Your responsibilities under the new Personal Information Protection and Electronic Documents Act
Effective January 1, 2004, Part 1 of the Personal Information Protection and Electronic Documents Act comes into force for all organizations that collect, use or disclose personal information in the course of a commercial activity in Canada. However, the federal government may exempt organizations and activities in provinces that have adopted substantially similar privacy legislation. So far, Quebec is the only province whose private-sector personal information legislation has been accepted as meeting the "substantially similar" test. The Act sets out ground rules for the management of "personal information" in the private sector.
Under the Act, organizations must obtain an individual's consent when they collect, use or disclose the individual's personal information. The Act also covers personal information already collected in the course of commercial activities, so consent is required in order to continue to use or disclose it. The individual has a right to access the personal information held about him or her and to challenge its accuracy, if need be. Personal information may only be used for the purposes for which it was collected, and may not be used for any other purpose without the consent of the individual. Individuals are also entitled to have their personal information protected by security safeguards appropriate to its sensitivity.
Personal information is any factual or subjective information, recorded or not, about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.
The Act sets out the obligations imposed on every organization for the protection of personal information, including compliance with the 10 privacy principles set out in Schedule 1. Those principles are:
1. Accountability,
2. Identifying purpose,
3. Consent,
4. Limiting collection,
5. Limiting use, disclosure, and retention,
6. Accuracy,
7. Safeguards,
8. Openness,
9. Individual access, and
10. Challenging compliance.
Among other things, every organization must:
1. designate an individual or individuals who are accountable for the organization’s compliance with the principles;
2. protect all personal information it holds, including personal information transferred to third parties for processing; and
3. develop and implement policies and practices for the protection of personal information.
The Act contains complaint, audit and enforcement procedures, and provides for fines for offences under the Act. It is therefore extremely important that all organizations collecting personal information in the course of commercial activities familiarize themselves with the Act and comply with their obligations under it. For more information, or for assistance in establishing policies or practices pertaining to the Act, please contact Howard Steinberg.