Privacy Management Program
For a number of years, the Airport Authority has had comprehensive policies and protocols aimed at complying with the applicable laws relating to private information belonging to our employees, our passengers and our business partners. As a private federal organization, the Airport Authority is subject to federal privacy legislation, specifically the Personal Information Protection & Electronic Documents Act. We care strongly about upholding privacy laws—this is in keeping with our corporate values of trust and accountability. Privacy matters are overseen by the Airport Authority’s Vice President Legal, General Counsel & Corporate Secretary, in her capacity as Privacy Officer, as well as a Privacy Committee comprised of the Privacy Officer, Vice President Human Resources and Supply Management, Vice President Operations and Maintenance and Vice President Information Technology and Chief Digital Officer.
Throughout 2016, we focused on building on the existing strong foundation to develop an expanded framework for our Privacy Management Program, with the goal of making it even more robust and comprehensive. Some of the elements of the expanded Privacy Management Program are as follows:
- Cyber Security/Privacy Team—recognizing that privacy and cyber security go hand in hand, we have put together a cross-departmental team (Legal, IT, Operations/Security, Communications, HR) to respond to privacy breaches, to be supported by external legal counsel.
- Expanded Policies—we are developing a new Privacy Breach Policy and reviewing and updating our existing privacy policies.
- Data Mapping—in order to understand the information life cycle for each type of personal information that we collect, we are applying a data mapping approach to proactively answer questions about the personal data we are charged with safeguarding.
- Incident Response Plan—in the event of a privacy breach, we would immediately engage the Cyber Security/Privacy Team to contain the breach, evaluate the risks of the breach with reference to our applicable data mapping, notify appropriate individuals and, if necessary, the Canadian Privacy Commissioner and affected customers or employees, and mitigate the immediate breach.
- Training and Testing—we are developing privacy and cyber awareness training and expect to begin rolling it out in 2017. The training will include a video module element so that new employees can receive the customized training at the beginning of their employment and others can refresh their training annually or as otherwise required. We will also be implementing regular testing of the program and our protocols.