Canadian companies still have a long way to go when it comes to understanding and implementing privacy laws, new government research reveals, despite the fact that the vast majority collect and store their customers’ personal data.
The results of a government-commissioned survey were released this week, and they reveal that a staggering 94 per cent of Canadian companies now collect basic contact information like names, phone numbers and email addresses from their customers.
WATCH: Massive data breach at Saks, Lord & Taylor stores
Opinions, evaluations, and comments are collected by 29 per cent of businesses, financial information like credit card numbers by 25 per cent, and identity documents (even social insurance numbers) are collected by 21 per cent. Fifteen per cent tracked “purchasing habits.”
Once they have it in hand, 73 per cent of businesses store this information on-site in electronic form, which the survey notes is “a shift from previous years” when storing information on paper was the most popular method.
“Other methods of storing customer information include the use of portable devices, like laptops, USB stick, or tablets … and off-site with a third-party,” the final survey report noted.
The research was conducted late last fall by Phoenix Strategic Perspectives, and involved 1,014 Canadian businesses, the vast majority of which were small or medium-sized (fewer than 100 employees).
The survey was commissioned by the Office of the Privacy Commissioner of Canada.
Each company representative answered a series questions during a 13-minute telephone survey, with the results weighted to reflect the actual distribution of businesses across the country and considered accurate to within ±3.1 per cent, 19 times out of 20.
There was a mixture of good and bad news when it came to the security of customers’ personal data.
A full 94 per cent of companies said they use at least one security method to protect personal information (passwords and physical security systems were most commonly cited), with 60 per cent using additional technological measures like encryption to keep their data safe from hackers and other breaches.
WATCH: Who is responsible for user privacy on social media?
Additionally, a full 36 per cent of the surveyed business executives said they were not concerned at all about a data breach at their company, while another 14 per cent expressed “low” concern.
“Four in 10 surveyed companies have policies or procedures in place in the event of a breach where customer personal information is compromised,” the report states.
“Almost as many respondents (38 per cent) said their company has policies or procedures in place to assess privacy risks related to their business … virtually unchanged since 2015.”
Meanwhile, just one quarter of executives and owners said they had searched for information or contacted someone for advice about their responsibilities under Canada’s privacy laws. A full 73 per cent had never done so, and 29 per cent of respondents said they had not taken any steps at all to ensure that their company complies with privacy laws.
“When asked what organizations or resources their company uses (or would use) to help clarify its privacy related responsibilities, 27 per cent of business executives pointed to the Internet … as well as to Google (14 per cent) or to specific websites (5 per cent),” the report said.
“Following the Internet, 19 per cent consulted (or would consult) the federal government, 15 per cent a provincial government, and 14 per cent a lawyer.”
“Companies with at least 100 employees tend to collect more types of personal information from customers and they are more likely to store this information on-site electronically,” the report explained.
There were also some regional variations. The likelihood of an executive or owner saying their company is aware of its responsibilities under Canada’s privacy laws was higher among respondents from the GTA (51 per cent), for example, compared to Atlantic Canada (26 per cent) and British Columbia (36 per cent).