The first principle of the 10 Privacy Principles of PIPEDA is Accountability.
The principle of Accountability states that an organization shall designate someone to be accountable for the management of personal information. This includes the collection, usage, disclosure, retention, and transfer of personal information to third parties for processing.
The Privacy Officer
The title of the person performing this role is usually known as a Privacy Officer or a Chief Privacy Officer (CPO), depending on whether the role is at an executive level within an organization.
It is not necessary to externally hire a privacy officer for the position. Many organizations simply choose to promote and train someone to this role internally.
It is not only a good idea to publish the role of a privacy officer internally and externally – it’s also good business sense. Employees, as well as customers and external stakeholders, will gain confidence in an organization when they know the organization is serious about privacy.
Part-time or Full-time?
Depending on the size and business an organization is in, the role of a privacy officer may not provide sufficient work to warrant a full-time position.
Smaller organizations usually make the role of a privacy officer secondary to an employee’s primary role. Larger organizations, especially those that manage large amounts of personal information, will usually have a full-time privacy officer or choose to blend this role with the executive Chief Information Officer, human resources, or a corporate lawyer.
The privacy officer must develop procedures to protect personal information and effectively receive and respond to complaints and inquiries about the way the organization manages personal information. The privacy officer should also develop materials to train staff and communicate this information internally and externally.
This therefore requires that the privacy officer have an intimate understanding of the business the organization is in and exactly how it manages personal information across the entire organization.
Third Party Protection
Another requirement under this principle is that the privacy officer is not only responsible for the management of personal information under the organization’s control, but also the personal information it transfers to a third party for processing.
When creating contracts with third parties, an organization should ensure that a clause is included stating that the third party will provide a comparable level of privacy protection.
The organization may also choose to perform audits on third parties to ensure that their policies and procedures are adequate. If so, the details of the audit procedure should be written into the contract.
Remember, an organization is not “off the hook” once it transfers information to a third party.