Other Publications
The Personal Information & Electronic Documents (Privacy) Act Implemented
(Excerpts printed in Autumn 2003 Issue of SASTT Journal)
On April 13, 2000, the Personal Information Protection &
Electronic Documents Act received Royal Assent. The Act governs
the collection, use and disclosure of personal information in
the private sector. The legislation holds the potential to
impact every business in Canada. Here is a quick outline of
business obligations and potential exposure under the Act.
Rationale
The increasing pervasiveness of computer networks
and the emergence of electronic commerce hold enormous social
and economic potential for Canada. Survey after survey has
found that privacy and the protection of personal information,
especially when using the Internet, represents a top-level
concern among Canadians. Accordingly, this concern is viewed as
a principal factor impeding the growth of electronic commerce.
To overcome this barrier, the federal government identified the
implementation of privacy legislation as a key element of its
Electronic Commerce Strategy (for more information on the
federal strategy see http://www.ecom.ic.gc.ca/).

Protecting ‘Personal Information’
The Act governs the collection, use and disclosure of
personal information in the commercial sphere. Personal
information includes information about an identifiable
individual, presented in any form, including: age, name, ID
numbers, income, ethnic origin, blood type; opinions,
evaluations, social status, disciplinary actions; employee
files, credit records, loan records, medical records and
intentions (e.g. to change jobs or purchase a product).
Personal information does not include name, title, business
address or telephone number of an employee of an organization.
Application
The Act may eventually apply to all organizations that
collect, use or disclose personal information and will be
implemented in three phases:
Phase one: January 1, 2001
It will apply to most of the federally regulated private
sector, such as telephone companies, cable companies,
broadcasters, banks, interprovincial and international
transportation companies, airports and grain elevators. It will
apply to personal data collected, used or disclosed pertaining
to employees of the federally regulated private sector. It will
apply to all organizations that trade in personal information
across provincial or national borders, such as credit reporting
agencies or businesses engaged in selling or exchanging
consumer lists or other personal information.
Phase two: January 1, 2002
The Act extends to cover health information for the
organizations and activities outlined under phase one.
Phase three: January 1, 2004
The Act extends to cover the collection, use and disclosure
of personal information during any commercial activity within
Canada. Companies will be exempt from the federal law if the
province has enacted ‘substantially similar’ legislation.
Complying with the Act
Adhering to the 10 Privacy Principles
Schedule 1 of the Act outlines ten privacy principles that
organizations must follow when developing their ‘fair
information practices’. These ten privacy principles were
originally developed as a national standard in 1996 as The CSA
Model Code for the Protection of Personal Information. The CSA
Model Code was developed through consensus, with input from
business, consumer groups and government. The ten principles
are:
1. Accountability
An organization is responsible for personal information under
its control and shall designate an individual or individuals
who are accountable for the organization’s compliance with the
following principles.
2. Identifying Purposes
The purposes for which personal information is collected shall
be identified by the organization at or before the time the
information is collected.
3. Consent
The knowledge and consent of the individual are required for
the collection, use or disclosure of personal information,
except where inappropriate.
4. Limiting Collection
The collection of personal information shall be limited to
that which is necessary for the purposes identified by the
organization. Information shall be collected by fair and
lawful means.
5. Limiting Use, Disclosure, and Retention
Personal information shall not be used or disclosed for
purposes other than those for which it was collected, except
with the consent of the individual or as required by law.
Personal information shall be retained only as long as
necessary for the fulfillment of those purposes.
6. Accuracy
Personal information shall be as accurate, complete, and
up-to-date as is necessary for the purposes for which it is to
be used.
7. Safeguards
Personal information shall be protected by security safeguards
appropriate to the sensitivity of the information.
8. Openness
An organization shall make readily available to individuals
specific information about its policies and practices relating
to the management of personal information.
9. Individual Access
Upon request, an individual shall be informed of the
existence, use and disclosure of his or her personal
information and shall be given access to that information. An
individual shall be able to challenge the accuracy and
completeness of the information and have it amended as
appropriate.
10. Challenging Compliance
An individual shall be able to address a challenge concerning
compliance with the above principles to the designated
individual or individuals accountable for the organization’s
compliance.
Enforcement
The Act provides the federal Privacy
Commissioner with extended powers. The Privacy Commissioner can
investigate complaints (i.e. call witnesses, compel evidence
and visit business premises), mediate disputes, audit
compliance, make investigation findings public and appeal to
the Federal Court. The last two provisions are key for
business. By making investigation findings public, the Privacy
Commissioner has a powerful compliance mechanism: the ability
to create public relations damage to a company. In addition,
individuals and the Privacy Commissioner can appeal to the
Federal Court for remedy. The Federal Court can order companies
to comply with the provisions of the legislation, to publish
notices of correction and/or actions taken to comply with the
legislation, and award damages, including punitive damages.
Offences under the Act
There are three offences under the Act:
1) destroying personal information that a person has requested;
2) retaliating against an employee who has complained to the
Privacy Commissioner, or who refuses to contravene the Act
(whistleblower clause);
3) obstructing a complaint investigation or an audit by the
Office of the Privacy Commissioner.
A person can be fined up to $10,000 on summary conviction
and up to $100,000 for an indictable offence.
Six Key Points for Business
1. Informed Consent
When collecting, using or disclosing personal information
during the course of a commercial transaction, obtain informed
consent. Ask permission and explain the purposes for which you
intend to use and disclose the information. Defining informed
consent and implied consent will likely cause some debate
between government regulators and business.
2. Exceptions
There are a few exceptions to the general requirement of
obtaining an individual’s consent. These exceptions include
situations where: collection clearly benefits the individual;
obtaining consent would compromise the accuracy of the
information and the data is required for a legal
investigation; the information would aid in resolving an
emergency where lives are at stake; the information is for
journalistic, artistic, literary or scholarly purposes; or the
information is ‘publicly available’. For a comprehensive list
of exceptions see Sections 7.1, 7.2 & 7.3 of the Act.
3. Third Party Transfers
You must protect personal information even when you transfer
the data to a third party. You may wish to implement ‘privacy
protection’ clauses into your contracts to guarantee that third
parties provide the same level of protection as your
organization. This is another likely area of confusion and
debate under the Act.
4. International Compliance
While there are a number of disparate approaches to privacy
and the protection of personal information across
jurisdictions, the ten privacy principles enshrined in the Act,
if applied properly, provide a high level of protection that
will allow you to comply with the requirements of different
countries. Canada is currently seeking acceptance of its Act
from the European Union. Inevitably, there will be differences
between provincial and federal laws and regulations and between
our laws & regulations and those in other countries.
5. Application
While the Act aims to cultivate trust in electronic commerce,
it applies equally to companies that use the Internet and to
those that do not.
6. Appoint a Privacy Officer
The Act stipulates that a company names an individual to be
accountable for the organization’s compliance with the
legislation. It will be beneficial for this person to be senior
in the organization and to have the support of senior
management, as they will need to effectively implement the
requirements of the Act.
Entering Uncharted Legislative Territory
This legislation leads Canada and Canadian businesses into
uncharted legislative and regulatory waters, which makes
predictions on its future application somewhat difficult.
For more Government Resources:
Government & Standards Organizations:
Electronic Commerce Branch, Industry Canada
http://www.e-com.ic.gc.ca/english/privacy/632d1.html
Privacy Commissioner of Canada
http://www.privcom.gc.ca/english/02_06_e.htm
The Privacy Commissioner has just released the new Guide for
Business
http://www.privcom.gc.ca/information/02_06_02_e.asp
CSA (Canadian Standards Association) International
http://csa-international.org/english/product_services/index_info.htm
Information & Privacy Commissioner of Ontario
http://www.ipc.on.ca/
For Canadian business perspectives on the Privacy Issue:
Retail Council of Canada
http://www.retailcouncil.org/instorenews/privacy.asp
Canadian Marketing Association
http://www.the-cma.org/
Zero Knowledge
http://www.zeroknowledge.com/
Other Canadian Groups:
Electronic Frontier Canada
http://www.efc.ca/
Canadian Civil Liberties Association
http://www.ccla.org/
Canadian Access & Privacy Association
http://www.capa.ca/
International:
For a great source of multiple links on the privacy issues try:
Politics of Information
http://www.cous.uvic.ca/poli/456/privres.htm
Privacy International
http://www.privacy.org/pi/
Electronic Privacy Information Center
http://www.epic.org
Global Internet Liberty Campaign
http://www.gilc.org/
MyPrivacy.Org
http://www.myprivacy.org/