Privacy Commish Issues Guidance for IT Administrators

On Dec. 4, 2012, the Ontario Information and Privacy Commissioner published a paper called “Operationalizing Privacy by Design: From Rhetoric to Reality” setting out a framework to help organizations design and implement effective IT privacy policies and practices. The paper lists 7 recommendations for employers:

  1. Approach privacy issues proactively rather than reactively;
  2. Make privacy the default setting for collection, use and disclosure of personal information, i.e., when in doubt, err on the side of too much rather than too little privacy;
  3. Make sure privacy controls are embedded into IT systems and designs;
  4. Treat privacy as a benefit rather than something you “trade off” as a cost of doing business;
  5. Don’t confuse privacy with information security; to ensure security, implement encryption by default for devices that can be lost or stolen, along with secure information destruction practices;
  6. Be open and transparent about your organization’s privacy policies and practices; and
  7. Look out for the end user’s privacy even if the end user doesn’t do it himself/herself.