Beginning on January 1, 2004, the federal Personal Information Protection and Electronic Documents Act, commonly referred to as PIPEDA, will apply to the collection, use and disclosure of personal information in the course of any private sector commercial activity in Ontario. PIPEDA will also apply to commercial transactions undertaken by entities which are not, by their nature, profit-oriented (for example, the selling, bartering or leasing of donor membership lists by charities or not-for-profit organizations).
Although businesses will need to review their information management practices to ensure that they comply with PIPEDA, ensuring compliance with PIPEDA will likely not be burdensome (except for businesses that deal with personal information as a business asset). Nonetheless, if a business does not follow the requirements of the legislation, it may suffer adverse publicity and/or incur legal liability.
PIPEDA already applies to federal works, undertakings or businesses - this includes entities such as banks, airlines, interprovincial transport companies and telecommunications companies. It also applies to all transactions which involve the disclosure of personal information across provincial or international borders for consideration (such as the sale of membership lists), whether the parties to the transaction are federally-regulated or not.
Personal information is defined in PIPEDA as "information about an identifiable individual"; this broad definition includes information such as race, age and financial information. However, the definition of personal information specifically excludes the name, title, business address and business telephone number of an employee of an organization, so the use of this information is not subject to the requirements of the Act. PIPEDA will also not apply to certain specified publicly-available information (including, for example, information contained in a telephone book).
Exceptions to the Application of PIPEDA
There are several exceptions to the application of PIPEDA for non-federally regulated entities. The major exception is that PIPEDA will not apply to an employer's collection, use and disclosure of personal information of its own employees. In addition, the Act will not apply to commercial activity in a province if that province has legislation which the federal government deems to be 'substantially similar' to PIPEDA. In Quebec, comprehensive private sector privacy legislation is already in force. In Ontario, draft legislation has not yet been introduced by the new provincial government and it appears extremely unlikely that such legislation will be in place by January 1, 2004. British Columbia and Alberta have each introduced legislation imposing standards which are, in most respects, no more onerous than the standards under PIPEDA. The British Columbia Personal Information Protection Act will come into effect on January 1, 2004. The Alberta bill is also expected to be in force by January 1, 2004. The federal cabinet has not yet addressed whether any provincial legislation is 'substantially similar' within the meaning of PIPEDA.
Fair Information Practices under PIPEDA
PIPEDA is based upon ten principles of fair information practices, forming ground rules for the collection, use and disclosure of personal information. The fundamental premise of PIPEDA is that an organization can collect, use and disclose personal information as long as its purpose is reasonable in the context of the organization's business and the organization has obtained the informed consent of the individual to whom the information relates. Informed consent can be obtained formally or it can be implied from the circumstances, except where the information is sensitive, such as the financial or medical records of an individual. While previously collected information does not need to be re-collected, consent is required to continue to use or disclose that information after January 1, 2004.
Obligations under PIPEDA
January 1, 2004 will mark an important day for almost all commercial organizations in Ontario (and across Canada) that do not currently adhere to privacy principles in the collection, use or disclosure of personal information. PIPEDA will impose additional obligations upon organizations and every organization should be aware of the following requirements:
Drafting Policies and Procedures
• You will be required to implement practices: (i) to ensure that personal information is properly safeguarded; (ii) to ensure that information in your custody is kept accurate and up-to-date (if the organization is making decisions based on such information); (iii) to receive and respond to complaints and inquiries; and (iv) to train your staff about the organization's obligations.
Designating a Privacy Officer
Safeguarding Personal Information
• You will be required to protect personal information in your possession or control against loss, theft, unauthorized access, disclosure, copying, use and modification.
• Required safeguards include physical measures such as locking filing cabinets, organizational measures such as security clearances and technological measures such as encryption. More sensitive information such as financial and health information must be safeguarded by a higher level of protection.
Personal Information in the Control of a Third Party
• If you transfer personal information to a third party, you will need to ensure that the information is secure to avoid liability under PIPEDA. One way to protect yourself is by drafting appropriate protections into the contracts under which the information may be transferred, such as requiring the third party transferee to have in place similar privacy protection procedures and policies.
Retention of Personal Information
• You will be required to develop guidelines and to implement procedures with respect to the retention of personal information, including minimum and maximum retention periods. Personal information may only be kept for as long as it is required to satisfy the purpose for which it was collected.
Access to Personal Information
• You will be required to respond promptly to individuals' requests for access to their personal information. In most cases, PIPEDA imposes a thirty-day maximum response time for meeting such requests.
• You will be required to ensure that individuals who are assigned the task of responding to access requests, as well as any other staff member who may receive such requests, are properly trained. You must develop policies and procedures to receive and respond to complaints or inquiries about your policies and practices relating to the handling of personal information.
The content of this article does not constitute legal advice and should not be relied on in that way. Specific advice should be sought about your specific circumstances.