The New Privacy Laws
On January 1, 2004, Canadians became subject to the rights, privileges and responsibilities of the new privacy laws. The federal legislation, named the Personal Information Protection and Electronic Documents Act (commonly referred to as “PIPEDA”), is not really a new law, as it has already been in force since January 1, 2001. However, until this January, the applicability of PIPEDA has been limited to federally regulated entities such as banks, railways, telecommunication companies and the postal services, to personal information disclosed outside of a province for profit and to personal health information. Governments themselves have been subject to privacy laws for some time.
The privacy protection provisions of PIPEDA are designed to “recognize the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances” (paraphrased from PIPEDA).
In short, PIPEDA requires that organizations obtain consent when they collect, use or disclose personal information of an individual in the course of a commercial activity. Personal information may only be used for the purposes for which it was collected and if an organization is going to use the personal information for another purpose, consent must be obtained again. Personal information must be protected by appropriate safeguards that are appropriate in the circumstances, including measures such as physical security barriers as well as electronic measures such as passwords and encryption. Any individual has a right to require that an organization disclose to him or her the specifics of the personal information of the individual that such organization possesses. Organizations are required to take steps to ensure that the personal information of individuals that it possesses is accurate and must correct or amend information that is inaccurate.
‘Personal information’ is
defined broadly under PIPEDA to include “information about
an identifiable individual, but does not include the name, title
or business address or telephone number of an employee of an organization”.
It includes factual or subjective information in any form (print,
electronic, digital, photographic etc.) about an identifiable individual,
such as identification numbers (for example, passwords, social
insurance numbers, account numbers), financial information, birth
dates, opinions, evaluations, preferences, etc. Information that
cannot be traced to a specific person, such as aggregated or personal
information that has been rendered anonymous, is not restricted
Consent, as required by PIPEDA, may be either implied or express. The more sensitive the personal information you are dealing with, the more likely it is that express consent will be required for that information to be used or disclosed. It is interesting to note that the Privacy Commissioner’s office (which is responsible for administering compliance with PIPEDA) has stated that any personal information can be considered sensitive, depending on the situation.
There are several instances where personal information may be collected, used or disclosed without first obtaining consent. Examples of exemptions are in cases of publicly available information, where use and disclosure are clearly in the person’s interests and the person is not available in a timely way, in cases of a health emergency or where information is required to be disclosed by law.
PIPEDA is a fact that organizations must become accustomed to quickly. The implications of a failure to comply with PIPEDA can be quite severe- ranging from being required to comply with orders of the Privacy Commissioner to change privacy of personal information policies to the time and expense of complete audits of privacy policies to damages, including damages for humiliation suffered as well as stiff offences for breaches of PIPEDA. Of course, the potential loss of reputation that may follow as a result of a privacy breach becoming public knowledge cannot be overlooked.
Steven Weiss is a corporate-commercial lawyer at DelZotto, Zorzi LLP in Toronto.