PRIVACY IN ONTARIO'S BUSINESSES
In 1995, the European Union adopted a data protection directive that restricted the transfer of personal data from its member states to countries lacking adequate privacy protections. In response to this directive, the Canadian Federal Government set about enacting privacy legislation to govern the private sector in Canada. Specifically, the federal legislation was intended to regulate the collection, use and disclosure of personal information across the country and thereby promote and enforce a “unified privacy principle” across Canada.
In January of 2001 the Personal Information Protection and Electronic Documents Act (PIPEDA) became law for federally regulated organizations. At that time, the legislation anticipated that PIPEDA would also apply to provincially regulated organizations and businesses in any province that failed to enact substantially similar provincial legislation before January 1st, 2004. As Ontario did not enact such legislation, the federal legislation, PIPEDA, became law in Ontario effective January 1, 2004.
The Federal Government promotes this piece of legislation as a law that provides advantages to Canadian business. Specifically, Industry Canada notes the following:
“Privacy is a deeply-rooted, strongly-held public value. PIPEDA was enacted to alleviate consumer concerns about privacy and to allow Canada’s business community to compete in the global digital economy. Organizations able to demonstrate their respect for, and protection of, personal information will gain a cutting edge on the competition. Complying with PIPEDA will build trust in the digital marketplace and create opportunities for Canadian businesses.” 1
However, today many businesses are unsure as to the concrete effects PIPEDA will have on their business and the costs that will be associated with complying with it. Questions such as “What does this piece of legislation mean to me?” and “How will I implement its requirements into my day to day activities?” are common questions from today’s business owners and employers. It is these questions that this article seeks to answer.
When does PIPEDA apply?
The Application of PIPEDA is, at first blush, quite broad. Specifically, section 4 of the Act states that it applies in the following circumstances:
4. (1) This Part applies to every organization in respect of personal information that
(a) the organization collects, uses or discloses in the course of commercial activities; or
(b) is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.
(2) This Part does not apply to
(a) any government institution to which the Privacy Act applies;
(b) any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose; or
(c) any organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic or literary purposes and does not collect, use or disclose for any other purpose.
When analysing this section some important points become apparent for employers and business owners. First of all, the Act only applies to personal information that is collected, used or disclosed in the course of “commercial activity”. Thus, it appears that if personal information is obtained for a purpose that is not related to any commercial enterprise it is not protected under PIPEDA.
In order to understand the application of PIPEDA, one also needs to understand what is and what is not a “commercial activity”. Commercial activity has been defined as “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists”. As this definition is quite broad, many of the day to day activities that you engage in to run your business will constitute commercial activity. For example, obtaining a customer’s phone number or address for delivery of a product is the collection of personal information for use in a commercial activity and will be covered under the Act. Similarly, obtaining financial information for financing, requesting a Social Insurance Number or Driver’s Licence number for identification purposes, or maintaining addresses for customer mailing lists are likewise covered. In essence, many of your daily transactions with customers and clients need to be protected according to the requirements of PIPEDA.
The final definition that we need to examine in order to understand the scope of this legislation is that which defines what information constitutes “personal information”. The Act defines personal information as: “information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.” Therefore, personal information constitutes any information you may have about a customer including their address, phone number, identification number, marital status, banking or financial information, credit rating, employment status etc. However, it is important to note that the Act refers to an “identifiable individual”, which suggests that information about a corporate entity that is a customer will not be covered. Also, for federally regulated employers it is worth noting that an employee’s name, title, business address or telephone number is not considered personal information, but that an employee’s email address is not specifically excluded.
How do I apply PIPEDA?
After you have come to a determination regarding what information in your company would be covered by PIPEDA, you then have to understand what to do with that information. In a nutshell, what PIPEDA requires is for businesses to get an individual’s consent when they collect, use or disclose that individual’s personal information.
PIPEDA is based on “the ten principles” of privacy, set out in Schedule 1 of the Act. If, as an employer or business owner, you understand these ten principles you will be able to apply PIPEDA with relative ease. These ten principles are:
1. Accountability for the personal information under the organization’s control
2. Identifying the purpose for which the information is collected
3. Consent of the individual for the collection, use or disclosure of the information
4. Limiting collection
5. Limiting use, disclosure, and retention
6. Accuracy of the information
7. Safeguards appropriate to the sensitivity of the information
8. Openness about the organization’s policies and practices
9. Individual Access
10. Challenging Compliance
The ten principles as articulated above basically mean that a business must have a specific reason to take in personal information, it must then use that personal information, with the individual’s consent, only for the purposes for which it was collected, and it must have a system in place which protects that information and allows individuals access to it in order to ensure the personal information within your control is accurate and up to date.
In order to achieve these objectives it is suggested that businesses perform what has been referred to as “a mini privacy audit” of their information systems. Suggestions on how to implement such an audit include the following:
3. Monitor your Data Flow. It is advised that businesses assess what personal information they collect, how it is used and how it is circulated. For example, do you provide personal information to a bank in order to obtain financing? Is personal information provided to builders or sub-contractors in order to complete a designated home? Basically you need to look at how the personal information is circulated within your business, even if it is circulated only internally. By mapping out that flow you will be able to identify your vulnerabilities and assess what you need to improve in order to conform to PIPEDA.
4. Look at your Contracts. As the new law requires that privacy is protected even when data leaves your business, your agreements must ensure that the other parties who receive or process personal information provide the same protection that you do and will not disclose this personal information to others. Similarly, you have to ensure that a given client knows what her personal information will be used for.
5. Ensure Consent. When you collect personal information from the client or buyer ensure that you have their consent to both retain that information and to provide it to other third parties who may require the information in order to get your job done. Although PIPEDA anticipates that some consent may be implied, a general practice of securing consent in every case will avoid the risk of contravening the act.
6. Ensure Security Systems are in Place. Security is very important and you should make sure personal information is secure by keeping it physically and, where applicable, electronically protected. Check the existing firewalls and access controls on your computer systems for weaknesses, and check your internal paper systems to ensure that personal information is protected.
7. Support Staff Training. It is important that all members of your business are aware of their obligations under PIPEDA and know how your business complies with such obligations. As such, it is suggested that you take time to train your staff on the principles of PIPEDA and in any changes you may be implementing.
8. Ensure Access. You should establish procedures to allow individuals to access their personal information with relative ease and to correct or update information when appropriate. You should also consider in which circumstances you will be able to permit a person’s personal information to be removed from your business and establish guidelines on how such requests will be dealt with.
What happens if I don’t follow PIPEDA?
The above list may seem daunting. Many small businesses may ask themselves: What happens if I don’t do all this? Because the Act is in its infancy in Ontario, it is not yet exactly clear how hard a line the government will take with respect to compliance. However, it is important to keep in mind that there is a Privacy Commissioner who may assess a business’s practices under PIPEDA at any time. The Commissioner will also respond to any complaints levied against an organization by a member of the general public. Specifically, section 28 of the Act creates offences for obstructing the Privacy Commissioner’s investigation, destroying information that is the subject of an individual’s access request, or disciplining an employee for whistle-blowing, punishable by a fine of up to $10,000 on summary conviction or up to $100,000 on indictment. These fines are imposed by a court on prosecution, not by the Commissioner, and in practice the Commissioner may simply request that an organization alter a given practice in order to become compliant.
However, PIPEDA also affords a complainant the opportunity to apply to the Federal Court after receiving the Commissioner’s report. Specifically, Section 16 of the Act states that:
16. The Court may, in addition to any other remedies it may give,
(a) order an organization to correct its practices in order to comply with sections 5 to 10;
(b) order an organization to publish a notice of any action taken or proposed to be taken to correct its practices, whether or not ordered to correct them under paragraph (a); and
(c) award damages to the complainant, including damages for any humiliation that the complainant has suffered.
What else does PIPEDA apply to?
What is often overlooked is that PIPEDA applies not just to the collection of personal information for the completion of a given project (for example the collection of financial information, mortgage information, deed information etc.); it also applies to your business if you engage in the activity of selling, bartering or leasing customer, donor, membership or fundraising lists. Specifically, the Canadian Marketing Association, with PIPEDA in mind, has begun to update its regulating guidelines with a clause about making it easier for customers to opt out of mailing lists. This shows the need to think about PIPEDA not just in the completion of an actual project, but whenever your organization uses any personal information at all for marketing and advertising purposes.
As stated above, the Act seems not to apply to employee information and files that are collected, retained or disclosed by provincially regulated employers. However, there has been some disagreement among commentators and scholars regarding what an employer should do with employee information since PIPEDA has taken effect. Since there have been no decisions in this area to date, many are unsure whether some of the uses that employee information is put to could constitute “commercial activity”. For example, if you were to use an employee’s resume or credentials to market your business and draw customers, that activity would likely constitute “commercial activity” and the information would therefore be protected under PIPEDA. Similarly, the maintenance of employee information for insurance reasons or for group benefit plans may be seen as commercial activity.
Since this area is unclear, what is often recommended to employers is that they include employee information in their privacy policies. Not only will it protect you in the future from what may be an unforeseen circumstance, it also lets employees know that their personal information deserves as much protection as customers’ information. Furthermore, the current rumour is that if the provincial government introduces its own legislation to replace PIPEDA, such legislation will include the protection of employee information.
What is PHIPA?
There is another “twist” in this new privacy regime that will soon affect those institutions that engage in the collection and use of personal health information. As you may be aware, the original draft privacy legislation that was released by the Conservative government in 2002 as a proposed alternative to PIPEDA was designed to cover the health sector as well as the business and not-for-profit sectors. This legislation never even received first reading, and as such PIPEDA became effective as of January 1st, 2004.
However, the provincial government now plans to implement, as early as the summer of 2004, a piece of legislation called the Health Information Protection Act (HIPA) that will specifically regulate the collection, use and disclosure of personal health information.
The substantive rules under HIPA are found in Schedule A, which has been titled the Personal Health Information Protection Act (PHIPA). This piece of legislation will apply to “health information custodians” and is in many ways based around the same principles as PIPEDA. Health information custodians include health care practitioners; hospitals; boards of health; community health and mental health programs; long-term care facilities; laboratories; ambulance services; and the Minister of Health and Long-Term Care. Thus any employers engaged in these activities will need to follow the laws as articulated by PHIPA.
The above requirements may seem daunting, especially since business owners and operators are faced, for what may be the very first time, with legislation that speaks in terms of general principles rather than specific statutory requirements. Moreover, as the development of PIPEDA and PHIPA in this province is relatively new, there are very few concrete decisions regarding when explicit consent is needed to disclose information or when the Privacy Commissioner will find that an organization has contravened the statutes. As such, it is a learning process for all of us alike.
If you have any questions about the application of PIPEDA or PHIPA and instituting the principles into your organization, you should consult a lawyer who specializes in this field. After all, PIPEDA has now entered into our business and as such all the personal information we have obtained must be protected.
1. Industry Canada - http://privacyforbusiness.ic.gc.ca