Privacy Legislation – What It Means for Your Business

In today’s digital era, the way you treat your clients' information matters. People are aware of, and increasingly concerned about, how their personal information is collected, used and shared.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law for private-sector organizations in Canada. It regulates how to handle personal information you gather in your commercial activities. 

PIPEDA in a nutshell:

  • You must have an individual's consent when you collect, use or disclose personal information. 
  • An individual has a right to access their personal information.
  • Personal information can only be used for the purposes for which it was collected. If you're going to use personal information for another purpose, consent must be obtained again.
  • Ask for the least amount of personal information needed to provide the product or service you offer, and clearly tell your customers why you are collecting it.
  • Any personal information you collect must be appropriately protected against unauthorized access, collection, use or disclosure.
  • Establish a comprehensive privacy policy; it will demonstrate that you can handle your customers' information with the appropriate level of care.
  • Train your employees on their responsibilities when managing personal information. 

Are sample policies available?

We recommend using the privacy tool on the Office of the Privacy Commissioner website to help you develop a privacy policy and plan for your business.

Personal information can include but is not limited to: 

  • Age, name, ID numbers, ethnic origin, social status, income level, blood type
  • Employee files, credit or loan records, credit card number, medical records
  • Opinions, comments, evaluations, disciplinary actions

5 tips to avoid a privacy complaint 

1. Train your staff about your Privacy Policy 

To meet your PIPEDA responsibilities, your employees should be trained on privacy protection. The Office of the Privacy Commissioner of Canada (OPC) does not consider an employee error as a valid excuse for PIPEDA violations. Be prepared to reinforce your privacy policies within your workplace, for example by retraining your staff, taking disciplinary action when privacy procedures are not followed, or limiting employees’ access to personal information.

2. Limit and Protect Personal Information

You have a responsibility to safeguard the personal information you collect. You must be particularly careful with health and financial information, or any information that would facilitate identity theft.  For example, encrypt any USB keys, laptops, mobile devices and hard drives that may contain personal information. Note that for marketing purposes you can ask to use information for secondary purposes, as long as you make it optional and you ask for consent. 

3. Clearly Identify Your Privacy Officer

Under PIPEDA you must designate a Privacy Officer. This individual will be accountable for your business's compliance with the Act. The contact information of your Privacy Officer should be clearly posted on your website, and your customer service representatives must be ready to identify the Privacy Officer on request.

4. Respond to Access Requests

Your customers are entitled to access any information you have that is related to them as an identifiable individual within 30 days of requesting it. This should be done at little or no cost to them. This includes written information and video/audio records. This provision also applies to all employees or applicants of a federally regulated business. When responding to access requests, you must protect the personal information of third parties and be aware there are some exceptions to the right of access.

Special Consideration: SIN Number - Driver’s License

Unless there is a legal requirement to do so, clearly indicate on all your forms that customers don’t have to provide a Social Insurance Number (SIN) to access your products or services. It is acceptable to examine a driver’s license for the purpose of identifying an individual or to validate an individual’s address. However, except in specific circumstances, you should never photocopy or record the driver’s license number. 

More Resources: 

The mandate of the Office of the Privacy Commissioner of Canada is to balance the protection of privacy with the legitimate needs of businesses. You can contact them at 1-800-282-1376.