As of January 1, 2004, all businesses in Canada must comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). Part 1 of this privacy act specifies the way businesses can collect, handle, and use personal information, which PIPEDA defines as "any factual or subjective information, recorded or not, about an identifiable individual".
In a nutshell, Canadian businesses have to get an individual's consent when they collect, use or disclose that individual's personal information. Further, a business can only collect personal information for a stated purpose and can only use the information collected for the stated purpose. If the business wants to use the information collected for another purpose, consent has to be obtained again.
And individuals have the right to access their personal information and correct it, if necessary.
Schedule 1 of PIPEDA lays out 10 principles that all businesses* must follow to comply with the privacy act. These principles include accountability; identifying purposes; consent; limiting collection; limiting use, disclosure and retention; safeguards; and individual access. They raise some compliance issues that all small businesses should be aware of.
Take, for instance, PIPEDA's principle of consent. At first glance, it seems simple enough; you must obtain an individual's permission to collect whatever personal information you're asking for. The privacy act defines consent as "voluntary agreement with whatever is being done or proposed" and says that consent may be express or implied.
However, the privacy act also states that you must inform the individual in a meaningful way of the purposes for the collection, use or disclosure of his personal data, and that you must obtain the individual's consent again when a new purpose for the data you've collected is identified.
Practically, what this means is that your business is going to have to record each instance of consent (and what the consent is for) and implement a system that will enable you to seek that individual's consent again if you wish to use the data collected for another purpose.
You are going to have to do this right away, because old data is grandfathered into PIPEDA. If your business is like most businesses, you've already collected a fair bit of personal information about your customers and/or clients. Under the new privacy act, you now require consent to continue to use or to disclose this information.
Complying with PIPEDA also means that you are going to have to institute new privacy policies with respect to how your business uses and handles the personal information you collect.
*PIPEDA is in effect throughout Canada, except in provinces that have what the Privacy Commissioner of Canada has deemed to be "substantially similar legislation". So far, Quebec is the only province that has been deemed to have such legislation.

