By: Bashir Fancy, I.S.P. (ret.), CEO & Chair, CIPS National
CIPS Speaks to Federal Privacy Commissioner:
Based on the submission of our whitepaper in July 2016 (see http://www.cips.ca/papers), CIPS was invited to a meeting with the Federal Privacy Commissioner, as well as his Provincial counterparts, to discuss the themes they picked out of the various submissions. Discussions centered on two major issues:
a. “Implied Consent” – Legal Counsels/Compliance Officers from General Motors, Xerox and a couple of other Corporations argued that if an individual had consented to something with that Organization, the consent was perpetual and those Corporations could use it for anything and everything. On behalf of CIPS, I presented a counterargument citing real examples. The CIPS position received support from the participants, but more importantly from Daniel Therrien, the Federal Privacy Commissioner.
b. The second issue was whether Corporations should be allowed to self-regulate and how penalties would be applied, given that very few organizations have been charged so far. This issue identified that the Federal Privacy Commissioner did not have sufficient powers. Corporations felt that self-regulation was sufficient and that the Federal Privacy Commissioner did not need any more powers. CIPS argued that self-regulation does not work and cited many examples. I personally provided the actual challenges I had encountered during the PCI DSS rollout at Visa and provided examples, which the Commissioner found very interesting.
2. CIPS suggested the following approach:
a. The legislation should be updated to allow the Federal Privacy Commissioner additional powers to lay charges where flagrant violation occurs;
b. The Federal Commissioner’s office should be provided with field auditors who have “solid” auditing background to validate compliance;
c. Organizations would be required to map updated PIPEDA legislation to their Corporate Policies;
d. Organizations’ processes and procedures should be mapped to their own corporate policies (which are already mapped to PIPEDA);
e. Organizations would need to train their staff on their policies and procedures, and the heads of each department would sign a declaration that they meet all the control objectives;
f. Internal Audit would validate that all the control objectives are working as intended and would be able to demonstrate evidence that they work;
g. Internal Audit would confirm that processes exist to train or retrain staff if deficiencies are identified in its review, and that system issues are corrected in a timely manner;
h. Once all the relevant documentation and processes are completed, the “CIO” and “CEO” would sign a document for submission to the Federal Privacy Commissioner on an annual basis;
i. The Office of the Federal Privacy Commissioner would conduct random audits to validate that the Corporate Compliance document as filed is valid. Where it is deemed to be valid, that Organization would receive a “Badge of Compliance”. This would provide any Organization with a marketing advantage;
j. If any Organization is deemed to have made a false declaration, the Federal Privacy Commissioner could levy heavy fines until the problem is corrected. Any client affected by a breach would be held harmless and the defaulting Corporation would be held liable financially;
k. The Federal Privacy Commissioner’s Office will need to be very diligent and vigilant about Organizations where a culture of ticking boxes is prevalent; a risk-based approach should be encouraged and recognized.
CIPS Mentoring Program
CIPS’ recent call for Mentors received 27 applicants. The applicants are from British Columbia, Alberta, Saskatchewan, Manitoba and Ontario. Some of the applicants are not CIPS Members and at least one did become a Member to participate in this program. Thank you to all who responded.
I will continue to provide members with an update on CIPS activities through CIPS Connections. I welcome your feedback. You can send your comments or suggestions to firstname.lastname@example.org.
I wish you and your families all the best in 2017.
Bashir Fancy, I.S.P. (ret.),
CEO & Chair, CIPS National Board