Canadian Privacy Legislation affecting Businesses
Personal Information Protection and Electronic Documents Act (PIPEDA)
As of January 1, 2004, virtually all businesses in Canada became subject to the Personal Information Protection and Electronic Documents Act. This legislation was previously in force only for federally regulated companies such as banks. As of January 1, 2004, it applies to all businesses. The legislation allows provinces to create their own legislation to apply instead of the federal version, so long as it is substantially similar. To date, Saskatchewan has not done so.
In passing this legislation, the Canadian government has recognized that it is now all too easy for businesses to gather large amounts of personal data on others. Much of it is being gathered by people without a legitimate need to know all of the information they are obtaining. Even if they have a legitimate use for it, the information needs to be safeguarded so that it is only collected with the informed consent of the person and cannot be used for other purposes. Unless the process is regulated, that data can be accessed inappropriately, released to or intercepted by someone without proper authorization, sold to marketers or, worse yet, misused by identity thieves.
If your business gathers and records information about customers, employees or others, there are limits about what you can gather and how long you can keep it. It affects most businesses because almost everyone keeps name and address information about customers and employees. Most keep a lot more than that.
Reasonable Personal Information with Consent
Under PIPEDA, a business is generally only entitled to gather personal information with the consent of the person it relates to. There are exceptions that will be mentioned below. In normal cases, if you operate a business, you can only ask people for personal information that is reasonable in relation to the type of business being conducted. For example, most businesses are now not entitled to ask customers for health insurance numbers simply as a means of identification unless they are practising in the health field and need the number for billing. A business may no longer ask for a customer's social insurance number unless there is a legitimate need for the number. However, if a credit check is required to grant credit to a customer, such as an application for credit to purchase a new vehicle, then it is fair and reasonable to ask for a social insurance number because the number is required to perform a credit bureau search. If you don't need the SIN for a legitimate purpose, then you are not permitted to gather it. If you obtained a person's consent to collect information for a disclosed purpose, you cannot make use of it for other purposes.
What is Personal Information
The type of information covered by PIPEDA is personal data about people such as their name, address, birth date, personal identification numbers and information, credit records, loan records, income information, race, religion, etc. These are just some obvious examples, but of course other information can be included as well. The protection extends to information a business keeps about its employees as well as customers or others. In terms of employees, the information includes employee files, opinions, evaluations, comments or disciplinary actions. There are also some common sense exceptions for harmless information gathering. For example, you don't have to give up your Christmas card list.
Retention and Security
A business may only retain personal information for a reasonable period of time, depending on the situation. There are no hard and fast guidelines. Acting in a "reasonable" manner is the most common test. A business must take steps to ensure that any personal information it retains is secure so that others cannot improperly access it.
Making a Demand
Under section 8 of the Act, a business must respond within 30 days to a person's written demand for what personal information it has about them. If it is shown that the information is incorrect, the business has an obligation then to correct its records. The business may even be obligated to help the person fill out the necessary forms to make the demand.
Charges for Responding to a Demand
Although the guidelines do not appear to be specified, it does appear in section 8 of the legislation that a business may impose a reasonable charge for supplying information to a person making a demand, but the business must indicate the approximate cost after the request is made. One cannot supply the information and then submit a bill after the fact.
Exceptions to Obligation to Disclose
In some cases, it would be unfair to require that a business release information to someone making a demand. For that reason, section 9 of the Act lists various exemptions from releasing the information, such as where it is being gathered to investigate the breach of a law (i.e. law enforcement agencies), where it involves solicitor-client privilege, where it was generated in the course of a formal dispute resolution process, or where its disclosure could harm someone's life or security. Another exception is that a business may not in certain cases be obligated to disclose sales statistics or other confidential business information that relates to a customer making a demand. Section 9(3)(b) states that an organization is not required to give access to personal information where it would reveal confidential commercial information.
If you are a business operator responding to a demand, you should ensure that you are only giving out personal information about the individual demanding it. By way of example, if a person makes a demand, you should not release personal information about their spouse, as it is possible that they are no longer together or the spouse may otherwise object to its release. The spouse should be demanding that information themselves. You should also ensure that the person demanding the information is who they claim to be. Ask for appropriate identification before releasing anything. You also need to ensure that any personal information is kept secure so that it cannot be accessed by others. By way of example, you should not store personnel files in an unlocked drawer where employees can improperly access confidential information about other staff.
Sometimes people mistakenly refer to this type of legislation as "The Privacy Act". There is legislation by that name enacted by the government of Canada. However, it only regulates how and when federal government institutions can receive and release personal information. It does not affect how people and businesses deal with privacy issues.
For more information, you may wish to visit the website of the Privacy Commissioner of Canada. It contains more detailed information. The ultimate source of information is the Act itself. The link I am providing is an unofficial version, but likely easier to browse through.
Please contact me if I can be of any assistance to you.
Notice: The information on this website is general in nature only. It relates to Saskatchewan, Canada and may not be applicable in your jurisdiction. It does not constitute legal advice to you and no solicitor-client relationship will be established. You should seek specific legal advice regarding your circumstances from a lawyer entitled to practise law in your jurisdiction.
www.rickcarlson.com | Tue, 23 May 2017 15:38:37 CDT