Canadian companies still have a long way to go when it comes to understanding and implementing privacy laws, new government research reveals, despite the fact that the vast majority collect and store their customers’ personal data.
The results of a government-commissioned survey were released this week, and they reveal that a staggering 94 per cent of Canadian companies now collect basic contact information like names, phone numbers and email addresses from their customers.
WATCH: Massive data breach at Saks, Lord & Taylor stores
-PKG_848x480_1200421443740.jpg?w=1040&quality=70&strip=all)
Opinions, evaluations, and comments are collected by 29 per cent of businesses, financial information like credit card numbers by 25 per cent, and identity documents (even social insurance numbers) are collected by 21 per cent. Fifteen per cent tracked “purchasing habits.”
READ MORE: BMO, CIBC’s Simplii warn of client data breach
Once they have it in hand, 73 per cent of businesses store this information on-site in electronic form, which the survey notes is “a shift from previous years” when storing information on paper was the most popular method.
“Other methods of storing customer information include the use of portable devices, like laptops, USB stick, or tablets … and off-site with a third-party,” the final survey report noted.
The research was conducted late last fall by Phoenix Strategic Perspectives, and involved 1,014 Canadian businesses, the vast majority of which were small or medium-sized (fewer than 100 employees).
The survey was commissioned by the Office of the Privacy Commissioner of Canada.
Each company representative answered a series questions during a 13-minute telephone survey, with the results weighted to reflect the actual distribution of businesses across the country and considered accurate to within ±3.1 per cent, 19 times out of 20.
Data protection
There was a mixture of good and bad news when it came to the security of customers’ personal data.
A full 94 per cent of companies said they use at least one security method to protect personal information (passwords and physical security systems were most commonly cited), with 60 per cent using additional technological measures like encryption to keep their data safe from hackers and other breaches.
WATCH: Who is responsible for user privacy on social media?
But fewer than half said their company has a privacy policy that explains to customers how the business will collect and use their personal information.
Additionally, a full 36 per cent of the surveyed business executives said they were not concerned at all about a data breach at their company, while another 14 per cent expressed “low” concern.
“Four in 10 surveyed companies have policies or procedures in place in the event of a breach where customer personal information is compromised,” the report states.
“Almost as many respondents (38 per cent) said their company has policies or procedures in place to assess privacy risks related to their business … virtually unchanged since 2015.”
Meanwhile, just one quarter of executives and owners said they had searched for information or contacted someone for advice about their responsibilities under Canada’s privacy laws. A full 73 per cent had never done so, and 29 per cent of respondents said they had not taken any steps at all to ensure that their company complies with privacy laws.
“When asked what organizations or resources their company uses (or would use) to help clarify its privacy related responsibilities, 27 per cent of business executives pointed to the Internet … as well as to Google (14 per cent) or to specific websites (5 per cent),” the report said.
“Following the Internet, 19 per cent consulted (or would consult) the federal government, 15 per cent a provincial government, and 14 per cent a lawyer.”
Size matters
The biggest predictor of the level of security, knowledge of the laws, and privacy policy implementation among the companies was their size. The bigger the business, the more likely they have their privacy-related issues sorted.
READ MORE: High-profile hacks have experts urging caution when sharing personal information online
“Companies with at least 100 employees tend to collect more types of personal information from customers and they are more likely to store this information on-site electronically,” the report explained.
“Additionally, large companies are more likely to have taken steps to protect their customers’ personal information, to have put in place a series of privacy practices, and to have a privacy policy that explains how they collect and use customers’ information.”
There were also some regional variations. The likelihood of an executive or owner saying their company is aware of its responsibilities under Canada’s privacy laws was higher among respondents from the GTA (51 per cent), for example, compared to Atlantic Canada (26 per cent) and British Columbia (36 per cent).
Comments