Are your Business Practices an Invasion of Privacy?

WeirFoulds LLP | JANUARY 1, 2004
John Wilkinson

Do you:

• ask your drivers for their driving histories or criminal record information?

• collect information about your employees' medical histories?

• use surveillance cameras in your parking lots?

• sell customer lists?

If you collect, use or disclose this type of information, you may be subject to the federal Personal Information Protection and Electronic Documents Act ("PIPEDA"). With the goal of protecting an individual's right of privacy, PIPEDA regulates how businesses collect, use and disclose personal information.

How do you know if your business is caught by PIPEDA?

If you operate an interprovincial or international transportation business that is subject to the Canada Labour Code, PIPEDA already applies to your business.

Starting January 1, 2004, PIPEDA applies to all organizations that collect, use or disclose personal information in the course of commercial activities, whether intraprovincially, interprovincially or internationally. The one exemption is for organizations operating in a province that has enacted its own substantially similar privacy legislation: there, the provincial statute governs collection, use and disclosure that occurs within the province, while PIPEDA continues to govern transfers of personal information across provincial or national borders. Importantly, Ontario does not have such legislation.

What is PIPEDA?

PIPEDA is a federal statute which establishes rules to regulate the collection, use, and disclosure of personal information associated with a commercial activity. "Commercial activity" means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.

In the case of federal works, undertakings and businesses such as interprovincial and international transportation companies, PIPEDA also governs the collection, use and disclosure of personal information relating to employees.

What is "Personal Information"?

"Personal information" means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.

In the transportation sector, companies collect personal information about their employees, independent contractors, customers, suppliers, and creditors. Such information might include names, home addresses, phone numbers, age, sex, physical and psychological characteristics, race, present or past state of health, religion, political or other affiliations, education, criminal record, disciplinary record, opinions, intentions, attitudes, credit records, and financial means. All of this information is considered "personal information" for the purposes of PIPEDA.

What are the Privacy Principles?

PIPEDA sets out 10 privacy principles which describe your obligations, as follows:

1. Accountability

This principle requires your organization to take responsibility for personal information under its control and to designate an individual or individuals within the organization who are accountable for the organization's compliance with the privacy principles.

2. Identifying Purposes

This principle requires your organization to identify the purposes for which personal information is collected, and to do so at or before the time the information is collected.

3. Consent

Your organization must obtain the consent of an individual for the collection, use or disclosure of personal information relating to that individual.

4. Limiting Collection

Your organization may only collect personal information that is necessary for the purposes identified by the organization.

5. Limiting Use, Disclosure and Retention

Your organization may not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information must also be retained only as long as necessary to fulfil those purposes; information that is no longer required should be destroyed, erased or made anonymous.

6. Accuracy

Your organization is responsible for ensuring that personal information under its control is as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.

7. Safeguards

Your organization shall protect personal information under your control using security safeguards appropriate to the sensitivity of the information.

8. Openness

Your organization shall make information about its privacy policies and practices, and about its compliance with PIPEDA, readily available to the public.

9. Individual Access

Your organization must have a process by which individuals can request access to the personal information you hold about them, and that information must be provided to them. The same principle requires a process by which individuals can challenge the accuracy and completeness of the information you hold and have it amended as appropriate.

10. Challenging Compliance

Your organization must ensure that there is a process in place that permits individuals to challenge your organization's compliance with the privacy rules and the requirements under PIPEDA.

What happens if you do not comply with PIPEDA?

Any person has the right to challenge your organization's compliance with PIPEDA by filing a complaint with the federal Privacy Commissioner. The Privacy Commissioner may also initiate a complaint on his or her own initiative. On receiving a complaint, the Privacy Commissioner can investigate or audit your organization and issue a report containing findings and recommendations. If the complaint is not resolved, the complainant has the right to bring proceedings in the Federal Court, which has the jurisdiction to, among other things, order the organization to correct its practices and to pay damages, including damages for humiliation. In addition, PIPEDA makes it an offence to obstruct the Commissioner in an investigation or audit, to destroy records that are the subject of an access request, or to retaliate against an employee who has complained or cooperated with an investigation; these offences carry fines of up to $100,000.

How to comply with PIPEDA

If you operate an interprovincial or international transportation undertaking, you already have to comply with PIPEDA. That means taking certain minimum steps to ensure compliance, including knowing what personal information you collect, knowing how you use it, and putting a system in place to ensure that it is not used or disclosed improperly.

We have developed a simple five-step process to ensure your organization's compliance with PIPEDA. We can help you to:

1. consider PIPEDA's applicability to your organization and the personal information your organization handles;

2. create a privacy team;

3. analyze your organization's existing practices;

4. develop a plan and a schedule for implementation of a regime compliant with the 10 principles set out in PIPEDA; and,

5. develop a schedule for ongoing internal compliance review.


For more information about PIPEDA, please contact Carole McAfee Wallace at 416-947-5098 or cmcafee@weirfoulds.com or John Wilkinson at 416-947-5010 or jwilkinson@weirfoulds.com.