
2023-24 Survey of Canadian businesses on privacy-related issues
Executive summary
Prepared for the Office of the Privacy Commissioner of Canada
Supplier Name: Phoenix SPI
Contract Number: CW2334458
Award Date: 2023-10-18
Contract Value: $72,252.20 (including applicable tax)
Delivery Date: 2024-03-06
Registration Number: POR 073-23
For more information, please contact: publications@priv.gc.ca
Ce rapport est aussi disponible en français.
Supplier name: Phoenix Strategic Perspectives Inc.
March 2024
This public opinion research report presents the results of a telephone survey conducted by Phoenix SPI on behalf of the Office of the Privacy Commissioner of Canada. The research study was conducted with 800 representatives of Canadian businesses between November 21 and December 21, 2023.
This publication may be reproduced for non-commercial purposes only. Prior written permission must be obtained from the Office of the Privacy Commissioner of Canada. For more information on this report, please contact the Office of the Privacy Commissioner of Canada at: publications@priv.gc.ca or at:
Office of the Privacy Commissioner of Canada
30, Victoria Street
Gatineau, Quebec
K1A 1H3
Catalogue Number: IP54-96/2024E-PDF
International Standard Book Number (ISBN): 978-0-660-71662-6
Related publications (POR registration number: POR 073-23):
Catalogue number (Final report, French) IP54-96/2024F-PDF
ISBN: 978-0-660-71663-3
Aussi offert en français sous le titre : « Sondage de 2023-2024 mené auprès des entreprises canadiennes concernant les enjeux liés à la protection des renseignements personnels »
Executive Summary
The Office of the Privacy Commissioner of Canada (OPC) commissioned Phoenix Strategic Perspectives (Phoenix SPI) to conduct quantitative research with Canadian businesses on privacy-related issues.
Purpose, objectives, and use of findings
To address its information needs, the OPC conducts surveys with businesses every two years to inform and guide outreach efforts. The objectives of this research were to collect data on the type of privacy policies and practices businesses have in place; on businesses’ compliance with the law; and on businesses’ awareness of and approaches to privacy protection. The findings will be used to help the OPC provide guidance to both individuals and organizations on privacy issues, and to enhance its outreach efforts with small businesses, which can be an effective way to achieve positive change for privacy protection.
Methodology
A 15-minute telephone survey was administered to 800 companies across Canada from November 21 to December 21, 2023. The target respondents were senior decision makers with responsibility for and knowledge of their company’s privacy and security practices. Businesses were divided by size for sampling purposes: small (1-19 employees); medium (20-99 employees); and large (100+ employees). The results were weighted by size, sector and region using Statistics Canada data to ensure that they reflect the actual distribution of businesses in Canada. Based on a sample of this size, the results can be considered accurate to within ±3.5%, 19 times out of 20.
Key Findings
Most Canadian companies are aware of their responsibilities under Canada’s privacy laws and have taken steps to ensure they comply with these laws.
- Eighty-eight percent of business representatives said their company is at least moderately aware of its privacy-related responsibilities, including close to half (47%) that are highly aware of these responsibilities. Since 2019, the proportion of companies highly aware of their privacy-related responsibilities has steadily declined, from 57% in 2019, to 52% in 2022, to 47% this year.
- Three-quarters (76%) of business representatives said their company has taken steps to ensure it complies with Canada’s privacy laws. Compliance has not changed in any significant way since 2019, and it remains higher than the baseline of 66% reported in 2017. The likelihood of taking steps to ensure compliance increased with company size, from 75% of small businesses to 94% of large businesses.
- Ninety-three percent of companies that have taken steps to comply with Canada’s privacy laws found it moderately or extremely easy to bring their personal information handling practices into compliance. The proportion of companies that found it very easy to comply has increased significantly this year, from 35% in 2022 to 56% in 2023.
- Underscoring the ease with which companies were able to comply with Canada’s privacy laws, few challenges with respect to compliance were identified: lack of knowledge (6%) or understanding of privacy laws (6%), difficulty integrating privacy measures with existing systems/processes (5%), lack of internal resources or a dedicated privacy team (4%), lack of technical skills (2%), and the financial cost of compliance (2%).
Awareness of the OPC’s information and tools for businesses has increased significantly, but only one in four have used these resources to comply with privacy obligations.
- Four in 10 (41%; up from 33% in 2022) surveyed business representatives are aware that the OPC has information and tools to help companies comply with their privacy obligations. Self-reported use of these resources has increased this year, from 17% in 2013 to 26% in 2023, but use continues to fall short of awareness due, at least in part, to lack of need, which was mentioned by 31% of those who knew of the OPC’s resources but said their company had not used them.
Half or more of Canadian businesses have implemented most of the privacy practices measured in the survey. Implementation is virtually unchanged since 2022, when a decline was reported across all measures. In addition to fulfilling their privacy-related responsibilities, many companies also reported using measures to safeguard personal information.
- Half or more of business representatives said their company has implemented the following privacy practices: designated a privacy officer (56%); put in place procedures for dealing with customer complaints about the handling of personal information (53%) as well as for responding to customer requests for access to their personal information (50%); and developed internal policies for staff that address privacy obligations (50%). Exactly one-third (33%) said their business regularly provides staff with privacy training and education. The likelihood of having implemented these practices increased with business size and was highest among large companies for nearly all measures.
- New this year, respondents were asked about security measures used to safeguard customer and employee information. Approximately eight in 10 business representatives said their company requires passwords to access accounts (83%) and controls employee access to electronic files (79%). Roughly half reported that their company uses multi-factor authentication (53%) and encrypts stored data (49%), while exactly one-third (33%) encrypt communications.
Many companies have a privacy policy in place, but over time, fewer companies report having one. Most companies that have a privacy policy use plain language to explain their practices with respect to customers’ personal information.
- Just over half (55%) of the business representatives surveyed said their company has a privacy policy. Over time, the proportion of companies with a privacy policy has declined, from a high of 65% in 2019, to 59% in 2022, to 55% this year. The likelihood of having a privacy policy is higher among larger businesses. Nearly nine in 10 (87%) large businesses have such a policy, compared to two-thirds (67%) of medium-sized businesses and approximately half (53%) of small businesses.
- When looking at whether companies have plain language disclosures in their privacy policies, the 2023 results are generally consistent with previous years. Most privacy policies explain in plain language the following: the purpose for which personal information is collected, used, and disclosed (85%); which personal information is being collected (81%); and the methods by which the company collects, uses, and discloses this information (80%). In addition, many said their company’s policy explains with which parties the information collected will be shared (70%) and how it will be disposed of (62%), while just over half (55%) said their policy explains the risks of harm in the event of a data breach. The one noteworthy change over time has been the proportion of companies that disclose, in plain language, for how long customers’ personal information is kept. This increased from 57% in 2022 to 67% in 2023.
- Business representatives who said their company has a privacy policy were also asked whether their company communicates with customers about different aspects of its privacy practices. The most significant year-over-year changes are declines in the proportion of companies that explain how customers can file a formal privacy complaint (from 60% in 2022 to 49% in 2023), that make privacy information easily accessible (from 70% in 2022 to 60% in 2023), and that explain how customers can request access to personal information (from 69% in 2022 to 59% this year).
Few companies have experienced a data breach, but half are prepared to respond to a breach involving personal information.
- Ninety-three percent of companies reportedly have not experienced a privacy breach. The incidence of reported data breaches has been consistent for the last decade (4% in 2013, 2019, and 2022 and 6% in 2023).
- More than eight in 10 (84%) respondents said their company is at least somewhat prepared to respond to a data breach involving personal information, including close to half (46%) who said their company is highly prepared for such an event.
Contract Value
The contract value was $72,252.20 (including applicable tax).
Statement of Political Neutrality
I hereby certify as a Senior Officer of Phoenix Strategic Perspectives that the deliverables fully comply with the Government of Canada political neutrality requirements outlined in the Communications Policy of the Government of Canada and Procedures for Planning and Contracting Public Opinion Research. Specifically, the deliverables do not contain any reference to electoral voting intentions, political party preferences, standings with the electorate, or ratings of the performance of a political party or its leader.
Original signed by
Alethea Woods
President
Phoenix Strategic Perspectives Inc.