Canada's new privacy law, "The Personal Information Protection and Electronic Documents Act" (PIPEDA) came into full force for most Canadians and Canadian organizations on January 1, 2004. It applies to all commercial activities in the provinces where no substantially similar legislation had been passed. Only Quebec meets that requirement, since the only other provinces that have passed legislation - British Columbia and Alberta - have not yet received Federal recognition.
Federal commercial activities and employment relationships have been covered by PIPEDA since 2001. As such, banks, telecommunications companies, airlines, etc. have already lived with this legislation for two years, and most have privacy plans in operation.
Some major organizations are well ahead of the curve, having produced and publicized their privacy codes and procedures in mid-2003. But most Canadian organizations are not aware of the depth and breadth of either PIPEDA or the accompanying provincial legislation. And very few are prepared to comply.
Privacy falling on IT's shoulders
Canada's new privacy laws have far reaching implications for all businesses, and anyone within business that collects, stores, secures, manages and shares personal information. That being said, senior IT executives stand to be among the most impacted by the new legislation for several reasons:
- Part of the legislation calls for every organization to appoint an executive responsible and accountable for all the company's privacy policies, a position often referred to as the Chief Privacy Officer. For a variety of reasons, and for better or worse, CIOs are increasingly finding the responsibility falling on their shoulders.
- The laws also call for responsible management of all existing and new personal information in the way it is collected, used and shared. Where small businesses can get away with doing this manually, larger organizations require the right tools and technologies to ensure the laws are adhered to, while at the same time minimizing the cost and time to do so. This squarely falls on the CIO's plate.
With these responsibilities in mind, it is important for senior IT executives to understand the true legal and practical implications of the law, and what they should be doing to prepare.
What you need to know about PIPEDA:
- It applies to all "personal information" - almost everything about someone except their business contact information. Personal information may be electronic or in hard copy, and all versions, including backups, are included.
- The collection may be official (i.e. sanctioned by your company) or unofficial. For example, a supervisor's personal notes on his PDA or in his notebook are just as subject to the law as is an official database.
- There is no grandfathering of data; any personal information that you possess from any time in the past is equally subject to the Act.
- PIPEDA covers consumers, customers, suppliers, sub-contractors, patients, and anyone else whose personal information is collected in the course of "commercial activity".
- All organizations, for profit and not-for-profit, have a responsibility to manage personal information responsibly. Volunteer organizations also need to understand that this legislation includes donor activity, and possibly volunteer management as well.
- PIPEDA applies directly to the employer/employee relationship only for Federal Works, but the respective provincial laws in Quebec, Alberta, and B.C. apply to that relationship now, as the others will when they are enacted.
- It applies to organizations of all sizes; small doesn't matter. That includes the corner video store (where they collect your driver's license, home contact info, etc).
The key to this legislation is that individuals must give knowledgeable consent for their personal information to be collected, and that knowledge should include how the information is expected to be used. That consent may be revoked, and organizations must record consent being given and/or withdrawn. And finally, individuals have the right to question any organization about how they are using that personal information.
Risks of non-compliance:
Neither PIPEDA nor the provincial laws carry any significant risk of financial penalties. The intent of all Canadian privacy legislation to date is to resolve individual's privacy complaints. By far the greatest risk will be the negative publicity that will accompany any commissioner's investigation and negative finding, particularly as Canadians become increasingly aware of their new privacy rights.
Unlike Y2K, which was accompanied by great publicity and relatively little impact, Canada's new privacy laws have had very little publicity and have huge potential impact. The arrival of privacy represents a revolution in how (and why) personal information is collected, stored, and utilized.
IT executives need to understand how the various privacy laws may effect the management of the data within their various systems, but other executives in Sales, Marketing, HR and even Finance also have to understand that Privacy is a serious concern, right now. Some organizations are actually naming their CEO as their Chief Privacy Officer (CPO) to illustrate the seriousness with which they regard their privacy responsibilities.
CIOs in the know should work with the rest of senior management to ensure that the entire team fully understands the current legislative environment, and that the entire organization moves forward to create one comprehensive personal information privacy management plan.
What you should be doing:
Act responsibly. Reduce your risk.
1. Become aware of your corporate responsibilities in all of the jurisdictions in which you operate.
2. Conduct a thorough assessment of how your organization collects, stores and retains, or uses and discloses personal information for anyone, including: customers/clients/patients, suppliers, and employees. This should include all data-sharing activities: interfaces, warehouses, enterprise directory, etc. Don't forget that all personal information, not just that collected from January 1, 2004 onwards, is included. Ensure that the entire organization: Marketing, Sales, HR, Payroll, Finance, Purchasing and operations is part of the assessment and plan.
3. Appoint a Chief Privacy Officer (CPO).
4. Write a privacy code for your organization that complies with the law.
5. Establish a privacy policy and management plan.
- Establish guidelines for different categories of information; o Review security levels to ensure that "need to know" is used as a measure for allowing access to personal information;
- For each instance of personal information that is desired: document why you want to collect the information (the purpose to which it will be put), the probable retention period, the type and nature of access (including third parties, if any, who might be given access);
- Create and distribute a communication that advises individuals about that purpose, the projected retention period, and that requests their consent accordingly;
6. Determine what tools you have to manage personal information and consent. Are those tools - application software, paper file processes - sufficient? If not you will need to invest in a privacy-tracking tool or create policies and procedures that make up for the tool deficiencies.
7. Develop specific and detailed policies and procedures about how your organization should operate, given its privacy compliance obligations, including:
- Collection/retention, including what is required, and why
- Knowledgeable consent (including "opt out" or withdrawal)
- Personal right of access (including specific time periods to respond)
- Staff access rules; Who has a need to know?
- Personal information storage tools and procedures (hard & soft) o Transmittal tools and procedures
8. Have ALL third parties sign an agreement to abide by your code, or provide one of their own that is as least as good as yours. Train all employees and third parties who manage employee personal information to ensure compliance with your code and procedures.
9. And finally, put procedures in place to close the loop; monitor adherence.
Other legislation:
The story of the privacy of personal information is not limited to PIPEDA. Quebec has had privacy legislation for a decade, and while both British Columbia and Alberta have privacy laws that also went into effect January 1st, neither of those two provinces have yet received Federal recognition as "substantially similar". Several other provinces have published, but not passed, some form of privacy law, so PIPEDA does apply in every province but Quebec, as well as to cross-border data movement.
Furthermore, it is not only PIPEDA and substantially similar provincial legislation that deals with privacy as it relates to human resource management. In the federal legislative framework, and in those of each province and territory, as well as in various international treaties there are other laws, rules, and regulations dealing with a wide range of subject matter. These include, but are certainly not limited to: freedom of information, employment standards, worker's compensation, and occupational health and safety.
The federal government and each provincial government and Territory has legislation protecting the information gathered by organizations in the public sector, including the information gathered from government employees.
These acts, along with PIPEDA, also protect an individual's health information and there are several other laws in Canada that specifically safeguard health information.
As is the case with any new legislation, findings (by the Privacy Commissioner) and later federal court rulings will play a huge role in more fully defining the parameters of managing privacy in Canada. The provinces will also play a role as they put forward legislation (that may, or may not, be found substantially similar) and provincial privacy commissioners make their findings.
How companies will comply with the new laws, the extent to which consumers will exercise their new rights, and what the true repercussions will be for those who don't comply remain to be seen. The only certainty about this entire legislative area is that ten years from now we will almost certainly look back on these years as the privacy decade.
Privacy Services and Tools
Canadian Privacy Institute - www.canadianprivacyinstitute.ca
Centre for Innovation Law and Policy - www.innovationlaw.org/lawforum/pages/information_privacy.htm
Department of Justice Canada: Access to Information and Privacy - www.canada.justice.gc.ca/en/ps/atip/index.html
Electronic Frontier Canada - www.efc.ca
eQuest Systems - www.equestsystems.com
IBM Privacy Research Institute - www.research.ibm.com/privacy
Industry Canada: The Digital Economy in Canada - www.e-com.ic.gc.ca
PIPEDA on the Web - www.pipeda.org
Privacy Commissioner of Canada - www.privcom.gc.ca/
PrivacyInfo.ca - www.privacyinfo.ca
PrivaSoft - www.privasoft.com
Nymity - www.nymity.com
ZeroKnowledge - www.zeroknowledge.com
Ian Turnbull is a Director of The Canadian Privacy Institute (416-410-3877). He is a frequent speaker on privacy issues and is the primary author and editor of "Privacy in the Workplace", a book recently published by CCH Canadian Ltd. on the practical issues of Privacy legislation in Canada. For more information visit www.canadianprivacyinstitute.ca.