Prepared for the Office of the Privacy Commissioner of Canada
Supplier Name: Phoenix SPI
Contract Number: 2R008-190099-001_CY
Contract Value: $74,242.36 (including HST)
Award Date: 2019-07-30
Delivery Date: 2020-01-31
Registration Number: POR 037-19
January 2020
This public opinion research report presents the results of a telephone survey conducted by Phoenix SPI on behalf of the Office of the Privacy Commissioner of Canada. The survey was conducted with 1,003 Canadian businesses from November 29 to December 19, 2019.
This publication may be reproduced for non-commercial purposes only. Prior written permission must be obtained from the Office of the Privacy Commissioner of Canada. For more information on this report, please contact the Office of the Privacy Commissioner of Canada at: publications@priv.gc.ca or at:
Office of the Privacy Commissioner of Canada
30, Victoria Street
Gatineau, Quebec
K1A 1H3
Purpose and research objectives
The Office of the Privacy Commissioner of Canada (OPC) commissioned Phoenix Strategic Perspectives (Phoenix SPI) to conduct quantitative research with Canadian businesses on privacy-related issues.
To address its information needs, the OPC conducts surveys with businesses every two years to inform and guide outreach efforts. The objectives of this research were to collect data on the type of privacy policies and practices businesses have in place; on businesses’ compliance with the law; and on businesses’ awareness and approaches to privacy protection. The findings will be used to help the OPC provide guidance to both individuals and organizations on privacy issues; and enhance its outreach efforts with small businesses, which can be an effective way to achieve positive change for privacy protection.
A 13-minute telephone survey was administered to 1,003 companies across Canada between November 29 and December 19, 2019. The target respondents were senior decision makers with responsibility and knowledge of their company’s privacy and security practices. Businesses were divided by size for sampling purposes: small (1 to 19 employees); medium (20 to 99 employees); and large (100 employees or more). The results were weighted by size, sector and region using Statistics Canada data to ensure that they reflect the actual distribution of businesses in Canada. Based on a sample of this size, the results can be considered accurate to within ±3.1%, 19 times out of 20.
Phoenix Strategic Perspectives (Phoenix SPI) was commissioned by the Office of the Privacy Commissioner of Canada (OPC) to conduct public opinion research with Canadian businesses on privacy-related issues.
The Privacy Commissioner of Canada is an advocate for the privacy rights of Canadians, with the powers to investigate complaints and conduct audits under two federal laws, publish information about personal information-handling practices in the public and private sectors, and conduct research into privacy issues. Mandated by Parliament to act as an ombudsman and guardian of privacy in Canada, the Commissioner is responsible for enforcing the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to commercial activities in the Atlantic provinces, Ontario, Manitoba, Saskatchewan and the Territories. Quebec, Alberta, and British Columbia each has its own law covering the private sector. However, even in these provinces, PIPEDA continues to apply to the federally regulated private sector and to personal information in interprovincial and international transactions.
Given its mandate, the OPC needs to understand the extent to which businesses are familiar with privacy issues; what type of privacy policies and practices businesses have in place; businesses’ compliance with the law; and businesses’ awareness and approaches to privacy protection. To address its information needs, the OPC conducts surveys with businesses every two years to inform and guide outreach efforts with businesses. The findings will be used to help the Office: 1) provide guidance to both individuals and organizations on privacy issues; and 2) enhance its outreach efforts with small businesses, which can be an effective way to achieve positive change for privacy protection.
A telephone survey was administered to 1,003 companies across Canada. Businesses were divided by size for sampling purposes. Interviewing was conducted by Phoenix SPI’s subcontractor, Elemental Data Collection Inc. (EDCI), using Computer Aided Telephone Interviewing (CATI) technology. The results were weighted by size, sector and region using Statistics Canada data to ensure that they reflect the actual distribution of businesses in Canada. Based on a sample of this size, the results can be considered accurate to within ±3.1%, 19 times out of 20.
The following specifications applied to the survey:
The table below presents information about the final call dispositions for this survey, as well as the associated response rate.
Disposition | Total |
---|---|
Total numbers attempted | 10,047 |
Out-of-scope - Invalid | 1,288 |
Unresolved (U) | 3,974 |
No answer/Answering machine | 3,974 |
In-scope - Non-responding (IS) | 3,756 |
Language barrier | 47 |
Incapable of completing (ill/deceased) | 138 |
Callback (respondent not available) | 1,717 |
Refusal | 1,744 |
Termination | 110 |
In-scope - Responding units (R) | 1,029 |
Completed interview | 1,003 |
Not eligible (not-for-profit) | 26 |
Response rate | 11.8% |
This section discusses how Canadian businesses use and store the personal information they collect from customers.
Nearly two-thirds of companies (63%) use the information they collect about their customers to provide services. Slightly less than one-third (30%) use this information to build profiles to personalize services for their customers. Ten percent or fewer use this information for other purposes: for marketing (10%), for accounting/billing/invoicing (7%), and for communicating or contacting customers (3%).
Answers | 2019 | 2013 |
---|---|---|
Providing service | 63% | 68% |
Building customer profiles to personalize service | 30% | 31% |
Marketing | 10% | 17% |
For accounting/billing/invoicing purposes | 7% | 14% |
For communication/contact purposes | 3% | 3% |
Some other purpose | 2% | 5% |
Don’t know | 11% | 8% |
Base in 2019: n=1,003; all respondents. |
This question was previously asked of Canadian businesses in 2013. As was the case in 2013, providing service and building customer profiles were the most frequently mentioned uses of customers’ personal information.
More than 4 in 10 business representatives (45%) say their company makes clear to customers whether the collection, use or disclosure of information is a condition of service. In contrast, 40% say their company does not do this, while the remainder feel this does not apply to their company (9%) or do not know whether their company has such a practice (7%).
Answers | % of respondents |
---|---|
Yes, it is made clear whether this is a condition of service | 45% |
No, it is not made clear whether this is a condition of service | 40% |
Does not apply/do not know | 16% |
Base: n=1,003; all respondents. [DK/NR: 7%]. |
Companies in Ontario (51%) are more likely than companies in the Prairies (27%) to make it clear to customers whether the collection, use or disclosure of information is a condition of service. In addition, self-employed individuals (33%) are less likely than medium (53%) and large (48%) companies to make this information clear to customers.
While Canadian businesses use a variety of methods to store customers’ personal information, storing information on-site electronically is by far the most common method. The clear majority of business representatives (72%) say their company stores information about their customers on-site electronically. Following this, approximately half (49%) say their business stores customers’ personal information on-site on paper, and one in four (25%) store information electronically with a third party.
Answers | 2019 | 2017 |
---|---|---|
Stored on-site electronically | 72% | 73% |
Stored on-site on paper | 49% | 56% |
Stored electronically with a third party | 21% | 18% |
Base in 2019: n=1,003; all respondents; DK/NR=1%. |
Companies located in Quebec (78%) are more likely to store customers’ personal information on-site electronically than companies based in Ontario (67%), including those specifically located in the Greater Toronto Area (GTA) (65%). The likelihood of storing customer information on-site electronically generally increased with company size, from 64% of the self-employed to 81% of large companies (i.e., companies with 100 or more employees).
Compared to 2017, fewer companies are storing customer information on-site on paper. In 2017, 56% of companies surveyed stored information on-site on paper; in 2019, 49% of companies store information in this way. Use of electronic storage, whether on site or via a third party, has not changed in any significant way.
This section identifies the procedures and policies companies have in place to protect the personal information they collect about their customers.
Before exploring company privacy practices, business representatives were asked what level of importance their company attributes to protecting customers’ personal information. Most Canadian businesses attribute significant importance to protecting their customers’ privacy. Four in five business representatives say their company considers the protection of customers’ personal information to be of high importance (scores of 6 and 7), with 69% saying it is an extremely important corporate objective. At the other end of the spectrum, very few companies (5%) indicated clearly that protecting customers’ personal information is not an important corporate objective.
Importance | 2019 (n=1,003) |
---|---|
Extremely important corporate objective (7) | 69% |
6 | 12% |
5 | 7% |
4 | 4% |
3 | 1% |
2 | 1% |
This is not important (1) | 5% |
Base: n=1,003; all respondents; [DK/NR=1%]. |
Companies that only sell to consumers (77%) are significantly more likely to attribute extreme importance to protecting their customers’ personal information than companies that sell to other businesses (63%) or to both businesses and consumers (66%). The likelihood of attributing extreme importance to this as a corporate objective was highest among large companies (83% compared to 62% to 74% of small and medium-sized companies).
Over time, the importance companies attribute to protecting customers’ personal information has increased significantly, from 62% in 2011 to 81% in 2019.
Level of importance | 2011 (n=1,006) | 2013 (n=1,006) | 2015 (n=1,016) | 2017 (n=1,014) | 2019 (n=1,003) |
---|---|---|---|---|---|
High importance (6-7) | 62% | 70% | 67% | 68% | 81% |
Moderate importance (3-5) | 26% | 20% | 21% | 19% | 12% |
Low importance (1-2) | 12% | 9% | 11% | 9% | 6% |
Approximately two-thirds of business representatives (65%) say their company has a privacy policy. Conversely, 32% of Canadian businesses do not have a privacy policy (the remainder – 3% – do not know whether their company has such a policy).
Answers | % of respondents |
---|---|
Yes, my company has a privacy policy | 65% |
No, my company does not have a privacy policy | 32% |
Don’t know | 3% |
Base: n=1,003; all respondents |
Respondents who are self-employed (44%) are least likely to have a privacy policy and companies employing 100 or more staff (83%) are most likely to have one. Moreover, companies based in Quebec (48%) are less likely than companies in Ontario (75%; 73% in the Greater Toronto Area), British Columbia (71%), and Alberta (64%) to have such a policy.
Among the companies that do have a privacy policy (n=717), many have a policy that explains in plain language how their company collects, uses and discloses customers’ information (84%), the purpose for which customers’ personal information is being collected (82%), and what personal information is being collected (80%). In addition, 7 in 10 of these companies have a privacy policy that explains plainly which parties the collected personal information will be shared with (70%). Among the companies with a privacy policy, only 52% say their company’s policy explains the risk of harm in the event of a breach.
Questions | 2019 | 2017 |
---|---|---|
How personal information is collected, used, or disclosed? | 84% | N/A |
For what purposes it is being collected, used or disclosed? | 82% | 95% |
What personal information is being collected? | 80% | 92% |
With which parties it will be shared? | 70% | 75% |
Risk of harm in event of a breach? | 52% | 52% |
Base: n=717; all companies with privacy policies |
Compared to 2017, fewer companies say their privacy policy explains in plain language to customers for what purpose their information is being collected, used or disclosed (82% compared to 95% in 2017), what personal information is being collected (80% compared to 92%), and with which parties their information will be shared (70% compared to 75%).
Approximately one-third (36%) of companies that have a privacy policy notify customers when making changes to this policy. Exactly half (50%) do not. The remainder – 14% – do not know whether their company makes such a disclosure to customers or feel this does not apply to their company.
Answers | % of respondents |
---|---|
Yes, my company notifies customers when making changes to our privacy policy | 36% |
No, my company does not notify customers when making changes to our privacy policy | 50% |
Does not apply/do not know | 14% |
Base: n=717; all companies with privacy policies. [DK/NR: 7%]. |
Approximately half (51%) of companies surveyed make their privacy information easily accessible to customers and roughly one-third (34%) say they obtain consent from customers when making changes to their company’s privacy practices.
Questions | Yes | No | Does not apply/ do not know |
---|---|---|---|
Obtain consent from customers when making changes to your company’s privacy practices | 34% | 52% | 14% |
Make privacy information easily accessible to your customers | 51% | 38% | 11% |
Base: n=1,003; all respondents. [DK/NR: 4%] |
Respondents who are self-employed (businesses with one employee) are significantly more likely than larger companies to say they neither obtain consent from customers when making changes to corporate privacy practices nor make privacy information easily accessible to customers.
Business representatives were asked whether their company had put in place a series of privacy practices. These included:
Half or more of Canadian businesses surveyed have implemented the following privacy compliance practices: having a designated privacy officer (62%); having procedures in place for responding to customer requests for access to their personal information (60%); having procedures in place for dealing with customer complaints about the handling of their personal information (58%); and having internal policies for staff that address privacy obligations (55%). Approximately four in 10 (39%) say their business regularly provides staff with privacy training and education.
Questions | % of respondents |
---|---|
Have you designated someone in your company to be responsible for privacy issues and personal information that your company holds? | 62% |
Does your company have procedures in place for responding to customer requests for access to their personal information? | 60% |
Does your company have procedures in place for dealing with complaints from customers who feel that their information has been handled improperly? | 58% |
Has your business developed and documented internal policies for staff that address your privacy obligations under the law? | 55% |
Does your organization regularly provide staff with privacy training and education? | 39% |
Base: n=1,003; all respondents [DK/NR=3% to 6%] |
Companies in Quebec are generally less likely to have implemented these privacy compliance practices. In addition, the likelihood of having implemented these practices increased with business size and was highest among large companies.
Across all measures, compliance has improved over time.
Questions | 2019 | 2017 | 2015 | 2013 | 2011 |
---|---|---|---|---|---|
Have you designated someone in your company to be responsible for privacy issues and personal information that your company holds? | 62% | 59% | 57% | 58% | 57% |
Does your company have procedures in place for responding to customer requests for access to their personal information? | 60% | 47% | N/A | N/A | N/A |
Does your company have procedures in place for dealing with complaints from customers who feel that their information has been handled improperly? | 58% | 51% | 50% | 51% | 48% |
Has your business developed and documented internal policies for staff that address your privacy obligations under the law? | 55% | 50% | 50% | 51% | N/A |
Does your organization regularly provide staff with privacy training and education? | 39% | 37% | 32% | 34% | N/A |
Base: n=1,003; all respondents [DK/NR=3% to 6%] |
This section examines how Canadian businesses manage privacy risks, including data breaches.
Just under 2 in 5 business representatives (38%) say their company has policies or procedures in place to assess privacy risks related to the business. Approximately half (51%) do not have such policies or procedures. The rest (11%) do not know whether their company has policies or procedures to assess privacy risks.
Answers | % of respondents |
---|---|
Yes, my company has a risk assessment policy | 38% |
No, my company does not have a risk assessment policy | 51% |
Don’t know | 11% |
Base: 1,003; all respondents. |
The likelihood of having policies or procedures in place to assess privacy risks increased with business size and was highest among large companies.
Since tracking of this measure began in 2013, the number of companies that have policies or procedures in place to assess privacy risks has increased 10 percentage points. While 28% of companies surveyed in 2013 had such policies and procedures in place to assess privacy risks, that proportion increased to 37% in 2017, and is virtually unchanged at 38% in 2019.
Most business representatives (95%) say their company has not experienced a breach where the personal information of their customers was compromised. Consistent with previous data, very few (4%) say their company has experienced a privacy breach.
Answers | % of respondents |
---|---|
Yes, my company has experienced a breach | 4% |
No, my company has not experienced a breach | 95% |
Base: n=1,003; all respondents. [DK/NR: 1%] |
The smaller the company, the more likely it is not to have experienced a privacy breach.
Of the companies that have experienced a privacy breach (n=38), almost half notified individuals who were affected by the breach. Following this, companies report addressing the breach by following proper procedures or implementing a security system or enhancing existing security systems.
Business representatives were asked to rate their level of concern about a data breach, where the personal information of their customers is compromised. Three in 10 (30%) say they are extremely concerned about a data breach, whereas exactly one-third (33%) say they are not at all concerned about a data breach.
Before being asked this question, interviewers provided the following information:
Data breaches can be caused by criminal activity, theft, hacking, or employee error such as misplacing a laptop or portable device.
Level of concern | % of respondents |
---|---|
Extremely concerned (7) | 30% |
6 | 7% |
5 | 7% |
4 | 7% |
3 | 5% |
2 | 10% |
Not at all concerned (1) | 33% |
Base: n=1,003; all respondents [DK/NR=1%]. |
With 45% of business representatives from Quebec-based companies selecting the highest score of seven on the scale, companies located in Quebec are the most likely to be extremely concerned about a data breach.
High concern about a data breach has fluctuated over time, from a low of 24% in 2013 to this year’s high of 37%.
Level of concern | 2011 (n=1,006) | 2013 (n=1,006) | 2015 (n=1,016) | 2017 (n=1,014) | 2019 (n=1,003) |
---|---|---|---|---|---|
Highly concerned (6-7) | 32% | 24% | 32% | 28% | 37% |
Somewhat concerned (3-5) | 23% | 23% | 23% | 20% | 19% |
Not concerned (1-2) | 43% | 50% | 44% | 50% | 43% |
Base: n=1,003; all respondents [DK/NR=1%]. |
This section examines findings regarding companies’ awareness of their responsibilities under privacy laws. Questions in this section were prefaced with the following description of Canada’s privacy laws:
The federal government’s privacy law, the Personal Information Protection and Electronic Documents Act or PIPEDA, sets out rules that govern how businesses engaged in commercial activities should protect personal information. In Alberta, BC and Quebec, the private sector is governed by provincial laws, which are considered to be similar to the federal law.
More than half of business representatives think their company is highly aware of its responsibilities under Canada’s privacy laws (scores of six or seven), including 40% who say their company is extremely aware of these responsibilities. One-third (33%) rate their company as moderately aware of its privacy responsibilities (scores of three to five). Few (9%) rate their company’s awareness as low (scores of one to two).
Level of awareness | % of respondents |
---|---|
Extremely aware (7) | 40% |
6 | 17% |
5 | 19% |
4 | 9% |
3 | 5% |
2 | 2% |
Not at all aware (1) | 7% |
Base: n=1,003; all respondents [DK/NR=1%]. |
Companies based in Quebec (50%) and Ontario (43%) are more likely than companies in the Prairies (23%) and British Columbia (30%) to be extremely aware of their responsibilities under Canada’s privacy laws.
The proportion of business representatives who say their company is highly aware of its responsibilities under Canada’s privacy laws has increased significantly this year, from 44% in 2017 to 57% in 2019.
Level of awareness | 2011 (n=1,006) | 2013 (n=1,016) | 2015 (n=1,016) | 2017 (n=1,014) | 2019 (n=1,003) |
---|---|---|---|---|---|
Highly aware (6-7) | 31% | 45% | 43% | 44% | 57% |
Moderately aware (3-5) | 47% | 42% | 39% | 38% | 33% |
Not aware (1-2) | 19% | 12% | 17% | 14% | 9% |
Base: n=1,003; all respondents [DK/NR=1%]. |
More than three-quarters of business representatives (77%) say their company has taken steps to ensure it complies with Canada’s privacy laws. This represents a significant increase since 2017, when 66% of companies had taken steps to ensure compliance.
Answers | % of respondents |
---|---|
Yes, my company has taken steps to ensure compliance | 77% |
No, my company has not taken steps to ensure compliance | 16% |
Don’t know | 7% |
Base: n=1,003; all respondents. |
Companies in Alberta (86%) and Ontario (84%) were more likely than those in the Prairies (64%) and Quebec (68%) to have taken steps to ensure compliance. In addition, respondents who are self-employed are most likely to have not taken steps to ensure that their company complies with Canada’s privacy laws.
Level of difficulty | % of respondents |
---|---|
Extremely difficult (7) | 3% |
6 | 3% |
5 | 10% |
4 | 38% |
3 | 7% |
2 | 10% |
Extremely easy (1) | 27% |
Base: n=797; companies that have taken steps to ensure compliance. [DK/NR=3%]. |
Roughly nine in 10 (92%) companies that have taken steps to comply with Canada’s privacy laws (n=797) did not find it difficult to bring their personal information handling practices into compliance.
The proportion of companies that find it very easy to bring personal information handling practices into compliance with Canada’s privacy laws has steadily increased over time, from 28% in 2011 to this year’s high of 37%.
Level of difficulty | 2011 (n=1,006) | 2013 (n=1,006) | 2017 (n=719) | 2019 (n=719) |
---|---|---|---|---|
Extremely easy (1-2) | 28% | 31% | 33% | 37% |
Moderately easy (3-5) | 61% | 56% | 56% | 55% |
Extremely difficult (6-7) | 4% | 6% | 8% | 6% |
Question differed in 2015. Data for 2015 is not represented in graph. Base: n=797; companies that have taken steps to ensure compliance. [DK/NR=3%]. |
Slightly more than one-third (36%) of companies are aware that the OPC has information and tools to help companies comply with their privacy obligations. Conversely, nearly two-thirds (63%) say they are not aware of OPC’s resources. Awareness of OPC’s resources for business has declined this year from the high of 44% recorded in 2017.
Answers | % of respondents |
---|---|
Yes, I am aware of OPC’s resources | 36% |
No, I am not aware of OPC’s resources | 63% |
Base: n=1,003 all respondents. [DK/NR: 1%]. |
Companies based in Quebec (25%) are less likely than those in Atlantic Canada (50%) or Ontario (43%) to be aware that the Office of the Privacy Commissioner of Canada has information and tools available to companies to help them comply with their privacy obligations. The likelihood of being aware of these resources was higher among medium (48%) and large (49%) companies than among smaller companies.
The following tables present the characteristics of Canadian businesses included in the survey sample (using weighted data).
Customer type | Percent |
---|---|
Sells directly to consumers | 32% |
Sells directly to other businesses/organizations | 26% |
Sells directly to consumers and other businesses/organizations | 41% |
Other | <1% |
Region | Percent |
---|---|
Atlantic Canada | 6% |
Quebec | 21% |
Manitoba and Saskatchewan | 7% |
Alberta | 16% |
British Columbia | 14% |
Ontario (excluding the Greater Toronto Area) | 16% |
Greater Toronto Area | 21% |
Business size | Percent |
---|---|
1 employee (self-employed) | 15% |
2-4 employees | 24% |
5-9 employees | 22% |
10-19 employees | 25% |
20-99 employees | 10% |
100+ employees | 4% |
Don’t know/No response | 2% |
Revenues | Percent |
---|---|
Less than $100,000 | 15% |
$100,000 to just under $250,000 | 9% |
$250,000 to just under $500,000 | 10% |
$500,000 to just under $1,000,000 | 10% |
$1,000,000 to just under $5,000,000 | 18% |
$5,000,000 to just under $10,000,000 | 4% |
$10,000,000 to just under $20,000,000 | 2% |
More than $20 million | 1% |
Don’t know / no response | 31% |
Hello/bonjour, my name is [Interviewer’s name]. Would you prefer to continue in English or French? / Préférez-vous continuer en anglais ou en français?
I’m calling on behalf of Phoenix SPI, a public opinion research company. We’re conducting a survey for the Privacy Commissioner of Canada to better understand the needs and practices of businesses across the country in relation to Canada’s privacy laws.
May I speak to the person in your company who is the most familiar with the types of personal information collected about your customers, and how this information is stored and used. This may be your company’s Privacy Officer if you have one.
This survey should take no more than 15 minutes to complete. Participation is voluntary and completely confidential, and your answers will remain anonymous.
May I continue?
1. Which of the following best describes your company? [READ LIST, ACCEPT ONE RESPONSE]
* INTERVIEWER NOTE: IF ASKED ABOUT RESPONSE OPTION (1) “CONSUMERS”, SAY: This refers to an individual not a business or organization.
2. Approximately how many employees work for your company in Canada? Please include part-time employees as full-time equivalents. [DO NOT READ LIST]
I’d like to begin by asking you about the personal information held by your company about your customers.
INTERVIEWER NOTE: If asked what is meant by “personal information”, say: By personal information, I mean things like a customer’s name, email address, opinions, purchase history, or financial information, such as their credit card.
3. What does your business do with the personal information that it collects about your customers? Do you use it for...? [READ LIST. ACCEPT ALL THAT APPLY] T-2013
* IF ASKED WHAT IS MEANT BY USING PERSONAL INFORMATION TO PROVIDE A SERVICE, SAY: An example of this would be the collection of a credit card number from a customer to complete a purchase, or the collection of an email address to send an invoice.
4. In which of the following ways does your company store personal information on your customers? Is the information…? [READ LIST. ACCEPT ALL THAT APPLY] T2017 – MODIFIED
[VOLUNTEERED] Company does not collect personal information about customers
5. What importance does your company attribute to protecting your customers’ personal information? Please use a scale from 1 to 7, where 1 means that this is not an important corporate objective at all, and 7 means it is an extremely important objective. T2017
The federal government’s privacy law, the Personal Information Protection and Electronic Documents Act or PIPEDA (PRONOUNCED PIP-EE-DAH) sets out rules that govern how businesses engaged in commercial activities should protect personal information. In Alberta, BC and Quebec, the private sector is governed by provincial laws, which are considered to be similar to the federal law. T2017
6. How would you rate your company’s awareness of its responsibilities under Canada’s privacy laws? Please use a scale from 1 to 7, where 1 is not at all aware, and 7 is extremely aware. T2017
7. Has your company taken steps to ensure that it complies with Canada’s privacy laws? T2017
[IF Q7 = “YES”]
8. How difficult has it been for your company to bring your personal information handling practices into compliance with Canada’s privacy laws? Please use a scale from 1 to 7, where 1 is extremely easy, and 7 is extremely difficult. MODIFIED-T2017
[ALL]
9. Are you aware that the Office of the Privacy Commissioner of Canada, or the OPC, has information and tools available to companies to help them comply with their privacy obligations? MODIFIED-T2017
INTERVIEWER NOTE: If asked about the OPC/how to reach the OPC, please share the website: priv.gc.ca.
Now I’d like to ask you about your company’s privacy practices.
10. Have you designated someone in your company to be responsible for privacy issues and personal information that your company holds? T2017
11. Has your business developed and documented internal policies for staff that address your privacy obligations under the law? T2017
Yes / No / [VOLUNTEERED] Don’t know
12. Does your organization regularly provide staff with privacy training and education? T2017
13. Does your company have procedures in place for responding to customer requests for access to their personal information? T2017
14. Does your company have procedures in place for dealing with complaints from customers who feel that their information has been handled improperly? T2017
15. Does your company have a privacy policy?
16. Does your privacy policy explain in plain language...? [READ LIST] T2017
RESPONSE OPTIONS:
[ALL]
Still thinking about your company’s collection and use of customers’ personal information …
17. Does your company do any of the following? [READ LIST] NEW-2019
RESPONSE OPTIONS:
18. Does your company have any policies or procedures in place to assess privacy risks related to your business? This includes assessing privacy risks associated with the development or use of new products, services, or technologies. T2017
Data breaches can be caused by criminal activity, theft, hacking, or employee error such as misplacing a laptop or other portable device. T2017
19. How concerned are you about a data breach, where the personal information of your customers is compromised? Please use a scale of 1 to 7, where 1 is not at all concerned, and 7 is extremely concerned. T2017
20. Does your company ensure that it keeps records of all data breaches involving your customers’ personal information? NEW-2019
[IF Q20 ≠ “DOES NOT APPLY”]
21. Has your company ever experienced a breach where the personal information of your customers was compromised? T2011
[IF Q21 = YES]
22. What did your company do to address this situation? [DO NOT READ LIST. ACCEPT MULTIPLE RESPONSES] T2011
These last questions are for statistical purposes only, and all answers are confidential.
23. In what industry or sector do you operate? If your company is active in more than one sector, please identify the main sector. [DO NOT READ LIST. ACCEPT ONE RESPONSE]
24. What is your own position within the organization? [DO NOT READ LIST. ACCEPT ONE RESPONSE]
25. In which of the following categories would your company’s 2018 revenues fall? [READ LIST. ACCEPT ONE RESPONSE]
This concludes the survey.
Thank you for your time and feedback, it is much appreciated.
I hereby certify, as a Senior Officer of Phoenix Strategic Perspectives, that the deliverables fully comply with the Government of Canada political neutrality requirements outlined in the Policy on Communications and Federal Identity of the Government of Canada and Procedures for Planning and Contracting Public Opinion Research. Specifically, the deliverables do not contain any reference to electoral voting intentions, political party preferences, standings with the electorate, or ratings of the performance of a political party or its leader.
(Original signed by)
Alethea Woods, President
Phoenix Strategic Perspectives