2019-20 Survey of Canadian businesses on privacy-related issues
Executive summary
Prepared for the Office of the Privacy Commissioner of Canada
Supplier Name: Phoenix SPI
Contract Number: 2R008-190099-001_CY
Contract Value: $74,242.36 (including HST)
Award Date: 2019-07-30
Delivery Date: 2020-01-31
Registration Number: POR 037-19
For more information, please contact: publications@priv.gc.ca
This report is also available in French.
Supplier name: Phoenix Strategic Perspectives Inc.
January 2020
This public opinion research report presents the results of a telephone survey conducted by Phoenix SPI on behalf of the Office of the Privacy Commissioner of Canada. The survey was conducted with 1,003 Canadian businesses from November 29 to December 19, 2019.
This publication may be reproduced for non-commercial purposes only. Prior written permission must be obtained from the Office of the Privacy Commissioner of Canada. For more information on this report, please contact the Office of the Privacy Commissioner of Canada at: publications@priv.gc.ca or at:
Office of the Privacy Commissioner of Canada
30, Victoria Street
Gatineau, Quebec
K1A 1H3
Also available in French under the title Sondage de 2019-2020 auprès des entreprises canadiennes concernant les enjeux liés à la protection des renseignements personnels.
Executive summary
The Office of the Privacy Commissioner of Canada (OPC) commissioned Phoenix Strategic Perspectives (Phoenix SPI) to conduct quantitative research with Canadian businesses on privacy-related issues.
Purpose, objectives and use of findings
To address its information needs, the OPC conducts surveys with businesses every two years to inform and guide outreach efforts. The objectives of this research were to collect data on the type of privacy policies and practices businesses have in place, on businesses’ compliance with the law, and on businesses’ awareness of and approaches to privacy protection. The findings will be used to help the OPC provide guidance to both individuals and organizations on privacy issues and to enhance its outreach efforts with small businesses, which can be an effective way to achieve positive change for privacy protection.
Methodology
A 13-minute telephone survey was administered to 1,003 companies across Canada between November 29 and December 19, 2019. The target respondents were senior decision makers with responsibility for and knowledge of their company’s privacy and security practices. Businesses were divided by size for sampling purposes: small (1 to 19 employees); medium (20 to 99 employees); and large (100 employees or more). The results were weighted by size, sector and region using Statistics Canada data to ensure that they reflect the actual distribution of businesses in Canada. Based on a sample of this size, the results can be considered accurate to within ±3.1%, 19 times out of 20.
Key findings
- When it comes to meaningful consent, at least one-third of Canadian businesses incorporate some of the guiding principles in their privacy practices.
  - Approximately half (51%) of the companies surveyed make their privacy information easily accessible to their customers.
  - Forty-five percent (45%) make it clear to customers whether the collection, use or disclosure of information is a condition of service.
  - About one-third each notify customers when making changes to their company’s privacy policy (36%) and obtain consent from customers when making changes to their company’s privacy practices (34%).
- Many companies have a privacy policy in place.
  - Roughly two-thirds (65%) of companies surveyed have a privacy policy in place.
  - Among the companies that have a privacy policy, many have a policy that explains in plain language how their company collects, uses and discloses customers’ information (84%), the purpose for which customers’ personal information is being collected (82%), what personal information is being collected (80%), and with which parties the collected personal information will be shared (70%).
  - Approximately one-third (36%) of companies that have a privacy policy notify customers when making changes to this policy.
- Half or more of Canadian businesses have implemented most of the privacy compliance practices measured in the survey.
  - Sixty-two percent (62%) of companies have designated someone to be responsible for privacy issues and the personal information that their company holds (up from 59% in 2017 and 57% when tracking began in 2011).
  - Six in 10 (60%) companies have procedures in place for responding to customer requests for access to their personal information (up from 47% in 2017).
  - More than half (58%) have procedures in place for dealing with complaints from customers who have concerns about how their information has been handled (up from 51% in 2017 and 48% in 2011 when tracking began).
  - Fifty-five percent (55%) have developed and documented internal policies for staff that address privacy obligations under the law (up from 50% in 2017).
  - Four in 10 (39%) regularly provide staff with privacy training and education.
- Most companies have not experienced a privacy breach.
  - More than 9 in 10 (95%) companies have not experienced a privacy breach.
  - Concern about data breaches is polarized. Three in 10 (30%) companies are extremely concerned about a data breach, whereas exactly one-third (33%) are not at all concerned about a data breach.
  - High concern about a data breach has fluctuated over time, from a low of 24% in 2013 to this year’s high of 37%.
- Many companies have a high level of awareness of their responsibilities under Canada’s privacy laws.
  - More than half of business representatives think their company is highly aware of its responsibilities under Canada’s privacy laws (scores of 6 or 7 on the 7-point scale), including 40% who say their company is extremely aware of these responsibilities.
  - More than 7 in 10 (77%) companies have taken steps to ensure they comply with Canada’s privacy laws. Forty-six percent (46%) of companies that have taken steps to comply say that compliance was moderately easy (scores of 3 to 5 on the 7-point scale), and 37% say compliance was easy (scores of 1 or 2 on the 7-point scale).
  - Slightly more than one-third (36%) of companies are aware that the OPC has information and tools to help companies comply with their privacy obligations. However, nearly two-thirds (63%) are not aware that the OPC has resources available to help companies comply with their privacy
- Company size continues to be the strongest predictor of a company’s privacy practices.
  - Large companies (i.e., companies with at least 100 employees) are more likely to have put in place a series of privacy practices, to have policies or procedures in place to assess privacy risks, and to have a privacy policy.
The contract value was $74,242.36 (including HST).