What should your privacy policy include?

A detailed written privacy policy is a key component of a privacy management program. A well written privacy policy will include the following components:

1. A statement of your organization’s commitment to protect the personal information it collects.
2. A statement that your organization intends to comply with privacy regulations.
3. A definition of personal information.
4. The types of personal information your organization collects.
5. The purposes or reasons for collecting the personal information.
6. How your organization will obtain consent to collect personal information.
7. The method for withdrawal of consent to collection of personal information.
8. The limits on the use and disclosure of the personal information that is collected.
9. That individuals have a right to access their personal information and how the personal information can be accessed.
10. The steps your organization will take to maintain the accuracy of personal information.
11. Retention periods for storing personal information.
12. How and when personal information will be destroyed after the retention period ends.
13. Administrative, physical and technological security controls to protect personal information.
14. Your organization’s process for lodging and managing privacy complaints.
15. The contact information for the privacy officer in your organization.
16. Mandatory reporting of suspected breaches to the privacy officer or a senior manager.

Taking the time to draft a well thought out, comprehensive privacy policy will help ensure that your organization is compliant with the responsibilities imposed on it by law for the handling of personal information.

If you have questions about this or other privacy-related matters, please get in touch with Rose Keith, KC or another member of our Privacy and Data Protection team. For more blog posts, click here.