Ten tips for avoiding complaints to the OPC

April 2013

1. Post contact info for your Privacy Officer on your website

Every organization subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) is specifically required to designate an individual who is accountable for its compliance with the Act (often called a Privacy Officer), and to make the identity of the Privacy Officer known on request. Contact information for this individual should be prominently posted on your website, and your customer service representatives need to know this information or how to direct customers to it.  

More info in our “Getting Accountability Right with a Privacy Management Program” document.

2. Train staff about privacy

Put basic information on privacy protection responsibilities (and the designated privacy officer contact info) in tools and training for staff, especially customer service representatives and staff designing new customer products or forms, or new record keeping systems.

More info in our “Getting Accountability Right with a Privacy Management Program” document.

3. Take responsibility for employee actions

Sometimes employees disregard policies related to privacy (deliberately or by accident). Organizations must be aware that employee error is not an excuse for PIPEDA violations; it is not enough to simply have privacy-sensitive policies. To meet your PIPEDA responsibilities you need safeguards that reinforce these policies, which may include: staff training/retraining, consequences for not following procedures, limits on employees’ access to personal information they don’t need, and/or safeguards against mass copying of information to portable devices (if warranted).

More info in our “Getting Accountability Right with a Privacy Management Program” document.

4. Limit collection of personal information

PIPEDA requires businesses to ask for the least amount of personal information to meet the purpose of providing the product or service and to clearly tell customers why they are collecting it.  You may ask for information that goes beyond the purpose of providing the product or service if you make it clearly optional; or you may ask for consent to use information for secondary purposes, such as marketing, if you make it optional.

More info in our “Getting Accountability Right with a Privacy Management Program” document and our “Privacy and Online Behavioural Advertising” guidelines.

5. Make SINs optional

Make it clear (on all forms and with staff training) that customers don’t have to provide a Social Insurance Number to access products or services (unless there is a legal requirement to collect the SIN).  A SIN is not required to do a credit check. 

More info in our “Best Practices for the use of Social Insurance Numbers in the private sector” fact sheet.

6. Driver’s licences – you can look, but don’t record

If you need to validate an individual’s address or identity, it is generally acceptable to examine a driver’s licence, but you should not photocopy it or record the driver’s licence number, except in rare circumstances. This number is sensitive and valuable to those who intend to commit identity crimes.

More info on our Driver’s licences page.

7. Tell customers about video surveillance

Even if you are not retaining the footage, video surveillance constitutes collection of personal information, so you should only use it if you have a real need to do so.  You should also post clearly visible signs to let people know that video surveillance is being used, and to give contact information for complaints or questions about surveillance.

More info in our “Guidelines on Overt Video Surveillance in the Private Sector” document.

8. Protect personal information

If you decide to collect personal information, you should use safeguards proportional to the sensitivity of the information. For example, be particularly careful with health and financial information, or information that would facilitate identity theft. As well, avoid collecting and keeping any personal information you don’t need (e.g. check someone’s identification, but do not keep a copy); if you do keep it, lock it up. Encrypt any laptops, hard drives, mobile devices and USB keys that may contain personal information.

More info in our “Securing Personal Information: A Self Assessment Tool for Organizations” resource.

9. Respond to access requests

Your customers (and, if you are a “federal work, undertaking or business”, your employees or applicants for employment with your organization [Footnote 1]) are entitled to access any information you have that relates to them as an identifiable individual, within 30 days and at little or no cost. This includes written information, and video and audio records. When responding to access requests, you should protect the personal information of third parties and be aware that there are some exceptions to the right of access.

More info in our “Accessing Personal Information under PIPEDA – What businesses need to know” fact sheet.

10. Be up front about your collection and use of personal information

If you are not able to specifically explain why you need a particular piece of personal information, you increase the chances of your customers being wary of your practices.

Lastly, feel free to call us at 1-800-282-1376. The OPC is mandated to balance the protection of privacy with the legitimate needs of businesses – we’re here to help. You can also check the Resources section of our website for useful guidance. As a starting point, see our Guide for Businesses and Organizations.

Footnote 1

For information on whether your organization is a federal work, undertaking or business, see our fact sheet: Application of the Personal Information Protection and Electronic Documents Act to Employee Records.
