Complying with the Personal Information Protection and Electronic Documents Act
In Canada, we are protected by two federal privacy laws. The Privacy Act covers the personal information-handling practices of the federal government and the Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's new private sector privacy law, which came fully into effect on January 1, 2004. The Office of the Privacy Commissioner of Canada is here to help provide information and guidance to businesses across Canada as they gear up for the implementation of PIPEDA.
Good privacy is good business
In an increasingly competitive marketplace, businesses rely on personal information to identify and stay in touch with their customers. They use it to seek out new customers who might be interested in their products. They want to find out what the market is looking for and what it will bear. And they want information about their employees, so that they can administer benefits and ensure a safe and productive workplace.
Obtaining and using that personal information in ways that don't offend the fundamental human right of privacy is the challenge for modern businesses.
Respecting and protecting privacy is a key element of good customer relations — and that makes it a key element of competitive advantage. Your customers want privacy, your employees need it and your competitors are going to provide it.
It's not an abstract legal concept. It's simple consideration, respect and courtesy — the essence of a good relationship with your customers and employees. Showing respect for privacy is part of showing respect for your customer, and respecting your customer is the cornerstone of a strong customer relationship.
PIPEDA in brief
PIPEDA sets out ground rules for how private sector organizations can collect, use or disclose personal information in the course of commercial activities. It balances an individual's right to privacy with the need of organizations to collect, use or disclose personal information for legitimate business purposes.
PIPEDA has been coming into effect in stages. As of January 2001, the Act has applied to personal information about customers or employees in the federally-regulated sector in the course of commercial activities. It also applies to information sold across provincial and territorial boundaries. As of January 2002, the Act has also applied to personal health information collected, used or disclosed by these organizations.
Since January 1, 2004, PIPEDA applies right across the board — to all personal information collected, used or disclosed in the course of commercial activities by all private sector organizations, except provinces which have, by then, enacted legislation that is deemed to be substantially similar to the federal law. To date, Quebec, British-Columbia, Alberta, and, in matters relating to health care, Ontario, New Brunswick and Newfoundland and Labrador, have promulgated legislation deemed substantially similar to the federal law.
Although the application of the Act expanded in 2004 to commercial activities that normally fall under provincial jurisdiction, it does not extend to employment in those activities. The only place PIPEDA applies to employment is in federal works, undertakings, or businesses. This means that if you are operating a federal work, undertaking or business — PIPEDA applies to your employment practices. But for the rest of businesses, it does not. It's a good idea for businesses and organizations to review their privacy practices in employment anyway, because it's very likely that provincial privacy laws will apply to employment.
The basic outline of PIPEDA looks like this:
- If your business wants to collect, use or disclose personal information about people, you need their consent, except in a few specific and limited circumstances.
- You can use or disclose people's personal information only for the purpose for which they gave consent.
- Even with consent, you have to limit collection, use and disclosure to purposes that a reasonable person would consider appropriate under the circumstances.
- Individuals have a right to see the personal information that your business holds about them, and to correct any inaccuracies.
- There's oversight, through the Privacy Commissioner of Canada, to ensure that the law is respected, and redress if people's rights are violated.
Your responsibilities under PIPEDA
PIPEDA reflects the realities of the business world. It's based on the Canadian Standards Association's Model Code for the Protection of Personal Information, which is incorporated into the legislation. The Code came out of a collaborative effort by representatives of government, consumers and business groups, and lists 10 principles of fair information practices, which are summarized as follows:
- Accountability: Appoint an individual (or individuals) to be responsible for your organization's compliance; protect all personal information held by your organization or transferred to third party for processing; and develop and implement personal information policies and practices.
- Identifying purposes: Your organization must identify the reasons for collecting personal information before or at the time of collection. Before or when any personal information is collected, identify why it is needed and how it will be used; document why the information is collected; inform the individual from whom the information is collected why it is needed; identify any new purpose for the information and obtain the individual's consent before using it.
- Consent: Inform the individual in a meaningful way of the purposes for the collection, use or disclosure of personal data; obtain the individual's consent before or at the time of collection, as well as when a new use is identified.
- Limiting collection: Do not collect personal information indiscriminately; do not deceive or mislead individuals about the reasons for collecting personal information.
- Limiting use, disclosure, and retention: Use or disclose personal information only for the purpose for which it was collected, unless the individual consents, or the use or disclosure is authorized by the Act; keep personal information only as long as necessary to satisfy the purposes; put guidelines and procedures in place for retaining and destroying personal information; keep personal information used to make a decision about a person for a reasonable time period. This should allow the person to obtain the information after the decision and pursue redress; destroy, erase or render anonymous information that is no longer required for an identified purpose or a legal requirement.
- Accuracy: Minimize the possibility of using incorrect information when making a decision about the individual or when disclosing information to third parties.
- Safeguards: Protect personal information against loss or theft; safeguard the information from unauthorized access, disclosure, copying, use or modification; protect personal information regardless of the format in which it is held.
- Openness: Inform your customers, clients and employees that you have policies and practices for the management of personal information; makethese policies and practices understandable and easily available.
- Individual access: When requested, inform individuals if you have any personal information about them; explain how it is or has been used and provide a list of any organizations to which it has been disclosed; give individuals access to their information; correct or amend any personal information if its accuracy and completeness is challenged and found to be deficient; provide a copy of the information requested, or reasons for not providing access, subject to exception set out in Section 9 of the Act; an organization should note any disagreement on the file and advise third parties where appropriate.
- Provide recourse: Develop simple and easily accessible complaint procedures; inform complainants of avenues or recourse. These include your organization's own complaint procedures, those of industry associations, regulatory bodies and the Privacy Commissioner of Canada; investigate all complaints received; take appropriate measures to correct information handling practices and policies.
Individuals who feel their privacy rights have been infringed upon can complain to the Privacy Commissioner of Canada. The Commissioner's role is that of an ombudsman, trying to find solutions to privacy problems, resolving complaints through negotiation and persuasion, and using mediation and conciliation if appropriate.
What is personal information?
Personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:
- age, name, ID numbers, income, ethnic origin, or blood type;
- opinions, evaluations, comments, social status, or disciplinary actions; and
- employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).
Personal information does not include the name, title, business address or telephone number of an employee of an organization.
What is not covered by the Act?
- The collection, use or disclosure of personal information by federal government organizations listed under the Privacy Act
- Provincial or territorial governments and agents of the crown in right of a province
- An employee's name, title, business address or telephone number
- An individual's collection, use or disclosure of personal information strictly for personal purposes (e.g. personal greeting card list)
- An organization's collection, use or disclosure of personal information solely for journalistic, artistic or literary purposes
For more information
We recognize that gearing up to protect privacy isn't easy. It takes time, attention and resources. But part of our job is to help you with it.
For more information to help your business prepare for the implementation of PIPEDA, contact the Office of the Privacy Commissioner of Canada at 1-800-282-1376 and request a copy of our Guide for Businesses and Organizations: Your Privacy Responsibilities free of charge This Guide also includes a Privacy Questionnaire with some common sense questions you can use to help you get started.
For this and other useful information, such as the Commissioner's findings under PIPEDA, you can also visit our Web site at www.priv.gc.ca or you can write to us at:The Office of the Privacy Commissioner of Canada
30 Victoria Street
Phone: (819) 994-5444
Fax: (819) 994-5424
TTY: (819) 994-6591