
Privacy Backgrounder

Personal Information Protection and Electronic Documents Act

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) came into force on January 1, 2001. This law, with a three-year phase-in structure, requires that private sector organizations follow specific rules for managing personal information. It gives customers, employees and the general public numerous rights that affect the way organizations collect, use, share, store and retain personal information.

The law is the result of a government and private sector consensus that was arrived at through the Canadian Standards Association’s technical committee, which developed the Ten Principles. The Ten Principles form the basis of PIPEDA. The advent of this law sets an international marker. The standards set for managing personal information in Canada are high, higher than some international codes or guidelines, and they enable Canadian firms to conduct business internationally, confident that if they comply with PIPEDA, they comply with international standards.

The Canadian model for ensuring compliance with the law includes the placement of an independent Commissioner who has investigatory and auditing powers, made more forceful by his legal ability to make findings public.

There is a groundswell of attention and concern focused on privacy, from both the consumer’s perspective and the corporate perspective. E-commerce has raised concerns about the collection, use and dissemination of personal information. Many of the practices enabled by modern technology were already in use in the hard-copy world, but their reach and impact were restricted by the confines of physical control. Now, personal data is routinely collected through web sites, cash registers, profile questionnaires, credit card and debit card use, internet browsing, entertainment preferences and every other customer/corporate interaction you can imagine. Once collected electronically, further use, disclosure, renting and selling is fast and easy.

The case for protecting personal data is clear: most organizations recognize the need to establish and maintain a relationship based on trust with their customers or patients. The government has taken that concept and added a broader set of requirements, so that it is no longer simply a data security issue. Data security is only one of several means of accomplishing privacy compliance.

The Ten Principles, which form Schedule One of the Act, are:

  1. Accountability – each organization must appoint an individual to be accountable for overall compliance.
  2. Identifying Purposes – organizations must identify why they are collecting personal information before or during collection.
  3. Consent – organizations must obtain informed consent from individuals before or during collection of personal information.
  4. Limit Collection – organizations can only collect personal information that is necessary for the purposes identified in Principle 2.
  5. Limit Use, Disclosure and Retention – once personal data is collected, it can only be used or disclosed (with some exceptions) for the same purposes for which it was originally collected. Personal data can only be retained for as long as required to meet the original purposes of its collection.
  6. Accuracy – the personal data collected and used by organizations must be as accurate as possible. One means of enabling this is providing individuals access to their personal data so they can verify its accuracy.
  7. Safeguards – organizations are responsible for employing effective security practices to protect the data.
  8. Openness – the policies and procedures of an organization that deal with PIPEDA compliance must be made available to individuals upon request.
  9. Individual Access – upon request, an organization must provide an individual with access to their personal information and explain how it has been used and to whom it was disclosed.
  10. Challenging Compliance – individuals must be able to seek redress directly from an organization, but can also file formal complaints with the Privacy Commissioner of Canada.

The Privacy Commissioner of Canada has a workforce of about 80 people and a budget of $10 million, and is tasked with hearing and investigating complaints against organizations regarding their compliance with and implementation of PIPEDA, conducting audits of organizations’ personal information management practices, and conducting public education to inform Canadians of the law’s existence. After completing an investigation, the Commissioner can take an organization to Federal Court (i.e. for damages) if his recommendations are not responded to appropriately.

There is great value in an organization recognizing not only the inherent importance of privacy, trust and respect within the customer/organization relationship, but also the potential to differentiate an organization from its competitors by using this management regime to advantage.

While not every corporate or commercial organization in Canada is currently required to be compliant (federal works are currently required), they will soon need to be. Preparing for privacy compliance with a strategic privacy plan is critical and takes time. Preparing to show customers, employees, patients etc. that your company is competent in this area requires effort and preparation. A company’s lawyers, customer relations staff, Human Resources, Information Technology, Information Management, Marketing and Executive staff are critical to success. Privacy compliance is not just an information technology issue or a web-based concern; it threads through the entire organization both horizontally and vertically and brings in virtually all external entities, from clients to outsourcers to competitors. Not doing it right will have revenue consequences. Considering that the federal Human Resources Development Canada department received in excess of 80,000 privacy requests from June 1999 to December 1999, due to a report filed by the Privacy Commissioner in Parliament, organizations would want to manage their risks in this area carefully.

Corporate images and brands are critical to success, and can be hit hard when public perspective takes a turn for the worse. To minimize the risk of revenue loss, organizations need to employ a strategic privacy plan, one that might be based on Sysanova’s Four “C’s” of privacy: Concept, Capacity, Catalysts and Control.

  1. Concept – establish a vision, an affirmative direction, the degree of cultural and procedural change required, and a staged plan.
  2. Capacity – evaluate existing strengths and weaknesses, identify gaps and measures to remedy them, acquire skills, and consider structure and process.
  3. Catalysts – structural resources already exist; use them: Human Resources experts, IT experts, security, legal, customer relations, marketing, communications and other infrastructure entities, as well as outside networks.
  4. Control – organizations will want to sustain what they have started, rather than letting it weaken for lack of resources, only to have to rebuild when problems start. Sustained momentum and ongoing measurement are critical.

Privacy management is not a flavour-of-the-month issue, and will be driven by the public and their awareness and expectations regarding corporate use of their personal information. Surveys are showing a growth spurt in this awareness, mostly due to the rise in the collection, use and disclosure of personal information in the e-commerce world. Customer and employee trust are essential; you can take the risk or embrace the opportunity.

Sysanova Ltd. has nearly 20 years of experience with public sector implementation of privacy laws and is the only company in Canada that can make such a claim. Included in that experience is replying to individual access requests, refusing/releasing information and defending complaints with the Privacy Commissioner’s Investigators. Tap into that experience to make your privacy strategy and infrastructure efficient and competitive.