Staying Ahead of the Curve: The Growing Need for Privacy Management Programs

Across Canada, the privacy landscape is evolving, and Canadian organizations will need to adjust their risk management frameworks to ensure they stay up to date with changing statutory requirements. One of the most significant legislative changes is likely to be the requirement that all Canadian private sector organizations have a documented Privacy Management Program (PMP).

In Quebec, a legislated requirement for private sector organizations to have a documented PMP came into force in September 2023. Federally, Bill C‑27, the Digital Charter Implementation Act, has moved into committee stage. Bill C‑27 includes requirements that every private sector organization in Canada implement and maintain a documented PMP. Organizations will be required to share that documentation with the Office of the Privacy Commissioner of Canada (OPC) on request. It is likely that the OPC would look to review the PMP documents in the event of a privacy breach or complaint investigation. Bill C‑27 includes significant financial penalties for non-compliance. 

While this suggests a sea change in the privacy landscape, the reality is that PMPs have long been a staple of privacy guidance and expectations. The OPC, in collaboration with privacy commissioners from Alberta and British Columbia, has been formally recommending a PMP as a best practice since at least 2012. 

That guidance from the Commissioners explained how organizations can demonstrate accountability and reflected the long history of development of Canadian privacy legislation. The concept of a privacy management program was put forward as early as 1980 by the Organisation for Economic Co-operation and Development (OECD). The OECD’s early guidance was foundational to the development of Canadian privacy rules. 

With personal information becoming increasingly commoditized, governments around the world are looking to develop regulations to protect citizens’ information. A legislated PMP requirement would give governments a tool to demonstrate protection actions. 

Whether a statutory requirement or a best practice recommendation, a robust PMP helps ensure that an organization is demonstrating accountability for the protection of personal information in the organization’s control. A PMP identifies the unique privacy risks each organization faces and how that organization will manage its risks and meet its obligations under the applicable privacy legislation. It articulates the underlying laws and regulations governing the organization’s handling of personal information, describes the policies and procedures the organization follows to meet those obligations, and serves as a springboard for ongoing assessment, improvement and risk mitigation strategy. 

Mara Consulting offers a deep roster of experts who understand the evolving nature of privacy, and how to map PMP requirements to your organization. To learn more about our team, our practice and how we can help, check out mara​con​sult​ing​.ca.

Resources:

Office of the Privacy Commissioner of Canada (2012). Getting Accountability Right with a Privacy Management Program. priv​.gc​.ca/​m​e​d​i​a​/​2​1​0​2​/​g​l​_​a​c​c​_​2​0​1​2​0​4​_​e.pdf

Organization for Economic Cooperation and Development (1980). Recommendation of the Council concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data. https://​legalin​stru​ments​.oecd​.org/​e​n​/​i​n​s​t​r​u​m​e​n​t​s​/​O​E​C​D​-​L​E​G​A​L​-0188.