
You and the Privacy Act - It's the Law

Privacy Legislation Compliance guidelines for your business

The federal (Canadian) Personal Information Protection and Electronic Documents Act came into effect on January 1, 2004. As a result, all businesses are subject to new, stringent guidelines regarding the collection, storage and disclosure of private and personal information collected on individuals. Failure to comply with the Act can result in lawsuits and the awarding of punitive damages.

Businesses located in Quebec are already regulated under provincial privacy legislation (for information on Quebec's legislation go to the website for La Commission d'accès à l'information du Québec http://www.cai.gouv.qc.ca/).

The following is a brief outline of how the privacy legislation affects your business:

WHAT IS PERSONAL INFORMATION?

The Privacy legislation defines personal information as: age, name, weight, height, medical records, ID numbers, income, ethnic origin, blood type, opinions, evaluations, comments, social status, employee files, disciplinary action, credit records, loan records, existence of a dispute between a consumer and a merchant, and intentions (for example, to acquire goods or services, or change jobs).

WHAT THE ACT COVERS

Accountability: The Act states that organizations must have a documented Privacy policy, and appoint an internal Privacy Expert/Commissioner who is knowledgeable about the legislation and able to train persons who will be collecting, using, or disclosing personal information.

Identification of Purposes: Individuals must be informed of the purpose for the collection, and how the information might be used or disclosed to other outside organizations.

Consent: There are three types of consent that can be used: A. Express Consent/Permission (Opt-in), B. Negative Option (Opt-out), and C. Implied Consent. Information of a more sensitive nature (health, medical, financial) will require stronger methods of obtaining consent. (Please refer to the Privacy Commissioner web site for a detailed description of these options.)

Limiting Collection: Gather only the information that is necessary for the identified purposes.

Limit Use, Disclosure, and Retention: Personal information must only be used for the purposes for which consent has been given. Only keep the information for as long as it is necessary.

Accuracy: Personal information should be accurate. Processes/procedures must be put in place for persons to flag and rectify inaccuracies in their own personal information.

Safeguards: Measures must be taken to ensure that personal information is secured, such as locked cabinets, electronic firewalls, and limited staff access.

Openness: Privacy policies and practices should be available in a public document or web site.

Individual Access: Ability to inform individuals how their information was collected, used and disclosed, including a list of those with whom their information has been shared.

Provide Recourse: Privacy policies should describe complaint resolution procedures.

COMPLIANCE TIPS:

• Obtain consent when collecting personal information from a customer. Consent can be obtained in person, by phone, by mail, by fax or via the Internet.
• Make sure clients fully understand how their information will be used.
• Define your purposes for collecting data as clearly and narrowly as possible. This allows less data to be collected.
• Limit who has access to personal information.
• Protect personal information against loss or theft. Store it in a locked cabinet, use a program that only a few employees have access to, use an encryption program for electronic data, and use passwords on files.
• Let the customer know why you need to collect the data.
• Inform customers, clients and employees that you have policies and practices for the management of personal information. Make these policies available and easy to understand.
• Develop customer complaint procedures and investigate all complaints received.

WHAT THE ACT DOESN'T COVER

• The collection, use or disclosure of personal information by federal government organizations listed in the Privacy Act;
• Provincial or territorial governments and their agents;
• An employee's name, title, business address or telephone number;
• An individual's collection, use or disclosure of personal information strictly for personal purposes (e.g. personal greeting card list); and,
• The collection, use or disclosure of personal information solely for journalistic, artistic or literary purposes.

WHERE TO GET MORE INFORMATION

For up-to-date announcements and useful links to privacy-related sites, please reference the CFIB Privacy page on the National Affairs website: http://www.cfib.ca/legis/national/Privacy.asp

To access the official documents or to receive more detailed information on the issue, please refer to the Resource Centre on the Privacy Commissioner of Canada's website http://www.privcom.gc.ca or call 1-800-282-1376.

PROVINCIAL LEGISLATION

The federal privacy legislation meets international requirements, allowing Canadian firms to do business internationally. Although the federal Act covers all organizations across Canada, some provinces have decided to draft legislation which exceeds the scope of the federal legislation. Currently only Quebec has passed private sector privacy legislation; however, legislation is in the works for Ontario, British Columbia and Alberta.

Quebec
La Commission d'accès à l'information du Québec http://www.cai.gouv.qc.ca/ or call toll free 1-888-528-7741.

Information is from Canadian Federation of Independent Business D-IN0530-0312(213)

Thanks for asking. Lorinda

Awesome Wellness & Energy Therapies
www.a-w-etherapies.ca
705.818.6563

