Privacy laws in Canada: How do the rules affect your business? | CFIB
In today’s digital era, the way you treat your clients' information matters. People are increasingly conscious of and concerned about how their personal information is collected, used, and shared.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law, regulating how to handle the personal information you gather in the course of your commercial activities.
Does privacy legislation apply to me?
PIPEDA applies to all private sector businesses engaged in commercial activities in Canada, unless a province has implemented substantially similar privacy legislation. British Columbia, Alberta and Quebec have their own privacy laws; however, even if your business is located in one of these provinces, PIPEDA may still apply if any personal information or business activities cross jurisdictions. For businesses requesting personal health information, New Brunswick, Nova Scotia, Newfoundland and Labrador, Ontario, and Manitoba have each established a privacy act governing how that information is to be collected and handled, so be sure to review your provincial or territorial legislation.
What is “personal information”?
Personal information includes age, medical records, income, ethnic background, employee files, credit card numbers and so forth. Generally, any information not available on a business card is protected.
For a full list of what is covered by the legislation, see the Privacy Commissioner’s website.
How do I create a privacy policy?
Start with the Office of the Privacy Commissioner of Canada. Their website includes:
- A Privacy Guide for Businesses which will walk you through your responsibilities, what the Act covers, and the underlying principles of any good privacy policy.
- A list of 10 Tips for a Better Online Privacy Policy.
- A video on protecting your customers’ privacy.
- And more resources – check out the PIPEDA compliance help section.
How can I comply with the Act?
Privacy legislation is complex, but here are six things you should do to better protect your clients’ and employees’ data and avoid a complaint.
1. Train your staff about your Privacy Policy
To meet your PIPEDA responsibilities, your employees should be trained on privacy protection. The Office of the Privacy Commissioner of Canada does not consider employee error a valid excuse for PIPEDA violations. Be prepared to reinforce your privacy policies within your workplace, for example by retraining your staff, taking disciplinary action against employees who do not follow privacy procedures, or limiting employees’ access to personal information.
2. Limit and protect personal information
You have a responsibility to safeguard the personal information you collect. You must be particularly careful with health and financial information, or any information that would facilitate identity theft. For example, you should encrypt any USB keys, laptops, mobile devices, and hard drives that may contain personal information.
Note: you can ask to use information for secondary purposes such as marketing, as long as providing it is optional and you ask for consent.
3. Clearly identify your privacy officer
Under PIPEDA, you must designate a Privacy Officer. This individual will be accountable for your business’ compliance with the Act. The contact information of your Privacy Officer should be clearly posted on your website, and your employees must be ready to identify the Privacy Officer on request.
4. Respond to requests for information
Your customers are entitled to access any information you hold that relates to them as identifiable individuals, and you must provide it within 30 days of their request. This should be done at little or no cost to them. It includes written information as well as video and audio records. This provision also applies to all employees or applicants of a federally regulated business. When responding to access requests, you must protect the personal information of third parties and be aware that there are some exceptions to the right of access.
5. Don’t ask for a SIN
Unless there is a legal requirement to do so, clearly indicate on all your forms that customers don’t have to provide a Social Insurance Number (SIN) to access your products or services. It is acceptable to examine a driver’s license for the purpose of identifying an individual or to validate an individual’s address. However, except in specific circumstances, you should never photocopy or record the driver’s license number.
6. Disclose Data Breaches
The Breach of Security Safeguards Regulations require businesses that experience a data breach involving personal information to do the following:
- Determine if the breach poses a “real risk of significant harm” to any individual whose personal information was involved in the breach. Significant harm includes: bodily harm, humiliation, damage to reputation or relationships, loss of employment, loss of business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
- Notify individuals as soon as feasible of any breach that poses a “real risk of significant harm”.
- Report to the Privacy Commissioner any data breach that poses a “real risk of significant harm”, as soon as feasible.
- Where appropriate, notify any third party that may have also been involved in the breach (e.g., Credit Card Breach).
- Maintain a record of the data breach and make these records available to the Privacy Commissioner upon request.
Looking for a policy example?
Here’s one privacy policy you can examine: CFIB’s. A policy like this is a staple of any business’ website.
More questions? Contact us at 1-833-568-2342 or by e-mail at hrnow@cfib.ca. You can also call the Office of the Privacy Commissioner at 1-800-282-1376, or submit a web form with any further concerns about PIPEDA and what it means for your business.