Canadian Privacy Legislation
There are four private sector privacy statutes in Canada:
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- Personal Information Protection Act (Alberta)
- Personal Information Protection Act (British Columbia)
- An Act Respecting the Protection of Personal Information in the Private Sector (Quebec)
These statutes apply to organizations that collect, use or disclose personal information in the course of a commercial activity. Personal information is defined as information about an identifiable individual, such as a name or email address. In some cases IP addresses and cookie information may also be considered personal information. The Canadian privacy statutes set out a comprehensive set of rules for the protection of personal information. While the form of the statutes may differ, each of the Canadian privacy statutes contains requirements embodying the following principles of fair information practices:
Accountability: An organization is responsible for personal information under its control and must designate an individual who is accountable for the organization’s compliance with the other privacy principles.
Identifying Purposes: The purposes for which an organization collects personal information must be identified by the organization at or before the time the information is collected.
Consent: The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, subject to limited exceptions.
Limiting Collection: The collection of personal information must be limited to that which is necessary for the purposes identified by the organization. Personal information must only be collected by fair and lawful means.
Limiting Use, Disclosure, and Retention: Personal information must not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information must be retained only as long as necessary for the fulfillment of those purposes.
Accuracy: Personal information must be as accurate, complete, and up-to-date as is necessary for the purposes for which it is used.
Safeguards: Personal information must be protected by physical, technical, and administrative security safeguards appropriate to the sensitivity of the information involved. In the event of a breach of security safeguards that involves a real risk of significant harm to individuals, organizations subject to Alberta’s privacy legislation are required to notify the Commissioner and the Commissioner may also require that the organization notify affected individuals as well. A similar breach notification exists under PIPEDA but is not yet in force.
Openness: An organization must make readily available to individuals specific information about its policies and practices relating to the management of personal information.
Individual Access: Upon request (and subject to limited exceptions), an individual must be informed of the existence, use, and disclosure of his or her personal information and must be given access to that information. An individual must be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Challenging Compliance: An individual must be able to address a challenge concerning compliance with the privacy principles to the designated individual accountable for the organization’s compliance.
To learn more about recent Canadian legislation that may affect your business, please contact us.