Your Privacy Responsibilities Guide


Published on

This guide helps businesses understand andmeet their new obligations under Part 1 of the
Personal Information Protection and Electronic Documents Act.

1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Your Privacy Responsibilities Guide

  1. 1. Office of the Privacy Commissioner of Canada PIPEDA A GUIDE FOR BUSINESSES AND ORGANIZATIONS Your Privacy Responsibilities Canada’s Personal Information Protection and Electronic Documents Act
  2. 2. Y O U R P R I VA C Y R E S P O N S I B I L I T I E S – A G U I D E T O C A N A D A’ S P E R S O N A L I N F O R M AT I O N P R O T E C T I O N A N D E L E C T R O N I C D O C U M E N T S A C T About This Guide This guide helps businesses understand and meet their new obligations under Part 1 of the Personal Information Protection and Electronic Documents Act. * The Act sets out ground rules for the management of personal information in the private sector. It balances an individual’s right to the privacy of personal information with the need of organiza- tions to collect, use or disclose personal information for legitimate business purposes. The Act establishes the Privacy Commissioner of Canada as the ombudsman for complaints under the new law. The Commissioner seeks whenever possible to solve problems through voluntary compliance, rather than heavy-handed enforcement. The Commissioner investigates complaints, conducts audits, promotes awareness of and undertakes research about privacy matters. The Commissioner is also the ombudsman for complaints under the Privacy Act, which covers the fed- eral public sector. Part 1 of the Act came into force in three phases, beginning January 1, 2001. For more information, contact: The Office of the Privacy Commissioner of Canada 112 Kent Street Ottawa, Ontario K1A 1H3 Telephone: (613) 995-8210 Toll-free: 1 (800) 282-1376 Fax: (613) 947-6850 Web site: While prepared with care to ensure accuracy and completeness, this guide has no legal status. For the official text of the new law, consult our Web site at or call the Office of the Privacy Commissioner of Canada. IP54-2/2004 ISBN: 0-662-68004-9 Updated September 2009 * This guide deals only with Part 1 of the Act. All references to the Act in this document refer only to Part 1. Parts 2 to 5 of the Act concern the use of electronic documents and signatures as legal alternatives to original documents and signatures. For information on these, con- b tact the Department of Justice.
  3. 3. Table of Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Is Your Organization Subject to the Act? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 What is not covered by the Act? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Your Responsibilities under the Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Fair Information Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Be accountable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Identify the purpose of data collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Obtain consent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Limit collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Limit use, disclosure and retention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Be accurate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Use appropriate safeguards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Be open . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Give individuals access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Provide recourse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Exceptions to the Consent and Access Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 Role of the Privacy Commissioner of Canada . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Complaints to the Privacy Commissioner of Canada . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 Applications to the Federal Court . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Audits of Personal Information Management Practices . . . . . . . . . . . . . . . . . . . . . . . . . 25 Privacy Questionnaire . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 c
  4. 4. Introduction T he Office of the Privacy Commissioner Application to the of Canada has prepared this guide to help organizations fulfil their responsi- Federal Court bilities under the Personal Information After receiving the Office of the Privacy Protection and Electronic Documents Act Commissioner of Canada’s investigation (PIPEDA). PIPEDA is good news for both report, a complainant may apply to the organizations and individuals. Individuals Federal Court for a hearing under certain will appreciate doing business with organi- conditions as set out in Section 14 of the Act. zations that demonstrate a respect for their The Privacy Commissioner of Canada may privacy rights, which can ultimately lead to a also apply to the Court on her own or on the competitive advantage. Organizations can complainant’s behalf. The Court may order see this as an opportunity to review and an organization to change its practices improve their personal information handling and/or award damages to a complainant, practices. including damages for humiliation suffered. The Act in Brief Audits Organizations covered by the Act must obtain an individual’s consent when they The Commissioner may, with reasonable collect, use or disclose the individual’s per- grounds, audit the personal information sonal information. The individual has a right management practices of an organization. to access personal information held by an organization and to challenge its accuracy, if need be. Personal information can only be Offences used for the purposes for which it was col- It is an offence to: lected. If an organization is going to use it I destroy personal information that an indi- for another purpose, consent must be vidual has requested; obtained again. Individuals should also be I retaliate against an employee who has assured that their information will be pro- complained to the Commissioner or who tected by specific safeguards, including refuses to contravene Sections 5 to 10 of measures such as locked cabinets, computer the Act; or passwords or encryption. I obstruct a complaint investigation or an audit by the Commissioner or her dele- Complaints gate. An individual may complain to the organiza- tion in question or to the Office of the Privacy Commissioner of Canada about any alleged breaches of the law. The Commissioner may also initiate a complaint, 1 if there are reasonable grounds.
  5. 5. Y O U R P R I VA C Y R E S P O N S I B I L I T I E S – A G U I D E T O C A N A D A’ S P E R S O N A L I N F O R M AT I O N P R O T E C T I O N A N D E L E C T R O N I C D O C U M E N T S A C T DEFINITIONS Personal information Use Personal information includes any factual or subjective Refers to the treatment and handling of personal infor- information, recorded or not, about an identifiable indi- mation within an organization. vidual. This includes information in any form, such as: Federal work, undertaking or business I age, name, ID numbers, income, ethnic origin, or blood Includes“any work, undertaking or business that is under type; the legislative authority of Parliament” While most feder- . I opinions, evaluations, comments, social status, or dis- ally regulated organizations would be captured under ciplinary actions; and this definition, not all these types of organizations I employee files, credit records, loan records, medical are federal works. For instance, insurance companies records, existence of a dispute between a consumer and credit unions may be subject to some federal regu- and a merchant, intentions (for example, to acquire lation, but are considered to be within provincial juris- goods or services, or change jobs) diction under the Constitution and are not federal works for the purposes of the Act. The Act defines some of the Personal information does not include the name, title or specific federal works subject to Part 1 as follows: business address or telephone number of an employee I airports, aircraft or airlines of an organization. I banks Commercial activity Any particular transaction, act, or conduct, or any regular I grain elevators course of conduct that is of a commercial character, I inter-provincial or international transportation by including the selling, bartering or leasing of donor, mem- land or water bership or other fund-raising lists. I nuclear facilities Organization I telecommunications An organization includes an association, a partnership, a I offshore drilling operations person or a trade union. I radio and television broadcasting Consent Voluntary agreement with what is being done or pro- Note that this is not an exhaustive list of“federal works, posed. Consent can be either express or implied. undertakings and businesses” The fact that your com- . Express consent is given explicitly, either orally or in writ- pany is federally incorporated does not necessarily ing. Express consent is unequivocal and does not mean that it is a federal work, undertaking or business. require any inference on the part of the organization If your company is subject to any part of the Canada seeking consent. Implied consent arises where consent Labour Code, it is probably a federal work, undertaking may reasonably be inferred from the action or inaction or business. of the individual. Disclosure Making personal information available to others outside the organization. 2
  6. 6. Is Your Organization Subject to the Act? PIPEDA came into effect in three January 1,2004 stages: The Act extended to the collection, use or disclosure of personal information in the January 1,2001 course of any commercial activity within a In its first stage, the Act began applying to province. However, the federal government personal information (except personal may exempt organizations and/or activities health information) that is collected, used or in provinces that have adopted substantially disclosed in the course of commercial activi- similar privacy legislation. The Act also ties by federal works, undertakings and busi- applies to all personal information in all nesses. This includes, but is not limited to, interprovincial and international transac- federally-regulated organizations such as tions by all organizations subject to the Act banks, telecommunications and transporta- in the course of their commercial activities. tion companies. To date, Quebec, British-Columbia and At this stage the Act began applying to Alberta have adopted legislation deemed personal data that is collected, used or dis- substantially similar to the federal law.The closed by these same organizations about federal government has stated that organi- their employees. In addition, at this stage zations and activities subject to the substan- the Act began applying to disclosures of per- tially similar privacy legislation in these three sonal information for consideration across provinces will be exempted from the federal provincial or national borders, by organiza- act for intraprovincial matters. tions such as credit reporting agencies or In November 2003, the Governor in organizations that lease, sell or exchange Council issued an Order in Council declaring mailing lists or other personal information. Quebec’s An Act Respecting the Protection of The information itself must be the subject of Personal Information in the Private Sector the transaction and the consideration is for substantially similar.The Act, which predated the information. PIPEDA, came into effect on January 1, 1994. British Columbia and Alberta each adopted legislation in 2003 that applies to January 1,2002 all organizations within the two provinces, except for those covered by other provincial The Act extended to personal health infor- privacy legislation, and federal works, under- mation for the organizations and activities takings or businesses that remain subject to covered in the first stage. Personal health PIPEDA.The two laws – both called the information is defined as information about Personal Information Protection Act – came an individual’s mental or physical health, into force on January 1, 2004.The Governor including information concerning health in Council has issued two Orders in Council services provided and information about exempting organizations, other than federal tests and examinations. 3
  7. 7. Y O U R P R I VA C Y R E S P O N S I B I L I T I E S – A G U I D E T O C A N A D A’ S P E R S O N A L I N F O R M AT I O N P R O T E C T I O N A N D E L E C T R O N I C D O C U M E N T S A C T works, undertakings or businesses, in Alberta What is not covered and British Columbia respectively, from the application of PIPEDA. by the Act? Ontario’s Personal Health Information I The collection, use or disclosure of per- Protection Act (PHIPA) came into force on sonal information by federal government November 1, 2004. PHIPA establishes rules organizations listed under the Privacy Act for the collection, use and disclosure of per- I Provincial or territorial governments and sonal health information by health informa- their agents I tion custodians in Ontario. Health An employee’s name, title, business information custodians are individuals or address or telephone number organizations listed under PHIPA that, as a I An individual’s collection, use or disclo- result of their power or duties, have custody sure of personal information strictly for or control of personal health information. personal purposes (e.g. personal greeting In November 2005, the Governor in card list) Council issued an Order in Council exempt- ing health information custodians in Ontario I An organization’s collection, use or disclo- from the application of PIPEDA. As a result, sure of personal information solely for Ontario health information custodians will journalistic, artistic or literary purposes not be subject to PIPEDA with respect to the I Employee information – except in the collection, use and disclosure of personal federally-regulated sector health information.The Information and Privacy Commissioner of Ontario will be See relevant fact sheets on this and other responsible for ensuring compliance with issues on our Web site. PHIPA, including investigating complaints about the personal information practices of health information custodians within the province. The Privacy Commissioner will continue to be responsible for oversight in relation to the collection, use and disclosure of personal health information that crosses provincial boundaries in the course of commercial activity. As well, our Office will continue to be responsible for personal health informa- tion collected, used or disclosed in Ontario in the course of commercial activities by organizations that are not health informa- tion custodians. 4
  8. 8. Your Responsibilities under the Act O rganizations must follow a code for These principles must be read in conjunc- the protection of personal informa- tion with key sections of the Act, particularly tion, which is included in the Act as including: Schedule 1. The code was developed by business, Sections 2 to 10 of the Act consumers, academics and government Schedule 1 must be read in conjunction with under the auspices of the Canadian Sections 2 to 10 of the Act. It is essential to Standards Association. carefully consider the obligations set out in It lists 10 principles of fair information these sections, along with the 10 principles. practices, which form ground rules for the collection, use and disclosure of personal Section 2 information. These principles give individu- I Provides definitions including commercial als control over how their personal informa- activity, federal work, undertaking or busi- tion is handled in the private sector. ness, personal information, personal An organization is responsible for the pro- health information and organization. tection of personal information and the fair I Specifies that the notes under clauses 4.3 handling of it at all times, throughout the and 4.9 of Schedule 1 are not part of organization and in dealings with third par- the law. ties. Care in collecting, using and disclosing personal information is essential to contin- Section 3 ued consumer confidence and good will. Defines the purpose of the Act: The 10 principles that businesses must I recognizes individuals’ right to privacy of follow are: their personal information 1. Accountability I recognizes the need of organizations to 2. Identifying purposes collect, use or disclose personal informa- 3. Consent tion for legitimate business purposes 4. Limiting collection I establishes rules for handling personal 5. Limiting use, disclosure and retention information 6. Accuracy Section 4 7. Safeguards Defines the scope of the Act’s application: 8. Openness I covers all organizations that collect, use or 9. Individual access disclose personal information in the 10. Challenging compliance course of commercial activities 5
  9. 9. Y O U R P R I VA C Y R E S P O N S I B I L I T I E S – A G U I D E T O C A N A D A’ S P E R S O N A L I N F O R M AT I O N P R O T E C T I O N A N D E L E C T R O N I C D O C U M E N T S A C T I includes the personal information of an Section 7 employee of a federal work, undertaking I Specifies the circumstances when personal or business but not the personal informa- information may be collected, used or dis- tion of other private sector employees. closed without the individual’s consent. Section 5 Section 8 I Stipulates that every organization must I Sets out procedures for individuals to comply with the obligations of Schedule 1. make requests for personal information I Indicates what is not covered by the Act. and corrections to that information. I In the Schedule: I “shall”means an obligation Section 9 I “should”means a recommendation, I Explains when access to personal not an obligation. information may be refused. I Limits the collection, use and disclosure Section 10 to purposes that a reasonable person I Defines an organization’s obligation to would consider appropriate in the provide personal information in an alter- circumstances. The reasonable person’s native format (e.g. Braille, large print or perspective must be taken into account audio tape) to a person with a sensory when applying any aspect of Part 1 of disability. the Act. Section 6 I Establishes that identifying an individual to be accountable for compliance does not mean that the organization is not responsible for its obligations as set out in Schedule 1. 6
  10. 10. YO U R R E S P O N S I B I L I T I E S U N D E R T H E AC T Fair Information Principles This section sets out the responsibilities for each of the 10 fair information principles of Schedule 1. It outlines how to fulfil these responsibilities and offers some tips. 1. Be accountable Your responsibilities I Comply with all 10 of the principles of TIPS Schedule 1. Train your front-line and management staff and keep them I Appoint an individual (or individuals) to informed, so they can answer the following questions: be responsible for your organization’s I How do I respond to public inquiries regarding our organiza- compliance. tion’s privacy policies? I Protect all personal information held by I What is consent? When and how is it to be obtained? your organization or transferred to a third I How do I recognize and process requests for access to party for processing. I Develop and implement personal infor- personal information? I To whom should I refer complaints about privacy matters? mation policies and practices. I What are the ongoing activities and new initiatives relating to How to fulfil these responsibilities the protection of personal information at our organization? I Give your designated privacy official sen- I What are the ongoing activities and new initiatives relating to ior management support and the author- the protection of personal information at our organization? ity to intervene on privacy issues relating to any of your organization’s operations. When transferring personal information to third parties, I Communicate the name or title of this ensure that they: individual internally and externally (e.g. I Name a person to handle all privacy aspects of the contract. on Web sites and in publications). I Limit use of the personal information to the purposes specified I Analyze all personal information handling to fulfil the contract. practices including ongoing activities and I Limit disclosure of the information to what is authorized by your new initiatives, using the following check- organization or required by law. list to ensure that they meet fair informa- I Refer any people looking for access to their personal informa- tion practices: tion to your organization. I What personal information do I Return or dispose of the transferred information upon we collect? I Why do we collect it? completion of the contract. I I Use appropriate security measures to protect the personal How do we collect it? I What do we use it for? information. I Where do we keep it? I Allow your organization to audit the third party’s compliance I How is it secured? with the contract as necessary. I Who has access to or uses it? I To whom is it disclosed? I I Include a privacy protection clause in When is it disposed of? I Develop and implement policies and pro- contracts to guarantee that the third cedures to protect personal information: party provides the same level of protec- I define the purposes of its collection tion as your organization does. I I Inform and train staff on privacy policies obtain consent I limit its collection, use and disclosure and procedures. I ensure information is correct, complete I Make information available explaining and current these policies and procedures to I ensure adequate security measures customers (e.g. in brochures and on I develop or update a retention and Web sites). destruction timetable I process access requests 7 I respond to inquiries and complaints
  11. 11. Y O U R P R I VA C Y R E S P O N S I B I L I T I E S – A G U I D E T O C A N A D A’ S P E R S O N A L I N F O R M AT I O N P R O T E C T I O N A N D E L E C T R O N I C D O C U M E N T S A C T 2. Identify the purpose Your organization must identify the reasons How to fulfil these responsibilities for collecting personal information before or I Review your personal information hold- at the time of collection. ings to ensure they are all required for a Your responsibilities specific purpose. I I Before or when any personal information Notify the individual, either orally or in is collected, identify why it is needed and writing, of these purposes. how it will be used. I Record all identified purposes and I Document why the information is obtained consents for easy reference in collected. case an individual requests an account of such information. I Inform the individual from whom the I Ensure that these purposes are limited to information is collected why it is needed. what a reasonable person would expect I Identify any new purpose for the informa- under the circumstances. tion and obtain the individual’s consent before using it. G R A N D F AT H E R I N G TIPS Personal information that your company has collected during the course of its I Define your purposes for collecting data as clearly and narrowly commercial activities is subject to the Act. as possible so the individual can understand how the informa- Since it has already been collected, you tion will be used or disclosed. don’t need to recollect it. However, in I Avoid overly broad purposes as they may conflict with the order to continue to use or disclose this knowledge and consent principle. information, you now require consent. I Examples of purposes include: Some organizations have informed all I opening an account their customers what they do with their I verifying creditworthiness information, to whom it is disclosed and I providing benefits to employees given customers the option to object to I processing a magazine subscription these ongoing uses or disclosures. I sending out association membership information I guaranteeing a travel reservation See relevant best practices and fact I identifying customer preferences sheets on this and other issues on our I establishing customer eligibility for special offers Web site. or discounts. 8
  12. 12. YO U R R E S P O N S I B I L I T I E S U N D E R T H E AC T 3. Obtain consent Your responsibilities I Inform the individual in a meaningful way TIPS of the purposes for the collection, use or I Consent is normally obtained from the individual whose disclosure of personal data. personal information is collected, used or disclosed. I Obtain the individual’s consent before or I For an individual who is a minor, seriously ill, or mentally at the time of collection, as well as when a incapacitated, consent may be obtained from a legal guardian, new use is identified. or person having power of attorney. I Consent is only meaningful if the individuals understand how How to fulfil these responsibilities* their information will be used. I Obtain consent from the individual I Consent clauses should: whose personal information is collected, I be easy to find used or disclosed. I use clear and straightforward language I Communicate in a manner that is clear I not use blanket categories for purposes, uses and can be reasonably understood. and disclosures I Record the consent received (e.g. note to I be specific as possible about which organizations file, copy of e-mail, copy of check-off box). handle the information. I Never obtain consent by deceptive I Consent can be obtained in person, by phone, by mail, via means. the Internet etc. I I The form of consent should take into consideration: Do not make consent a condition for I reasonable expectations of the individual supplying a product or a service, unless I circumstances surrounding the collection the information requested is required I sensitivity of the information involved. to fulfil an explicitly specified and legitimate purpose. I Express consent should be used whenever possible and in all I Explain to individuals the implications cases when the personal information is considered sensitive. of withdrawing their consent. Relying on express consent protects both the individual and the organization. I Ensure that employees collecting personal information are able to answer an individual’s questions about the purposes of the collection. * Note:There are some exceptions to the principle of obtaining consent. See page 17 of this guide for more information. 9
  13. 13. Y O U R P R I VA C Y R E S P O N S I B I L I T I E S – A G U I D E T O C A N A D A’ S P E R S O N A L I N F O R M AT I O N P R O T E C T I O N A N D E L E C T R O N I C D O C U M E N T S A C T 4. Limit collection Your responsibilities How to fulfil these responsibilities I Do not collect personal information I Limit the amount and type of the infor- indiscriminately. mation gathered to what is necessary I Do not deceive or mislead individuals for the identified purposes. about the reasons for collecting personal I Identify the kind of personal information information. you collect in your information-handling policies and practices. I Ensure that staff members can explain TIPS why the information is needed. I By reducing the amount of information gathered, you can lower the cost of collecting, storing, retaining and ultimately archiving data. I Collecting less information also reduces the risk of inappropriate uses and disclosures. 10
  14. 14. YO U R R E S P O N S I B I L I T I E S U N D E R T H E AC T 5. Limit use,disclosure and retention Your responsibilities I Use or disclose personal information only TIPS for the purpose for which it was collected, I It may be less onerous and complicated to destroy or erase unless the individual consents, or the use or disclosure is authorized by the Act. information than to make personal information anonymous. I Conduct regular reviews to help determine whether information I Keep personal information only as long as is still required. Establish a retention schedule to make necessary to satisfy the purposes. this easier. I Put guidelines and procedures in place for retaining and destroying personal information. How to fulfil these responsibilities I Keep personal information used to make I Document any new purpose for the use a decision about a person for a reason- able time period. This should allow the of personal information. person to obtain the information after the I Institute maximum and minimum reten- decision and pursue redress. tion periods that take into account any I Destroy, erase or render anonymous infor- legal requirements or restrictions and mation that is no longer required for an redress mechanisms. identified purpose or a legal requirement. I Dispose of information that does not have a specific purpose or that no longer fulfils its intended purpose. I Dispose of personal information in a way that prevents improper access. Shredding paper files or deleting electronic records are ideal. I Establish policies setting out the types of information that need to be updated. An organization can reasonably expect an individual to provide updated informa- tion in certain circumstances (e.g. change of address for a magazine subscription). 11
  15. 15. Y O U R P R I VA C Y R E S P O N S I B I L I T I E S – A G U I D E T O C A N A D A’ S P E R S O N A L I N F O R M AT I O N P R O T E C T I O N A N D E L E C T R O N I C D O C U M E N T S A C T 6. Be accurate Your responsibilities How to fulfil these responsibilities I Minimize the possibility of using incorrect I Keep personal information as accurate, information when making a decision complete and up to date as necessary, about the individual or when disclosing taking into account its use and the inter- information to third parties. ests of the individual. I Update personal information only when necessary to fulfil the specified purposes. TIPS I Keep frequently used information accu- rate and up to date unless there are I One way to determine if information needs to be updated is to clearly set out limits to this requirement. ask whether the use or disclosure of out of date or incomplete information would harm the individual. I Apply the following checklist for accuracy: I List specific items of personal information required to provide a service. I List the location where all related personal information can be retrieved. I Record the date when the personal information was obtained or updated. I Record the steps taken to verify accuracy, completeness and timeliness of the information. This may require reviewing your records or communicating with the client. 12
  16. 16. YO U R R E S P O N S I B I L I T I E S U N D E R T H E AC T 7. Use appropriate safeguards Your responsibilities I Make your employees aware of the I Protect personal information against loss importance of maintaining the security or theft. and confidentiality of personal information. I Safeguard the information from unautho- I Ensure staff awareness by holding regular rized access, disclosure, copying, use or modification. staff training on security safeguards. I I Protect personal information regardless The following factors should be considered of the format in which it is held. in selecting appropriate safeguards: I sensitivity of the information How to fulfil these responsibilities I amount of information I I extent of distribution Develop and implement a security policy I format of the information (electronic, to protect personal information. I paper, etc.) Use appropriate security safeguards I type of storage. to provide necessary protection: I physical measures (locked filing I Review and update security measures cabinets, restricting access to offices, regularly. alarm systems) I technological tools (passwords, encryption, firewalls) TIPS I organizational controls (security I Make sure personal information that has no relevance to the clearances, limiting access on a “need-to-know”basis, staff training, transaction is either removed or blocked out when providing agreements). copies of information to others. I Keep sensitive information files in a secure area or computer system and limit access to individuals on a“need-to-know” basis only. 13
  17. 17. Y O U R P R I VA C Y R E S P O N S I B I L I T I E S – A G U I D E T O C A N A D A’ S P E R S O N A L I N F O R M AT I O N P R O T E C T I O N A N D E L E C T R O N I C D O C U M E N T S A C T 8. Be open Your responsibilities How to fulfil these responsibilities I Inform customers, clients and employees I Ensure front-line staff is familiar with the that you have policies and practices procedures for responding to individual for the management of personal inquiries. information. I Make the following available: I Make these policies and practices under- Iname or title and address of the person standable and easily available. who is accountable for your organiza- tion’s privacy policies and practices Iname or title and address of the person to whom access requests should be sent Ihow an individual can gain access to his TIPS or her personal information I Information about these policies and practices should be made Ihow an individual can complain to your available in person, in writing, by telephone, in publications or organization on your organization’s Web site. The information presented Ibrochures or other information that should be consistent, regardless of the format. explain your organization’s policies, standards or codes Ia description of what personal informa- tion is made available to other organiza- tions (including subsidiaries) and why it is disclosed. 14
  18. 18. YO U R R E S P O N S I B I L I T I E S U N D E R T H E AC T 9. Give individuals access Your responsibilities I If your organization extends the time, I When requested, inform individuals if you must notify the individual making you have any personal information the request within 30 days of receiving about them. the request, and of his or her right to complain to the Privacy Commissioner I Explain how it is or has been used and of Canada. provide a list of any organizations to I Give access at minimal or no cost to which it has been disclosed. the individual. I Give individuals access to their I Notify the individual of the approximate information. costs before processing the request and I Correct or amend any personal informa- confirm that the individual still wants to tion if its accuracy and completeness is proceed with the request. challenged and found to be deficient. I Give individuals access to their personal I An organization should note any information. disagreement on the file and advise I Make sure the requested information third parties where appropriate. is understandable. Explain acronyms, How to fulfil these responsibilities abbreviations and codes. I Provide any help the individual needs to I Send any information that has been prepare a request for access to personal amended, where appropriate, to any information. third parties that have access to the I Your organization may ask the individual information. to supply enough information to enable I Inform the individual in writing when you to account for the existence, use and refusing to give access, setting out the disclosure of personal information. reasons and any recourse available. I Respond to the request as quickly as I There are some exceptions to the princi- possible and no later than 30 days after ple of providing access (see page 18 of receipt of the request. this guide). I The normal 30-day response time limit may be extended for a maximum of 30 additional days, according to specific cri- teria set out at Subsection 8(4) of the Act: I if responding to the request within the original 30 days would unreason- TIPS ably interfere with activities of your I Keep a record of where the information can be found to make organization I if additional time is necessary to retrieval easier. I Never disclose personal information unless you are sure of the conduct consultations I if additional time is necessary to identity of the requestor and that person’s right of access. I Record the date of receipt of the request for the information. convert personal information to an I Ensure that staff know how to identify an access request and to alternate format. whom it should be referred within the organization. 15
  19. 19. Y O U R P R I VA C Y R E S P O N S I B I L I T I E S – A G U I D E T O C A N A D A’ S P E R S O N A L I N F O R M AT I O N P R O T E C T I O N A N D E L E C T R O N I C D O C U M E N T S A C T 10. Provide recourse Your responsibilities How to fulfil these responsibilities I Develop simple and easily accessible I Record the date a complaint is received complaint procedures. and the nature of the complaint (e.g. I Inform complainants of their avenues of delays in responding to a request, in- recourse. These include your organiza- complete or inaccurate responses, or tion’s own complaint procedures, those of improper collection, use, disclosure or industry associations, regulatory bodies retention). and the Office of the Privacy I Acknowledge receipt of the complaint Commissioner of Canada. promptly. I Investigate all complaints received. I Contact the individual to clarify the I Take appropriate measures to correct complaint, if necessary. information handling practices and I Assign the matter to a person with the policies. skills necessary to review it fairly and impartially and provide that individual with access to all relevant records, employees or others who handled the TIPS personal information or access request. I Ensure that staff is aware of policies and procedures for com- I Notify individuals of the outcome of plaints, and to whom these complaints should be referred investigations clearly and promptly, within the organization. informing them of any relevant steps I Record all decisions to ensure consistency in applying the Act. taken. I Handling a complaint fairly and appropriately may help to pre- I Correct any inaccurate personal informa- serve or restore the individual’s confidence in your organization. tion or modify policies and procedures based on the outcome of complaint, and ensure that staff in the organization are aware of any changes to these policies and procedures. 16
  20. 20. Exceptions to the Consent and Access Principles T here are a number of exceptions to the requirements to obtain consent and provide access set out in the Act. Exceptions to consent in Section 7 Organizations may collect personal informa- I if the use is clearly in the individual’s tion without the individual’s knowledge or interest and consent is not available in a consent only: timely way; or I if it is clearly in the individual’s interests and I if knowledge and consent would consent is not available in a timely way; compromise the availability or accuracy I if knowledge and consent would compro- of the information and collection was mise the availability or accuracy of the required to investigate a breach of an information and collection is required to agreement or contravention of a federal investigate a breach of an agreement or or provincial law. contravention of a federal or provincial law; Organizations may disclose personal infor- I for journalistic,artistic or literary purposes; mation without the individual’s knowledge I if it is publicly available as specified in the or consent only: regulations. I to a lawyer representing the organization; I to collect a debt the individual owes to Organizations may use personal information without the individual’s knowledge or the organization; consent only: I to comply with a subpoena, a warrant or I if the organization has reasonable an order made by a court or other body grounds to believe the information could with appropriate jurisdiction; be useful when investigating a I to the Financial Transactions and Reports contravention of a federal, provincial or Analysis Centre of Canada (FINTRAC) as foreign required by the Proceeds of Crime (Money law and the information is used for that Laundering) and Terrorist Financing Act; investigation; I to a government institution that has I for an emergency that threatens an requested the information, identified its individual’s life, health or security; lawful authority to obtain the informa- I for statistical or scholarly study or tion, and indicates that disclosure is for research (the organization must notify the purpose of enforcing, carrying out an the Privacy Commissioner of Canada investigation, or gathering intelligence before using the information); relating to any federal, provincial or for- I eign law; or suspects that the information if it is publicly available as specified in the regulations; 17
  21. 21. Y O U R P R I VA C Y R E S P O N S I B I L I T I E S – A G U I D E T O C A N A D A’ S P E R S O N A L I N F O R M AT I O N P R O T E C T I O N A N D E L E C T R O N I C D O C U M E N T S A C T relates to national security, the defence of I in an emergency threatening an individ- Canada or the conduct of international ual’s life, health, or security (the organiza- affairs; or is for the purpose of administer- tion must inform the individual of the ing any federal or provincial law; disclosure); I to an investigative body named in the I for statistical, scholarly study or research Regulations of the Act or government (the organization must notify the Privacy institution on the organization’s initiative Commissioner before disclosing the when the organization has reasonable information); grounds to believe that the information I to an archival institution; concerns a breach of an agreement, or a I 20 years after the individual’s death or contravention of a federal, provincial, or 100 years after the record was created; foreign law, or suspects the information I if it is publicly available as specified in the relates to national security, the defence of Canada or the conduct of international regulations; or affairs; I if required by law. I if made by an investigative body for the purposes related to the investigation of a breach of an agreement or a contraven- tion of a federal or provincial law; Exceptions to access in Section 9 Organizations must refuse an individual Organizations may refuse access to personal access to personal information: information if the information falls under I if it would reveal personal information one of the following: about another individual* unless there is I solicitor-client privilege consent or a life-threatening situation; or I confidential commercial information* I if the organization has disclosed informa- I disclosure could harm an individual’s life tion to a government institution for law or security* enforcement or national security reasons. I it was collected without the individual’s Upon request, the government institution knowledge or consent to ensure its may instruct the organization to refuse availability and accuracy, and the collec- access or not to reveal that the informa- tion was required to investigate a breach tion has been released. The organization of an agreement or contravention of a must refuse the request and notify the federal or provincial law (the Privacy Privacy Commissioner of Canada. The Commissioner of Canada must be notified) organization cannot inform the individual I it was generated in the course of a formal of the disclosure to the government institution, or that the institution was dispute resolution process notified of the request, or that the Commissioner was notified of the refusal. * If this information can be removed, the organization must release the remaining information. 18
  22. 22. Role of the Privacy Commissioner of Canada T he Privacy Commissioner of Canada A privacy ombudsman has oversight of both the Privacy Act and Part 1 of PIPEDA. These acts pro- More than two decades of experience tect personal information according to inter- investigating complaints under the nationally accepted fair information Privacy Act have helped define the Privacy principles and practices. Commissioner’s ombudsman role. The The Commissioner is an Officer of Privacy Commissioner relies on the compe- Parliament, like the Auditor General of tence, knowledge and impartiality of her Canada or the Chief Electoral Officer. As an staff to seek whenever possible to resolve Officer of Parliament, the Commissioner disputes through investigation, persuasion, reports directly to the House of Commons mediation and conciliation. Ideally this and to the Senate, not to the government of approach to resolving disputes can be less the day. This independence ensures impar- intimidating to complainants and less costly tiality and open-mindedness in exercising to business than recourse to the courts. her role as an ombudsman for privacy mat- While the Commissioner protects individual ters. The Commissioner makes recommen- rights, she is also an advocate for the fair dations, not orders. However there is information principles that form the founda- provision to apply to the Federal Court to tion of the legislation. The Commissioner’s review a case. thorough investigations and impartiality In addition to the Privacy Commissioner, protect both individual rights and the organ- the Office has an Assistant Privacy ization against unfair accusations. Commissioner responsible for the Privacy Act and another Assistant Privacy Commissioner Specific responsibilities responsible for PIPEDA. under the Act The Act makes the Commissioner responsi- ble for ensuring compliance with the Act and for promoting its purposes. 19
  23. 23. Y O U R P R I VA C Y R E S P O N S I B I L I T I E S – A G U I D E T O C A N A D A’ S P E R S O N A L I N F O R M AT I O N P R O T E C T I O N A N D E L E C T R O N I C D O C U M E N T S A C T Promoting the purposes The Commissioner may make public any information about an organization’s of the Act personal information handling practices, if The Commissioner promotes the purposes she considers it in the public interest to do of the Act through public education and so. She reports annually to Parliament on awareness initiatives, research, reporting, privacy issues including the extent to and consultation and agreements. which provinces have substantially similar The Commissioner’s mandate includes legislation. developing and conducting public educa- The Commissioner may enter into agree- tion and awareness programs to encourage ments with provincial counterparts who, and promote understanding of privacy under substantially similar legislation, have issues. similar powers and duties. These consulta- PIPEDA also requires the Commissioner to tions and agreements may cover complaint undertake and publish research about pro- mechanisms, research and developing tecting personal information so as to model contracts for protecting personal increase knowledge and improve compli- information in interprovincial or interna- ance with the Act’s fair information princi- tional matters. The Commissioner will ples. The Commissioner may conduct encourage organizations to develop independent research on privacy issues in detailed policies and practices to comply conjunction with academic or other with Part 1 of the Act. researchers. She may also provide grants and contributions for academic or other research on privacy issues. 20
  24. 24. Complaints to the Privacy Commissioner of Canada Types of complaints ing to the request (see page 15 of this guide for more on the time limit to respond to a A n individual may complain to the request). However, the Commissioner Commissioner about any matter may extend the time limit for an access specified in Sections 5 to10 of the complaint. Act or in the recommendations or obligations The Commissioner has one year from the set out in Schedule 1. This includes but is date of the complaint to prepare a report. not limited to allegations that an organiza- tion: I denies an individual access to personal How does the Privacy information; Commissioner of Canada I improperly collects, uses or discloses per- handle complaints? sonal information; As an ombudsman, the Commissioner I refuses to correct inaccurate or incom- seeks to take a cooperative and conciliatory plete information; approach to investigations whenever possi- I fails to provide access to personal infor- ble. She encourages the resolution of com- mation in an alternative format to an plaints through negotiation and persuasion. individual with a sensory disability; or Alternate dispute resolution methods such I as mediation and conciliation may be used does not use appropriate safeguards to to settle matters at any stage of the investi- protect personal information. gation process. Although the Commissioner The Commissioner may initiate a complaint has the power to summon witnesses, admin- if there are reasonable grounds to believe ister oaths and compel the production of that an investigation of a matter under Part 1 evidence, these means are only likely to of the Act is warranted. be used if voluntary cooperation is not forthcoming. Time limits At the outset of an investigation, the Commissioner will notify the organization in There is no time limit for filing most types writing of the substance of the complaint of complaints. and will identify the investigator responsible The only exception is a complaint that for the case. The organization may submit access to personal information has been representations to the Commissioner at any denied. In this case, the complaint must be time during the process. made within six months after the organiza- The investigator will contact the organi- tion’s refusal to provide the information, or zation’s designated staff member to indicate after the expiry of the time limit for respond- how he or she intends to proceed with the 21