Melissa Lukings, Associate
In today’s digital age, the protection of personal information is of paramount importance. As a business owner is Ontario, you must be aware of your responsibilities under the Personal Information Protection and Electronic Documents Act (PIPEDA). The PIPEDA is a federal law that sets out the rules for how businesses collect, use, and disclose personal information. In this blog post, we will provide an overview of what the PIPEDA is, explain why it was implemented, break down it’s requirements for businesses, and clarify which businesses must comply with it.
What is the PIPEDA?
The PIPEDA, which came into effect on January 1, 2004, is Canada’s federal privacy law which governs the collection, use, and disclosure of personal information by private sector organizations. The implementation of the PIPEDA was driven by the need to adapt privacy laws to the digital era, enhance consumer trust, and facilitate international business transactions in an increasingly interconnected world. The primary goal of the PIPEDA is to strike a balance between protecting the privacy rights of individuals and allowing businesses to conduct their operations and provide service effectively in the digital age.
To whom does the PIPEDA apply?
The PIPEDA applies to private-sector organizations across Canada that collect, use, or disclose personal information in the course of conducting commercial activities in and/or across Canada. This means that most businesses operating in Ontario, whether large corporations or small startups, fall under the jurisdiction of the PIPEDA.
What my responsibilities as a business (or organization) under the PIPEDA?
There are ten fair information principles to protect personal information, which are set out in Schedule 1 of the PIPEDA. Those principles, and some examples of the fundamental responsibilities for each, are as follows:
- Accountability
- Appoint someone to be responsible for PIPEDA compliance.
- Protect all personal information that is held, including any personal information that is transferred to a third-party for processing.
- Develop and implement personal information policies and practices, and disseminate these policies and practices to all employees.
- Identifying Purposes
- Identify and document the purposes for collecting personal information, which will help determine which specific personal information must be collected to fulfill those purposes.
- Tell customers why the organization needs their personal information before and at the time of collection, either orally or in writing.
- Re-obtain customer consent if a new purpose is later identified.
- Consent
- Obtain meaningful consent for the collection, use, and disclosure of personal information.
- Ensure that customers understand the nature, purpose, and consequences of the collect, use, or disclosure of their personal information.
- Ensure that customers are aware that they can withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice, and that the customer is informed of the implications of withdrawal of their consent.
- Limiting Collection
- Collect only the personal information that is necessary to fulfill a legitimate and identified purpose.
- Identity the kind of personal information that will be collected in the accompanying information-handling policies and practices.
- Collect personal information only by fair and lawful means.
- Limiting Use, Disclosure, and Retention
- Keep personal information only as long as it is needed to fulfill the purposes for which it was collected.
- Know what personal information is being stored, where it is, and what is being done with it.
- Put guidelines and procedures in place for retaining and destroying personal information.
- Accuracy
- Minimize the risk of using incorrect information when making a decision about an individual or when disclosing information to third parties.
- Keep personal information as accurate, complete, and up to date as necessary, taking into account its use and the interests of the customer.
- Establish policies that govern which types of information need to be updated.
- Safeguards
- Develop and implement a security policy (for all employees) to protect all personal information against loss, theft, or any unauthorized access, disclosure, copying, use, or modification.
- Review the safeguards regularly to ensure that they are up to date and that any known vulnerabilities have been addressed through regular security audits or testing.
- Limit employee access and make sure that personal information that has no relevance to the transaction is either removed or blocked out when providing copies of information to others.
- Openness
- Inform customers and employees about the policies and practices for managing personal information.
- Make sure that the policies and practices for managing personal information are easily understandable and easily available.
- Ensure that the information being presented is consistent, regardless of the format.
- Individual Access
- When asked, advise customers about the personal information that is held about them and explain when it was obtained, how it is used and to whom it has been disclosed.
- Respond to a request for information as quickly as possible while also never disclosing personal information unless certain of the identity of the requestor and that person’s right of access.
- Give people access to their own information at minimal or no cost, or explain reasons for not providing access, if applicable.
- Challenging Compliance
- Ensure that staff members are aware of the policies and procedures for complaints and know who is responsible for handling any complaints.
- Handle complaints fairly to help preserve or restore the customer’s trust in your organization.
- Investigate all complaints that you receive and assign the matter to a person with the skills necessary to review the complaint fairly and impartially.
The PIPEDA plays a crucial role in safeguarding the privacy rights of individuals in Ontario and throughout Canada. As a business owner, it is essential to be aware of the PIPEDA’s requirements and ensure compliance in order to protect the personal information hat is entrusted to your organization. By following the principles outlined in the PIEPDA, you can not only meet your legal obligations but also build trust with your customers and clients, demonstrating your commitment to their privacy and data security.
If you would like more information or assistance with this type of issue, please reach out to Melissa Lukings or contact Lister Beaupré LLP directly by phone at 613-234-2500 or by email at info@listerlawyers.com.
Melissa Lukings
melissa@listerlawyers.com