Protecting privacy in Canada's private sector: businesses that are serious about competing successfully in Canada need to get serious about privacy. They can start by complying with Canada's new private-sector privacy legislation.

Author: Taylor, Sheila

At the Core

This article

* examines Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)

* provides 10 principles organizations must follow to be PIPEDA-compliant

Many consumers are concerned about how their personal information is used, protected, and shared in commercial transactions. The loss of consumer confidence related to privacy fears has been particularly detrimental to e-commerce. Ann Cavoukian and Tyler J. Hamilton's book, Privacy Payoff: How Successful Businesses Build Customer Trust, suggests tens of billions of dollars in e-commerce growth have been forgone as a result.

However, privacy is also a business-to-business (B2B) requirement, because businesses should hold their customer information secure and confidential during interactions with suppliers, resellers, employees, and others. Given these concerns and their economic implications, many jurisdictions such as Australia and the European Union have enacted privacy protection legislation aimed at restoring confidence in e-commerce transactions. Often such legislation extends the public sector's personal privacy protection requirements to the private sector.

The origin and ongoing development of Canada's private sector privacy legislation is a case in point, as it embodies principles of the federal Personal Information Protection and Electronic Documents Act (PIPEDA).

The Evolution of Canada's Private Sector Privacy Legislation

In Canada, interest in regulating privacy protection arose in the mid-1990s when the Canadian Standards Association drafted a generic privacy code (Model Code for the Protection of Personal Information) based on Organisation for Economic Cooperation and Development (OECD) international guidelines for fair information practices. That code was used subsequently as the basis for Canada's federal privacy statute, PIPEDA, which became law in April 2000. Divided into five parts, the first part of PIPEDA governs the collection, use, and disclosure of personal information in commercial activities by organizations of all types, including associations, partnerships, trade unions, and the Canadian offices or subsidiaries of foreign companies.

In recognition that privacy is both a consumer and a B2B concern, PIPEDA broadly defines the terms "personal information" and "commercial activity." Personal information is defined as factual or subjective information in any form about an identifiable individual, such as customers' credit/loan records and employee information such as medical conditions and disciplinary actions. (Personal information does not, however, include an employee's name, title, business address, telephone number, or publicly available information such as names, addresses, or telephone numbers published in directories or court records.) Commercial activity consists of any transaction, act, or conduct of a commercial nature, including the selling, bartering, or leasing of donor, membership, or other fundraising lists. A January 2003 article in the Canadian newspaper The Globe and Mail noted that privacy in Canada's private sector likely will be "covered by a crazy legal quilt" because requirements may differ across federal, provincial, and territorial boundaries. (See "Provincial Privacy Statutes" on page 36.)

Many organizations that will become subject to PIPEDA on January 1, 2004 (See "PIPEDA Implementation Schedule" above), are taking a wait-and-see approach, given the possibility that the provinces in which they operate may pass "substantially similar" legislation later this year. However, getting ready now may give organizations a competitive edge because concerns about privacy rank high with Canadian consumers and employees. Further, implementing privacy protection now will not be a wasted effort--even if an organization becomes subject to a provincial privacy statute--because a provincial statute must adopt the same basic principles as PIPEDA to secure an exemption. In fact, it is recommended that organizations begin to plan their compliance based on PIPEDA's requirements and adjust their business practices to comply with any substantive differences in provincial legislation that may be enacted before January 1, 2004, in the provinces in which they operate.

PIPEDA's 10 Principles

PIPEDA's goal is for organizations to have open and transparent relationships with their customers and employees by recognizing an individual's right to privacy and by establishing rules for collecting, using, and disclosing personal information in commercial activities. The 10 principles that organizations must follow are:

  1. Accountability

    The requirements are two-fold. First, an organization is responsible for protecting both personal information in its possession and any personal information that it transfers to a third party for processing (e.g., when an employer transfers personal information to the provider of an employee benefits plan). Second, accountability for an organization's PIPEDA compliance rests with a designated individual or individuals.

    Compliance with this principle requires an organization to appoint a privacy officer responsible for developing and implementing a compliance program. An integral part of the program will be policies and procedures to standardize personal information-handling practices such as disclosing personal information and...
