A review of the recently released Annual Report of the Office of the Privacy Commissioner of Alberta reveals some interesting statistics concerning the Freedom of Information Act (FOIP), the Health Information Act (HIA) and the Personal Information Protection Act (PIPA).
The majority of the Office's activity under HIA was focused on impact assessments at the request of custodians of information. 70% of cases under FOIP were as a result of complaints from the public. 32% of cases under PIPA were privacy complaints; 57% were opened in response to requests or complaints of the public. 83% of PIPA cases were resolved in the mediation/investigation process. There were significantly more breach cases over 2010, when the requirement to notify of breaches under PIPA came into effect – 92% more.
Beyond the statistics
Looking beyond the numbers, we can gain some insight into areas that organizations would do well to focus on in the coming year. In the private sector, for example, organizations that are subject to PIPA can learn from the most common mistakes made by others. The most common complaints under PIPA were:
1. The over-collection of personal information.
Lesson: Always limit what information your organization collects and retains; it is an easy way to lower your risk that is often overlooked.
2. Lack of reasons for collecting info provided to individuals at time of collection.
Lesson: It is essential to understand what your organization collects information for and to make that known, not just in a privacy policy but on forms used to collect info, and to ensure staff can explain the need for information they request.
3. Marketing practices and the inability of individuals to easily refuse marketing.
Lesson: Start preparing for the new Anti-Spam legislation and coordinate marketing and privacy functions in your organization.
Reviewing the common causes of breaches is also instructive. While criminal activity and system failures accounted for some breaches, the most common cause was human error. This is a good reminder that privacy protection needs to be a culture in an organization to be truly effective.
As 2013 unfolds and we turn our minds to a new year, make a review of your organization's privacy practices, using the Office's statistics as a guide, your New Year's resolution.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.