The Privacy Commissioner of Canada has a mandate to protect and promote privacy rights of Canadians, and this includes conducting public opinion research with the general population and also with Canadian businesses on privacy-related issues. The main goal of the research is to explore Canadians’ awareness, understanding, and perceptions of privacy-related issues. Another goal is to better understand the extent to which businesses are familiar with privacy issues and requirements, to learn more about the privacy policies and practices they have in place, and to determine their privacy information needs.
2018-2019 Survey of Canadians on Privacy
With respect to the Survey of Canadians on Privacy, the Office of the Privacy Commissioner of Canada commissioned Phoenix Strategic Perspectives to conduct a 13-minute telephone survey to 1,516 Canadian residents throughout Canada who were 16 years and older.
Here are some of the selected key findings:
- 92 percent have some level of concern about the protection of personal privacy. More specifically, 37 percent are extremely concerned, 20 percent are concerned, 35 percent are somewhat concerned, and 8 percent are not concerned
- Internet users are concerned about how their online personal information is used to make decisions about them (for example: employment, insurance, or health coverage). That is, 51 percent were concerned, 37 percent were somewhat concerned, and 10 percent were not concerned
- 55 percent were concerned, 32 percent were somewhat concerned, and 12 percent were not concerned about social media platforms gathering information and creating profiles on them
- 62 percent were concerned, 28 percent were somewhat concerned, and 8 percent were not concerned about people using their information to attempt to steal their identity
- Given the high level of concern among Canadians regarding how their online personal information is used, 75 percent have adjusted settings to limit personal information shared on their mobile device, and 74 percent have not installed or uninstalled apps because they were concerned about the personal information they were being asked to provide
- Several Canadians do not believe that businesses respect their privacy. In fact, it was found that 45 percent disagreed that businesses respected their privacy, 17 percent had neutral opinions, and 38 percent agreed that businesses respected their privacy
- On the other hand, most Canadians did believe that the federal government respected their privacy rights. More specifically, 55 percent agreed that the federal government respected privacy rights, 14 percent had neutral opinions, and 29 percent disagreed that the government respected their privacy rights
- Canadians are also concerned about providing their personal information related to their bodies. For instance, 34 percent were very concerned, 16 percent were concerned, 31 percent were somewhat concerned, and 16 percent were not concerned about providing their fitness/health data collected by a fitness tracker to be analyzed and used to make commercial offers to them. In like manner, 37 percent were very concerned, 14 percent were concerned, 32 percent were somewhat concerned, and 16 percent were not concerned about providing saliva for genetic testing to determine future health
- Where a company provides easy to understand information about its privacy practices, 26 percent would definitely increase their willingness to do business with the company, 43 percent would probably increase their willingness, 19 percent would probably not increase their willingness, and 11 percent would definitely not increase their willingness to do with business with the company
- Where a company could face strict financial penalties (such as large fines) for misusing personal information, 71 percent said they would probably or definitely increase their willingness to do business with the company
- 75 percent have refused to provide an organization or business with their personal information. Moreover, 70 percent have not traded their personal information for discounts or incentives on a good or service
- Canadians feel they lack control over how their personal information is being used by companies. More precisely, 27 percent feel they have no control at all over how their personal information is being used by companies, 34 percent feel they do not have very much control, 32 percent feel they have a moderate amount of control, and 5 percent feel they have a great deal of control over how their personal information is being used by companies.
- Canadians also feel they lack control over how their personal information is being used by government. For instance, 31 percent feel they have no control at all over how their personal information is being used by government, 36 percent feel they do not have very much control, 27 percent feel they have a moderate amount of control, and 5 percent feel they have a great deal of control over how their personal information is being used by government
- In terms of who should be responsible for helping to protect their personal information, 67 percent responded that government should be responsible because it is independent and can represent their interests, and 25 percent stated that companies should be responsible because they are collecting the personal information and are responsible for the way they handle it. Also, 6 percent responded that they did not know who should be responsible
- Canadians disagreed with the notion that companies should be able to share their personal information for purposes other than to provide them with a service. In fact, 64 percent strongly disagreed, 22 percent somewhat disagreed, 12 percent somewhat agreed, and 2 percent strongly agreed
2017 Survey with Canadian businesses on privacy-related issues
With respect to the Survey with Canadian Businesses on Privacy-Related Issues, the Office of the Privacy Commissioner of Canada commissioned Phoenix Strategic Perspectives to administer a 13-minute telephone survey to 1,014 Canadian businesses.
Here are some of the selected key findings:
- 94 percent of businesses collect contact information (names, telephone numbers, and mailing or email addresses), 29 percent collect opinions, evaluations and comments, 25 percent collect financial information (invoices, credit cards, or banking records), 21 percent collect identity documents (Social Insurance Numbers), 15 percent collect purchasing habits
- 73 percent of companies store personal information on-site electronically, 56 percent store it on-site on paper, 26 percent store it on portable devices, and 18 percent store it off-site with a third party
- The steps taken by companies to protect customers’ information include passwords (78 percent), physical measures such as security alarms (77 percent), organizational controls such as policies and procedures (60 percent), technological measures such as encryption (59 percent), and system review tests and security updates (55 percent). It is interesting to note that 6 percent of companies do not take any measures whatsoever
- 58 percent state that it is extremely important and give it a rating of 7 out of 7 (the highest possible rating on the scale)
- Interestingly, there is an uneven implementation of privacy compliance practices, whereby some practices appear to be considered more important than others. For example, 59 percent of companies have designated a person to be responsible for handling privacy issues, but only 37 percent of companies regularly provided staff with privacy training and education
- There is a split on concern over data breaches. On one end of the scale, 23 percent of businesses are extremely concerned about data breaches, and on the other hand, 36 percent of businesses are not concerned at all about data breaches
- Given the divide on the issue of data breaches, a similar split can be found in relation to protocols that have been put in place to address data breaches. More precisely, only 40 percent of businesses have procedures to deal with data breaches, 52 percent do not have procedures, and 8 percent do not know if they have any procedures
- Along the same lines, only 38 percent of businesses have privacy risk assessment policies, 55 percent do not have these policies, and 7 percent do not know if the company has these policies
- 29 percent of companies view themselves as extremely aware of their responsibilities under privacy laws and give a rating of 7 out of 7 (the highest possible rating on the scale). That said, 8 percent state that they are not at all aware and give a rating of 1 out of 7 (the lowest possible rating on the scale)
- 66 percent of companies state they have taken steps to comply with privacy laws, 29 percent state they have not taken any steps, and 5 percent state they do not know if they have taken any steps
- Only 27 percent of companies have searched for information concerning privacy law compliance. This means that 73 percent have not conducted searches for information on how to comply with privacy laws
What does the Privacy Commissioner do with these findings, and what does this mean?
The Privacy Commissioner uses the information gleaned from the 2018-2019 survey to better understand levels of privacy awareness and subsequently inform and guide its outreach efforts to Canadians.
Moreover, the Privacy Commissioner uses the information generated by the 2017 survey to provide guidance to both individuals and organizations on privacy issues and enhance its outreach efforts with small businesses.
On review of the 2018-2019 survey, it becomes clear that Canadians are concerned about their privacy protection when dealing with companies. What is also revealed in the 2017 survey is that several companies do not have privacy policies and procedures in place. This could be due to the fact that many are not aware of the requirements, or that some have not yet taken steps to make compliance a priority.
Employers can learn from this information by examining the factors that are considered important to measure in the 2017 survey, and ask whether they have such features in their companies. For example, employers may ask themselves what kinds of information they collect, and strategies they use to store the personal information of customers and also employees. Employers may question what techniques they use to protect the personal information of customers and employees, whether it is through the use of passwords, physical measures, organizational controls, technological measures, and system review tests and security updates.
Moreover, employers are encouraged to conduct an examination of their own privacy policies and procedures involving privacy compliance, communication with customers and employees about their privacy practices, data breaches, privacy risk assessments, and proactive steps that can be taken in order to enhance knowledge and training for management and employees. In fact, employers are recommended to take a closer look at online learning and training tools. The Privacy Commissioner has these tools available on the page, “PIPEDA compliance and training tools” here.
More specifically, businesses can find a toolkit, set of privacy tips, self-assessment tool, a presentation package, and more.