Canadians worry that personal information databases are not secure and are being combined with other commercial databases from financial institutions, department stores, insurance companies and other commercial organizations without their knowledge and consent. This is a fear shared in all developed countries.
Driven by the explosive growth of the Internet, it is a concern which is not easily contained or dealt with inside political boundaries. The legislative response of country, province and state governments in all major markets represents a potential legal and public relations minefield for business.
As of Jan. 1, 2004, all businesses engaged in commercial activities in Canada became obligated to comply with the federal Personal Information Protection and Electronic Documents Act (PIPEDA) unless privacy legislation in the province in which they do business had been designated as “substantially similar” to PIPEDA.
If your organization conducts business across Canada and elsewhere, it is vital that your organization become familiar with its obligations under the privacy legislation of each political jurisdiction in which it is deemed to conduct business.
PIPEDA imposes obligations on organizations to protect the personal information collected and used by them. The Act applies to all paper-based and electronic files containing personal information on any identifiable person, including employees, business associates and customers.
So what is “personal information?” Under PIPEDA, personal information includes any information about an identifiable individual other than an individual’s business title, address or telephone number. Examples of personal information include an individual’s: name, age, weight, height, race, ethnic origin and marital status, income, purchases and spending habits, home address and phone number, medical records, and other related personal health information.
If you are conducting any form of business in Canada, then chances are your organization is subject to PIPEDA. The Act extends well beyond merely collecting personal information.
It also applies to surveys, employee records, credit checks, computer passwords, video surveillance, and cross-border commercial transactions, to name a few.
If you have not yet determined how privacy legislation may affect your business, I urge you to seek professional advice immediately. Failure to comply could result in the Privacy Commissioner or the Federal Court sanctioning your organization.
These sanctions range from requiring compliance to substantial fines and penalties. In addition to formal sanctions, your organization may be subject to public humiliation in the media for its improper use of personal information.
While non-compliance with PIPEDA can be damaging to your business and its reputation, there are many benefits associated with open and obvious compliance. Take for example the e-commerce industry.
In today’s marketplace, e-commerce has become not just a way of conducting business, but a necessity for survival. Contrary to popular belief, the vast majority of Canadian Internet users have shared personal information on Web sites.
However, according to a study conducted by Ipsos-Reed, only 42% of Canadian adults have ever made a purchase online, and those who have not rate privacy concerns as the main barrier to doing so.
What does it take to comply? Generally speaking, privacy legislation requires the following:
Information Audit: Conduct an audit of your organization to determine what personal information your organization holds; how it is collected; what security measures are in place to ensure its safekeeping; and what the business purposes are for collecting it.
Prepare a Consent Form: Prepare a standard consent form which can be signed by an individual when your organization collects their personal information.
Implement Internal Procedures: Establish internal policies and educate your employees to ensure compliance with your organization’s obligations under PIPEDA.
Privacy of personal information is of great importance in Canadian society. Organizations which promote the privacy rights of customers and clients will undoubtedly earn their customers’ trust, loyalty and business. If your organization has not yet put in place the necessary procedures and policies to comply with its obligations under PIPEDA, you should contact your legal advisor. This issue is not going to go away any time soon, and it will indeed be one of the “issues of the century.”