With the last phase of the Personal Information Protection and Electronic Documents Act (PIPEDA) set to take effect on Jan. 1, 2004, the Canadian Advanced Technology Alliance (CATA) last week enlisted one of its members, a law firm, to help businesses comply with the impending legislation.
PIPEDA is a federal privacy law that will apply to all Canadian organizations where personal information is collected, used or disclosed during commercial activity. Part of the Act includes implementing policies and systems to manage the collection, use and dissemination of such personal information. It has been rolled out in three stages over the last four years. In January 2001, the Act applied to all federal work, undertaking or business (FWUB) such as broadcasters and banks; a year later, the Act extended to health information.
CATA member and law firm Gowling Lafleur Henderson LLP is working on a pro bono basis so that businesses are PIPEDA-compliant next year. What makes the last phase of PIPEDA important is that it now applies to all Canadian businesses, aside from FWUB, which must comply with the privacy legislation.
Andrew Foti is a partner and leads the national technology group at the Ottawa-based law firm. He explained that the compliance initiative the firm is providing to CATA will involve having businesses conduct a privacy impact assessment on where organizations collect information about individuals, how the data is used and stored and where the data is contained within the business. With the deadline for compliance less than eight months away, organizations need to take the arrival of PIPEDA more seriously.
“What we’re finding is that even large institutional clients are only now starting the process of compliance. There’s some concern that companies in the midmarket and below really haven’t even begun the process of starting to figure out what information they collect and how they are going to comply,” he said.
At the very core of the debate is how the information collected by companies will be used. Foti further explained that consumers have two alternatives that are intended to ensure that the data collected remains with the company which collected the information. The higher level of protection is an “opt-in regime where [the consumer] decides what their information is going to be used for”; the other is an opt-out protection policy where, if the citizen doesn’t want the data used, the individual must tell the organization not to use the information for marketing purposes, he said.
With the final legislation on its way, vendors such as Ottawa-based COAST Software have solutions targeting enterprise customers that address PIPEDA. Its Web Quality Central “will scan through a Web site and it applies page rules to specific pages or the entire site to identify pages that collect information and ensure that it is on secure forms,” said Tom Vair, marketing manager at COAST. The product can also flag pages that collect information on the Web site so that companies are aware that the data is being collected. Still, Vair said that demand for its product is in its “early days” as Canadian companies continue to wrap “their heads around PIPEDA a little more.”
Gowling Lafleur Henderson’s Foti said that PIPEDA is reasonable legislation in its requirements from a protection of information perspective, but he added that doubts linger as to how “federal officials that have the mandate to enforce the legislation will actually enforce it.”