Information on PIPEDA, the Canadian Privacy Legislation that came into effect January 2004 to ensure proper use of confidential user information and proper gathering techniques, addressing modern day issues and technology.

As you should be well aware, security of personal information is integral to the relationships that businesses build with their customers, employees and other businesses. Canada has taken a step in the right direction to insure those goals by introducing federal legislation to protect personal information as it is collected, disclosed and utilized. It is also a step to hold accountable companies that misuse or mishandle personal information. This article will offer a brief look into the new Canadian legislation affectionately known as PIPEDA (or Bill C-6 Personal Information Protection and Electronic Documents Act with amendment to the Canada Evidence Act, the Statutory Instruments Act and the Statute Revision Act).

For our purposes PIPEDA brings the protection of personal information into the private sector. PIPEDA effects eMarketing in the areas of e-commerce and the ease of communicating personal information over the Internet as well as maintaining a level of standards that are acceptable for trade within the EU. It aims to ensure that personal information regarding customers as well as employees is well protected regardless of whether it is stored in a filing cabinet (using locked drawers) or a hard drive (using passwords and encryption on sensitive files). It also aims to give people control over how their personal information is used and with whom it is shared.

The legislation mandates that over the next three years the provinces should create privacy legislation that is harmonious with PIPEDA yet corresponds to the intricacies of provincial business legislation. This will obviously create more policies that businesses will need to adapt to, but will doubtlessly create more protections for individuals as well as avenues to seek resolutions if there are violations.

So how does PIPEDA affect your business?

Here are the points that stick out:

There must be an individual or individuals appointed as the privacy “point-person(s)” who will be accountable for the organization’s practices and management of personal information. The name or title of this party must be made available upon request as well as a means and procedure of contacting them with regards to inquiries or complaints.

Your business must create policies, that your staff is aware of, regarding personal information collection and security. A copy of these policies must be available to people whose information you have collected. You’ll notice that privacy and security policies have already become commonplace on websites and newsletters.

A system must be put in place to make sure customer information is secure, accurate, and gathered with consent. The reason for collection and use must be disclosed to individuals and not used beyond the stated purpose. If you intend on sharing this information with related organizations (subsidiaries for example), permission must be granted by the person whose information you have gathered.

If information is shared, the security responsibility extends into how third parties use personal information that is being “processed”. This means if you’re working with a third party, make sure you have a contract regulating the specific use that you have agreed to as well as contractual agreement regarding their compliance with privacy legislation.

The purpose of information collection must be identified, and only information needed to achieve those goals can be collected. Information can only be held for the length of time needed to fulfill the purposes indicated. After which the information must be eliminated or “made anonymous”. If the organization wants to use the information for any purpose other than why it was collected they must receive consent from the individuals. Also, there must be a means for an individual to see the personal information held about them (with some legal and medical exceptions), for accuracy and security purposes. Information must be accurate and sufficiently up-to-date to ensure that decisions made regarding the individual are accurate but only need to be accurate enough to fulfill the purpose for which the data was collected.

An organization can not require an individual to consent to collection of personal information in excess of what is reasonably needed to supply a product or service. “Consent can not be gained through deception.” Information can be used for purposes that an individual would reasonably expect, such as billing, renewal, and updates regarding services etc, but cannot be stretched too far without gaining specific consent.

Consent can be given by signed application; a checkbox can be used to ask for consent (making negative option a possible grey area), orally, and at the time of use of a service or product. Notice that all of these actions occur before the use of the information, therefore, this is not a case where it is “easier to ask forgiveness than permission.” There are some exceptions to these consent rules such as journalistic and artistic exemptions as well as waiting “one hundred years after the record containing the information was created”, or “twenty years after the death of the individual whom the information is about.” For our purposes it might just make more sense to ask permission up front.

An individual can withdraw consent at any time, with reasonable notice. At which point the organization must cease using the information (such as email address) and inform the individual of the results of their withdrawal.

Here’s a big one. The legislation allows a Government Commissioner to conduct an audit into the collection and management of personal information if there are grounds to believe that the organization is in violation of sections of the legislation. Information about companies in violation can then be made public if is thought to serve the public good. This in itself is a good reason to comply with personal privacy regulations. It also makes good ethical sense. If individuals feel like their information has been misused you’re likely to feel their bite, but if they experience straight forward policies and a sense of respect and security for their information you can count on their business. Remember, in a referral intense business environment, a happy customer is likely to become two happy customers and so on.