The Personal Information Protection and Electronic Documents Act (“PIPEDA”, or “PIPED” Act) was first introduced into the Canadian House of Commons in October 1998 as Bill C-54 and re-introduced as Bill C-6 in October 1999 at the opening of the new Parliamentary session. The Senate passed the bill with two amendments pertaining to personal health information and Parliament approved the amendments and the Act received Royal Assent on April 13, 2000. Any organization operating in Canada must comply with this act or, if it exists, the provincial equivalent (such as FIPPA in Ontario).
» January 1, 2001: the law was applied to federal works, undertakings or businesses, such as banks, telecommunications companies, airlines, railways and inter-provincial trucking companies (and to the employee records in those organizations). Personal information disclosed across borders for consideration (e.g., the sale or lease of lists) was also protected.
Many companies have been PIPEDA compliant unconsciously as part of their common sense or business ethics, but with the legislation now officially enacted (as of January 1, 2004) every organization in Canada must comply immediately. Breaches of PIPEDA and /or non-compliance penalties/fines range up to $100,000 depending upon the severity of the breach or non-compliance. However, this legislation was created with a firm desire to balance the necessity of business (not stifle it) to collect and use personal information with the necessity of privacy for all Canadians and their personal information. Publishing a reassuring (and accurate!) statement/policy detailing your privacy practices will show customers that you respect them and they in turn will respect you!
The Act has come into force in three stages:
» January 1, 2002: the law was applied to personal health information collected, used or disclosed by organizations described under phase one of the law.
» January 1, 2004: the law was applied to every organization that collects, uses or discloses personal information in the course of any commercial activity within any province, whether or not the organization is a federally-regulated business or not.
PIPEDA principles were developed by businesses, consumer organizations, government, and others including the Canadian Standards Association into a national standard for personal information protection based on 10 principles. These principles are the foundation of PIPEDA.
10 basic privacy principles include:
1. Accountability - an organization is responsible for the personal information under its control and who has access to this information. Each organization should designate an officer responsible for all PII (Personally Identifiable Information) procedures within the organization and to act as contact person for questions or issues regarding PII. Additionally, reasonable steps should be taken to ensure that partners, affiliates, and other associated 3rd parties are also in compliance with the principles of PIPEDA.
2. Identifying purpose(s) - an organization must state why any collected information is being used and for what purpose this information will or may be used.
3. Consent - knowledge and consent of an individual are required for the collection, use or disclosure of any personal information, including automated methods like cookies. A policy of implied consent is not recommended even when full details of PII use or disclosure is included.
4. Limiting collection - collection (of information) is limited to just what is necessary for the purposes originally identified by the organization.
5. Limiting use, disclosure and retention - no personal information shall be used or disclosed for any reason other than that for which it was collected except with the consent of the individual or as required by law. The information shall only be kept as long as is necessary for the fulfilment of those purposes and be promptly destroyed once no longer required for those purpose(s) originally stated.
6. Accuracy - all personal information collected should be as accurate, complete and up to date as is necessary to complete the purpose(s) identified and accessible in entirety to the individual (for any corrections / updates) immediately upon request.
7. Safeguards - Personal information is to be protected by security safeguards appropriate to the sensitivity of the information collected and as such all current and reasonable methods, equipment, and procedures should be fully in place and employed as to ensure the safety of any personally identifiable information for which the organization is responsible.
8. Openness - The organization must make available to any individual specific information about their policies and practices relating to the management of personal information. This includes designating a Privacy Officer within each organization (preferably in an executive position) responsible for all issues related to personal information collection and use as well as any contact with clients regarding such. A privacy policy (or some similar reference to the collection, use, disclosure, retention, and deletion procedures for all information collected, used, transmitted, stored or deleted by an organization) must be posted visibly on any website operated by the organization, (at the least) referenced to in every place where Personally Identifiable Information (PII) is collected, and include the contact information of their designated internal Privacy Officer.
9. Individual access - upon request any individual shall be informed of the existence, use and disclosure of his/her personal information and given immediate access to that information in its entirety.
10. Challenging Compliance - any individual shall be able to address a challenge concerning PIPEDA compliance to both the company and the Privacy Commissioner and should receive a response from the company within 30 days. It is also recommended that a Privacy Policy include contact information for the Privacy Commissioner of Canada or a link to the www.privcom.gc.ca website.
|
© 2009 goIT.ca