Understanding Your Compliance Obligations
Privacy is a rising concern for organizations across sectors, as well as a renewed focus for legislators and regulators. Canada’s privacy legal landscape is complex, with federal and provincial laws, sector specific laws, and common law forming a network of protection for individual privacy rights. It is important for organizations to understand all of the laws that apply to them.
“Personal information” (PI) is the foundational concept of Canadian privacy law. In Canada, an individual has the right to make decisions about how data about them is collected and used by others.
The key feature of PI is that it can be used to identify an individual, either alone or in combination with other available information. For example, the name “Jane Smith” would not identify a specific person, but a record that includes the name “Jane Smith” and a postal code would almost certainly identify one person whose contact information could be found using public directories.
What is Personal Information?
Some of the more common types of personal information that organizations handle are contact information, financial information, personal records, and demographic information. There’s no exhaustive list of what may be considered PI. The Office of the Privacy Commissioner of Canada, which enforces federal privacy laws, interprets the term broadly, focusing on the context of each given case. As well, as new technologies emerge, new types of data will be protected as PI.
Companies often mishandle personal data by assuming that meta-information is not PI. All the following types of metadata are PI:
• Credit reports, customer service notes, profile annotations, and comments on job performance.
• Audio recordings or video footage of someone, including CCTV recordings.
• Digital metadata such as IP addresses, web search histories, contact lists, location data, and social media activity.
Canadian Private Sector Privacy Legislation
The most important Canadian privacy law affecting the private sector is the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA applies to organizations that collect, use, or disclose personal information over the course of their commercial activity. PIPEDA does not, however, apply to private organizations that operate entirely within the provinces of British Columbia, Alberta, and Quebec, as these three Canadian provinces have their own substantially similar privacy legislation.
There are also some sector-specific privacy laws, such as the federal Bank Act, and provincial privacy legislation that applies to personal health information and employee personal information. Common law is also relevant, as several provinces have adopted legislation creating a statutory tort of invasion of privacy, which allows individuals to seek compensation. Finally, any organizations that use email, text messages, or any other electronic private messages to promote products or services should be aware of Canada’s Anti-Spam Legislation.
PIPEDA (as upgraded by the 2015 Digital Privacy Act) is the key piece of legislation that all private-sector organizations should understand. Even if your organization isn’t primarily a business, it may still be regulated by PIPEDA. The Privacy Commissioner has held that PIPEDA applies to activities such as non-profit organizations exchanging fundraising lists; health professionals disclosing patient information to insurance companies or the government in order to receive payment; and social networking sites analyzing user posts to target advertising.
Working Towards Compliance
Hopefully this article has been helpful in clarifying which Canadian privacy laws may apply to your organization. However, the best strategy for compliance is to stay ahead of changing privacy regulations by implementing best practices through a comprehensive privacy program. This begins with a corporate mandate, a governance framework, and the appointment of an expert privacy officer who can lead your organization in developing policies and procedures for the management of personal information.
This article is based on my book, Privacy In Design: A Practical Guide to Corporate Compliance.