David Fraser has an excellent post on how to handle customer privacy complaints under the Personal Information Protection and Electronic Documents Act (PIPEDA). Notably, David stresses the importance of instilling a privacy-centric culture. This point cannot be emphasized enough – your people must be sensitized and alive to the importance of this issue. Money quote:
All businesses need to think about information through the eyes of their clients. Even more, they need to think about it through the eyes of their most sensitive, paranoid clients. Personal information is important and must be treated accordingly.
David’s comments on who ought to fill the role of CPO are also apposite:
I’m often asked by my clients about who should assume the role of privacy officer for their company. If they are a large company, they often think it should be their in-house counsel. At first blush, this seems sensible since a lawyer has the tools to understand and apply the law. I always say that it depends upon the individual lawyer. Many lawyers reflexively get defensive and switch into denial mode. (Or at least begin denying until they have a chance to investigate.) Because this is a customer service issue as well as a legal issue, the privacy officer needs to be customer-friendly. Not all lawyers have this trait. Automatic denials and switching to "damage control" tend to escalate matters, while empathy, understanding and focusing on a solution for the customer will calm the situation. A lawyer with privacy expertise should always be consulted, because this is a legal, risk-management issue. Few employees have the knowledge of PIPEDA to fully understand the company’s obligations and the risk it faces in a particular situation.