In Canada, consumers are becoming more aware of their privacy and are choosing to deal with companies that have established privacy policies and respect their privacy rights.
But privacy is not just good business – it’s the law.
All organizations that collect personal information must follow the rules established by the Personal Information Protection and Electronic Documents Act (PIPEDA), which is Canada’s federal private-sector privacy law.
See How Your Organization Complies With Privacy Law Regulations
Privacy starts with you. Take Blue-Pencil’s quick online Document Security Risk Assessment to discover your business’s biggest gaps, the ones that put your organization at risk of an information breach and fines for non-compliance.
More About Privacy Act Compliance
Who Oversees the Privacy Act?
Compliance with PIPEDA is overseen by a federal regulator, the Office of the Privacy Commissioner of Canada. This office oversees adherence to PIPEDA by conducting independent and impartial investigations into how businesses handle personal information. The Privacy Commissioner of Canada can also initiate a complaint on their own initiative where there are reasonable grounds to do so.
Who Does the Privacy Act Apply To?
PIPEDA applies to all private-sector organizations that collect, use or disclose personal information in the course of commercial activities. The law defines commercial activity as any business transaction, act or conduct intended to earn an economic profit. Conduct that is commercial in nature – such as the selling, bartering or leasing of donor, membership or other fundraising lists – is also covered by the Act.
Federally regulated organizations, including telecommunication companies, banks, airlines, radio and television broadcasters and the like, must follow PIPEDA. The Act also covers their employees’ personal data and how it is collected, used or disclosed within the organization.
What is Personal Information?
According to PIPEDA, personal information includes any factual information about an identifiable individual. This includes:
- Age, name, address, telephone number, ID numbers, income, spending habits, ethnic origin, DNA code, blood type, etc.
- Opinions, evaluations, comments, social status or disciplinary actions.
- Employee files, credit records, loan records, medical records, documentation of a dispute or intentions (for example: to change jobs, acquire goods or services, etc.)
How Do Businesses Ensure Compliance With Privacy Laws?
There are several requirements for complying with PIPEDA:
- Businesses covered by this law must obtain consent when an individual’s personal information is collected, used or disclosed.
- Consumers have the right to access their personal information, question its accuracy and ensure it is up to date.
- Personal information can only be used for the purpose for which it was originally collected; any new use requires that consent be requested again.
- Personal information must remain secure and be protected from theft, unauthorized access or disclosure by adequate security safeguards.
What Happens When PIPEDA Is Breached?
When security measures fail to protect personal information and a complaint is made as a result of a breach, the organization in question has violated PIPEDA. If an early resolution cannot be reached, a formal investigation will determine the outcome. This may include federal court proceedings, public interest disclosures, audits, hefty fines and the payment of damages to the complainant.
The Bottom Line: There are great risks for businesses that do not protect their customers’ personal data.