Canadians worry that personal information databases are not secure and are being combined with other commercial databases from financial institutions, department stores, insurance companies and other commercial organizations without their knowledge and consent. This is a fear shared in all developed countries.
Driven by the explosive growth of the Internet, it is a concern that cannot easily be contained or dealt with inside political boundaries. The legislative response of national, provincial and state governments in all major markets represents a potential legal and public relations minefield for business.
As of Jan. 1, 2004, all businesses engaged in commercial activities in Canada became obligated to comply with the federal Personal Information Protection and Electronic Documents Act (PIPEDA), unless the privacy legislation of the province in which they do business has been designated as “substantially similar” to PIPEDA. Even in those provinces, PIPEDA continues to apply to federally regulated organizations and to personal information that crosses provincial or national borders in the course of commercial activity.
If your organization conducts business across Canada and elsewhere, it is vital that your organization become familiar with its obligations under the privacy legislation of each political jurisdiction in which it is deemed to conduct business.
PIPEDA obliges organizations to protect the personal information they collect, use and disclose. The Act applies to all paper-based and electronic records containing personal information about an identifiable individual, including employees, business associates and customers.
So what is “personal information”? Under PIPEDA, personal information is any information about an identifiable individual, other than the name, title, business address or business telephone number of an employee of an organization. Examples include an individual’s name, age, weight, height, race, ethnic origin and marital status; income, purchases and spending habits; home address and phone number; and medical records and other personal health information.
If you are conducting any form of business in Canada, chances are your organization is subject to PIPEDA. The Act reaches well beyond the information a business collects directly from its customers.
It also applies to surveys, credit checks, computer passwords, video surveillance and cross-border commercial transactions, to name a few, and to employee records where the employer is a federal work, undertaking or business, such as a bank, airline or telecommunications carrier.
If you have not yet determined how privacy legislation may affect your business, I urge you to seek professional advice immediately. Failure to comply can result in a complaint to the Privacy Commissioner, whose findings may be taken to the Federal Court.
The Court can order your organization to correct its practices and can award damages, including damages for the humiliation suffered by the complainant; fines under the Act are reserved for offences such as obstructing an investigation or destroying records that are the subject of an access request. In addition to these formal sanctions, your organization may be subjected to public humiliation in the media for its improper use of personal information.
While non-compliance with PIPEDA can be damaging to your business and its reputation, there are many benefits associated with open and obvious compliance. Take for example the e-commerce industry.
In today’s marketplace, e-commerce has become not just a way of conducting business but a necessity for survival. Contrary to popular belief, the vast majority of Canadian Internet users have shared personal information on Web sites.
However, according to a study conducted by Ipsos-Reid, only 42% of Canadian adults have ever made a purchase online, and those who have not rate privacy concerns as the main barrier to doing so.
What does it take to comply? Generally speaking, privacy legislation requires the following:
Information audit: Conduct an audit of your organization to determine what personal information it holds; how it is collected; the business purposes for which it is collected; to whom it is disclosed and how long it is retained; and what security measures are in place to ensure its safekeeping.
Publish a privacy policy: Set out how your organization collects, uses and discloses personal information, and how it complies with PIPEDA. Businesses conducting e-commerce should make their privacy policy readily accessible on their Web sites. A CNEWS staff report found that 55% of Canadian Internet users consider a posted privacy policy explaining a company’s intended use of personal information before using a site. In preparing your privacy policy, do not commit to a level of privacy that your organization will not be able to deliver. In particular, do not tell the public that it is your policy never to disclose personal information if you will, in fact, be disclosing it to certain third parties for legitimate business purposes.
Appoint a privacy officer: Appoint someone internally to be responsible for your organization’s compliance with its privacy policy and its obligations under PIPEDA. This person should be given the authority to speak on the organization’s behalf on all matters related to PIPEDA compliance.
Prepare a consent form: Prepare a standard consent form that individuals can sign when your organization collects their personal information. PIPEDA allows consent to be implied for less sensitive information, but express consent should be obtained for sensitive information such as health or financial details.
Implement internal procedures: Establish internal policies and train your employees to ensure compliance with your organization’s obligations under PIPEDA.
Privacy of personal information is of great importance in Canadian society. Organizations that promote the privacy rights of their customers and clients will earn their trust, loyalty and business. If your organization has not yet put in place the procedures and policies needed to comply with its obligations under PIPEDA, contact your legal advisor. This issue is not going to go away any time soon; indeed, it will be one of the “issues of the century.”