executive. Others, typically larger ones, have created a separate CPO position. The choice is yours.
The CPO is your organization’s point person for privacy matters. The CPO is a tangible representation of your organization’s overall commitment to privacy protection. In a recent speech the Privacy Commissioner stated that “CPOs are the front line in the protection of privacy. And they have to be able to be the internal privacy advocates in the organization.”
The CPO must also ensure that appropriate information security safeguards, proportionate to the sensitivity of the information, are in place and are actually used by staff. Such safeguards include physical measures (locked filing cabinets, alarm systems), technological measures (passwords, encryption, firewalls), and organizational controls (security clearances, staff training).
The CPO is also required to ensure that personal information that is no longer required to fulfil the identified purposes is destroyed, erased, or made anonymous.
In addition to daily compliance responsibilities, the CPO also plays a critical role during a Privacy Commissioner investigation. These responsibilities include:
- establishing with the investigator that he/she is the prime contact person;
- keeping a log of contacts, conversations, and correspondence with the Office of the Privacy Commissioner;
- keeping a log or a copy of all records accessed by the investigator;
- being directly involved in any dispute resolution process;
- asking to be kept informed about the investigation process;
- at all times, dealing courteously and professionally with the Office of the Privacy Commissioner; and
- working to resolve the problem with the complainant as quickly and efficiently as possible.
To be an effective Chief Privacy Officer, the person must have a clear understanding of privacy law.
CPOs are often required to make “tough” decisions which may be unpopular within some quarters of your organization. In order to do this, the CPO needs to be cloaked with the authority of a senior position. A senior position ensures the CPO access to the highest levels of management and the resources needed to do the job properly.
The individual chosen as CPO must have credibility within your organization.
The job of the CPO cannot be done alone. The CPO must be able to lead your privacy team and your organization as it addresses sometimes difficult privacy issues.
All CPOs seem to agree that the one critical qualification for the position is patience. The obligations imposed by the various privacy laws are complicated and will require many organizations to change the way they treat personal information, and in a few instances change the way they do business. In some instances, the changes necessary to comply with PIPEDA will be resisted within your organization. An empowered, credible leader with a healthy dose of patience will be most likely to succeed in the CPO role.