Self-Assess Privacy Compliance

After conducting a privacy audit of your organization's personal information holdings and privacy management practices, you must assess how your current environment measures up against the ten principles of privacy protection. You can then develop a plan to address any areas that do not comply with these principles.

Self-Assessment Questions

To determine your organization's current level of compliance, review the ten principles of privacy protection and compare these standards to the results of your privacy audit.

To begin, consider these sample questions assessing the first three principles: accountability, purpose and consent. A negative response to any question identifies an area in need of improvement. To complete your self-assessment, create similar assessment questions for the other seven principles.

Accountability

To find out if your organization is accountable for its information practices, ask questions like:

  1. Has your organization assigned a privacy officer?

  2. Has your organization developed and implemented the necessary policies and practices to meet its obligations for the proper handling of personal information?

  3. Does your organization use contracts or other means to ensure that any contractors providing services on your behalf provide privacy protection equal to or superior to your own?

  4. Has your organization developed and implemented a complaint process to handle complaints about personal information practices?

Purpose

To find out if your organization clearly identifies why personal information is collected, ask questions like:

  1. Does your organization identify why personal information is needed and how it will be used, taking into account both primary and secondary purposes?

  2. Does your organization inform individuals, either verbally or in writing, of the purposes for collecting their personal information before or at the time the information is collected?

  3. Before using personal information for a new purpose, does your organization inform individuals of the new purpose and obtain consent prior to its use?

Consent

To find out if your organization complies with the requirement to obtain consent for the collection, use and disclosure of personal information, ask questions like:

  1. Does your organization obtain consent from individuals whose personal information is collected, used or disclosed?

  2. When obtaining consent, does your organization inform individuals of the purposes for the collection, use or disclosure of their personal information in a manner that is clear and can be reasonably understood?

  3. Does your organization obtain individual consent before or at the time of collection, as well as when a new use is identified?

  4. Does your organization obtain consent without using deceptive means or false or misleading information about how the personal information will be used?

  5. Does your organization ensure that consent is not a condition for supplying a product or a service unless the collection, use or disclosure of the personal information is necessary to provide the product or service?

  6. When determining what form of consent to use (e.g. written, verbal, implied, opt-in or opt-out), does your organization consider both the sensitivity of the personal information and what a reasonable person would expect and consider appropriate?

  7. Does your organization permit individuals to withdraw consent to the collection, use or disclosure of their personal information (unless withdrawing consent would conflict with a legal obligation)?

  8. After receiving a notice to withdraw consent, does your organization explain the likely consequences of withdrawing consent?