Inside Internal Controls

News and discussion on implementing risk management

Privacy Compliance and Management

CASL enforcement: Recent trend

It can be relatively difficult to read the tea leaves in the CRTC’s approach to CASL enforcement, because there is little public record of those enforcement activities. This was noted by the Standing Committee on Industry, Science and Technology, in its statutory review of the Act. However, what signs do exist suggest that enforcement activities are accelerating. In 2016 and 2017, the CRTC announced only one undertaking in a CASL proceeding. By contrast, in the first quarter of 2018, there have already been two.

 

Overarching limit on the collection, use and disclosure of personal information

A key takeaway for organizations is that it is not enough to comply with other provisions in PIPEDA, for example, obtaining meaningful consent. Organizations must still show that their purposes for collecting, using or disclosing personal information are those that a reasonable person would consider appropriate in the circumstances.

 

Is there an ROI for investing in cyber or information security?

Is ROI on cyber really as high as it may seem at first glance? At some point, it may be better to consider cyber risk as a “cost of doing business”. If you can’t actually reduce the likelihood of a breach, can you at least increase the likelihood of prompt detection and response?

What is an internal control, really?

What is a control, at an abstract level: what is it supposed to achieve, and how is it supposed to operate within an organization?

 

Working together works: Ontario Securities Commission approves reduced sanction for insider tipper who cooperated with investigation

The OSC recently approved a settlement agreement in which the respondent admitted to providing material non-public information to a third party. The order in Re Hutchinson, which did not include an administrative penalty or disgorgement of profits, was held to be in the public interest given the respondent’s cooperation and other mitigating factors.

 

514-BILLETS gets billed by the CRTC for CASL violations

This case reminds organizations that CASL applies to any form of CEM, even text messages, used to promote products and services, and that the CRTC is actively monitoring and responding to complaints involving different types of CEMs.

 

An idea to help drive effective risk management

We want all decision-makers to consider all the potential consequences of their decision (in fact, all the potential consequences for each option on the table) before making an informed and intelligent judgment. What if the quality of decision-making were a significant factor in assessing performance, thus affecting compensation and career progression? This idea could help drive effective risk management.

Guidance on recording of customer telephone calls updated

The Office of the Privacy Commissioner of Canada recently updated its information and guidance on recording of customer telephone calls to bring it up to date and make it web-friendly and responsive to user feedback.

10 top ways to be a wildly effective compliance officer

To be wildly effective, compliance officers should have a positive working relationship with the other functions in the business, especially Legal, Audit and Human Resources.

 

It’s official: Mandatory data breach notification coming on November 1, 2018

The coming into force of mandatory breach notification and record-keeping requirements on November 1, 2018 should be viewed by organizations as an effort to align Canadian legal and regulatory requirements with those in the United States and Europe (especially with the General Data Protection Regulation – or GDPR – coming into force in May 2018).

Rejected job applicants obtain disclosure of application records under privacy law

PIPA governs how private organizations handle personal information and creates rules regarding its collection, use, and disclosure. Section 23(1)(a) of PIPA gives individuals the right to access their personal information that is under the control of an organization.

 

A step-by-step guide to creating a cybersecurity plan

The first step is easily accomplished by reviewing a few definitions. The second step is trickier. The third step may involve a lot of work, but you can start with six straightforward steps.

 

Privacy damages awarded for commercial use of a person’s image in a public setting

Organizations which use images for commercial purposes would be wise to seek the consent of all persons appearing in such images, even where the images are made in a public setting.

 

Artificial intelligence: The year in review

The regulatory landscape impacting AI continues to evolve both domestically and abroad. As we begin the new year, we pause to reflect on some of 2017’s most notable developments in AI and prepare for new trends to watch out for in 2018.

 

Whistleblower protection: Employers need to create a speak-up environment

It is incumbent on Canadian employers to take whatever steps they can to implement systems that would allow whistleblowers to step forward without fear, and speak up without punishment.
