Privacy protection for your client

There has been a lot of concern about the Insurance Council of British Columbia (ICBC) and the mishandling of policy documents. The rather simple mistake of client documents ending up in the public recycling bin rather than the shredder has been a big embarrassment.

The fine to the broker in question was only $1,000, but think of how that broker's clients are feeling. After working hard to develop strong relationships based on trust, this broker has taken a big step backwards.

Does your business handle sensitive client data? When surveyed last year by the Office of the Privacy Commission of Canada, almost 70% responded that yes, they collect personal information.

What can you do to reduce the risk of having a privacy breach? If one does happen, do you know how to react?

You should have privacy policies in place that cover who has access to sensitive data. These policies should discuss how the data is handled and how it is disposed of. The policy should also include the process for informing other staff members of the procedures and what to do if there is a privacy breach.

Proper staff training, with audits to confirm that the procedures are being followed, helps monitor the success of the program.

Have a privacy statement for your clients. This should include the following:

  • Outline what kind of personal information is required.
  • Declare whether this information will be shared.
  • Explain how it will be used.
  • Provide contact information in case of questions.

If there is a data breach, the advice of the Ontario Privacy Commission (OPC) is that your business:

  • Stop the breach, either by shutting down systems or by reclaiming documents. Appoint someone in your office to lead an investigation into how the breach happened, and how it can be prevented from happening again.
  • Assess the risks: the investigation should assess what kind of data was involved and how sensitive it is. Can it be used fraudulently?
  • Notifying consumers about the breach is a key step. The OPC recommends telling the affected consumers even if the breach poses a small risk to them. That notification should also include additional advice for clients about contacting credit reporting services or government office contact information.
  • If necessary, the OPC also advises that their office be notified, along with police or insurers.
  • Prevention: the investigation's findings should lay the groundwork for a privacy plan, or help close any gaps in an existing plan. Any breach should prompt a privacy audit, a review of processes and employee training and of partner practices, according to the OPC.

Remember, the business owner is responsible when a privacy breach occurs. It will be your business's reputation that is on the line.