1.
|
Designate a privacy officer or a privacy team who are specifically responsible
for privacy strategy and policy. |
2.
|
Take an inventory of personal information collection practices:
- What type of information do you collect? How sensitive is it?
- What are the sources?
- Why is it collected?
- How is it used?
- Where is it stored?
- Who can see it?
- How is it disposed of?
- What security measures are in place throughout?
|
3.
|
Conduct an objective self-assessment - put your customer's hat on - what
would you think of your practices? How would you expect your personal information
to be treated? |
4.
|
Develop your privacy policy in consultation with all key stakeholders.
Ensure your policy meets legislative requirements at a minimum, but go beyond
compliance to best practice whenever possible. When in doubt, ask: 'What
would our customer think?' |
5.
|
Develop supporting procedures and systems, including changes to forms.
Procedures should cover consent, inquiries, individual access, complaint
handling and security measures. Take this opportunity to streamline your
processes and eliminate duplication of effort and information. |
6.
|
Enable and implement all of the technical security and privacy safeguards
that exist in your information systems, especially for sensitive information. |
7.
|
Ensure that all contracts with third parties that access or process personal
information adequately address privacy issues. |
8.
|
Communicate to and train staff, contractors and volunteers on your privacy
policies and practices and on security awareness. |
9.
|
Provide information on your policies and practices to customers, subscribers
and donors (e.g. brochures, posters, websites, forms). |
10.
|
Follow up on a regular basis (at least annually) to ensure compliance
with your privacy policy, revise as necessary. |
