Effective January 1, 2001, the Personal Information Protection And Electronic Documents Act (The "Federal Act") applies to the federally-regulated private sector and to cross-border commercial flows of information. Effective January 1, 2004, the Federal Act will apply to all commercial transactions in provinces without similar legislation.
The Ontario Government has issued a Consultation Paper concerning Ontario’s Proposed Privacy Act (The "Ontario Act"). If the Ontario government passes the Ontario Act, as described in the Consultation Paper, prior to January 1, 2004, the Act will apply to more than commercial entities and more than commercial activities. It would apply to all organizations that collect, use or disclose personal information in Ontario ("organization(s)") and all activities, except government organizations covered by public sector legislation, the federally-regulated private sector and cross-border commercial flows of information. It would apply to all personal information collected before and after the effective date of the Act and to all personal information used or disclosed after the effective date of the Act, subject to a proposed one-year transition period.
The Ontario Act would be based on the same Canadian Standards Association Model Code for The Protection of Personal Information that forms the substance of Schedule 1 to the Federal Act ("Schedule 1"), and would be similar to the Federal Act. The following provisions from the Federal Act and Schedule 1 provide a brief overview.
Purpose of the Federal Act
The purpose of the Federal Act is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use and disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. [Federal Act, section 3]
Application of the Federal Act
The Federal Act applies to every organization in respect of personal information that (a) the organization collects, uses or discloses in the course of commercial activities; or (b) is about an employee of a federally-regulated organization and that it collects, uses or discloses in connection with the operation of its commercial activities. [Federal Act, section 4(1)]
What is an "organization"?
"Organization" includes an association, a partnership, a corporation, and a trade union. [Federal Act, section 2(1)]
What is "personal information"?
"Personal information" means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee. [Federal Act, section 2(1)]
Compliance with the Federal Act
Every organization must comply with the following principles with respect to its collection, use and disclosure of personal information, including personal information collected prior to the effective dates of the Federal Act.
Principle 1—Accountability
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance. [Schedule 1, section 4.1]
Principle 2—Identifying Purposes
The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected. [Schedule 1, section 4.2]
Principle 3—Consent
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information. [Schedule 1, section 4.3]
Principle 4—Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means. [Schedule 1, section 4.4]
Principle 5—Limiting Use, Disclosure and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes. [Schedule 1, section 4.5]
Principle 6—Accuracy
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used. [Schedule 1, section 4.6]
Principle 7—Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information. [Schedule 1, section 4.7]
Principle 8—Openness
An organization shall make readily available to individuals specific information about its policies and practices related to the management of personal information. [Schedule 1, section 4.8]
Principle 9—Individual Access
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. [Schedule 1, section 4.9]
Principle 10—Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the above Principles to the designated individual or individuals accountable for the organization’s compliance. [Schedule 1, section 4.10]
Steps to Compliance
Step 1—Due Diligence
Document the organization’s personal information holdings and personal information handling practices and procedures.
Step 2—Privacy Code
Prepare one or more Privacy Codes to ensure that the organization is protecting the personal information of its customers and employees and to ensure that the organization is complying with the Federal Act and/or the Ontario Act. The Privacy Code(s) should describe the organization’s practices and procedures concerning:
- the accountability of the organization and its staff for personal information;
- the limitation of the organization’s collection, use and retention of personal information to identified purposes;
- the requirement to obtain the consent of an individual to the collection, use and disclosure of the individual’s personal information;
- the transfer by the organization of personal information to third parties;
- the accuracy and currency of the organization’s personal information holdings;
- the physical, technological and organizational security measures to safeguard the organization’s personal information holdings;
- the response by the organization to requests by individuals for access to their personal information; and
- the response by the organization to third party complaints relating to the organization’s personal information practices and procedures.
Step 3—Web Site
Step 4—Privacy Impact Assessments
Prepare privacy impact assessments for new projects, products, services, practices, databases, and delivery systems involving personal information to:
- understand what impact the proposed initiative may have on the personal privacy of customers, employees and others and how privacy laws may be complied with;
- address the commercial and legal privacy issues raised by the proposed initiative.
How can Aird & Berlis LLP Help?
Many of the compliance requirements of the new Federal Act and/or the Ontario Act should be met by entering into privacy agreements with third parties and by including privacy provisions in third-party and employee agreements. A member of Aird & Berlis LLP could identify and draft the required agreements and provisions.
New projects, products and services, and acquisitions and other combinations will raise privacy compliance issues. Again, our firm could provide advice on privacy issues raised for all such initiatives.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.