Privacy regulation and the role of legal counsel
People are justifiably concerned about their identity being stolen by perpetrators of fraud. Victims of identity theft suffer disruption of lifestyle, severe emotional stress and financial losses.
In this age of corporate accountability, employees and private individuals are entrusting companies with holding their personal information and keeping it confidential and secure — and therefore not susceptible to being compromised for use in identity-theft-related fraud.
To combat identity theft, and to protect the privacy of individuals, the governments of Canada and the United States are passing laws compelling corporations to protect personal information under their custodial responsibility.
Legal counsel should play an important role in educating their clients how privacy regulations apply to them, and then helping them to write the appropriate policies so that their clients will comply with the privacy legislation.
Counsel may need to take further initiatives to educate their clients who may not understand that they are not already compliant.
However, a policy alone is not enough to ensure compliance to regulations. A policy that is not enforced uniformly is in reality not a policy at all.
It is therefore incumbent upon the executives of a client organization to monitor how well their employees are complying with the policy, and to implement modifications to procedures, in order to alleviate instances of non-compliance.
A compliance auditing firm should identify non-compliance and make recommendations to mitigate procedural problems before they fester into legal liability problems.
Counsel can perform a valuable service to those executives, by recommending a service that would provide proof to their executive clients that their organizations are indeed non-compliant with privacy legislation, and that the executives need to engage the services of counsel to create the appropriate policy. Providing this “evidence of non-compliance before the fact” is another situation in which a compliance auditor may be of service.
The key to successful compliance is creating an internal compliance process. This process should include the client’s executive management team, a designated privacy officer, an outside privacy/security audit firm and the education, understanding and full co-operation of all employees. The key elements of the process are:
1. Clear communication and articulation by senior management of policy expectations to employees.
2. Ongoing regular third party auditing to ensure policy compliance.
3. Identifying and dealing with non-compliant behaviour in a consistent manner.
4. Instituting a regular communications mechanism to executives about the status of the policy’s implementation and enforcement.
In addition, management needs to:
1. Appoint a privacy officer.
2. Publish the appropriate paraphrased policy sections, in layman’s language, to employee groups and to third parties such as information contributors.
3. Create a policy awareness program.
4. Inform all concerned that the senior executive team will audit and enforce compliance.
The auditor provides an impartial, third-party view of both employee compliance with the policy and the security of the underlying personal information.
The new privacy laws will work only if corporations engage their counsel to create effective privacy policies, tuned to the specifications of each organization. A policy is only effective if it is uniformly enforced by the executives who are responsible for implementing the policy.