Friday, June 01, 2007

Information at risk

CanWest reports on the lack of attention paid to consumer privacy by businesses in Canada, as many businesses still aren't even trying to meet their obligations under the governing legislation which was passed in 2001:
The majority of businesses in Canada collect personal information from customers, but many are ignoring privacy laws and might be using sensitive data illegally, putting Canadians at risk of fraud, warns new research unveiled yesterday by the federal privacy commission.

What's more, a new survey conducted for the commission reveals an overwhelming proportion of staff - about two-thirds - at Canada's small, medium and large businesses have little to no training to handle personal information and ensure it doesn't fall into the wrong hands.

Results of the survey were made public in conjunction with the commission's annual report, which urges the private sector to do more to protect the personal information it collects in order to prevent massive security breaches like the ones experienced earlier this year by TJX Cos., the parent company of Winners and HomeSense, as well as the Canadian Imperial Bank of Commerce's Talvest Mutual Funds...

Despite the fact that more than 60 per cent of businesses said they collect personal information from customers, about one-third aren't complying with the Personal Information Protection and Electronic Documents Act, which sets rules and limits on how the private sector collects, uses and discloses the personal information it collects.

Although it was passed seven years ago, 15 per cent of businesses surveyed said they still haven't started putting the necessary policies in place to comply with the law, while 16 per cent said they are in the process of putting measures in place.

Of course, it's breaches in widespread actors such as Winners/HomeSense that are more likely to attract major media attention. But the potential dangers from a breach are no less severe even in a business too small to capture the public eye. And based on the significant number of businesses which haven't yet made any effort to meet their legal obligations to protect customer data, it looks like there's still a need for plenty more awareness about the responsibility of private-sector actors for personal information about their customers.
