Last year, when Canadian Imperial Bank of Commerce subsidiary Talvest Mutual Funds was forced by the federal privacy commissioner to reveal it had lost a file containing confidential information on almost half a million clients, Jeff Green must have felt a shudder of sympathy mixed with schadenfreude. Such a public drubbing over handling of private data is the nightmare of any chief privacy officer — especially one who works for a bank.
But for Mr. Green, the privacy czar at Royal Bank of Canada, it's not accidental gaffes but targeted attacks that cause the most concern. "We have to ensure that the information clients have given us is safeguarded, and is only used for the purposes for which they have given it to us," he says. Working in concert with RBC's chief information security officer — as well as privacy "designates" or "champions" at every business unit and branch who report to his team — Mr. Green is responsible for putting in place policies that protect clients' data and training employees in these procedures. Recently, his team launched a Phishing Resource Centre to help customers avoid tricksters digging for their financial information. Scammers who go "phishing" use official-looking websites or e-mails to try to get customers to supply their personal or account information.
High-level executives charged with keeping consumer data safe from scammers and snoopers are increasingly common at major Canadian companies, especially those with vast databases of personal client information, such as financial institutions, utilities and telcos. And, according to a report by Forrester Research in Cambridge, Mass., their efforts are making Canadian corporations privacy leaders.
"The Privacy Commissioner in Canada and individual provincial commissions have highlighted privacy as an issue, and so consumers are more aware of it and are pushing for it more," says Jennifer Albornoz Mulligan, the report's author. As a result, among the more than 2,000 organizations in five European and North American countries surveyed, Canadian companies came out on top as most likely to implement comprehensive privacy programs, educate employees about privacy and track privacy policy breaches.
Forrester found that 84 per cent of Canadian organizations — the highest proportion — reported having formal privacy programs involving representatives from multiple departments, compared with fewer than half the companies in France. As well, nine out of 10 Canadian organizations polled said they go beyond personal data to cover corporate information in their policies — again, the highest percentage among the countries studied.
Ms. Albornoz Mulligan notes that privacy laws vary around the world, but Canada benefits from having national legislation. The Personal Information Protection and Electronic Documents Act, introduced in 2001, applies to most businesses that collect, use or disclose personal information. The act requires that someone be accountable for implementing and monitoring policies covering the reasons for obtaining the information, ensuring consumers have consented to the data-gathering and safeguarding against unauthorized disclosure.
Today, chief privacy officer responsibilities are often tacked onto those of the head of information technology or security, but Ms. Albornoz Mulligan expects to see more dedicated privacy czars at public companies. "People have been mostly concerned about security, so privacy was given short shrift. But a lot of solutions to security problems are technology-based, while privacy is more about process and education than technology." That said, she adds, "If you don't have good security, you can't have privacy."
