Privacy Management Plan
The intention of this document is to describe how XCompany intends to fulfill its privacy compliance obligations as a company.
- Committing to Privacy as an important organizational value.
XCompany is committed to promoting best practices in privacy compliance as an organization. The Privacy Officer will encourage all people and organizations working with the company to consider the privacy implications of all internal and external transactions.
- Choosing a Privacy Officer
XCompany will appoint a Privacy Officer for the company and will ensure that they have the proper resources and authority to carry out their duties. The Privacy Officer is responsible for overseeing the development, implementation and maintenance of the organization’s privacy management program.
These responsibilities of the Privacy Officer include the following:
- Monitoring and updating the personal information inventory continuously to keep it current and to identify and evaluate new collections, uses and disclosures.
- Reviewing and revising policies as needed following assessments or audits, in response to a breach or complaint, new guidance, industry-based best practices, or as a result of environmental scans.
- Conducting privacy impact assessments and security threat and risk assessments so that the privacy and security risks of changes or new initiatives within the organization are always identified and addressed.
- Reviewing and modifying training and education on a periodic basis as a result of ongoing assessments and communicating changes made to program controls.
- Reviewing and adapting breach and incident management response protocols to implement best practices or recommendations and lessons learned from post-incident reviews.
- Reviewing and, where necessary, revising requirements in contracts with service providers.
- Updating and clarifying external communication explaining privacy policies.
The Privacy Officer of the company shall be the Operations Manager until such time as the CEO otherwise determines.
- Personal Information Inventory
XCompany is able to identify the personal information in its custody or control, its authority for the collection, use and disclosure of the personal information, and the sensitivity of the personal information.
Privacy law is focused on the protection of personal information. In Canada, any information that can be used to identify an individual, either by itself or in combination with other information, is defined as personal information.
Personal information can include the following (this list is not exhaustive):
- Name;
- Home address;
- Home phone number;
- Personal email address;
- Gender;
- Image;
- Personal health number;
- Medical and genetic information;
- Emergency contact information;
- Names of family members and relationship;
- Date of birth;
- Social insurance number;
- Driver’s license number;
- Driver’s abstract;
- Employment history;
- Education;
- Income;
- Passwords; and,
- Financial information (including bank branch, bank account #, credit card #, etc.)
Some personal information is more sensitive or more vulnerable than other personal information. Although current Canadian privacy law does not define sensitive personal information, organizations must consider the sensitivity of the personal information they hold and safeguard it accordingly. As a general guideline, information that includes identifying numbers can be used for identity fraud and should be considered sensitive. This includes birth date, social insurance number, driver’s license number, banking information, etc. Health-related information is also considered sensitive.
- Privacy Officer Training
The Privacy Officer shall complete such training and professional development as they deem appropriate to keep up to date with best practices for privacy compliance.
- Completing a Privacy Impact Assessment
The Privacy Officer shall complete a Privacy Impact Assessment in the form attached as Schedule A whenever a new project or a new system is implemented that needs to be evaluated from a privacy compliance lens.
- Implementing Privacy Policies and Practices
The following company policies have been implemented; it is the responsibility of the Privacy Officer to review and update them regularly as necessary:
- HR Policy Manual
- Website Privacy Policy
- Website Terms of Use
- Cookies Policy and Cookies Preferences Pop-Up
- Employee NDA
- Contractor NDA
- Technology Acceptable Use Policy
- Privacy Breach Management Plan
The Privacy Officer shall maintain and implement as necessary a privacy breach management plan for the company.
The Privacy Breach Management Plan shall consist of the following four steps:
- Identify the privacy breach.
A privacy breach is the unauthorized access to, disclosure of, or use of personal or confidential information that is collected and held by the company. Privacy breaches can occur for various reasons, including but not limited to: unauthorized access to information, data theft, failed security measures, improper handling of data by employees or contractors, third-party breaches, or technical malfunctions.
A privacy breach may be identified by an employee, contractor, client or other person and shall be immediately reported to the Privacy Officer.
- Evaluate the risks. Within 48 hours of being informed of a privacy breach, the Privacy Officer shall take all appropriate steps to evaluate the risks of the breach, including identifying the types of information disclosed, the size of the breach, and its causes (including an evaluation of the technology involved and whether the cause was an error or a malicious act). The Privacy Officer may need to engage external expertise as required to complete this investigation and evaluation.
- Notify any appropriate parties of the breach. The Privacy Officer must determine whether any notification is required under applicable privacy legislation to parties whose personal information or confidential information has been involved in the breach. The form of notification (email, letter, etc.) will be chosen and notification will be sent within 3 weeks of the breach being identified. The Privacy Officer will document all decisions made about notification and all notices sent.
- Take preventative measures to prevent the breach from happening in the future. Within 2 months of the breach occurring, the Privacy Officer will conduct a review of the Privacy Management Plan and debrief the privacy breach incident with appropriate persons within the organization. The Privacy Officer will determine whether additional policies, training, resources or technology solutions are required to prevent and contain future privacy breaches.