An Overview of the Personal Information Protection and Electronic Documents Act for Businesses and Organizations

PDF Version

---

Notes:

A message from the Office of the Privacy Commissioner of Canada

Canadian businesses need to be fully aware of how the private sector privacy law, the Personal Information Protection and Electronic Documents Act - or PIPEDA - affects their business. This Power Point presentation can be downloaded and used by organizations to help sensitize them to privacy issues and concerns, and to help them comply with the Act. This presentation also explains why implementing good privacy practices simply makes good business sense.

---

---

---

Notes:

As business owners, managers and employees, we are all concerned that our businesses, as well as the ones that we work with, are well managed, competitive and profitable. Since January 2004, we also have to be concerned about protecting the privacy of our customers. This is because, since January 1, all businesses in Canada that collect, use and disclose personal information have to comply with either the Personal Information Protection and Electronic Documents Act (PIPEDA), legislation implemented by the federal government to protect the privacy of Canadians in the private sector, or with a substantially similar provincial law.

PIPEDA sets out ground rules for how private-sector organizations may collect, use and disclose personal information in the course of their commercial activities.

There are some businesses that may already be familiar with PIPEDA because they are already engaged in activities covered by the Act - such as sharing information across borders, for example.

But for those of us who aren't yet familiar with it, there's no time like the present - because it's the business environment in which we are now all operating.

PIPEDA is good news for Canadians and for businesses, and hopefully this presentation will allay any fears or concerns you may have about its recent implementation.

---

---

Notes:

Privacy is often called "the right to be let alone". That's a good enough definition, as far as it goes. It reflects people's instinctive reaction to being monitored or scrutinized or bothered. That's what "invasion of privacy" means to many people.

But there's another kind of privacy invasion that's less obvious, and that's the collection, use and disclosure of information about us without our knowledge or consent.

That's why the Office of the Privacy Commissioner of Canada defines privacy as the right to control access to one's person and information about oneself.

This definition is useful for understanding how our privacy is becoming threatened.

After all, our privacy used to be protected by default. As long as information about us was in paper records scattered over a lot of locations, someone would have had to go to a lot of trouble to invade our privacy. Unless you were famous or important, or "notorious", your privacy was pretty safe.

But those barriers of time, distance and cost are gone. With developments in computing technologies, databases, surveillance technologies, biometric identification and genetic testing, a stranger with access to a computer and an Internet connection can compile a detailed file on our whole lives in a matter of minutes.

This scenario exemplifies at a broad level why we need to be concerned about protecting our privacy.

---

---

Notes:

Our privacy is sometimes called "the right from which all our freedoms flow".

You can't have freedom of speech, association, or thought, for example, in a society where your every move is watched, your every activity known, and your every preference monitored.

Privacy is an innate need. When you go home at night, you probably close the blinds. It's not that you're trying to hide something. You just instinctively need your privacy, your freedom from being observed.

In Canada we have the right to anonymity as we go about our business. That is why we, as individuals, businesses and as a society, must be prepared to go to considerable lengths to ensure that our privacy and the privacy of our clients and customers is respected in our commercial activities. Which brings us to PIPEDA, because one of the ways that Canadians have responded to the challenge of privacy protection is to legislate to protect privacy.

---

---

Notes:

Adhering to good privacy practices simply makes good business sense.

If people don't trust businesses, if they see businesses twisting consent or unjustifiably inferring it, they'll undermine the system. They'll refuse to give information, or will give false information. They'll swamp companies with complaints. They'll reject things that might be of benefit to them, out of frustration and resentment. And they'll look for competitors who do respect their privacy.

Protecting privacy is a key element of good customer relations and that makes it a key element of competitive advantage.

---

---

Notes:

PIPEDA is new legislation implemented by the federal government to protect the privacy of Canadians in the private sector. The Act sets out ground rules for the collection, use and disclosure of personal information. The Act reflects the realities of the business world, rather than some abstract Ottawa thinking. It's based on the Canadian Standards Association's Model Code for the Protection of Personal Information. That Code, which is actually incorporated into the legislation, came out of a collaborative effort by representatives of government, consumers, and business groups. These groups met and discussed the development of a code as a way of enhancing the business environment.

Canada is actually the first country in the world to have private sector privacy legislation that is based on a collaboratively-developed national standard. These groups recognized that good privacy is good business, and that protecting their customers' rights and treating their personal information with respect gave them a competitive advantage. The Act ensures that an organizations' legitimate need for personal information can be balanced with the privacy rights of individuals. Where there is oversight, the Office of the Privacy Commissioner of Canada is there to help businesses. The Commissioner's role is to be an ombudsman, not an enforcer. The Commissioner is interested in finding solutions to privacy problems, not in finding someone to blame for them.

So what is PIPEDA all about then and what will you have to do to implement it? Basically it means that an organization that wants to collect, use, or disclose personal information about people needs their consent, except in a few specific and limited circumstances.

• It can use or disclose people's personal information only for the purpose for which they gave consent.
• Even with consent, the organization has to limit its collection, use, and disclosure of personal information to purposes that a reasonable person would consider appropriate in the circumstances.
• Individuals have the right to see the personal information that an organization holds about them, and to correct any inaccuracies.
• There's oversight, through the Commissioner and the Office, to ensure that the law is respected, and redress if people's rights are violated.

A common misconception to be aware of is that some people believe that PIPEDA applies only to Web sites, e-commerce or businesses operating on the Internet. This is simply not the case. The Act applies to all businesses whether they conduct their business electronically or not.

---

---

Notes:

Since January 1, 2001, PIPEDA has applied to all personal information that's collected, used, or disclosed in the course of commercial activities by federal works, undertakings, and businesses. Those are primarily banks, airlines, telecommunications companies, broadcasters, and interprovincial or international transportation companies. It has also applied to the personal information of employees in those organizations. And it has also applied to personal information held by provincially-regulated organizations when it's sold, leased, or bartered across provincial or national boundaries.

Beginning on January 1, 2004, PIPEDA applies right across the board - to all personal information collected, used, or disclosed in the course of commercial activities by all private sector organizations, except in one special circumstance. Where a "substantially similar" provincial law does not apply.

The Minister of Industry expects to that provincial or territorial legislation should incorporate the ten principles of the Schedule 1 of PIPEDA, provide for an independent and effective oversight and redress mechanism with powers to investigate; and restrict the collection, use and disclosure of personal information to purposes that are appropriate or legitimate.

British Columbia, Alberta and Quebec are the only provinces that have legislation deemed substantially similar.

The result will be that the principles of PIPEDA are part of the business environment throughout Canada.

---

---

Notes:

Personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:

• age, name, ID numbers, income, ethnic origin, or blood type;
• opinions, evaluations, comments, social status, or disciplinary actions; and
• employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).

Personal information does not include the name, title, business address or telephone number of an employee of an organization.

---

---

Notes:

The application of the Act expanded in 2004 to commercial activities that normally fall under provincial jurisdiction. But it didn't extend to employment in those activities. The only place PIPEDA applies to employment is in federal works, undertakings, or businesses.

This means that if you are operating a federal work, undertaking or business - PIPEDA applies to your employment practices.

But for the rest of businesses, it does not.

It's a good idea for businesses and organizations to review their privacy practices in employment anyway, because it's very likely that provincial privacy laws will apply to employment.

---

---

Notes:

This brings us to a few steps that businesses can take to become compliant with the Act.

First, review your privacy practices. You should consider applying this practice to your employment practices also. Because it's very likely that provincial privacy laws will apply to employment.

Second, appoint an individual to have overall responsibility for privacy throughout your organization. In large organizations, the Chief Privacy Officer fills this role, but for most businesses, it would be reasonable to have an individual fulfil this role as a part-time responsibility. This would assure that your privacy responsibilities and issues are addressed.

Third, familiarize yourselves with the role of the Office of the Privacy Commissioner of Canada. They can help you understand what you can do to comply with the Act.

---

---

Notes:

You should probably know a little bit more about the Office of the Privacy Commissioner of Canada. To begin with, the Privacy Commissioner is an independent Officer of Parliament.

The first major aspect of the Commissioner's mandate is oversight. That includes investigating and adjudicating complaints under PIPEDA and the Privacy Act, which is a similar law that has applied to the federal public sector for the last twenty years.

In an oversight role, the Commissioner acts as an ombudsman. She uses negotiation and persuasion to find solutions. It's not about blaming or punishing organizations. The Commissioner has full investigative powers, and if it's necessary in an investigation, can order the production of documents, enter premises, and compel testimony. But in twenty years of the Privacy Act, the Commissioner has never had to use those powers. The Office of the Privacy Commissioner has always been able to get voluntary cooperation. That's been the case so far with PIPEDA as well, and the Office is confident that it will continue to be the case.

If the Commissioner concludes at the end of an investigation that an organization is violating privacy, the Commissioner recommends how the problem can be fixed.

The Commissioner doesn't have order-making powers, but does have a number of means to ensure that privacy rights are respected and that his recommendations are not ignored.

For example, if an organization won't comply, the Commissioner has the sanction of being able to make the problem known publicly and then rely on public opinion to move things forward.

Or the Commissioner can ask the Federal Court to order compliance, and even to award damages to people whose privacy rights have been violated.

The second major aspect of the Privacy Commissioner's mandate is public education - to raise awareness among Canadians about their rights, and organizations their obligations, under federal privacy laws.

---

---

Notes:

PIPEDA came about because the government recognized that the lifeblood of modern business is personal information.

Businesses depend on personal information, to stay in touch with their customers, seek out new customers, and find out what the market is looking for and what it will bear. And they want information about their employees, so that they can administer benefits and ensure a safe and productive workplace.

Getting and using that personal information in ways that don't offend privacy, as we have seen - that's the challenge for modern businesses. The proper treatment of personal information is key - it helps to maintain a business' image, gains and retains the trust of customers, assures that there is accurate information for marketing purposes and ultimately gives the business a competitive advantage in the market place.

We can see, that good privacy is, in the end, good business. And that may be the most important implication of Canada's privacy law.

For more information you can contact the Office of the Privacy Commissioner of Canada at 1-800-282-1376 or visit their Web site at www.priv.gc.ca.