PIPEDA - Minding your business is part of your business
PIPEDA is an acronym for the “Personal Information Protection and Electronic Documents Act”. It is federal privacy legislation that establishes rules with respect to the collection, use and disclosure of personal information.
From 2001 to 2004, PIPEDA only applied to federally-regulated business (i.e. banks, airlines, telecommunications and transportation companies) and to businesses that collect, use or disclose personal information across provincial and national borders (i.e. credit reporting agencies or “mailing list” exchanges).
Since January 1, 2004, PIPEDA has applied to every Ontario business or organization which collects, uses or discloses personal information in the course of a commercial activity, which means that even small businesses must establish a privacy program. PIPEDA defines a commercial activity as “… any particular transaction, action or conduct or any regular course of conduct that is of a commercial character”. It specifically includes the selling, bartering or leasing of donor, membership or other fundraising lists.
PIPEDA not only applies to traditional business activities, but to e-commerce transactions and on-line business activities as well. While this private sector privacy legislation has now been in force for more than 7 years, many businesses and organizations still have not heard of PIPEDA, let alone complied with the requirements of this legislation.
What is “personal information”?
“Personal Information” is currently defined as “ … information about an identifiable individual, but does not include the name, title, or business address or telephone number of any employee of an organization”. This includes any factual or subjective information, recorded or not, in any form including digital or paper format. For example, information that relates to an individual’s personal characteristics (i.e. gender, age, marital status, unlisted home address, unlisted home telephone number, income), health (i.e. health history, health conditions, health services received), activities and views (i.e. religion, politics, opinions expressed, opinion or evaluation of an individual, social status or disciplinary actions), intentions (i.e. to acquire goods or services, or change jobs), ID numbers and credit or loan records are all personal information.
Proposed amendments to PIPEDA, which have been introduced before the House of Commons (known as Bill C-29) and are currently proceeding through the legislative process, will separate business information and personal information by providing for a definition of “business contact information” which will include a person’s business email address (as well as other information typically found on a business card which is currently included in the definition of personal information), and where used in the business context will not have the protection of PIPEDA.
Companies are generally not protected by privacy legislation, only individuals. However, an individual’s personal information may be so inextricably linked to his or her company (a small business owner/operator, for example), that information about the company constitutes personal information about the individual. Also, some personal information that is otherwise publicly available is not protected.
PIPEDA’s governing principles
PIPEDA’s requirements stem from 10 basic principles, developed by the Canadian Standards Association, which are set out in the legislation. They articulate guidelines for the collection, storage, use and disclosure of personal information.
The principles are:
Accountability—The organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the legislation’s privacy principles.
Identifying Purpose—The purposes for which personal information is collected must be identified by the organization at or before the time the information is collected.
Consent—The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.
Limiting Collection—The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
Limiting Use, Disclosure and Retention—Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.
Accuracy—Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
Safeguards—Personal information shall be protected by security safeguards, appropriate to the sensitivity of the information.
Openness—The organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
Individual Access—Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Challenging Compliance—An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.
Putting these principles into action
There is no standard privacy policy “template” because of the varying nature of each organization’s businesses and practices. Each organization should examine carefully how to apply the privacy principles in light of its own business activities. Here are some suggestions on how to proceed.
Select a Chief Privacy Officer (CPO)
The CPO’s role is to oversee the organization’s personal information handling practices. The CPO is responsible for every aspect of the organization’s personal information handling practices and for ensuring that those practices comply with the 10 principles of PIPEDA. The CPO must oversee the development of the privacy policy and procedure. This will include the design and co-ordination of an internal audit to determine whether the organization’s personal information practices comply with PIPEDA. The CPO handles the implementation of the privacy policy and procedure once it is in place. Any request for access to or correction of personal information, and any complaint, is to be handled by the CPO. The CPO should be a person with a measure of seniority and responsibility within the organization. For small businesses, the CPO would often be the owner/manager because they understand how the business works.
Conduct an internal audit of the organization
Below is a list of suggested questions that should be asked when conducting an internal audit. This list is by no means exhaustive and, depending on the nature of your organization’s commercial activities, will prompt further questions:
- what personal information is collected?
- for what purposes do we collect the personal information?
- how is the information collected?
- how is consent of the individual obtained (or is it implied)?
- what do we do with the personal information?
- how do we store and safeguard the personal information?
- to whom and under what conditions do we disclose the personal information?
- how do we dispose of the personal information and when do we do so?
Develop a privacy policy
An external privacy policy must be developed, based on the 10 governing principles outlined above, and made available to all customers. Customers can be informed of the organization’s privacy policy through a mail-out pamphlet or brochure. If your organization has a web site, a link to the policy should be clearly displayed on your home page as well as on pages which request personal information or provide a link for sending a message. Web accessible organizations should also develop a web site privacy policy to address personal information that is collected through the web site.
Additionally, it would be advisable to develop a further internal privacy policy to deal with specifics of collection, storage and handling of personal information within the organization and to set out proper procedures for requests for access.
Review agreements with service providers
PIPEDA states that organizations are responsible for personal information that has been transferred to a third party for processing. Organizations should therefore review all agreements with their third party service providers who handle or access the personal information collected by or on behalf of the organization to ensure that those persons provide a comparable level of privacy protection in the handling of such information.
Ensure consent of the individual is obtained
The organization must obtain an individual’s consent when it collects, uses or discloses the individual’s personal information. This consent must be an informed consent in order to be valid. Proposed amendments to PIPEDA will clarify what constitutes valid consent. Such consent would only be valid if it is reasonable to expect the individual understands the nature, purpose and consequences of the collection, use or disclosure to which they are consenting. An organization should inform individuals why it is collecting information about them.
The individual has a right to access personal information held by the organization and to challenge its accuracy. Personal information can only be used for the purposes for which it was collected. If the organization is subsequently going to use it for another purpose, consent must be obtained again for the new purpose. However, consent in some instances may be implied to reasonable purposes and sometimes consent is not required (i.e. in an emergency).
For personal information already collected, organizations are not required to recollect it. However, it is subject to PIPEDA, and in order to continue to use or disclose the personal information, consent is required. Organizations can inform their customers what they do with the previously collected information, to whom it is or was disclosed, and give customers the opportunity to object to the continued use or disclosure.
Ensure security of personal information
All security policies including physical measures, technical/electronic tools and organizational controls should be tested and evaluated, and changed or implemented where required.
Train your staff
Support staff have a key role in ensuring that personal information is kept confidential. Staff should be trained to ensure compliance with privacy policies, including the management and protection of personal information, and how to handle access and correction requests.
Consequences of non-compliance
The federal Privacy Commissioner is responsible for ensuring compliance with PIPEDA and will become involved if a complaint is not resolved between the individual and the business organization. The consequences of an organization’s failure to comply with PIPEDA not only mean substantial public embarrassment and harmful business disruption, but can also include an audit of your organization’s information management policies by the Privacy Commissioner, an award of damages by the courts and/or fines of up to $100,000.
The proposed amendments to PIPEDA include new breach notification requirements where organizations will be required to report material breaches of security safeguards (which includes a failure to establish those safeguards) to the Privacy Commissioner and to notify certain individuals of breaches that pose a threat of significant harm to them. “Significant harm” would include bodily harm, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
PIPEDA will continue to apply until Ontario enacts its own privacy legislation, which must be deemed substantially similar by the federal Cabinet to the federal legislation. British Columbia, Alberta and Quebec are the only provinces with laws recognized as substantially similar to PIPEDA. Ontario has passed a law similar to PIPEDA but it only applies to matters related to health care.
If your organization operates in other provinces in addition to Ontario, you will need to determine if a privacy law has been deemed substantially similar to PIPEDA in those provinces. If so, your organization will be subject to that provincial privacy law as opposed to PIPEDA. If, however, any personal information crosses a border as part of the commercial transaction involving your organization, compliance with PIPEDA is required.
*The comments in this article are made in respect of Ontario businesses and organizations. The content of this article is intended to provide general information for the reader and is not intended as advice or an opinion to be relied upon in relation to any particular circumstance. For specific applications of PIPEDA or other provincial privacy legislation deemed substantially similar to PIPEDA to your business or organization, the reader should seek professional advice.
Jennifer Searle practices in the areas of corporate and commercial law as well as estate planning and administration with McLean & Kerr LLP. In her corporate and commercial law practice she acts for Canadian and foreign businesses as well as individuals. She assists clients in the areas of business start-ups and reorganizations, financings, share and asset acquisitions and sales, commercial agreements and in the development and preparation of privacy policies.