Privacy laws in Canada: How do the rules affect your business?

In today’s digital era, the way you treat your clients’ information matters. People are conscious of, and increasingly concerned about, how their personal information is collected, used, and shared.

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law, regulating how to handle personal information you gather in your commercial activities.

Does privacy legislation apply to me?

PIPEDA applies to all federally regulated businesses in Canada, with the exception of British Columbia, Alberta and Quebec, which have their own privacy laws. However, even if your business is located in one of these provinces, PIPEDA may apply if any personal information crosses jurisdictions. For businesses requesting personal health information, most provinces and territories have established a privacy act governing how that information is to be collected and handled, so be sure to review your provincial or territorial legislation.

What is “personal information”?
Personal information includes age, medical records, income, ethnic background, employee files, credit card numbers and so forth. Generally, any information not available on a business card is protected.

For a full list of what is covered by the legislation, see the Privacy Commissioner’s website.

How do I create a privacy policy?
Start with the Office of the Privacy Commissioner of Canada. Their website includes:

How can I comply with the Act?
Privacy legislation is complex, but here are six things you should do to better protect your clients’ and employees’ data and avoid a complaint.

1. Train your staff about your Privacy Policy

To meet your PIPEDA responsibilities, your employees should be trained on privacy protection. The Office of the Privacy Commissioner of Canada does not consider employee error a valid excuse for PIPEDA violations. Be prepared to reinforce your privacy policies within your workplace, for example by retraining staff, taking disciplinary action when privacy procedures are not followed, or limiting employees’ access to personal information.

2. Limit and protect personal information

You have a responsibility to safeguard the personal information you collect. You must be particularly careful with health and financial information, or any information that would facilitate identity theft. One concrete step is to encrypt any USB keys, laptops, mobile devices and hard drives that may contain personal information, so that a lost or stolen device does not expose the data it holds.
Note that for marketing purposes you can ask to use information for secondary purposes, as long as you make it optional and you ask for consent.

3. Clearly identify your privacy officer

Under PIPEDA, you must designate a Privacy Officer. This individual is accountable for your business’s compliance with the Act. The contact information of your Privacy Officer should be clearly posted on your website, and your employees must be ready to identify the Privacy Officer on request.

4. Respond to requests for information

Your customers are entitled to access any information you hold about them as an identifiable individual within 30 days of requesting it. This should be done at little or no cost to them. It includes written information as well as video and audio records. This provision also applies to all employees or applicants of a federally regulated business. When responding to access requests, you must protect the personal information of third parties and be aware that there are some exceptions to the right of access.

5. Don’t ask for a SIN

Unless there is a legal requirement to do so, clearly indicate on all your forms that customers do not have to provide a Social Insurance Number (SIN) to access your products or services. It is acceptable to examine a driver’s licence to identify an individual or to validate an individual’s address. However, except in specific circumstances, you should never photocopy or record the driver’s licence number.

6. Disclose data breaches

The Breach of Security Safeguards Regulations require businesses that experience a breach of security safeguards involving personal information to do the following:

  • Determine whether the breach poses a “real risk of significant harm” to any individual whose personal information was involved. Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property.
  • Notify affected individuals as soon as feasible of any breach that poses a “real risk of significant harm”.
  • Report to the Privacy Commissioner, as soon as feasible, any breach that poses a “real risk of significant harm”.
  • Where appropriate, notify any third party that may also have been involved in the breach (e.g., the card issuer in a credit card breach).
  • Maintain a record of every data breach and make these records available to the Privacy Commissioner upon request.

Looking for an example?

Here’s one privacy policy you can examine: CFIB’s. A policy like this is a staple of any business’s website.

More questions? Call us! If you still have questions about PIPEDA and what it means for your business, you can call the Office of the Privacy Commissioner at 1-800-282-1376.

Or, call your CFIB Counsellor!