Privacy Compliance: Another Corporate Governance Issue

Privacy compliance is a corporate governance issue and should be subjected to the same due diligence testing as other elements of an organization’s statutory compliance requirements. The new privacy laws establish standards not only for corporate governance, but also for privacy rights of individuals, which, if compromised, may expose the organization to significant liability.

To ensure that their privacy compliance frameworks satisfy these new standards and shield them from liability exposure, organizations should initiate a program of an annual privacy audit. Most organizations made significant efforts to achieve privacy compliance by January 1, 2004, the full effectiveness date for PIPEDA and the B.C. and Alberta privacy laws. Now, with more than a year’s experience under the new procedures, organizations should have already undertaken their first audit to test the system and identify gaps.

Indeed, under the new private sector privacy laws, the privacy compliance audit is an integral part of an organization’s privacy compliance infrastructure. In essence, the compliance audit should take the form of a periodic review by an organization, designed to assess the status of its privacy compliance systems, to determine how they measure up against the requirements of the new laws, to identify any deficiencies, and to make recommendations to close those deficiencies. In short, the audit, like a financial audit, should provide the organization, its governing body and its stakeholders with an opinion on the organization’s privacy compliance status.

When Should the Audits be Conducted?

The audit should be conducted on a periodic basis. An annual audit is the best practice. An annual review of the organization’s privacy compliance would enable it to demonstrate a level of due diligence that should satisfy most regulatory scrutiny and, arguably, legislative requirements. Whether or not an organization commits to annual audits, it is recommended that all organizations with significant privacy exposure (i.e., those that are significant collectors and users of personal information) should have undertaken an audit early this year to test the effectiveness of their compliance efforts marshalled to meet the January 1, 2004 in-force date of the new privacy laws.

Why an Audit?

Most, if not all, commercial organizations with significant privacy exposure committed resources during the latter half of 2003 directed at achieving what they or their advisors perceived as a sufficient level of privacy compliance. Certainly, the perceived requirements differed among organizations, depending on many factors, not the least of which was the lack of clarity in the law regarding the exact detail and nature of those requirements. Now, with more than a year’s experience gained in working with the new procedures, it is appropriate for organizations to test the system and identify any gaps that may have been overlooked at the design stage, or with operational experience that may have become evident where they were not before. Above all, however, an audit will enable the organization to determine how well (or poorly) the system is working.

The privacy compliance audit must be an integral part of an organization’s compliance infrastructure. Whether performed by an external auditor or internally, the audit enables the organization to ensure its ongoing compliance with the new laws and, by doing so, to minimize its exposure to both regulatory and civil liability.

As well, compliance with the new privacy rules can, significantly, be characterized as a corporate governance issue. Society, primarily through the medium of the new laws, has established new, higher standards for organizations in their treatment of the personal information provided by (or collected about) their customers, prospective customers, employees and other individuals who have dealings with them. These laws address both the uses and the protection of personal information. Such data can no longer be perceived simply as a property right that may be acquired and used for the purposes of the organization. Personal information, if it is “owned” by anyone, is the property of the individual to whom it relates; individuals may convey rights of use (and potentially ownership) to organizations, but those rights must be clearly articulated and, typically, limited. Individuals have a right to require organizations that hold their information not only to use and disclose it strictly in accordance with the terms on which they provided it, but also to protect the information from loss, corruption or misuse.

Who Should Carry Out the Audit?

The privacy compliance audit may be conducted in one of several ways. It may be conducted internally by the organization. Best practice dictates that if performed internally, the audit should be carried out by a part of the organization separate from that which is responsible for privacy compliance on a day-to-day basis (i.e., the Privacy Office). Many large organizations have internal audit departments that could effectively perform the role. However, many other organizations do not have this capability but have only limited resources, outside of the Privacy Office, to perform the audit. In these organizations, the only practical option will be for the Privacy Office to perform the function.

Whichever part of the organization is tasked with the audit, guidance should be sought from an external resource to assist in designing the project and establishing the audit criteria. This will ensure that the initial design has the benefit of both internal and external expertise, including potentially conflicting views as to compliance criteria and applications of the new laws. It should be borne in mind that once the framework and design has been established for purposes of this initial audit project, essentially the same model can be applied in subsequent periods, with only appropriate adjustments needed as may be dictated by changing laws or new areas of privacy focus within the organization. The initial audit exercise should involve the development of a model that reflects both the organization’s operations and all relevant privacy criteria.

An alternative to the internally conducted audit is for the review to be performed by an external resource such as a legal, accounting or consulting firm with sufficient specialized expertise. The externally conducted audit provides an audit capability independent of the Privacy Office where one does not exist within the organization, as well as providing external expertise in design and audit criteria. As a further alternative, the organization may decide to combine resources provided by an external firm with its internal resources. Under this model, the design of the audit would be developed jointly by a project team encompassing both the internal audit personnel and representatives of the external advisor. Allocation of responsibilities for execution of the work would be determined by the team.

Audit Report

The report of the privacy compliance audit should be addressed to the Privacy Office. If appropriate, the report could also be addressed to other senior management and, potentially, the Board of Directors.

The Auditor’s Report should comprise:

  1. a report outlining the review conducted, including – in greater or lesser detail as deemed appropriate – an itemization of the areas of activity within the company that were reviewed;
  2. a review of each of the key categories of the privacy system – [only partly suggested above and set out more fully in the unexpurgated version of this article] – and providing comments as to compliance status and identifying deficiencies, if any; and
  3. an opinion on the organization’s privacy compliance status relative to legal requirements and best practices, including recommendations for change.

Some Final Words

Completion of the privacy compliance audit is a key step in addressing the organization’s due diligence obligations under the new privacy laws. The review of its current system will serve as a key input for the Privacy Office to identify adjustments required to maintain the organization’s compliance status.

David Young is a partner and Co-Chair of the Privacy Law Group in Toronto. Contact him directly at 416-307-4118 or dyoung@langmichener.ca.

This article appeared in InBrief Summer 2005, and a longer version entitled The Privacy Compliance Audit appeared in Privacy Brief Winter 2004. To subscribe to these publications, visit our Publications Request page.
