The Personal Information Protection and Electronic Documents Act (Canada) (“PIPEDA”) now governs the collection, use and disclosure of personal information by organizations in the course of a commercial activity. Personal information is defined as including information about an identifiable individual. However, personal information does not include the information that would appear on a business card: name, title, business address, and business telephone number.
If an organization is collecting information about people in the course of a commercial activity, the organization is required to follow rules designed to protect the personal information.
Organizations governed by PIPEDA must comply with ten privacy principles:
1. Accountability: An organization is responsible for the personal information it collects. The organization must appoint an individual or individuals who must account for compliance with the ten privacy principles (the “privacy compliance officer(s)”). The name of the privacy compliance officer(s) must be accessible to customers and employees (as applicable).
2. Identifying Purpose: At or before the time of collection of the information, the organization must disclose the purpose for which the personal information is collected. The purpose for which the information is collected must be documented by the organization. Safeguards are required to ensure that the information is not collected for a purpose other than that disclosed.
3. Consent: The organization must obtain the informed consent of the individual prior to collecting, using or disclosing the personal information (except where inappropriate or exempted by law). In some circumstances consent may be implied. Consent can be withdrawn at any time.
4. Limiting Collection: The personal information must be collected by fair and lawful means, and such collection must be limited to what is necessary for the purposes identified by the organization.
5. Limiting Use, Disclosure and Retention: Except with the consent of the individual or as required by law, an organization may not use or disclose personal information for purposes other than those for which it was collected. Information used or disclosed for specifically exempted purposes may be used without such consent.
6. Accuracy: Personal information must be kept as accurate, complete and current as is necessary for the purposes for which it is to be used. Individuals should be informed as to how they can access and correct their personal information.
7. Safeguards: Security safeguards appropriate to the sensitivity of the information must be implemented. Information should be protected against theft, loss, unauthorized access, disclosure, copying, use or modification.
8. Openness: Specific information about an organization’s policies and practices relating to the management of personal information must be readily available to individuals.
9. Individual Access: Upon the request of any particular individual, the organization must inform that individual of the existence, use and disclosure of his or her personal information, and the individual shall be given access to that information. The individual shall be given the ability to challenge the accuracy of the information and to require the organization to correct it.
10. Challenging Compliance: An individual must be able to address a challenge concerning compliance with the privacy principles to the privacy compliance officer(s). Procedures must be implemented to receive and respond to complaints, inquiries or suggestions about the organization’s policies and practices concerning personal information.
There are potentially serious implications for an organization’s failure to comply with PIPEDA. The foregoing article represents only a cursory sketch of PIPEDA. If you are an organization or an individual who is affected by PIPEDA, you should seek counsel for further information.