Privacy Law Blog
Knowledge Centre

What are the Key Elements of a Privacy Management Program?

March 10, 2025

A comprehensive privacy management program is a key and necessary component of an organization's compliance with its duties and responsibilities with respect to the personal information under its control. A privacy management program helps organizations ensure that they are properly equipped to manage and protect any personal information in their custody or control. The key elements of a comprehensive privacy management program include the following:

1. Designation of an individual responsible for the implementation of the privacy management program. This person will be the point of contact for any privacy-related matters, including privacy questions or concerns. This individual will also be responsible for supporting the development, implementation and maintenance of the organization’s privacy policies and procedures and for ensuring organizational compliance with privacy laws. This individual must be equipped with the resources to do their job and have the support of senior management to implement and promote privacy management.

2. Personal Information Inventory – organizations must maintain an inventory of the personal information collected that includes:

- The types of information collected and who the personal information is about.

- The purpose for collecting, using or disclosing the information.

- The sensitivity of the information.

- Where the information is stored.

The inventory must be reviewed and updated regularly.

3. Clear and comprehensive policies outlining how personal information will be collected, the use that will be made of the personal information, the circumstances under which personal information will be disclosed and how personal information will be protected. An important component of this is ensuring that policies are established to limit the collection of personal information to only that which is necessary for the intended purpose.

4. Privacy impact assessments which will provide a method for evaluating any new projects or initiatives prior to implementation to assess the privacy implications.

5. Data security measures to ensure implementation of appropriate technical and physical safeguards to protect the personal information held by the organization.

6. A process for completing and documenting privacy impact assessments and information sharing agreements and for ensuring that privacy provisions regarding collection, use, disclosure and security of personal information are clearly written into contracts.

7. A documented process for responding to privacy complaints and privacy breaches including a documented plan for how to manage and respond to the potential breach.

8. Educational activities to ensure that employees are aware of their privacy obligations.

9. Development of methods and policies to ensure that service providers are informed of their privacy obligations and to ensure that third parties entrusted with the organization’s personal information are handling that personal information in the manner appropriate to and required by privacy legislation. 

10. A review process to ensure ongoing compliance with privacy regulations.

11. Policies to ensure that only the necessary personal information will be collected for the intended purpose.

12. Risk assessments that include a review of personal information that is held to determine appropriate safeguards to protect the personal information.

Your privacy management program is your coordinated approach to privacy and data protection, and all aspects of the handling of personal information should be considered. A well-thought-out privacy management program ensures that your organization is compliant with privacy regulations and ready to act in the event of any privacy breach.

If you have questions or need further guidance on this topic, don’t hesitate to reach out to a member of our Privacy & Data Protection group.

Important Notice: The information contained in this Article is intended for general information purposes only and does not create a lawyer-client relationship. It is not intended as legal advice from Harper Grey LLP or the individual author(s), nor intended as a substitute for legal advice on any specific subject matter. Detailed legal counsel should be sought prior to undertaking any legal matter. The information contained in this Article is current to the last update and may change. Last Update: March 10, 2025.
