The Privacy Toolkit
Guidance for Small & Medium Businesses

Educating Employees

Training employees on privacy is essential in every organization that handles personal information. Providing privacy training to your employees, which may be required by privacy laws, will help achieve the following:

  • Prevent privacy breaches: Having employees trained on privacy is one of the most effective methods of preventing privacy breaches. Contrary to popular belief, most privacy breaches are caused by employees, not external hackers.
  • Improve customer service: Employees who are aware of their organization's privacy practices are better equipped to deal with questions from the public and to minimize potential customer frustration.
  • Reinforce corporate culture and values: Providing training on privacy reinforces core values and demonstrates your organization's commitment to sound business practices.
Getting started

In order to determine the best training strategy for your business, you must first know what types of personal information are being collected, disclosed and retained. Only then can employees be classified by the skill level required by their responsibilities. To organize staff training sessions on information risk, it is useful to group employees based on their information access and authorization levels.

What Is Personal Information?

Personal information is defined as information about an identifiable individual but generally does not include business contact information. Personal information includes names, birth dates, addresses and credit card numbers.

Sensitive information requires additional care because of its importance to the individual. This information might include financial or health information.

Employee Awareness

Employee Awareness Levels: What Each Employee Should Know

  • Basic: Employees who do not deal with personal information but require a basic understanding of privacy concepts

  • Familiar: Employees who handle personal information as part of their duties, such as order processing and customer service

  • Expert: Employees who require a more thorough knowledge of the business's privacy policy, practices and compliance obligations. These employees often have a supervisory role in departments that handle personal information. Privacy officers would also fit into this category

Basic Awareness

All employees should, at a minimum, have a basic understanding of privacy concepts. Employees who do not usually deal with personal information may find that, from time to time, they do come into contact with personal information and, thus, should be aware of basic privacy concepts. The possibility that some employees might come into contact with personal information may be remote in some organizations. In these circumstances, organizations may wish to assess whether privacy training is warranted for these employees.

Every employee should be aware of the following basic privacy concepts:

  • What privacy is and the definition of personal information
  • Why maintaining privacy is critical for the business
  • What personal information is collected and what it is used for
  • What the privacy laws dictate
  • What privacy policy the business follows
  • Who the privacy officer is and how to contact this individual

Familiar Awareness

Every employee requiring a familiar level of awareness also needs to know the business's privacy practices and procedures, such as:

  • How to direct customers to the company's written privacy policy
  • How customers can access their personal information
  • How to protect personal information, especially when using a wireless or portable device that may contain personal information
  • How to direct complaints and concerns to a designated privacy official
  • How to get consent before or at the time personal information is collected
  • The purpose for which the personal information is being collected
  • A deeper understanding of the 10 privacy principles
  • The situations that require referral to a privacy expert, such as an unusual access request or a potential data breach

Expert Awareness

Expert employees are required to demonstrate a thorough knowledge of the company's privacy policy and procedures as well as the privacy legislation.

They must demonstrate:

  • A familiarity with the company's data breach procedures
  • An ability to educate new employees on the firm's privacy practices
  • An understanding of the protections needed when disclosing personal information to a third party

©2015 CPA Canada. Excerpts from The Canadian Privacy and Data Security Toolkit are reproduced here for your use with the permission of the Chartered Professional Accountants of Canada. It should not be copied or distributed in any form without permission of the Chartered Professional Accountants of Canada.