Information on PIPEDA, the Canadian privacy legislation that came fully into effect in January 2004 to ensure the proper collection and use of confidential personal information, addressing modern-day issues and technology.
As you should be well aware, the security of personal information is integral to the relationships that businesses build with their customers, employees and other businesses. Canada has taken a step in the right direction to ensure those goals by introducing federal legislation to protect personal information as it is collected, used and disclosed. It is also a step toward holding accountable companies that misuse or mishandle personal information. This article offers a brief look at the new Canadian legislation affectionately known as PIPEDA (Bill C-6, the Personal Information Protection and Electronic Documents Act, which also amended the Canada Evidence Act, the Statutory Instruments Act and the Statute Revision Act).
For our purposes, PIPEDA brings the protection of personal information into the private sector. PIPEDA affects eMarketing in the areas of e-commerce and the ease of communicating personal information over the Internet, and it maintains a standard of protection that is acceptable for trade with the EU. It aims to ensure that personal information about customers and employees is well protected regardless of whether it is stored in a filing cabinet (using locked drawers) or on a hard drive (using passwords and encryption on sensitive files). It also aims to give people control over how their personal information is used and with whom it is shared.
The legislation gave the provinces three years to enact privacy legislation that is substantially similar to PIPEDA yet corresponds to the intricacies of provincial business legislation; where a province does so, its own law governs within that province. This will obviously create more policies that businesses will need to adapt to, but it will doubtless create more protections for individuals, as well as avenues to seek resolution if there are violations.
So how does PIPEDA affect your business? Here are the points that stick out:
There must be an individual or individuals appointed as the privacy "point-person(s)" who will be accountable for the organization's practices and management of personal information. The name or title of this party must be made available on request, along with a means and procedure for contacting them about inquiries or complaints.
Your business must create policies regarding the collection and security of personal information, and your staff must be aware of them. A copy of these policies must be available to the people whose information you have collected. You'll notice that privacy and security policies have already become commonplace on websites and in newsletters.
A system must be put in place to make sure customer information is secure, accurate, and gathered with consent. The reason for collection and use must be disclosed to individuals, and the information must not be used beyond the stated purpose. If you intend to share this information with related organizations (subsidiaries, for example), permission must be granted by the person whose information you have gathered.
If information is shared, the security responsibility extends to how third parties use the personal information they are "processing" on your behalf. This means that if you're working with a third party, make sure you have a contract regulating the specific use you have agreed to, as well as a contractual commitment to their compliance with privacy legislation.
The purpose of collection must be identified, and only the information needed to achieve that purpose may be collected. Information may be held only for as long as needed to fulfill the purposes indicated, after which it must be destroyed, erased or "made anonymous". If the organization wants to use the information for any purpose other than the one for which it was collected, it must obtain consent from the individuals concerned. There must also be a means for an individual to see the personal information held about them (with some legal and medical exceptions), for accuracy and security purposes. Information must be accurate and sufficiently up to date to ensure that decisions made about the individual are sound, but it need only be as accurate as the purpose for which it was collected requires.
An organization cannot require an individual to consent to the collection of personal information in excess of what is reasonably needed to supply a product or service. "Consent cannot be gained through deception." Information can be used for purposes that an individual would reasonably expect, such as billing, renewal and updates regarding services, but the stated purpose cannot be stretched too far without gaining specific consent.
Consent can be given by signed application, by checkbox (which makes negative-option checkboxes a possible grey area), orally, or at the time a service or product is used. Notice that all of these actions occur before the information is used; this is not a case where it is "easier to ask forgiveness than permission." There are some exceptions to these consent rules, such as the journalistic and artistic exemptions, and the passage of "one hundred years after the record containing the information was created" or "twenty years after the death of the individual whom the information is about." For our purposes, it simply makes more sense to ask permission up front.
An individual can withdraw consent at any time, with reasonable notice, at which point the organization must cease using the information (such as an email address) and inform the individual of the consequences of the withdrawal.
Here's a big one. The legislation allows the Privacy Commissioner of Canada to audit an organization's collection and management of personal information if there are reasonable grounds to believe that the organization is in violation of the legislation. Information about companies found in violation can then be made public if it is thought to serve the public interest. This in itself is a good reason to comply with personal privacy regulations. It also makes good ethical sense. If individuals feel that their information has been misused, you're likely to feel their bite, but if they experience straightforward policies and a sense of respect and security for their information, you can count on their business. Remember, in a referral-intensive business environment, a happy customer is likely to become two happy customers, and so on.