Privacy policy is not enough

September 25, 2012

By Ann Cavoukian, Ph.D., Information and Privacy Commissioner of Ontario

When a privacy breach occurs, it can be a nightmare for those affected and take years to rectify. Affected persons may be put at risk for identity theft and other deceptive practices, depending upon the nature of information disclosed. Your organization can also suffer irreparable damage to its reputation, and your bottom lines could also take a substantial hit if there is legal action.

Having a privacy policy cannot, by itself, protect personal information held by an organization. That is why I have produced a new paper, “A Policy is Not Enough: It Must be Reflected in Concrete Practices,” a guide in effect, which outlines a proactive Privacy by Design approach to reducing the risk of privacy harm arising in the first place, while preserving a commitment to functionality. The seven-step action plan outlined in the paper can be used by organizations of any size, and from any sector, as practical guidance for effectively translating their privacy policies into privacy practices.

Privacy by Design, which was unanimously approved as an international framework for privacy protection in 2010, seeks to embed privacy into the design specifications of information technologies, organizational practices and networked system architectures, to achieve the strongest protection possible, as the default condition. Privacy by Design’s flexible, innovation-driven approach to achieving privacy can help to encourage your organization to both internalize the goal of privacy protection and seek out ways to achieve it.

It is important to develop education programs that begin with an orientation and remain current through ongoing training. Employees must learn about limitations placed on access to, and use of, personal information, and they need to know about the procedures to be followed if someone makes a request for personal information held by the organization. As well, each organization should designate a knowledgeable “go-to” person who can handle privacy-related questions and concerns. For larger organizations, I strongly recommend a Chief Privacy Officer be appointed.

Integrating compliance audits and informal reviews into your organization’s procedures will help you detect new privacy challenges early, and enable you to update your policies and procedures to deal with issues before a privacy breach occurs.

Despite your best-laid plans, there is still a chance that a breach will occur, and it is important to plan for this by ensuring you have a data breach protocol in place. This would allow you to act both quickly and effectively to meet the expectations of the public, consumers and regulators, and to preserve your organization’s reputation.

The most important point I want you to take away is that a policy is not enough – you have to put it into practice! This means you have to communicate it, educate your staff, and have measures in place to ensure that the policy doesn’t just sit on a shelf somewhere, but is translated into concrete actions.
Dr. Cavoukian will be speaking at the NAID-Canada Data Destruction Policy and Training Development Workshop in Toronto Oct. 18. For more information about the workshop, visit