Redress Risk Management (post until May 31/19)

Corporate boards and a person-centred approach to privacy ethics

Corporate boards can begin the process of ensuring a company operates with a person-centred approach to privacy ethics by looking at its mission, vision and values statements, says Vancouver privacy and information lawyer Sara Levine.

“The way in which organizations manage personal information is a reflection of their value systems,” she tells

“Privacy shouldn’t be a separate consideration — it’s all about how the company wants to participate in its community and in society as a whole. It isn’t simply a set of rules and checklists that are done by middle management.”

It's important that a company knows its values, and whether its practices and procedures are consistent with those, Levine says. 

“One hopes they are, but if they aren’t then you fix them,” she says. “A board always has to start with the organizational values, what’s important to it.”

Ethics is the foundation on which all of the organization’s actions are based, she adds.

“Ethics is an overarching framework. It’s a set of principles that you measure behaviour against in any sphere,” Levine says. 

“It’s not restricted to a particular line of business, product or service. So when you think about privacy issues it is in that manner. It’s about how an organization thinks about people. Board members can ask what they want their organization to stand for when they engage with people.”

It’s also critical that employees understand the ethics on which an organization is built, Levine says. 

“Training has been important when it comes to privacy ethics. The duty to be accountable for privacy practices necessitates that you train your people,” she says.

“This is an active duty. Companies have to walk the talk when it comes to privacy ethics and that requires training employees. They cannot be expected to think through the nuances that come up in situations on the fly. They need guidance and rules so they can make sure they are in step with whatever decisions senior leadership has made.”

Levine says properly managing breaches, for example, is both a legal and ethical duty for organizations in Canada. 

“Breaches are going to happen — it’s just a reality,” she says. “People make mistakes. But the way an organization deals with a breach really distinguishes where its ethics are.”

Levine says boards need to ensure the organization has a privacy structure in place that enforces policies and procedures around key compliance issues, including: ensuring appropriate data protection; tracking, remediating and reporting breaches; mandatory training; auditing; risk analysis and reporting. 

She also says the board should insist on regular reporting to senior management or to a risk/audit committee. And it would be beneficial if at least one board member had cyber expertise, she adds. 

Levine points to a recent speech by Canada’s Privacy Commissioner Daniel Therrien in which he emphasized the importance of both public- and private-sector organizations establishing a culture of privacy.  

“Suffice it to say that my Office cannot deliver greater control over personal information and stronger privacy protection alone. Industry and federal institutions must be involved in the solution. CEOs and deputy ministers must be accountable for the privacy practices of their organizations,” he said.

Levine says, "good privacy practice is not just about being able to justify your policies or programs should they become the subject of a complaint or investigation by a privacy commissioner."

“Remember, maintaining stakeholder trust is a core component of any sustainable business model. And information is the core tool of every organization in today’s digital economy.  So ensuring that it has a strong reputation for ethical privacy practices is essential for any business that wants to survive and prosper.” 

To Read More Sara A. Levine, Q.C. Posts Click Here
Lawyer Directory
BridgePoint Financial Services (post to 5.31.19)Toronto Lawyers Association (post to 6.30.19)MKD International (post until Sept. 30/18)Feldstein Family Law (post until May 31/19)Greystones Health Fireman DayaJennifer Shuber (post until Jan. 31/19)Nerland Lindsey