6-Oct-2003
The new federal privacy law, the Personal Information Protection and Electronic Documents Act ("PIPEDA"), has wide-ranging implications for the handling of personal information. Thankfully, PIPEDA is relatively user friendly and is supported by detailed guidelines to help organizations determine how to comply with the legislation. In case you have not had the opportunity to consider how PIPEDA impacts your organization, this Client Update is intended to provide you with an overview of the legislation and to help you prepare for PIPEDA.
Who is covered by PIPEDA? Federally regulated businesses such as airlines, railways, and banks have been subject to PIPEDA since January 1, 2001. As of January 1, 2004, it will also apply to all provincially regulated businesses engaging in commercial activities that collect, use or disclose personal information, unless "substantially similar" provincial legislation has been enacted. Currently, none of the Atlantic Provinces has enacted "substantially similar" legislation and we are not aware of any proposals to do so.
What personal information is protected? PIPEDA defines personal information broadly to include information about an identifiable individual (such as age, race, religion, financial information, social insurance number), excluding only the name, title, business address and business telephone number of an employee of an organization. Information gathered prior to PIPEDA becoming law is also subject to PIPEDA.
What activities are subject to PIPEDA? PIPEDA applies to all "commercial activity" using personal information which includes any transaction or conduct of a commercial character. Exceptions to the applicability of PIPEDA are limited to matters such as journalistic, artistic and literary endeavours, investigations of contract breaches or contravention of the law, and emergencies. In addition, the Privacy Commissioner of Canada has indicated that PIPEDA should not apply to personal employee information of provincially regulated employees where such information is not being used in a commercial activity. In contrast, the sale of an employee's personal information to a third party would likely be subject to PIPEDA.
How can your organization comply? Organizations must follow certain principles that form the rules for collecting, using and disclosing personal information. The key principles can be summarized as follows:
You must establish privacy policies and practices for the collection, use and disclosure of personal information. You must designate a staff member to deal with privacy issues, respond to complaints and be accountable for compliance with PIPEDA. Individuals can challenge the accuracy and completeness of their personal information, and an organization must respond within a reasonable time and at minimal or no cost.
As a general rule, personal information can only be collected and used with informed consent. The intended purposes for collecting the information must be clearly identified and new purposes require further consent. The purposes cannot be stated in an open-ended manner to allow a wide variety of unspecified uses. Implied consent or the use of "opting out" (negative options) will only be permitted for low sensitivity information. Consent may be withdrawn at any time. There are limited occasions such as emergency or legal compulsion where disclosure without consent is permitted.
Personal information can only be used, disclosed and retained for the stated purposes for which it was collected and for which consent was given. Information that is no longer required to fulfill the stated purposes should be destroyed, erased, or made anonymous.
You must develop and implement policies to protect personal information with security safeguards appropriate to the sensitivity of the information, including physical and technological measures, to prevent loss, theft and unauthorized access and use.
What are the penalties for noncompliance? The Privacy Commissioner may investigate complaints of misuse of personal information, mediate and refer breaches to a judge. A court may award compensation to a person who has suffered an infringement of privacy, and PIPEDA specifically allows monetary awards for humiliation. It is also an offence punishable by a fine of up to $100,000 to obstruct the Privacy Commissioner in any investigation or audit, to destroy or discard an individual's personal information that has been requested by that individual, or to demote, dismiss, disadvantage or harass any employee who attempts to comply in good faith with PIPEDA or who reports a violation of PIPEDA.
Where can your organization obtain further assistance?
The Guide for Businesses and Organizations to Canada's Personal Information Protection and Electronic Documents Act is available on the Privacy Commissioner of Canada's website at http://www.privcom.gc.ca/information/guide_e.asp. This is a fairly straightforward guide to the basic principles of PIPEDA and it provides any organization with a starting point to work towards compliance.
We would be pleased to discuss PIPEDA with you or your organization. We encourage you to contact your lawyer at Stewart McKelvey Stirling Scales or any of the lawyers listed below with any questions you may have about the contents of this Client Update.
Client Updates are distributed to our clients and other members of the business community on a variety of current legal developments which we believe may be of interest and importance to our readers. These Client Updates do not constitute specific legal advice and may not address specific aspects of a legal development relevant to readers' circumstances. We encourage you to contact us to discuss your particular situation. The names and contact information for lawyers in your area are found on this page.
