Protecting personal information is not just part of doing business. Our customers, potential customers and employees believe that their information belongs to them and that businesses are custodians, not owners of the information that is shared with them. Twenty years ago, the CSA, an independent standards organization, worked with businesses, consumers and privacy experts to develop a model code. That code formed the basis of most legislation in Canada.
In much of the country, Canadians’ personal information is protected under the federal Personal Information Protection and Electronic Documents Act (PIPEDA). It’s a law that applies to all businesses that aren’t federally regulated, except in provinces that have adopted their own private-sector privacy laws. So far, only Alberta, British Columbia and Quebec have done so. Some provinces also have laws in place that are more restricted in scope — targeting health information, for example. The Quebec law is currently being strengthened.
Businesses need to be mindful, however, that other countries have their own privacy regimes, too. One of the most far-reaching is the European Union’s General Data Protection Regulation, or GDPR, which can apply to Canadian businesses that collect, use and disclose personal data on EU consumers. In the U.S., there are privacy laws at the state level addressing specific sectors. To date, the California Consumer Privacy Act (CCPA) is the most sweeping and comprehensive among them. Like the European GDPR, the CCPA can in some circumstances apply to Canadian businesses.
GDPR recognizes that businesses may use third parties to store and manage data. It creates different roles and responsibilities for the business (data controller) and the third party (data processor). GDPR has strong rules (and penalties) that give individuals rights over their information, including the right to be forgotten (removal of their data).
Common privacy principles
There are ten common principles in most privacy codes and laws:
- Accountability: The organization is responsible for personal information in its control and should appoint someone to ensure compliance.
- Identifying purpose: You should say why you’re collecting personal information and not use it for another purpose.
- Consent: Except where it is inappropriate or impossible, get a person’s informed consent before collecting, using or disclosing their information.
- Limit collection: Don’t collect what you don’t need. What you collect must be done lawfully.
- Limit use, disclosure and retention: Unless there is consent, or the law requires otherwise, use personal information only for the purpose for which it was collected. And keep it only as long as necessary.
- Accuracy: Personal information should be accurate, complete and up to date. Be open to requests to correct it.
- Safeguards: Protect information according to its sensitivity. Health records are more sensitive than telephone numbers.
- Individual access: If requested, inform an individual of the existence, use and disclosure of their personal information. Give them access to that information and allow them to challenge the accuracy and completeness of the information, and amend it if necessary.
- Challenging compliance: An individual must be able to make a complaint to the person responsible for privacy in the organization. A growing trend is to require the appointment of a privacy compliance officer and the publication of their title and contact information.
Best practices include:
- Conducting a privacy assessment of each activity in your organization (Privacy by Design)
- Mapping how data is used
- Establishing a records management system
- Establishing a record retention period for each kind of record, and following it
- Making use of a records disposition contractor and keeping proof of disposal
- Testing your information security
- Reporting breaches to the privacy regulator
This is intended as an outline to personal information protection rules and not as legal advice.
At Simplex Legal, we have experienced lawyers who can provide specific advice to help you manage these issues. We can also help you to develop a privacy program.
In the coming weeks we will share more information about the Quebec bill, CCPA and GDPR.
Gerard Power has practiced in this area since 1984 and represented a leading association of manufacturers before Parliamentary committees when PIPEDA was being examined.