Effective 1st January 2004, new federal privacy legislation — the Personal Information Protection and Electronic Documents Act, or PIPEDA — applies to every commercial activity in Canada that collects, uses or discloses personal information. PIPEDA has been in force since Jan. 1, 2001, although it initially only applied to the intraprovincial or international sale of personal information as well as to federal works, undertakings or businesses such as banks, grain elevators, airports, and television broadcasters.
On Jan. 1st 2004, PIPEDA will cover every business in Canada that manages personal information unless provinces have enacted “substantially similar” provincial legislation.
Personal information is defined as any information about an identifiable individual. Unlike public sector privacy laws, such as Manitoba’s Freedom of Information and Protection of Privacy Act, or FIPPA, that regulate only recorded information, PIPEDA applies broadly to recorded and unrecorded personal information. As a result, personal information will include your name, age, health information, purchasing habits, video image, opinion, ethnic origin, e-mail messages and financial history.
PIPEDA defines a commercial activity as any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character. Therefore, every business activity that involves personal information, including that of non-profit groups that engage in fundraising efforts, will be affected by PIPEDA.
Businesses that want to collect, use or disclose personal information will have to obtain consent, except in some very limited circumstances where exemptions will apply. If businesses want information that was initially collected before PIPEDA applied to their activities, then they’ll have to make sure they have received consent. In some situations, this will force them to re-contact clients to obtain their consent for future uses and disclosures.
Businesses can only use or disclose personal information for the identified purposes for which consent was obtained when the information was first collected. Even where consent has been obtained, businesses must limit their collection, use and disclosure of information to purposes that a reasonable person would consider appropriate in the circumstances.
Once personal information has been collected, businesses must protect it with security safeguards appropriate to the sensitivity of the information. Sensitive personal information, such as health and financial data, will have to be protected using heightened physical, organizational and electronic safeguards. Similar to current access-to-information rights for government records, PIPEDA gives people the right to see what personal information a business holds about them and the right to correct any errors or omissions in that information.
The Office of the Privacy Commissioner of Canada is responsible for ensuring PIPEDA is respected and for assisting where privacy rights have been violated. The Privacy Commissioner responds to complaints, conducts investigations, issues findings and may publicize the identity of businesses that don’t comply with PIPEDA’s obligations. After the Privacy Commissioner has addressed a complaint, the Federal Court of Canada can then charge a business up to $100,000 and order it to pay compensation for any humiliation suffered as a result of a privacy violation.