Recently, I came across a blog written by the office of the privacy commissioner informing business owners that concerns about privacy are on the rise. According to a recent public opinion survey, 66% of Canadians are very concerned about the protection of their privacy, and 71% of Canadians have said that protecting personal information will be among Canada’s most important issues for the next decade. The results of this survey combined with the increasing role technology and the internet play in business makes it increasingly important that business owners be aware of the provisions of the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which (in general) applies to organizations engaged in commercial activities across Ontario.
Section 3 of PIPEDA recognizes this as “an era in which technology increasingly facilitates the circulation and exchange of information”. PIPEDA is meant to establish rules to govern the collection, use and disclosure of personal information. PIPEDA recognizes that individuals have a right to privacy, and that organizations need to collect, use and disclose personal information for various purposes.PIPEDA defines personal information as “information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.” Therefore, personal information may include a customer’s name, address or marital status. It may also include a person’s income, IP address or fingerprint.When collecting personal information from customers or clients, businesses should consider whether it is necessary to collect the personal information and be open about the reasons for collecting the personal information. Once a business has collected personal information from a customer or client, it should have safeguards in place to keep the personal information protected. Businesses should also be prepared to address concerns expressed by customers or clients regarding the collection, use or disclosure of personal information.If an individual feels that his or her privacy rights have been violated by a business, he or she may file a complaint with the Privacy Commissioner. For information on how to avoid such complaints, a fact sheet published by the Office of the Privacy Commissioner of Canada, Ten Tips for Avoiding Complaints to the OPC, can be read here.Finally, I mentioned earlier that there are certain limits to PIPEDA’s application. Examples of these exceptions include (but are not limited to) (1) government institutions to which the Privacy Act applies, (2) organizations collecting, using or disclosing personal information for journalistic, artistic and literary purposes, and (3) information collected by individuals for personal use. In addition, Ontario has specific legislation (the Personal Health Information Protection Act, 2004) which addresses the protection of personal health information.Overall, nearly 10 years have passed since PIPEDA came into full effect and privacy continues to be an issue that is on the minds of Canadians. As a result, it may be worthwhile for businesses to consider whether they are in compliance with PIPEDA (or any piece of privacy legislation which applies to them), and either revise or establish policies for the handling of personal information as necessary.