Did you know that, as a business, you may be required to abide by both provincial and federal privacy laws? Many provinces, such as Alberta, British Columbia, and Quebec have already introduced their own legislation for the collection, use, and disclosure of personal information that occurs while doing business in those provinces. For the rest of us, the Personal Information Protection and Electronic Documents Act (PIPEDA), probably applies.
PIPEDA applies to private-sector organizations across Canada that collect, use, or disclose personal information in the course of doing business. This information might include personally identifiable information (PII), such as names, telephone numbers, ethnicity, blood type, employee records, loan records, and even opinions, evaluations, and comments.
- Principle 1: Accountability
- Principle 2: Identifying Purpose
- Principle 3: Consent
- Principle 4: Limiting Collection
- Principle 5: Limiting Use, Disclosure, and Retention
- Principle 6: Accuracy
- Principle 7: Safeguards
- Principle 8: Openness
- Principle 9: Individual Access
- Principle 10: Challenging Compliance
Although PIPEDA doesn’t include many details on what it considers, “against policy”, the Office of the Privacy Commissioner of Canada (OPC) has outlined several examples of what would be considered generally innappropriate.
- Collecting, using or disclosing personal information in ways that are otherwise unlawful;
- Profiling or categorizing individuals in a way that leads to unfair, unethical or discriminatory treatment contrary to human rights law;
- Collecting, using or disclosing personal information for purposes that are known or likely to cause significant harm to the individual;
- Publishing personal information with the intent of charging people for its removal;
- Requiring passwords to social media accounts for the purpose of employee screening; and
- Conducting surveillance on an individual using their own device’s audio or video functions.
The OPC website is probably the single best resource as it relates to PIPEDA. We’ve included some of the more relevant links here.
- PIPEDA fair information principles
- Provincial and territorial laws and oversight
- Privacy quiz for businesses
- PIPEDA Self-Assessment Tool
- Build a privacy plan for your business
- Top Ten Dos and Don’ts for Privacy Impact Assessments
- Expectations: OPC’s Guide to the Privacy Impact Assessment Process
- Privacy Act