Protecting privacy builds trust

Anne-Marie Hayden

I joined the Canadian Museums Association (CMA) in July 2019 following 18 years with the Office of the Privacy Commissioner of Canada (OPC). I am very pleased to have the opportunity to share some best practices in privacy protection with Muse readers, now that I have made this shift to the heritage sector.

At the OPC, I was responsible for communications. I readily admit that I was not in the compliance area, investigating complaints, nor was I in the legal area, determining jurisdiction or taking matters to court. However, given my team’s ambitious public education agenda, increasing awareness among individuals of their privacy rights and organizations of their privacy obligations, along the way I picked up a thing or two about privacy protection that I am more than happy to share.

There are many good reasons for making sure your museum manages privacy issues properly. First, there’s a good chance that you’re legally obligated to. Whether it be through the application of a private sector law or a public sector one, it’s likely that a privacy law applies to your operations.

Second, there’s the issue of trust. Museums are built on public trust. Part of building onto this platform of trust is ensuring that you are always doing the right thing when it comes to managing personal information. Just imagine how difficult it would be to rebuild the trust you have with your stakeholders if you mismanage a data breach. It can have a devastating effect on reputation.

Third, it’s the ethical thing to do. Plain and simple, people in today’s world recognize that they will provide you with a certain amount of personal information, but the expectation is that you treat that information respectfully, that you protect it, and that you only use it for the purposes for which it was provided to you.

Building a privacy management framework need not be an impossible task and is scalable, depending on whether you are a large or a smaller organization.

If you just take a step back and start planning, and asking yourself some important questions at the outset, you’ll soon find yourself building privacy into your daily operational decisions. You’ll begin to use the concept of Privacy by Design — the idea of building privacy protections in at the outset. The protection of personal information will be the default and you’ll soon realize that doing privacy properly is a business enabler.

So, what do you need to get started?

First, you should determine what legislative landscape might apply to you. While the law isn’t everything when it comes to doing privacy properly, it is a key starting point. So, whether it be the federal Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to commercial activities in most provinces and territories, one of the “substantially similar” provincial laws (for example, in Quebec, Alberta and British Columbia) or a public sector law like the federal Privacy Act, there’s a good chance there’s a law that contains the basic framework of what you need to do.

Once you know what legal framework applies to your organization, then spend a bit of time determining what personal information you collect — doing your personal information inventory. Consider, for example, day-to-day visitorship, membership, marketing and communications, special events, retail, educational programs, public consultations, and managing employees and volunteers.

After you determine the various business lines that might involve collecting personal information, then you should determine exactly what those fields of information are. For the most part, personal information is defined as any information about an identifiable individual. To be clear, this is a broad definition and, indeed, the courts and the privacy commissioners have interpreted this liberally. And different laws across Canada also define it differently.

You need to figure out what role consent plays in relation to how you handle personal information. If you are legally required to have someone’s consent (for example, in emailing them), do you have mechanisms in place to make sure you’ve captured that consent and that it’s truly meaningful?

Your privacy policy or statement tells people what you’re doing when it comes to the collection, use or disclosure of personal information. We’ve all seen less than ideal privacy notices — the ones that are written in incomprehensible legalese, in eight-point typeface, that run on for miles. But do those really help in obtaining meaningful consent?

In your privacy statement, in clear and direct language, you must describe the types of personal information you collect, who you share it with, and any risks associated with it. You also have to make people aware if the personal information you’ve collected might be stored in or accessed from another country.

Another important aspect of doing privacy properly is implementing appropriate safeguards. These might be technical or physical in nature. You’re expected to protect personal information using a reasonable system that takes into account the sensitivity of the information you have. One common rule of thumb is that all personal information should be encrypted and that you need to have processes in place to ensure that personal information can only be accessed by those who have a need to know.

Depending on the size of your organization and the amounts and types of personal information you collect, you need to appoint one or more individuals to be responsible for privacy and make privacy protection part of their job description. These individuals can help ensure that your museum:

  • Only collects the minimal amount of personal information
  • Always has a legitimate purpose for collecting personal information
  • Makes that information accessible to those who may request access to their own information
  • Keeps it secure and properly destroys the data when it has served its purpose

The idea in this report was to give you a sense of some of the privacy requirements that are not only necessary but expected by individuals, who care about their privacy now more than ever.

The good news is that, so far, museums do not appear to be on the radar of privacy regulators. Muse reached out to federal and provincial privacy commissioners’ offices in preparing this report. Most offices noted few to no complaints about museums’ privacy practices over the past several years. Where there were investigations, they were either in response to a privacy breach or related to an individual’s rights of access to their personal information.

It’s clear that museums play an increasingly important role in society — a society that is, more and more, running on data, including personal data, and that this brings about a wide range of benefits. In a world in which museums count on the trust engendered to them by the public, maintaining that trust is fundamental. Doing privacy protection well can help.

It’s a good idea to seek out the help of a privacy professional. My former employer, along with provincial and territorial colleagues, also offers some excellent guidance. The International Association of Privacy Professionals (IAPP), meanwhile, also has a wide variety of resources and is a great way of connecting with experts in the field. The IAPP also has an online privacy art gallery that I encourage you to visit.

Anne-Marie Hayden
Deputy Director, Public Affairs and Museum Advancement
Canadian Museums Association

This museological report has been made possible through funding from the Government of Canada. This report was also published in Muse Magazine, November/December issue, 2019.