Canada's new privacy law, "The Personal Information Protection and Electronic Documents Act" (PIPEDA) came into full force for most Canadians and Canadian organizations on January 1, 2004. It applies to all commercial activities in the provinces where no substantially similar legislation had been passed. Only Quebec meets that requirement, since the only other provinces that have passed legislation - British Columbia and Alberta - have not yet received Federal recognition.
Federal commercial activities and employment relationships have been covered by PIPEDA since 2001. As such, banks, telecommunications companies, airlines, etc. have already lived with this legislation for two years, and most have privacy plans in operation.
Some major organizations are well ahead of the curve, having produced and publicized their privacy codes and procedures in mid-2003. But most Canadian organizations are not aware of the depth and breadth of either PIPEDA or the accompanying provincial legislation. And very few are prepared to comply.
Privacy falling on IT's shoulders
Canada's new privacy laws have far-reaching implications for all businesses, and for anyone within a business who collects, stores, secures, manages or shares personal information. That being said, senior IT executives stand to be among the most affected by the new legislation, for several reasons:
- Part of the legislation calls for every organization to appoint an executive responsible and accountable for all the company's privacy policies, a position often referred to as the Chief Privacy Officer. For a variety of reasons, and for better or worse, CIOs are increasingly finding the responsibility falling on their shoulders.
- The laws also call for responsible management of all existing and new personal information in the way it is collected, used and shared. Where small businesses can get away with doing this manually, larger organizations require the right tools and technologies to ensure the laws are adhered to, while at the same time minimizing the cost and time to do so. This squarely falls on the CIO's plate.
With these responsibilities in mind, it is important for senior IT executives to understand the true legal and practical implications of the law, and what they should be doing to prepare.
What you need to know about PIPEDA:
- It applies to all "personal information" - almost everything about someone except their business contact information. Personal information may be electronic or in hard copy, and all versions, including backups, are included.
- The collection may be official (i.e. sanctioned by your company) or unofficial. For example, a supervisor's personal notes on his PDA or in his notebook are just as subject to the law as is an official database.
- There is no grandfathering of data; any personal information that you possess from any time in the past is equally subject to the Act.