July 15, 2008
Your business and the privacy act
By Robert Kennaley
McLauchlin & Associates
The Personal Information Protection and Electronic Documents Act, or PIPEDA, is a relatively new private sector privacy law in Canada. It sets the ground rules for, among other things, how businesses may collect, use or disclose personal information in the course of commercial activities. It is intended to balance the individual’s right to privacy with the need of organizations to collect, use or disclose personal information for legitimate business purposes.
The Act is federal legislation. It applies to personal information collected, used or disclosed in the course of commercial activities by all private sector organizations. That is, except those who operate under “substantially similar” provincial legislation. At present, such similar legislation is in place in Quebec, British Columbia, Alberta and, in relation to health care matters, Ontario.
The Act does not always apply in relation to the personal information of employees. Unless you are contracting with a federally regulated industry, such as banking, telecommunications or broadcasting for example, it is unlikely that you will be subject to the Act as to employee information.
PIPEDA states that the knowledge and consent of the individual is required for the collection, use or disclosure of personal information relating to that individual. Disclosure may only be for purposes that a reasonable person would consider appropriate in the circumstances. An exception is that an organization may disclose personal information without knowledge or consent for the purpose of collecting a debt owed by the individual to the organization.
Personal information about non-employees, collected in the course of non-federally regulated business, will be subject to PIPEDA. Most Landscape Ontario and CNLA members will accordingly be subject to its provisions. Information collected in relation to individuals, such as clients, contractors, subcontractors, suppliers, consultants and municipal inspectors, will accordingly be caught by the Act. Personal information can include, for example, the person’s name, address, phone number, e-mail address, likeness and property (as shown in photographs, for example). Financial information is also, of course, considered personal. This might include accounts held, accounts owing, assets, etc.
As will be discussed below, it is important for businesses in Ontario to establish and implement proper policies to manage and secure the personal information they come into contact with in the course of their operations. It is suggested that, at the same time, it would be prudent to implement such policies in relation to employee information as well. This is because, while PIPEDA may not apply, other provincial legislation (such as the Privacy Act) as well as common law principles, may nonetheless apply in this regard.
Practically speaking, PIPEDA incorporates ten “fair information principles” that create a code of conduct which businesses are expected to follow in relation to personal information. The extent to which these principles will apply to any particular business will, of course, vary depending on the nature of the business in question:
- Accountability: Businesses should appoint a specific individual to develop and implement personal information policies and practices, and conduct complaint investigations.
- Identifying purposes: When collecting personal information, businesses should identify why it is needed and how it will be used, as specifically as possible (such as opening an account, verifying creditworthiness, or sending out an association newsletter).
- Consent: Businesses should inform individuals in a meaningful way of their intentions to collect personal information, should obtain the individuals’ consent to that collection, and should obtain a further consent if a new use is planned. The more sensitive the information, the more formal and expressed the consent should be. In some circumstances, the consent may be presumed from the circumstances of how and why the information is being provided. Thus, for example, if your subcontractor provides you with a quote, it might be presumed that the price will be shared with the owner as part of a tendering process.
- Limit collection: Businesses should be discriminating in the amount and type of information they collect, limiting such collection to that required for the stated purposes set out in the business’s policies.
- Limit use, disclosure and retention: Guidelines and procedures should be in place for retaining and destroying personal information, such as minimum and maximum periods that take legal requirements into consideration.
- Accuracy: Information that may potentially be shared with a third party should be accurate and current to avoid complaints and instill customer confidence in your organization.
- Appropriate safeguards: You must develop and implement a security policy that safeguards the information from unauthorized access, disclosure, copying, use or modification, regardless of the format in which it is held, and ensure your employees are aware of the importance of confidentiality.
- Openness: Businesses should inform their customers and employees that they have policies and practices for the management of personal information and ensure that their employees are familiar with the procedures, including how to direct inquiries to the appropriate accountable individual in the company.
- Access: Individuals should be provided with access to all personal information held about them by a business, on request. This is subject to being absolutely sure of the identity of the person making the request.
- Recourse: Businesses should develop simple and easily accessible complaint procedures, notifying individuals of the outcome of investigations clearly and promptly. Inform them of other avenues of recourse and take appropriate measures to correct the mishandling of information.
Our discussion of PIPEDA will continue next month.
Robert Kennaley practices construction law in Toronto and Simcoe. He speaks and writes regularly across North America. He can be reached for comment at 416-368-2522, or at kennaley@mclauchlin.ca. This material is for information purposes and is not intended to provide legal advice in relation to any particular fact situation. Readers who have concerns about any particular circumstance are encouraged to seek independent legal advice in that regard.