1. What is privacy?
2. What is personal information?
3. What is the PIPEDA? Who does it apply to?
4. What are the “privacy rules” covered by the PIPEDA?
5. What is the most important thing a business can do to make customers feel more comfortable about how the business protects their privacy?
6. What does independent verification mean? What does it entail?
7. What do consumers want independently verified?
8. Can’t laws or regulations get companies to comply with their privacy policies? Isn’t this sufficient for consumers to trust the company?
9. What is privacy-related risk?
10. What are value-added privacy services?
11. How long have CA firms been doing privacy examinations?
12. Why are CAs performing privacy examinations? What are the benefits to businesses? What are the benefits to consumers?
13. Are privacy examinations part of a CA’s responsibility to a client or employer?
14. Why is it better for a CA firm to examine a company’s privacy practices than for the company to self-declare that it complies with its privacy policies?
15. What is the CICA doing to support CAs in their privacy protection efforts?

Question 1: What is privacy?

Privacy encompasses the rights and obligations of individuals and organizations with respect to the collection, use, disclosure and retention of personal information. One of today’s key business challenges is maintaining the privacy of a customer’s personal information. As business processes become more complex and sophisticated, more and more personal information is being collected and used. As a result, the privacy of personal information has become more vulnerable and is a critical concern for organizations, the government and the public in general. With identity theft, which Canada’s Privacy Commissioner has called the fastest-growing crime in North America, and financial or medical records being accessed inappropriately, consumers fear they have lost all control over their personal information.

To calm those fears and to comply with the PIPEDA legislation, businesses must establish a privacy program.
Question 2: What is personal information?

Personal information is information about an identifiable individual that includes any factual or subjective data, recorded or not, in any form. Personal information might include, for example:
- name, identification numbers, address, income or hair colour;
- employee files, evaluations and disciplinary records;
- driving records and credit or loan records;
- documented disputes between consumer and merchant;
- intention to acquire goods or services.
Some personal information is considered sensitive and, therefore, prone to abuse if handled improperly. Sensitive personal information might include information on medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and sexual preference.

Question 3: What is the PIPEDA? Who does it apply to?

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) creates an enforceable right to privacy with respect to the collection, use and disclosure of personal information by private sector organizations. The PIPEDA governs “organizations,” a term that includes persons, associations, partnerships and trade unions. The term “persons,” in turn, includes corporations as well as individuals. Organizations are generally subject to the Act in connection with the collection, use or disclosure of personal information in the course of a commercial activity.

PIPEDA is currently undergoing a mandatory five-year review by the Standing Committee on Access to Information, Privacy & Ethics. The Committee’s report is expected to be presented to the House of Commons in spring 2007.

Question 4: What are the “privacy rules” covered by the PIPEDA?

The PIPEDA is groundbreaking legislation because it establishes Canada as the first country to implement private sector privacy rules based on national standards, the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information. Formally launched in 1996, the CSA Model Code contains privacy principles that address the challenges faced by businesses in accommodating the personal information protection concerns of customers and employees and the varying circumstances under which personal information is collected and used for commercial purposes. It is technologically neutral, representing solid core principles that apply equally to paper-based files and electronic commerce.

At a minimum, the PIPEDA calls for the following principles to govern the collection, use and disclosure of personal information: accountability, identifying the purposes for the collection of personal information, obtaining consent, limiting collection, limiting use, disclosure and retention, ensuring accuracy, providing adequate security, making information management policies readily available, providing individuals with access to information about themselves and giving individuals a right to challenge an organization’s compliance with these principles.

Question 5: What is the most important thing a business can do to make customers feel more comfortable about how the business protects their privacy?

The most important thing a company can do to make its customers feel more comfortable about their privacy is to have its privacy policies and practices independently verified by an outside third party. Having a clear and accessible privacy notice and a responsible individual (Chief Privacy Officer) are important and necessary first steps towards earning independent verification reports.

Question 6: What does independent verification mean? What does it entail?

Independent verification involves testing the people, processes, technology and controls that ensure a company is following its stated privacy policies and practices. An independent verification report provides assurance that a company is doing what it says. Independent means performing the verification objectively and without conflicts of interest. CAs are in the business of providing assurance services, the most well recognized of which is the financial statement audit. An audit report signed by a CA is valued because CAs are knowledgeable about financial accounting and assurance matters, and are recognized for their independence, integrity, objectivity and discretion. Financial statement assurance is only one of the many kinds of assurance services that CAs provide.

They also provide assurance on subject matter such as internal controls and compliance with specified criteria. The business and professional experience, subject matter expertise (privacy, security and control), and professional characteristics (independence, integrity, objectivity and discretion) needed for such engagements are the same key attributes that enable a CA to comprehensively and objectively assess the risks and controls associated with systems reliability. In addition, CAs are required to follow comprehensive ethics rules and professional standards when providing professional services.

Question 7: What do consumers want independently verified?

A 2002 Harris Interactive study indicates that consumers want the following items related to a company’s privacy policies and practices independently verified:
- maintenance of security procedures to protect personal data;
- release of personal data to third parties only with explicit consumer consent;
- collection and sharing of personal information in conformity with the company’s stated privacy policies; and
- maintenance of internal controls to limit access to personal information to authorized users.
By definition, independent verification requires that each of these actions must be verified against a set of standards for performance. The CA profession is the only one that uses a set of standards for the audit and reporting on controls, ethical standards for the conduct of the work, and requirements for independence in appearance and fact from the organization for which they issue the report. These audit standards are expanding to include specific criteria for practitioners to evaluate new trust issues, such as privacy.

Question 8: Can’t laws or regulations get companies to comply with their privacy policies? Isn’t this sufficient for consumers to trust the company?

A study conducted by Harris Interactive for Privacy & American Business (sponsored by the American Institute of Certified Public Accountants and Ernst & Young) has shown that existing efforts by companies have not done enough to alleviate the public’s privacy concerns, including compliance with privacy laws or regulations. Consumers indicated that they are most trusting of companies that have undergone independent verification of their privacy practices. Laws to date have not been effective in building trust and confidence among consumers, and the survey reinforces this point. Leading companies and those seeking to be winners in the economic recovery are taking a proactive, robust and holistic approach to privacy. Leaders treat the personal information collected from consumers and employees as a strategic asset. Forward-thinking companies invest in and maintain the processes for this data collection, protection and destruction as critical infrastructure processes. Leaders are active in their communication of privacy policies and practices, and are focused on communicating their trustworthiness to stakeholders as a matter of brand image and demonstrated leadership.

Leading companies develop privacy policies that reflect their corporate philosophy, business model and the needs of their target market. They understand what kinds of information they are collecting, how they use such information, how they share it and whether they really need it. They benchmark these policies, not only against industry-specific laws, but also against accepted fair information principles and any self-regulation programs that the company has pledged to meet. Leaders design their policies and practices to attract and retain consumers, not just to meet minimum compliance requirements. Laws will continue to change to try to address the greatest concerns of the public. Leading companies do not wait for the issues that prevent the active participation of their consumers to get to the point of requiring regulated responses.

Question 9: What is privacy-related risk?

Protecting the privacy of personal information presents management with a number of risks to be addressed, including:
- Image and Branding – breaches in privacy protection have the potential to negatively affect an organization’s image and brand, and hence its perception in the marketplace.
- Financial Loss – significant financial loss may result from breaches in privacy protection, directly (for example, to re-issue credit cards) or indirectly (for example, lost customer loyalty and sales).
- Stakeholder Loss – the marketplace may react to breaches in privacy protection by having a negative impact on an organization’s stock, resulting in a loss of market capitalization.
- Regulatory Compliance – failing to comply with regulatory requirements may result in poor public relations, as well as fines and penalties.
- Business Partner Confidence – business partners who share personal information but fail to adequately protect that information may suffer a loss of confidence and trust.
- International Agreements – when an organization cannot meet established privacy standards, certain international privacy laws may restrict or prohibit the export of personal information.
To determine the significance of such risks, it is important to conduct a privacy risk assessment. The results of that assessment will dictate whether, and to what extent, a privacy compliance regime should be implemented.

Question 10: What are value-added privacy services?

CAs can provide a number of value-added privacy services, for example:
- assessing and managing privacy risk;
- developing a privacy philosophy and strategy;
- providing privacy advice and training;
- preparing and reviewing privacy policies;
- facilitating the development and implementation of privacy compliance programs, such as the existing WebTrust Seal of Assurance, to help protect online privacy;
- providing assurance on the effectiveness of privacy control systems.

Question 11: How long have CA firms been doing privacy examinations?

Although it varies among firms, privacy is a trust issue on which CAs have been advising clients for many years. CAs have been contributing to the privacy debate, standards organizations, and thought leadership since the debate began. It is a natural fit for CAs to provide advice to clients about their internal controls and data protection. Personal information is just another data set with which CAs have worked to help clients manage and control more effectively.

Question 12: Why are CAs performing privacy examinations? What are the benefits to businesses? What are the benefits to consumers?

CAs are in the business of helping build trust — around financial statements, and now issues like privacy — and this is a natural evolution of the services they provide to clients. Benefits to businesses are that they can establish trust with consumers, build their brand, and manage privacy-related risks. Benefits to consumers are that they have increased confidence and trust in a business that has had its privacy practices independently verified.

Question 13: Are privacy examinations part of a CA’s responsibility to a client or employer?

The audit of privacy policies is not typically included in the audit of financial statements. In the normal course of the financial statement audit, CAs often examine the controls over the processing and protection of financial data. CAs have developed the skills necessary to effectively examine these information management processes. Organizations are asking CAs to examine other data management processes such as those supporting privacy policies.

Question 14: Why is it better for a CA firm to examine a company’s privacy practices than for the company to self-declare that it complies with its privacy policies?

One of the key issues for consumers is that they do not trust a company’s stated privacy policies and practices. They are concerned about privacy breaches or inappropriate use of personal information. Although it is important for a company to make declarations of its policies and practices to its customers, the trust issue is not fully addressed until the company can get the customer to believe it is complying with those privacy policies and practices. A CA firm can provide assurance through independent verification that a company complies with acceptable privacy standards for protecting personal information.

Question 15: What is the CICA doing to support CAs in their privacy protection efforts?

Privacy is a governance and risk management issue. Accordingly, many organizations are looking for assistance in managing privacy risk and implementing privacy programs. In response, the Canadian Institute of Chartered Accountants (CICA) has prepared a number of guidance materials including [1]:
- Generally Accepted Privacy Principles (see below)
- 20 Questions Businesses Should Ask About Privacy
- Privacy Resource Guide (see below)
- Privacy Compliance: A Guide for Organizations & Assurance Practitioners
- Incident Response Plan.
The CICA and the American Institute of Certified Public Accountants (AICPA) jointly established a Privacy Task Force in 2001. In 2006, the Task Force published Generally Accepted Privacy Principles (GAPP), which contains 10 privacy principles and related criteria that are essential to the proper protection and management of personal information. These privacy components and criteria are based on internationally known fair information practices included in many privacy laws and regulations of various jurisdictions around the world and best practices. GAPP can be used by CAs, both in industry and in public practice, to assist the organizations they serve in addressing privacy issues. [2]

The CICA has also published a Privacy Resource Guide to provide CAs with a privacy knowledge base along with methods and detailed illustrations that can be used to:
- strategically guide management in developing a privacy plan;
- diagnose an organization’s privacy practices and assess privacy risks;
- operationally guide management in developing and implementing a privacy program;
- manage and sustain privacy policies and procedures against measurable criteria;
- guide a CA firm in providing assurance based on measurable criteria and cultivating a privacy practice.
Using the Privacy Resource Guide, CAs can offer organizations a full range of value-added services. [3] This includes privacy strategic and business planning, privacy gap and risk analysis, benchmarking, privacy policy design and implementation, performance measurement, and independent verification of privacy controls.

[1] Other privacy-related guidance materials are available, free of charge, at the CICA online privacy resource centre (www.cica.ca/privacy).
[2] Generally Accepted Privacy Principles is available, free of charge, at the CICA web site (www.cica.ca/privacy).
[3] Privacy Resource Guide, Solutions for Today’s Privacy Issues, can be ordered online from the CICA bookstore. To order, visit www.knotia.ca/store, call the CICA order department at 416-977-0748 (Toronto) or 1-800-268-3793 (rest of Canada) or send a fax to 416-204-3416 and ask for product #02980.