With obligatory PIPEDA compliance less than a month away, the law firm Gardiner Roberts LLP held a seminar in Toronto last month in an attempt to help clear up some of the misunderstandings surrounding the new federal act.
As of Jan. 1, 2004, all Canadian companies must comply with the rules set out by the Personal Information Protection and Electronics Documents Act (PIPEDA), which dictates how companies collect, use and disseminate personal information.
Though there is still some confusion around the specifics of the act, the warning was to error on the side of caution.
Gardiner Roberts lawyer John Collins warned attendees that their companies need to take PIPEDA seriously, noting failure to comply could lead to fines of up to $100,000. The information and privacy commissioner of Ontario, Ann Cavoukian, added that a judge could award damages in excess to a $100,000 fine. “So this is serious,” she said.
Though the ramifications of non-compliance are huge, so too is PIPEDA ignorance. Cavoukian said a survey in May found 81 per cent of small- and medium-sized Canadian companies were essentially unaware of PIPEDA. “And for some reason [the number] seems to be going up,” she added. “I assure you, there is very little awareness.” One lawyer summed up the general state of corporate Canada.
“Most businesses are asleep at the switch on this issue,” she said.
At issue for many companies is exactly what can or cannot be done with customer information according to the act’s definition of commercial activity. Information can be found at the PIPEDA Web site (pipeda.org) but filtering through to find, and understand, what is pertinent is a daunting task. For example, commercial activity is defined as “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.”
“If you think this is full of shades of gray, you are right,” Collins said. “There is a lot of confusion about what is a commercial activity.”
The starting point for most companies is to find out exactly what personal information they have. The act defines personal information as “information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.” But even this introduces shades of gray since there is some debate as to whether a name and address (think phone book) is public or private information and thus regulated and, if so to what extent, by PIPEDA.
Cavoukian’s solution is for companies to be brutally honest with the data they have. “Get rid of anything that [you] don’t need,” she said. “It is a good [time] to clean up your shop.”
Cavoukian said it is far better for companies to think of privacy compliance as a business enabler rather than a non-recoverable cost, though she admitted compliance to the act “requires adjustments if you are collecting personal information.” The first thing a company should do, she said, is appoint a privacy officer, someone who is knowledgeable of PIPEDA and can be the go to person when issues pop up.
She also predicts that good privacy practices will reap business rewards as companies which comply with PIPEDA and respect customers’ personal privacy will be able to differentiate themselves in the marketplace based on their privacy reputation.
“The cost of a privacy meltdown is high,” she said. Data from the Royal Bank, Cavoukian said, suggested that 80 per cent of its customers would simply walk away from the bank if their personal information was misused.