Privacy laws revamped

Print Action, Jun 2003 by Boucher, Pierre

Printers as a third party are often in possession of personal information. Some printers act as the organization providing fulfillment services for a client, while others are diversifying their businesses toward the modern information age by collecting data for their clients. If you are handling such electronic data, or planning to in the future, you need to know about new privacy legislation enacted by the federal government.

The Personal Information Protection and Electronic Documents Act (PIPED) is designed to regulate the collection, use and disclosure of personal information in commercial activities.

The Act came into play on January 1, 2001, for several types of activities by federally regulated organizations such as banks, telecommunications and transportation companies. On January 1, 2004, the Act will extend to the collection, use or disclosure of personal information in the course of any commercial activity within each province. The federal government, however, may exempt organizations and/or activities in provinces that have adopted substantially similar privacy legislation (Quebec being an example). The Act will also apply to all personal information in all interprovincial and international transactions by all organizations subject to the Act in the course of their commercial activities.

Personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:

- Age, name, ID numbers, income, ethnic origin or blood type;

- Opinions, evaluations, comments, social status, or disciplinary actions; and

- Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant or intentions (for example, to acquire goods or services, or change jobs).

The activities not covered by the Act are limited to:

- The collection, use or disclosure of personal information by federal government organizations listed under the Privacy Act;

- Provincial or territorial government and their agents;

- An employee's name, title, business address or telephone number;

- An individual's collection, use or disclosure of personal information strictly for personal purposes (e.g. personal greeting card list); and

- An organization's collection, use or disclosure of personal information solely for journalistic, artistic or literary purposes.

Private sector businesses must follow a code for the protection of personal information, which is outlined by the Act. The code was developed by businesses, consumers, academics and the government through the auspices of the Canadian Standards Association. It lists 10 principles of fair information practices, which form ground rules for the collection, use and disclosure of personal information. These principles give individuals control over how their personal information is handled in the private sector. The principles are:

Accountability: An organization must designate responsibility for ensuring the appropriate management of the personal information in its custody. The accountability principle also extends to any personal information transferred to third parties for processing.

Identifying purposes: An organization must identify why it collects personal information and how it will be used. It needs to communicate the purpose(s) to the individuals concerned.

Consent: An organization must obtain consent before collecting, using or disclosing an individual's personal information. You must obtain consent for the continued use or disclosure of that information because the Act applies retroactively.

Limiting collection: An organization should not collect personal information indiscriminately and should limit collection to that which is necessary for the identified purpose(s). You are prohibited from collecting personal information through deception or misrepresentation.

Limiting use, disclosure and retention: Except with an individual's consent or as required by law, an organization should not use or disclose personal information except for the purpose(s) for which it was collected. However, you may keep the information for as long as necessary to satisfy an intended purpose or a legal requirement of retention.

Accuracy: An organization must ensure that the information is sufficiently accurate, complete and up-to-date for the purpose(s) for which it will be used, thereby minimizing the possibility that incorrect information could harm an individual.

Safeguards: An organization is required to provide adequate security for the personal information to protect against loss or theft and safeguard from unauthorized access, disclosure, copying, use or modification.

Openness: Upon request, an organization is required to make available its policies and the name and contact information of the individual responsible for the organization's compliance with the Act.

Individual access: Upon a written request, an organization is required to provide an individual with access to his/her personal information, identify the uses to which the information was put and provide names of any third parties to whom the information was disclosed. Subject to a few exemptions, you must respond to a request with due diligence within 30 calendar days.


 


Content provided in partnership with ProQuest