By Tracey Helten, Associate Consultant for Canadian Career Partners

If the owner of your favourite coffee shop told you that you couldn’t set foot in the store unless you provided your date of birth, name, address and email––would you go in? Without knowing why personal information was needed to buy a cup of coffee, or what the owner was intending to do with it, you would likely find another coffee shop. But if the owner explained that the information was only going to be used to randomly select and contact winners of free coffee for a year, you might just consider it.

Consumers are becoming leery of parting with their personal information for fear it may fall into the wrong hands and result in identity theft or fraud. But are people aware that they are sharing their personal information online just by clicking onto a company’s website?

In an online environment it is possible for information to be collected without an individual’s knowledge. Without being told that their personal information may be collected, used and shared, consumers lose the ability to make an informed decision about whether to do online business with the company. They also lose control over their personal information. A company can address consumers’ apprehension by prominently displaying its commitment to protect the privacy rights of its customers in a clear and detailed statement on its website. However, a privacy policy will only be meaningful if the provisions for information security and privacy protection are accurately described and adhered to.

ONLINE COLLECTION OF PERSONAL INFORMATION

Personal information – that is, information that can identify or be tracked back to a specific individual – includes data elements such as a person’s name, address, gender, age, credit card information, photo, occupation, telephone number, email address, income, lifestyle, hobbies and interests.

Companies with websites can collect personal information about users directly, through the completion of forms, or indirectly, by the use of cookies or other means to track users’ online activities. The information collected indirectly is sometimes used for secondary purposes such as contacting consumers with advertising or for other marketing activities.

CREATING A MEANINGFUL PRIVACY NOTICE

The goal in creating an online privacy policy for your website is to create a notice that is easy for users to find, read and understand. Such a statement must notify individuals about the collection, use or disclosure of their information for all websites activities. A website’s privacy policy should identify all of the information it collects online and provide notification before or at the time information is collected. It should also include a description of the steps that will be taken to prevent improper disclosure of the information.

By following the steps below, organisations can identify the information that should appear in their notice to inform users of a particular website’s information, security and privacy practices.

Step 1: List Personal Information Elements
Review every page of the website to identify and list of all of the personal information your company collects. Be as specific as possible.

Step 2: Identify Business purpose
Identify the specific business purpose(s) for each information element. Consider how it is used, and by whom. Be as specific as possible when listing the reasons why the information is necessary. Clearly identify what information is required and what is optional.

Step 3: Method of Collection
For each information element, indicate whether the information is collected indirectly or directly from the user.

Step 4: Review consent requirements
Where personal information is collected on the website, identify and review the type of consent the company uses. Under privacy legislation, an individual may revoke their consent at any time. When reviewing consent requirements, consider how an individual may revoke their consent and whether the revocation for all or some of the personal information will limit the service or product offered to the individual. Identify whether the information needs to be retained by your organization, and if so, for how long.

Step 5: Security of personal information
Identify staff or any third party who may have access to information collected online. Review authorities or any agreements with third parties (e.g. website hosts) to identify whether the potential for unauthorized access to personal information exists. Determine whether access to information is appropriate in relation to their business responsibilities and need to know.

The website statement should include a section discussing the type of security used and a brief explanation of its use. However, avoid statements that focus solely on the security of transactions rather than information collection practices at the website itself.

Step 6: Access
The consumer has the right to access and to request a correction to the information the company holds about them. Consumers must be aware of how to request that they be removed from any mailing or contact lists. Create a detailed description for each process.

Step 7: Contact Information
A Privacy Officer must be designated for the organization to respond to any privacy issues its website users may have. Include the name and contact information for the company’s Privacy Officer on the website.

Step 8: Compliance Challenges
Contact information for the appropriate oversight body (e.g. Office of the Privacy Commissioner of Canada, Office of the Information and Privacy Commissioner of Alberta) must be made available for individuals to refer to in case they have concerns about the company’s privacy practices or the way their personal information has been handled.

GOOD PRIVACY PRACTICES BUILD TRUST

When making the decision to disclose personal information on a website, individuals want to know whether a website is run by a trusted company or organization. They need to know how their data will be used, and specifically, whether information will be shared with third parties.

Privacy policies and proper notification can give customers confidence that their personal information is protected. Generally, the more specific and transparent a company is with respect to its information, security and privacy practices, the better equipped its customers will be to make an informed decision. Otherwise, users will be reluctant to disclose personal information and may decide to provide false information, or worse, refuse your products or services. In short, having a privacy policy makes good business sense.

Tracey Helten is an Associate of Canadian Career Partners, an integrated Human Resource and Business Consulting firm based in Calgary, Alberta. Tracey’s extensive knowledge of provincial and federal privacy legislation and its application to organizations in both public and private sectors enables her to advise clients on a range of privacy services and solutions. Additional information on privacy alignment issues can be sourced at www.career-partners.com.

Contact Point is committed to building trust with our users. View Contact Point’s privacy policy at www.contactpoint.ca/article.pl?sid=03/01/15/212420.