Privacy Legislation in Canada
What it Means for Your Business
© Kristin Atwood
Dec 31, 2007
Overview of Canadian privacy legislation that covers the protection of personal information.
Small business owners have good reason to be concerned about privacy legislation. An increasing trend in business is to collect private information in order to provide customers or clients with updates on services, promotions, and so forth. Your customers are putting their trust in you, and they will feel reassured when they see that you are able to maintain their right to privacy and confidentiality. This, in turn, will lead them to value your business and return to you.
What Information is Private?
In general, any identifying information, such as a credit card number or other identification numbers (e.g., social insurance number), is considered private. Customer complaints, comments or opinions that can be linked to a specific individual are considered private, as are employee records, credit checks, loan records, medical records, and the like.
A good rule of thumb is to err on the side of caution. If you are not sure whether something is considered private by the legislation, it’s best to treat it as if it were.
Privacy Legislation in Canada: The Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA is the body of legislation that regulates the collection of private information by businesses in Canada. The act is divided into ten “fair information” principles, as follows:
- Accountability – Your business must have a privacy policy that is clearly marked and accessible. Many businesses post their privacy policies on their websites, and reference the link in printed publications.
- Identifying purposes – You must tell your customers how you will use the information you collect.
- Consent – You must ask your customers for consent before collecting any information. For example, you may have a computer system that can store their name and credit card number automatically when they make a purchase. You must ask them if you can add them to your database before you retain such information.
- Limiting collection – Personal information can only be collected directly from the individual. Thus, for example, you could not ask a husband to provide his wife’s personal information for your mailing list.
- Limiting use, disclosure, and retention – You cannot disclose personal information (e.g. share it with another company) unless you have specifically noted during the consent process that you will do so. As well, you cannot use private information for purposes other than those that you stated you were collecting it for.
- Accuracy – It is your responsibility to ensure your records are accurate and up-to-date. Many businesses periodically send out a notice to their customers that includes the information they have and invites customers to reply with any relevant changes.
- Safeguards – You must demonstrate that you can protect private information. Your privacy policy should explain how confidential information is stored (e.g. kept in a secure physical location, or protected with passwords if the information is electronic).
- Openness – It is your responsibility to be honest and clear in your communication about how information will be used, and to answer questions about protecting private information accurately.
- Individual access – You must provide customers with access to their personal information if they request to see it. You must not allow one customer to have access to any other customer’s personal information.
- Challenging compliance – Privacy policies should also explain how complaints are resolved and make note of the fact that your business is compliant with the relevant legislation.
Although the idea of protecting privacy may seem daunting, in reality it comes down to common sense. Protecting privacy also makes good business sense, because customers who feel safe will be loyal to you.
The copyright of the article Privacy Legislation in Canada in Ethical Business Management is owned by Kristin Atwood. Permission to republish Privacy Legislation in Canada must be granted by the author in writing.