Privacy for Business FAQs
FAQs

About PIPEDA:
How PIPEDA will affect collection of personal information:
How PIPEDA will affect your business practices:
How to implement a privacy policy program:
About PIPEDA:

What are my obligations under the Personal Information Protection and Electronic Documents Act?

The PIPEDA establishes a set of ten principles that organizations must follow when collecting, using and disclosing personal information in the course of commercial activity. The Principles are as follows:
For more information on your obligations as a business owner/manager, please see the Privacy Commissioner of Canada Guide for Business.

Does PIPEDA apply to my business?

The PIPEDA governs "organizations," a term that includes persons, associations, partnerships and trade unions. The term "persons" includes corporations as well as individuals. Organizations are generally subject to the Act to the extent that they collect, use or disclose personal information in the course of commercial activity. In this regard, even small businesses must establish a privacy program. Because the nature, size and complexity of operations vary from one organization to another, a privacy compliance regime should be tailored to meet the needs of the individual business. In fact, the PIPEDA is flexible and allows organizations to tailor its principles to their own activities and to the nature of the information in their custody. Organizations not engaged in commercial activity are not covered by the Act. However, those engaged in the selling, leasing or bartering of donor, membership or other fundraising lists are engaged in commercial activity and are covered by the Act.

Does PIPEDA apply only to e-commerce or on-line business?

PIPEDA applies to traditional, paper-based business activities as well as on-line activities and e-commerce transactions. All businesses must comply with the legislation. Any organization collecting, using or disclosing personal information in the course of commercial activity is subject to the Act.

What is personal information? How do I know if information is sensitive?

The PIPEDA sets a number of rules to which organizations must adhere when collecting, using or disclosing personal information in the course of commercial activity. PIPEDA defines personal information as "information about an identifiable individual"; this includes any personal information, recorded or not, in any form, including digital or paper format.
For example, the following would be considered personal information:
Under PIPEDA, personal information does not include the name, business title, business address or business telephone of any employee, i.e. the information on a business card. The legislation also protects personal information of a sensitive nature, which may include health or medical history, racial or ethnic origin, political opinions, religious beliefs, trade union membership and sexual orientation.

Which applies to my business - federal or provincial legislation? What if my organization operates in several provinces?

On January 1, 2004, the PIPEDA will apply to organizations across the Canadian marketplace. In provinces or territories where a privacy law has been deemed substantially similar to the PIPEDA, organizations will be subject to the provincial privacy law as opposed to the PIPEDA. However, should any personal information cross a border as part of a commercial transaction in which your organization is involved, you will be expected to abide by the PIPEDA. A business could ensure that it is compliant with either law by complying with the higher standard. Only Quebec has provincial legislation at this time. Alberta and BC have both introduced bills for first reading. For more information, see the following Canadian Privacy Commissioner Web sites:
Canada - www.privcom.gc.ca
"The best practice we can recommend is that any business operating in more than one jurisdiction should meet the highest standard that doesn't impair their business operations."

Does PIPEDA apply to information collected prior to January 1, 2004?

Personal information that your company has collected during the course of its commercial activities is subject to the Act. Since it has already been collected, you don't need to recollect it. However, in order to continue to use or disclose this information, you now require consent. For example, some organizations have informed all their customers what they do with their information and to whom it is disclosed, and have given customers the option to object to these ongoing uses or disclosures.

What other countries have similar legislation?

Member countries of the European Union (EU) have comprehensive privacy laws. Non-European countries that have recently enacted data protection legislation applicable to their private sector include Hong Kong, New Zealand and Taiwan. The United States currently does not have federal legislation protecting personal information in the marketplace. To find out more about international privacy laws and Commissions, visit the International Access and Privacy Laws and Commissions (Department of Justice Canada).

How PIPEDA will affect collection of personal information:

What are the different forms of consent? How do I get consent from an individual?

The PIPEDA requires knowledge and consent by an individual for the collection, use or disclosure of his or her personal information in the course of commercial activity. An organization is expected to inform its clients of the purpose for which their information is being collected. This information must be provided in a manner that can be reasonably understood by the clients. The organization must also obtain their consent prior to disclosing their personal information to a third party or using it for a different purpose.
The form of consent sought by organizations may vary, depending on the sensitivity of the information. An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. Consent can be given in different ways, for example: a form, a check-off box, orally, etc.

What is a purpose statement?

An organization should inform individuals why it is collecting information about them; for example, opening an account, verifying creditworthiness or processing a subscription. The Act states that "the identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected. Depending upon the way in which the information is collected, this can be done orally or in writing. An application form, for example, may give notice of the purposes."

How much information should I collect from an individual?

Personal information should not be collected indiscriminately. You should limit the amount and type of the information gathered to what is necessary for the identified purposes. By reducing the amount of information gathered, you can lower the cost of collecting, storing, retaining and ultimately archiving data. Collecting less information also reduces the risk of inappropriate uses and disclosures.

Do I have to retain information and for how long? How do I "destroy" information?

Organizations may retain personal information only for as long as they require it for the purpose for which it was collected. They should also ensure that it is securely disposed of when no longer required. For more information on how to safeguard information, please see the Canadian e-Business Initiative's Online E-Security and Privacy Guide.

How PIPEDA will affect your business practices:

What is safeguarding? What sort of security do I need?
PIPEDA dictates that personal information shall be protected by security safeguards appropriate to the sensitivity of the information. It is your responsibility to protect personal information from loss or theft and to safeguard it from unauthorized access, disclosure, copying, use or modification. Personal information should be protected regardless of the format in which it is held. Security safeguards can be the following:
The following factors should be considered in selecting appropriate safeguards:
For more information on how to safeguard information, please see the Canadian e-Business Initiative's Online E-Security and Privacy Guide.

How will the legislation impact any international transactions I may engage in?

As of January 1, 2004, the PIPEDA will apply to all collections, uses or disclosures of personal information that take place across an international or interprovincial border in the course of commercial activity. Organizations will be required to apply the principles of the PIPEDA to these transactions. Certain countries or regions have implemented privacy laws that impose privacy protection rules on international trade. For example, the European Union Data Protection Directive, which applies to all EU member countries, allows personal data to be transferred only to those third countries that provide an adequate level of privacy protection. However, the European Commission has recognized Canada's PIPEDA as providing adequate protection for the transfer of personal information from the EU to Canada. This allows for the continued flow of personal information between the European Union (EU) and Canada.

Can I outsource the processing of personal information to an outside company?

The PIPEDA states that organizations are responsible for personal information that has been transferred to a third party for processing. The organization is responsible for using contractual or other means to ensure that a comparable level of privacy protection will be provided while the information is being processed by the third party.

Does PIPEDA affect employee privacy and human resources?

Under PIPEDA, personal information does not include the name, business title, business address or business telephone of any employee, i.e. the information on a business card. However, the PIPEDA does protect the personal information of employees of federally-regulated organizations.
How to implement a privacy policy program:

How do I begin implementing changes to my business in order to comply?

First, designate responsibility for a privacy policy program to someone in your organization. For more information, see "Who in my organization is responsible?". Your organization should take inventory of all personal information handling practices, including ongoing activities and new initiatives. A checklist may help to create the inventory by asking questions such as: What personal information is collected? Why is it collected? How is it collected? What is it used for? Where is it kept? Who has access? What security measures are used? To whom is it disclosed? When is it disposed of? After the inventory, develop privacy policies and procedures that address the ten privacy principles. This is a continuous, evolving process that encompasses several steps:
For more information on how to safeguard information, please see the Canadian e-Business Initiative's Online E-Security and Privacy Guide.

Who in my organization is responsible?

The PIPEDA requires that the responsibility for information privacy be assigned to someone, stating that: "An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles." For small businesses, that person would often be the owner/manager because they understand how the business works, and its systems and processes. It may be beneficial to have the owner/manager, or another responsible individual, determine whether the systems that store personal information have the capacity to track and record who has access to that information, for what purpose and under what conditions. In addition, the responsible individual should determine whether personal information has been disclosed to third parties for processing and how such third parties are contractually or otherwise obligated to protect privacy. The responsible person should ensure that:
Any organization with interprovincial or international operations may find it necessary to have privacy officers for each jurisdiction. In such cases, it will be important to determine how to facilitate centralized planning and compliance. In any event, the privacy officer should have sufficient authority, or access to sufficient authority, to resolve privacy issues. To promote openness and access, it is important to communicate the name and title of the privacy official, both internally and externally, for example, in published materials such as privacy brochures and on Web sites.

What do my frontline staff need to know?

Ensure employees are aware of their privacy responsibilities and are able to answer an individual's questions about the purpose for which information is being collected. Employees should also be informed of your privacy policies and practices. They should also be able to provide individuals with the contact information of the person who is responsible for compliance with the PIPEDA within your organization.

How should my organization deal with complaints?

Your organization should develop simple and easily accessible complaint procedures. Inform complainants of avenues of recourse. They include your organization's own complaint procedures and those of the Privacy Commissioner of Canada. Be sure to investigate all complaints received and take appropriate measures to correct information handling practices and policies if the complaint is found to be justified.
How well your organization handles an individual's complaint may help preserve or restore the individual's confidence in your organization.

Who complains to the Privacy Commissioner?

Complaints are confidential and can come from any source - a competitor, a client or an employee. Individuals will have the right to complain about any aspect of an organization's compliance with the provisions relating to the protection of personal information, and all complaints are investigated.

What can the Privacy Commissioner do? What are the potential consequences for non-compliance?

The Commissioner will have general powers to receive and investigate complaints, and to attempt dispute resolution. All complaints must be investigated. A complaint may be disposed of in one of the following three ways:
The Privacy Commissioner may make public any information relating to the personal information management practices of an organization if the Commissioner considers that it is in the public interest to do so.
Created: 2003-09-03 Updated: 2003-09-26