In today’s digital era, the way you treat your clients' information matters. People are conscious of, and increasingly concerned about, how their personal information is collected, used and shared.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law for private-sector organizations in Canada. It regulates how to handle personal information you gather in your commercial activities.
PIPEDA in a nutshell:
Are sample policies available?
Personal information can include but is not limited to:
5 tips to avoid a privacy complaint
To meet your PIPEDA responsibilities, your employees should be trained on privacy protection. The Office of the Privacy Commissioner of Canada (OPC) does not consider an employee error a valid excuse for PIPEDA violations. Be prepared to reinforce your privacy policies within your workplace through measures such as retraining your staff, taking disciplinary action when privacy procedures are not followed, or limiting employees’ access to personal information.
2. Limit and Protect Personal Information
You have a responsibility to safeguard the personal information you collect. You must be particularly careful with health and financial information, or any information that would facilitate identity theft. For example, encrypt any USB keys, laptops, mobile devices and hard drives that may contain personal information. Note that for marketing purposes you can ask to use information for secondary purposes, as long as you make it optional and you ask for consent.
3. Clearly Identify Your Privacy Officer
Under PIPEDA you must designate a Privacy Officer. This individual will be accountable for your business's compliance with the Act. The contact information of your Privacy Officer should be clearly posted on your website, and your customer service representatives must be ready to identify the Privacy Officer on request.
4. Respond to Access Requests
Your customers are entitled to access any information you have that is related to them as an identifiable individual within 30 days of requesting it. This should be done at little or no cost to them. This includes written information and video/audio records. This provision also applies to all employees or applicants of a federally regulated business. When responding to access requests, you must protect the personal information of third parties and be aware that there are some exceptions to the right of access.
Special Consideration: SIN Number - Driver’s License
Unless there is a legal requirement to do so, clearly indicate on all your forms that customers don’t have to provide a Social Insurance Number (SIN) to access your products or services. It is acceptable to examine a driver’s license for the purpose of identifying an individual or to validate an individual’s address. However, except in specific circumstances, you should never photocopy or record the driver’s license number.
The mandate of the Office of the Privacy Commissioner of Canada is to balance the protection of privacy with the legitimate needs of businesses. You can contact them at 1-800-282-1376.