PRIVACY:  ACCOUNTABILITY, COMPLIANCE AND THE NEW LAW

The Personal Information Protection and Electronic Documents Act ("PIPEDA")

By Greg Hertzberger, Hertzberger, Olsen & Associates

The implementation of this Act will affect your business.  As of January 1, 2004, failure to comply could result in fines and/or civil liability.

This Act applies to all businesses operating in Canada - size or profitability is irrelevant.

The foundations of the Act are its ten privacy principles. Businesses must be able to demonstrate compliance with each of the following principles:

(1)  Accountability:  Every company must appoint one or more individuals whose responsibility it will be to ensure the organization complies with the Act by developing, implementing and monitoring personal information polices and practices.

(2)  Identifying Purposes: Companies must disclose the reason why personal information is collected, how such information will be used and whether it will be disseminated to third parties.

(3)  Consent: At the time of collection of personal information, an individual´s consent must be obtained. Consent must also be obtained whenever a new use is identified for previously collected information.

(4)  Limiting Collection: Organizations must limit the collection of personal information to only that necessary for its identified purposes.

(5)  Limiting Use, Disclosure, and Retention: Without consent, information may only be used for the purpose(s) for which it was collected.  An organization may only retain information for so long as it is required.

(6)  Accuracy: Personal information shall be maintained in an accurate, complete, and up-to date manner.

(7)  Safeguards: Personal information must be protected against unauthorized access, disclosure, copying, use, or modification.

(8)  Openness:  Organizations should have easily understandable and accessible practices relating to the management of personal information. Organizations must inform customers and employees of these policies and practices.

(9)  Individual Access: On request, organizations are required to inform individuals of the existence, use, and disclosure of personal information pertaining to them.  Individuals have the right to challenge the accuracy and completeness of the information.

(10)  Challenging Compliance: Organizations must provide simple and readily accessible mechanisms for individuals to challenge compliance with the Act. Organizations should inform individuals of the methods of recourse, including internal recourse mechanisms, responsible industry associations, regulatory bodies, and ultimately, the Privacy Commissioner of Canada.

This privacy legislation is seen as a victory for Canadian consumers who have become increasingly concerned about the “trading” of their personal information between such entities as market researchers and credit agencies. The Act provides not only a mechanism through which an individual may request access to personal information held about them, but also establishes a formal complaint procedure to correct inappropriate personal information collection and management practices.

Despite the foregoing, the Act has been criticized on many fronts.  One noted criticism of the Act is that it does not differentiate between large companies on one end of the spectrum and small companies, or sole proprietorships, on the other. It has also been argued that the federal government does not have authority to enact legislation of this breadth and that achieving compliance with the Act will create a financial and management tailspin, the likeness of Y2K, for some companies.

Despite these criticisms, this legislation is here to stay for now. Companies must ensure compliance with the legislation.

Companies also must review the personal information currently within their possession in order to assess the extent to which PIPEDA will interfere with their current practices. While one individual in each organization may be appointed as the person responsible for compliance with the legislation, we believe employees at all levels of any organization ought to be educated to ensure that they understand the legislation´s requirements and spirit.

Compliance on an ongoing basis will not be onerous, but for many organizations which do not currently have a system of protection of personal information in place, initial compliance will prove costly and time-consuming.

It is important for organizations to review their practices now to ensure that structures are in place to comply with PIPEDA by 2004. There are stiff fines for those who fail to comply with the legislation. Non-compliance may also give rise to damages, a Privacy Commissioner´s audit and public shame. Conversely, by complying with the Act, business may create environment that fosters trust and loyalty amongst their consumers, clients and the public-at-large.

How and where does this Act impact within your organization?

What will have to be addressed to ensure systems compliance?

(1) Human resource departments
(2) Employment Contracts
(3) Supplier agreements
(4) Termination
(5) Accounting Departments
(6) Professional Letters of Engagement
(7) Applications for Credit/Employment

For clarification or more information contact: 

Gregory C. Hertzberger,
HERTZBERGER, OLSEN & ASSOCIATES
Barristers and Solicitors
Associated in the Practice of Law 
GREGORY C. HERTZBERGER, B.A. (HONS.), LL.B. 
DAVID P. OLSEN, LL.B. 
DENISE M. KOCHER, B.A. (HONS), LL.B. 
Ten Duke Street West,  Suite 101 
Kitchener, Ontario N2H 3W4 
Telephone: (519) 570-1944
Facsimile: (519) 570-0989
reception@hertzbergerolsen.com
www.hertzbergerolsen.com
 “Our clients deserve the best and we deliver.”

Resources: 
The Privacy Commisioner of Canada www.privcom.gc.ca
Canadian Bankers Association www.cba.ca