Privacy professionals are known for constantly recommending that
organizations develop privacy policies. However, useful privacy
policies require input from experts (which costs money), as well as
an investment of time and effort by employees at different levels
of the organization. Given the competing demands on organizations,
it is not surprising that policies do not always rank high on their
lists of priorities.
So, why should organizations focus on privacy policies? There
are three very good reasons why policies are worth your
1. It's the law
Privacy legislation in Canada specifically requires that
organizations develop and implement privacy policies. For example,
the federal Personal Information Protection and Electronic
Documents Act, SC 2000, c 5, states that:
Organizations shall implement policies and practices to give effect to the
principles, including (a) implementing procedures to protect
personal information; (b) establishing procedures to receive and
respond to complaints and inquiries; (c) training staff and
communicating to staff information about the organization's
policies and practices; and (d) developing information to explain
the organization's policies and procedures. (emphasis
Private sector privacy statutes in Alberta, British Columbia and
Manitoba also explicitly require that organizations "develop
and follow policies and practices" that are
necessary/reasonable for compliance with such legislation.
2. Privacy regulators focus on them
In 2013, the Office of the Privacy Commissioner of Canada and
the Office of the Privacy Commissioner of British Columbia
participated in a global Internet sweep of policies on websites and
mobile apps, together with privacy enforcement authorities in 18
other countries, including Australia, Finland, France, Germany,
Hong Kong, Ireland, New Zealand, Norway, United Kingdom and the
United States. This was the first initiative of the Global Privacy
Enforcement Network, which connects privacy enforcement authorities
for the purposes of promoting and supporting co-operation in
cross-border enforcement of privacy laws. The fact that the
inaugural undertaking by the Global Privacy Enforcement Network was
focused upon privacy policies demonstrates that regulators consider
policies to be a fundamental aspect of privacy compliance.
Furthermore, when privacy complaints are filed, the relevant
privacy commissioner typically reviews the organization's
privacy policies. The question of whether an organization has
developed and followed reasonable privacy policies is often an
important consideration when determining whether the organization
complied with its statutory obligations.
3. They can keep you out of the
An old adage says: "There is no such thing as bad
publicity." Organizations that have recently been subject to
media barrages (and in some cases class action lawsuits) related to
data breaches or poor information handling practices would likely
disagree with this sentiment. Good privacy policies can help an
organization to avoid negative attention that can hurt its
reputation (and its stock prices), because such policies reduce the
risk of privacy breaches. Also, when breaches do occur,
comprehensive privacy policies can be used as evidence that the
organization did everything it could to protect the data.
Of course, in order for privacy policies to be useful in this
respect, they must be tailored specifically to the organization.
The global sweep of Internet policies described above found that a
high percentage of privacy policies were either long and legalistic
or much too brief, and many of these policies contained vague,
over-generalized statements or legalistic regurgitation of
applicable statutes. Such policies are unlikely to be helpful to
In addition, privacy policies are only beneficial to the
organization if employees actually follow them. For more on this,
stay tuned for upcoming Privacy Basics bulletins on privacy
training and privacy programs.
Given these three very good reasons to focus on developing
privacy policies, all organizations should review their current
policies and consider whether they are comprehensive and useful.
Policies relevant to privacy compliance include: (i) internal
commercial privacy policies; (ii) internal employee privacy
policies; (iii) external/web privacy policies; (iv) social media
policies; (v) record retention and destruction policies; (vi) bring
your own device policies; (vii) technology usage/monitoring
policies; (viii) breach response protocols; and (ix) remote
access/working from home policies.
The foregoing provides only an overview and does not
constitute legal advice. Readers are cautioned against making any
decisions based on this material alone. Rather, specific legal
advice should be obtained.