Canada: Privacy Issues And Canadian Businesses: Federal Privacy Commissioner Publishes Results Of 2019-2020 Survey

The Office of the Privacy Commissioner of Canada (OPC) recently released its 2019-2020 Survey of Canadian businesses on privacy-related issues. The survey was conducted between November 29 and December 19, 2019 and consisted of a 13-minute telephone survey to 1,003 businesses across Canada. The survey collected data on the type of privacy policies and practices business have in place, compliance with the law by businesses and their awareness and approaches to privacy protection. The OPC intends to use this data to provide guidance to both individuals and businesses on privacy issues, as well as to enhance its outreach efforts with small businesses.

The OPC identified several key findings:

• At least one-third of businesses incorporate some of the guiding principles in their privacy practices regarding consent. This includes things like making privacy information easily accessible to their customers, being clear to customers when information is collected, used, or disclosed as per their terms of service, and notifying or obtaining consent from customers in the event of a change to the privacy policy
• Roughly two-thirds of businesses surveyed have a privacy policy in place. Of those businesses, many have a policy that explains how the organization collects, uses and discloses customers' information, the purpose for which the information is being collected, what information is being collected and with which parties the information will be shared.
• Half or more of businesses have implemented most of the privacy compliance practices measured in the survey. This includes practices like having a designated individual responsible for privacy issues, establishing processes for responding to customer access requests, regularly providing staff with privacy training and education and documenting internal policies and obligations related to privacy.
• Most businesses have not experienced a privacy breach (approximately 95%); however, concern about a breach is polarized. Thirty percent of businesses are extremely concerned about a breach whereas 33% of companies are not at all concerned.
• Business size continues to be the strongest predictor of a business's privacy practices. Large businesses (with at least 100 employees) are more likely to have implemented privacy practices, such establishing policies and procedures to assess privacy risks and having a privacy policy.

The target responders of the telephone survey were senior decision makers with responsibility and knowledge of their business's privacy and security practices. Of the businesses surveyed, 86% were small businesses (1-19 employees), 10% were medium businesses (20-99 employees), 4% were large businesses (100+ employees) and 2% did not respond or did not know. A significant portion of the businesses were from Ontario (37%) with 21% coming from the Greater Toronto Area (GTA). The business profile was also made up of businesses from Quebec (21%), Alberta (16%), British Columbia (14%), Manitoba and Saskatchewan (7%) as well as Atlantic Canada (6%). The results were weighed by size of the business, sector, and region to ensure that they reflect the actual distribution of businesses in Canada.

The OPC conducts this type of survey every two years with businesses to inform and guide their own outreach programs.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.