Privacy laws in Canada: How do the rules affect your business?

To meet your PIPEDA responsibilities, your employees should be trained on privacy protection. The Office of the Privacy Commissioner of Canada does not consider an employee error as a valid excuse for PIPEDA violations. Be prepared to reinforce your privacy policies within your workplace, such as retraining your staff, disciplinary actions for not following privacy procedures, or limits on employees’ access to personal information.

You have a responsibility to safeguard the personal information you collect. You must be particularly careful with health and financial information, or any information that would facilitate identity theft. You should take steps to protect this by, for example, encrypting any USB keys, laptops, mobile devices and hard drives that may contain personal information. 
Note that for marketing purposes you can ask to use information for secondary purposes, as long as you make it optional and you ask for consent. 

Under PIPEDA, you must designate a Privacy Officer. This individual will be accountable for your business’ compliance with the Act. The contact information of your Privacy Officer should be clearly posted on your website, and your employees must be ready to identify the Privacy Officer on request.

Your customers are entitled to access any information you have that is related to them as an identifiable individual within 30 days of requesting it. This should be done at little or no cost to them. This includes written information, and video / audio records. This provision also applies to all employees or applicants of a federally regulated business. When responding to access requests, you must protect the personal information of third parties and be aware there are some exceptions to the right of access.

Unless there is a legal requirement to do so, clearly indicate on all your forms that customers don’t have to provide a Social Insurance Number (SIN) to access your products or services. It is acceptable to examine a driver’s license for the purpose of identifying an individual or to validate an individual’s address. However, except in specific circumstances, you should never photocopy or record the driver’s license number.
 

The Breach of Security Safeguards Regulations require businesses that  experience a breach of data involving personal information to do the following:

• Determine if the breach poses a “real risk of significant harm” to any individual whose personal information was involved in the breach. Significant harm includes: Bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
• Notify individuals as soon as feasible of any breach that poses a “real risk of significant harm”. 
• Report to the Privacy Commissioner any data breach that poses a “real risk of significant harm”, as soon as feasible. 
• Where appropriate, notify any third party that may have also been involved in the breach (e.g., Credit Card Breach). 
• Maintain a record of the data breach and make these records available to the Privacy Commissioner upon request