In Canada, privacy laws protect us. The Personal Information Protection and Electronic Documents (PIPED) Act is Canada’s new private sector privacy law, which came into effect on January 1, 2004.
GOOD PRIVACY IS GOOD BUSINESS
In an increasingly competitive marketplace, Padgett Business Services relies on personal information to identify and stay in touch with our clients. We use it to seek out new clients who might be interested in our products. We want to find out what the market is looking for and what it will bear. And we want information about our employees, so that we can administer benefits and ensure a safe and productive workplace.
Obtaining and using that personal information in ways that don’t offend the fundamental human right of privacy is the challenge for modern businesses.
Respecting and protecting privacy is a key element of good client relations — and that makes it a key element of competitive advantage. Our clients want privacy and our employees need it.
It’s not an abstract legal concept. It’s simple consideration, respect and courtesy — the essence of a good relationship with our clients and employees. Showing respect for privacy is part of showing respect for our client, and respecting our client is the cornerstone of a strong client relationship.
THE PIPED ACT IN BRIEF
The PIPED Act sets out ground rules for how private sector organizations can collect, use or disclose personal information in the course of commercial activities. It balances an individual’s right to privacy with the need of organizations to collect, use or disclose personal information for legitimate business purposes.
On January 1, 2004, the PIPED Act was applied right across the board — to all personal information collected, used or disclosed in the course of commercial activities by all private sector organizations, except provinces that have enacted legislation that is deemed to be substantially similar to the federal law. To date, Quebec, Alberta and B.C. are the only provinces with legislation that is substantially similar to the PIPED Act.
The basic outline of the PIPED Act looks like this:
If Padgett Business Services wants to collect, use or disclose personal information about clients, we need their consent, except in a few specific and limited circumstances.
We can use or disclose clients’ personal information only for the purpose for which they gave consent. Even with consent, we have to limit collection, use and disclosure to purposes that a reasonable person would consider appropriate under the circumstances.
Individuals have a right to see the personal information that our business holds about them, and to correct any inaccuracies. There’s oversight, through the Privacy Commissioner of Canada, to ensure that the law is respected, and redress if people’s rights are violated.
PADGETT BUSINESS SERVICES RESPONSIBILITIES UNDER THE PIPED ACT
The PIPED Act reflects the realities of the business world. It’s based on the Canadian Standards Association’s Model Code for the Protection of Personal Information, which is incorporated into the legislation. The Code lists 10 principles of fair information practices that are summarized as Padgett Business Services’ policies.
Accountability. Padgett Business Services: appointed a Chief Privacy Officer responsible for our organization’s compliance to protect all personal information held by our organization or transferred to a third party for processing; and developed and implemented personal information policies and practices.
Identifying purposes. Our organization will: identify the reasons for collecting personal information before or at the time of collection; advise before or when any personal information is collected, identify why it is needed and how it will be used; document why the information is collected; inform the client from whom the information is collected why it is needed; identify any new purpose for the information and obtain the client’s consent before using it.
Consent. Padgett Business Services must inform the individual in a meaningful way of the purposes for the collection, use or disclosure of personal data and obtain the individual’s consent before or at the time of collection, as well as when a new use is identified.
Limiting collection. Our organization does not collect personal information indiscriminately. We will not deceive or mislead individuals about the reasons for collecting personal information.
Limiting use, disclosure, and retention. Padgett Business Services must: use or disclose personal information only for the purpose for which it was collected, unless the individual consents, or the use or disclosure is authorized by the Act; keep personal information only as long as necessary to satisfy the purposes; keep personal information used to make a decision about a person for a reasonable time period. We have guidelines and procedures in place for retaining and destroying personal information. This will allow the person to obtain the information after the decision and pursue redress and destroy, erase or render anonymous information that is no longer required for an identified purpose or a legal requirement.
Accuracy. Our organization must minimize the possibility of using incorrect information when making a decision about the individual or when disclosing information to third parties.
Safeguards. Our policies will: protect personal information against loss or theft; safeguard the information from unauthorized access, disclosure, copying, use or modification; protect personal information regardless of the format in which it is held.
Openness. Padgett Business Services will inform our clients and employees that we have policies and practices for the management of personal information and make these policies and practices understandable and easily available.
Individual access. When requested in writing, Padgett Business Services will: inform individuals, within 30 days, if we have any personal information about them; explain how it is or has been used and provide a list of any organizations to which it has been disclosed; give individuals access to their information; correct or amend any personal information if its accuracy and completeness is challenged and found to be deficient; provide a copy of the information requested, or reasons for not providing access, subject to exception set out in Section 9 of the Act. Padgett Business Services will note any disagreement on the file and advise third parties where appropriate.
Provide recourse. Padgett Business Services has simple and easily accessible complaint procedures that inform complainants the avenues of recourse. These include Padgett Business Services complaint procedures, those of industry associations, regulatory bodies and the Privacy Commissioner of Canada. Our organization will investigate all complaints received and take appropriate measures to correct information handling practices and policies. Complaints should be sent to:
Chief Privacy Officer
Padgett Business Services of Canada Ltd.
775 Pacific Road
Oakville, ON L6L 6M4
Individuals who feel their privacy rights have been infringed upon can complain to the Privacy Commissioner of Canada. The Commissioner’s role is that of an ombudsman, trying to find solutions to privacy problems, resolving complaints through negotiation and persuasion, and using mediation and conciliation if appropriate.
Consent may be express or implied depending on the circumstances. Please note that, in some cases, your choice to refuse or withdraw consent to certain collection, use or disclosure of personal information may impact on our ability to provide you with certain products or services.
WHAT IS PERSONAL INFORMATION?
Personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:
Age, name, ID numbers, income, ethnic origin, or blood type;
Opinions, evaluations, comments, social status, or disciplinary actions; and
Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).
Personal information does not include the name, title, business address or telephone number of an employee of an organization.
WHAT IS NOT COVERED BY THE ACT?
The collection, use or disclosure of personal information by federal government organizations listed under the Privacy Act
Provincial or territorial governments and agents of the crown in right of a province
An employee’s name, title, business address or telephone number
An individual’s collection, use or disclosure of personal information strictly for personal purposes (e.g. personal greeting card list)
An organization’s collection, use or disclosure of personal information solely for journalistic, artistic or literary purposes