Canadian Privacy Legislation affecting Businesses

Personal Information Protection and Electronic Documents Act (PIPEDA)

As of January 1 2004, virtually all businesses in Canada became subject to the Personal Information Protection and Electronic Documents Act. This legislation was previously in force for federally regulated companies such as banks. As of January 1 2004, it applies to all businesses. The legislation allows provinces to create their own legislation to apply instead of the federal version, so long as it is substantially similar.

In passing this legislation, the Canadian government has recognized that it is all too easy now for businesses to gather large amounts of personal data on others. Much of it is being gathered by people without a legitimate need to know all of the information they are obtaining. Even if they have a legitimate use for it, the information needs to be safeguarded so that it is only collected with the informed consent of a person and cannot be used for other purposes. Unless the process is regulated, that data can be accessed inappropriately, released to or intercepted by someone without proper authorization, sold to marketers or worse yet, misused by identity thieves.

If your business gathers and records information about customers, employees or others, there are limits about what you can gather and how long you can keep it. It affects most businesses because almost everyone keeps name and address information about customers and employees. Most keep a lot more than that.

Reasonable Personal Information with Consent

Under PIPEDA, a business is generally only entitled to gather personal information with the consent of the person that it relates to. There are exceptions that will be mentioned below. In normal cases, if you operate a business, you can only ask people for personal information that is reasonable in relation to the type of business being conducted. For example, most businesses now are not entitled to ask customers for health insurance numbers simply as a means of identification unless they are practising in the health field and need the number for billing. A business may no longer ask for a customer's social insurance number unless there is a legitimate need for the number. However, if a credit check is required to grant credit to a customer, such as an application for credit to purchase a new vehicle, then it is fair and reasonable to ask for a social insurance number because the number is required to perform a credit bureau search. If you don't need the SIN for a legitimate purpose, then you are not permitted to gather it. If you obtained a person's consent to obtain information for a disclosed purpose, you cannot make use of it for other purposes.

What is Personal Information

The type of information that is covered by PIPEDA is personal data about people such as their name, address, birth date, personal identification numbers and information, credit records, loan records, income information, race, religion, etc. These are just some obvious examples but, of course, other information can be included as well. The privacy extends to information a business keeps about its employees as well as customers or others. In terms of employees, the information includes employee files, opinions, evaluations, comments or disciplinary actions. There are also some common-sense exceptions for harmless information gathering. For example, you don't have to give up your Christmas card list.

Retention and Security

A business may only retain personal information for a reasonable period of time, depending on the situation. There are no hard and fast guidelines. Acting in a "reasonable" manner is the most common test. A business must take steps to ensure that any personal information it retains is secure so that others cannot improperly access it.

Making a Demand

Under section 8 of the Act, a business must respond within 30 days to a person's written demand for what personal information it has about them. If it is shown that the information is incorrect, the business has an obligation then to correct its records. The business may even be obligated to help the person fill out the necessary forms to make the demand.

Charges for Responding to a Demand

Although the guidelines do not appear to be specified, it does appear in section 8 of the legislation that a business may impose a reasonable charge for supplying information to a person making a demand, but the business must indicate the approximate cost after the request is made. One cannot supply the information and then submit a bill after the fact.

Exceptions to Obligation to Disclose

In some cases, it would be unfair to require that a business release information to someone making a demand. For that reason, section 9 of the Act lists various exemptions from releasing the information such as where it is being gathered to investigate the breach of a law (i.e. law enforcement agencies), where it involves solicitor client privilege, where it was generated in the course of a formal dispute resolution process or where its disclosure could harm someone's life or security. Another exception is that a business may not in certain cases be obligated to disclose sales statistics or other confidential business information that relates to a customer making a demand. Section 9(3)(b) states that an organization is not required to give access to personal information where it would reveal confidential commercial information.

Avoiding Mistakes

If you are a business operator responding to a demand, you should ensure that you are only giving personal information about the individual demanding it. By way of example, if a person makes a demand, you should not release personal information about their spouse as it is possible that they are no longer together or the person may otherwise object to its release. The spouse should be demanding that information themselves. You should also ensure that the person demanding the information is who they claim to be. Ask for appropriate identification before releasing anything. You also need to ensure that any personal information is kept secure so that it cannot be accessed by others. By way of example, you should not store personnel files in an unlocked drawer where employees can improperly access confidential information about other staff.

Privacy Act

Sometimes people mistakenly refer to this type of legislation as "The Privacy Act". There is legislation by that name enacted by the government of Canada. However, it only regulates how and when federal government institutions can receive and release personal information. It does not affect how people and businesses deal with privacy issues.

There is also Saskatchewan legislation called The Privacy Act. It is not nearly as comprehensive as what I have described above. It can apply, but is not specifically directed at business practices the way that PIPEDA is. It relates more to the statement in section 1 of this Act that "It is a tort, actionable without proof of damage, for a person wilfully and without claim of right, to violate the privacy of another person." In 2018, some additions were made to it to specifically make it against the law to distribute or publish (etc.) intimate images or recordings of someone without their consent. The law will presume that no consent was ever given. The onus will be on the person distributing or publishing it to prove otherwise. If you do an internet search for the Queen's Printer Saskatchewan, you will find a Saskatchewan government website where you can access a copy of this or any other Saskatchewan legislation or regulations.

Further Information

For more information, you may wish to visit the website for the Privacy Commissioner of Canada. It contains more detailed information. The ultimate source for federal legislation is the Act itself. Remember these government links can change often, so at some point my link may no longer work.

Please contact me if I can be of any assistance to you.

Notice: The information on this website is general in nature only. It relates to Saskatchewan, Canada and may not be applicable in your jurisdiction. It does not constitute legal advice to you and no solicitor client relationship will be established. A conflict check would also be required before our firm can act for someone. You should seek specific legal advice regarding your circumstances from a lawyer entitled to practise law in your jurisdiction.
* Richard Carlson Legal Prof. Corp. | Wednesday, May 22 2024 02:43 am UTC1 (-6 hrs for Sask)