An Introduction to the Privacy Toolkit

Privacy and freedom of expression are fundamental human rights. People sharing personal data with your organization trust in your ability to handle their information with care.

Good privacy practices are not just a good idea – it’s the law and it’s mandatory for your organization to do business. You have the responsibility to ensure that data is accurate, used appropriately, and kept secure.

While the world of privacy can seem daunting, we are here to help. The Privacy Toolkit will establish your organization’s current threshold in privacy and security and help guide you to where you need to be!

ryerson university - HPE logos

The Privacy Toolkit is a joint initiative between Hewlett Packard Enterprise and Privacy by Design Centre of Excellence at Ryerson University.

What to expect

What to expect

Through The Privacy Toolkit, you will:

  • Complete a self-assessment of your current environment.
  • Map how data flows within your organization.
  • Learn practical guidance and procedures on how to ensure your organization is dealing with sensitive customer data in a safe and appropriate manner.

Why Do You Need to Care About Privacy?

People everywhere increasingly rely on information technology (IT) to manage their daily lives. They also expect their personal information to be protected. As an organization, you have the duty to ensure you responsibly manage the personal information you collect. Here are four reasons you need to take action today.

  1. Regulation: There is Canadian privacy legislation (the Personal Information Protection and Electronic Documents Act or PIPEDA 1) that sets out the ground rules for how businesses subject to the law must handle personal information in the course of commercial activities.
  2. External Stakeholder Demand: Your auditor or insurance company (and even your investors and customers) may ask you about how your business deals with privacy.
  3. Risk: One of your peers or competitors was hacked or involved in a privacy investigation by the regulator.
  4. First Mover Advantage: Dealing with privacy early is good for your business. By showing your leadership in this space, it will put you ahead of your competition

Why Embedding Privacy is Good for Your Business

Your business is accountable for the way you handle information. You need to have appropriate privacy and security practices that protect individuals from social, financial and physical harm that may come from the mismanagement of their personal information. At the same time, the organization needs to ensure that you are still able to achieve your business goals. A number of companies have been building programs where privacy is built into core business processes. This is called Privacy by Design and will be the basis for the toolkit.

What is Privacy by Design? In this video, Dr. Ann Cavoukian, global privacy expert and creator of Privacy by Design, will walk you through the framework.

Watch video

The 7 Foundational Principles of Privacy by Design

These are the principles that should anchor anything your business does when personal information is involved. They aspire to go beyond compliance and reactive approaches to privacy and security risks. Good privacy doesn’t just happen by itself – it requires proactive and continuous goal-setting at the earliest stages.

  • 1 Proactive not Reactive, Preventative not Remedial

    Take action to anticipate and prevent privacy invasive events before they happen. The aim is to prevent the breaches from occurring. Leadership / senior management play an integral role in the formation, execution and measurement of an easy to follow privacy program.

    2 Privacy as the Default Setting

    Deliver the maximum degree of privacy by ensuring that personal data are automatically protected in any given IT system or business practice. No action should be required on the part of the individual user to protect their privacy – it should be built into the system, automatically – by default.

    3 Privacy Embedded into Design

    This is about making privacy an integral part of the culture of the business, whether it involves governance, business processes and technologies.

    4 Full Functionality - Positive-Sum, not Zero-Sum

    The essence of this principle is that multiple, legitimate business interests must and can coexist with privacy. Privacy should not be viewed as a barrier to business objectives.

  • 5 End-to-End Security - Full Lifecycle Protection

    Information security is the key to privacy. Whether at rest, in motion, in use, or at point of disposal, personal information must be protected from unauthorized access.

    6 Visibility and Transparency – Keep it Open

    A strong privacy program inspires trust in an organization. Taking action to help customers/clients understand how you protect their privacy by being open about your practices is a major first step.

    7 Respect for the User – Keep it User-Centric

    The privacy interests of the end-user, customer or citizen are paramount. Always consider user-friendly approaches.

The Privacy Toolkit Steps

It's time to get started on your journey through The Privacy Toolkit. Follow steps 1 to 5, answering the questions with your organization in mind.

Step 1 - Establishing your Baseline Step 2 - Company Assessment Step 3 - Privacy Toolkit Checklist Step 4 - Data Map Step 5 - Continual Improvement

The below figure is the Privacy and Security Maturity Scale. It represents the stages a company will go through on their privacy and security journey. Think about where your organization falls on this scale. This will help you assess where you are starting out and where you want to be in your approach to privacy and security. You should use this scale to chart and then track your progress.

Note that while we hope this is a continual journey forward, you should continually visit and readdress where your organization is on the Privacy and Matrutiy Scale. In certain cases, events can cause companies to backslide (such as a change in management or personnel).

Click Here to Download the Matrix


Social Media Policy Template

This template will help draft and produce social media policies that can be applied to organizations of all sizes.

Find out more

Educating Employees

Training employees on privacy is essential in every organization that handles personal information.

Find out more

Sample Privacy Clause for Code of Conduct Agreement

It is common for new employees to sign a code of conduct agreement when they begin work. This template can be downloaded as a PDF and includes fillable text fields so that you can customize it for your organization.

Find out more

Glossary of Definitions and Terms

Refer to this glossary to understand the terms that are used in the Toolkit.

Find out more

Checklist Resources

Click here to see the full list of recommended resources from the Checklist.

Find out more

About us

The Privacy Toolkit is a joint initiative between Hewlett Packard Enterprise and Privacy by Design Centre of Excellence at Ryerson University. Knowing that Canada is a land of small and medium businesses, HPE and Ryerson wanted to focus on creating a suite of resources to help raise education levels around privacy and security issues.

This toolkit was created by industry leaders and is available to you free of charge.

Hewlett Packard Enterprise

People everywhere increasingly rely on information technology to manage their daily lives. They also expect their personal information to be protected.

Hewlett Packard Enterprise understands the importance of privacy to the consumers and organizations. Our privacy strategy is based on providing transparency and choice for HPE customers worldwide. We create a chain of accountability for data privacy and security throughout our business and apply Privacy by Design in the product development process.

Our Privacy Office works with government agencies, lawmakers, regulators, nongovernmental organizations, and industry groups to encourage a more unified and robust approach to privacy regulation worldwide. While some variation by country is inevitable, we support more global interoperability of privacy regulations.

Find out more

Privacy by Design Centre of Excellence

The Privacy by Design Centre of Excellence at Ryerson University a one-stop shop for all things associated with embedding privacy and security into the design of one’s operations, be they tech-related code, data architecture, IT, or involving policy, compliance or legal matters. Proactively identifying the potential risks and then embedding privacy-protective measures directly into your operations, right from the outset, can prevent the privacy harms from arising.

The Privacy by Design Centre of Excellence is led by Dr. Ann Cavoukian, the Distinguished Expert-in-Residence for Privacy and Data Analytics. Dr. Cavoukian is the creator of Privacy by Design's 7 Foundational Principles framework which has been included in the upcoming E.U. General Data Protection Regulation.

Dr. Ann Cavoukian is recognized as one of the world’s leading privacy experts. Appointed as the Information and Privacy Commissioner of Ontario, Canada in 1997, Dr. Cavoukian served an unprecedented three terms as Commissioner. During that time, she elevated the Office of the Information and Privacy Commissioner from a novice regulatory body to a first-class agency, known around the world for its cutting edge innovation and leadership.

Find out more


We’d like to acknowledge the many organizations who helped in the development of The Privacy Toolkit:

  • Organizers and attendees of the 2017 Privacy and Access Council of Canada Congress
  • Todd Crystal, Spencomp Solutions Inc.
  • Alex Bichuch, IPConnectX Corp.
  • Contact us

    Need more assistance?

    Speak with one of our experts about protecting your enterprise today.

    Let's talk


    Let us know what you think about the Toolkit.


    1. The Privacy Toolkit acknowledges there is a variety of Privacy and Security legislation across Canada; however for the purposes of this Toolkit we are limiting the referencing to PIPEDA.