SASKATOON — Lawyer and corporate director Patricia McLeod gave Saskatchewan hoteliers a toolbox to help them navigate the world of compliance with privacy legislation and gave tips on preventing cyber security breaches at the SHHA's Hotel, Bar and Restaurant Conference held at TCU Place in Saskatoon recently.
Breaches and their implications have been in the news this past spring, as data from 87 million Facebook users was shared with Cambridge Analytica in one of the social network’s largest data breaches. And emails requesting permission are popping up in inboxes as the European Union has passed legislation tightening the rules involving consent.
In Canada, data protection and cybersecurity are governed by complex legal and regulatory frameworks. Failure to understand and take active steps to reduce these risks (or the impacts of a breach) can have serious legal, financial and personal liability consequences for organizations and leaders.
There are two levels of legislation in Canada, the federal act, PIPEDA, and in some provinces, provincial legislation that is substantially similar to the federal legislation, McLeod said.
What is personal information?
It's difficult to say what personal information is; it's easier to say what it's not, McLeod told the hoteliers in the room. “What is on your business card — your name, company, address and phone — is not personal information. Nearly everything else is: your birthdate, opinions, financial information, thumbprint, biometrics, blood, voice recordings….”
Companies think they're providing great customer service when they are able to look at their computer and say to a guest, “How was your anniversary?” But privacy compliance depends on how you obtained that information, whether the guest wanted you to know about their anniversary, and whether you obtained their consent to keep that information, say if you wanted to send them an offer of a deal on their anniversary. The information should be used for that purpose only, and if you keep it, you need to protect it.
While the law doesn't make a distinction, there is such a thing as sensitive information — information about health, financial information and information that would facilitate identity theft.
McLeod provided 10 principles of information practices.
Principles of Information Practices
1. Accountability belongs to all of us.
2. Identify the purposes for which you are collecting the personal information.
3. Always obtain consent.
4. Limit collection to only that information which you reasonably require.
5. Limit use, disclosure, retention — use or disclose personal information only for the purpose for which it was collected, and keep it only as long as necessary to satisfy that purpose.
6. Ensure accuracy when recording or disclosing personal information.
7. Safeguard personal information from unauthorized access, disclosure, copying or use.
8. Practice openness about our management of personal information by directing clients and employees to the company's Privacy Statement.
9. Provide individuals with access to their information, and correct or amend it as necessary to ensure accuracy and completeness.
10. Provide recourse by developing simple and accessible complaint procedures, and taking appropriate measures to correct information handling practices and policies where necessary.
— Source: Western Financial Group