All those who haven’t heard of PIPEDA (Bill C-6) go to the back of the class. The Personal Information Privacy and Electronic Documents Act and a raft of supporting provincial legislation regulate the use, collection and disclosure of personal information in the course of commercial activity. The Act started to apply to federally regulated companies from the start of last year, but on January 1, 2004 it will extend to cover all Canadian commercial activity at the provincial, inter-provincial, and international level.
Given the relatively distant compliance date and the recent emphasis on security, it isn’t surprising that privacy is often not a high priority on the corporate agenda. However, there are some compelling reasons for shaping up sooner rather than later.
Key Aspects of the Legislation
The Act applies to the collection, use, or disclosure of personal information by any organization involved in commercial activity. PIPEDA lists 10 principles of fair information practices, which form the ground rules for the collection, use and disclosure of personal information. These principles give individuals control over how their personal information is handled in the private sector. Briefly and informally, the principles are:
1. Be Accountable – appointing someone to be accountable for implementing personal information policies and practices.
2. Identify Purpose – identifying why personal information is needed and how it will be used, and informing the person concerned.
3. Obtain Consent – obtaining and recording consent from each individual whose information you collect, use, or disclose.
4. Limit Collection – not collecting information you do not need for the stated purpose.
5. Limit Use, Disclosure, Retention – limit use and disclosure of the information to the purpose it was collected for, keep it only as long as is needed, and then destroy it. If you find a new purpose for the information you must go back and re-obtain consent for that purpose.
6. Be Accurate – ensure that the information you have is as accurate as it needs to be for the purpose, particularly where use of inaccurate information could be harmful to the individual.
7. Use Appropriate Safeguards – there is no privacy without security. Personal information must be protected from unauthorized access, disclosure, copying, modification, or use.
8. Be Open – inform everyone about your privacy policies and procedures in a readily understandable manner.
9. Give Individuals Access – give individuals access to all the information you hold about them (in any form) and provide a means to update it; tell them how it has been used and with whom it has been shared and when.
10. Inform Complainants – develop simple and accessible complaint procedures; inform complainants about official avenues of recourse.
The Challenges for Business
Complying with the legislation is not without challenges. Obtaining and recording consent will require a consent mechanism for your Web site and call centre processes. Using appropriate safeguards may well require updating your security best practices to a demonstrable standard (such as the International Standard ISO 17799).
There are even more challenges. Complying with the requirements of individual access may require you to have an excellent grasp of your corporate information architecture. Do you know what information you hold about your customers? Where is it stored? One would assume it is in your customer databases, but what about all those other data extracts, such as data held on PCs in spreadsheets, internal paper records, and information shared with other offices, trading partners, and suppliers? What privacy practices are in place with outside groups?
While the compliance date seems quite a way off, companies should act now. Why? Some might recall the pain of implementing Y2K compliance uncomfortably close to the deadline: it’s tempting to put off the work, and then struggle to the finish. This Act does have teeth in terms of potential hefty fines for non-compliance, and the threat of negative press is very real.
If fines and public embarrassment don’t strike fear into you, consider the impact on the other systems you are working on: your Data Warehouse, the Knowledge Management system, CRM implementation, and those new Customer Information Systems that pull together your information in new and valuable ways. These applications must also be compliant. Your organization will need to complete a Privacy Impact Assessment for each project to ensure you don’t build in liabilities for the future.
The cost of reengineering at the front end is always much lower than trying to play catch-up in later development cycles. More critically, non-compliance may directly undermine the ROI that the system was supposed to deliver if that ROI was based on disallowed activities.
Who Do You Trust?
If you remain unconvinced then let me add one more good reason – trust. Trust remains the main barrier to the growth of e-business and the public acceptance of new technologies (smart-cards are an example). If I can’t trust you to keep my information safe, to not share it indiscriminately, and to not spam me with wonderful offers you have established I’ll like (based on creative rearrangement of my customer profile), then guess what? I’m not doing business with you. Trust is essential to all customer relationships and the best underpinning for trust is good privacy practice, irrespective of any legislative requirement.
We can predict that the Act may well be subject to legal interpretations and even legislative modifications. However, implementing best practices in order to minimize the pain of future compliance, and avoid expensive system reworks, is sound IT management. Building trust with your customers through good privacy practices is basic business sense.
For further details, the Privacy Commissioner of Canada Web site (http://www.privcom.gc.ca/information/guide_e.asp) has excellent guidance for companies on the corporate responsibilities required to comply with the Act.
Paul Lewis is Associate Director, Security & Privacy Services, at DMR Consulting’s Toronto office. He can be reached at firstname.lastname@example.org