Written By: Ryan Hanna, DUKE Law Intern
February 01, 2020
While collection and use of personal information is essential to many modern business activities such as marketing and sales, the use and protection of personal information can create risks for the business if not handled appropriately.
In Canada, federal and provincial legislation provides rules for the collection, use, and disclosure of personal information in a way which respects the privacy of individuals while recognizing the needs of organizations to utilize that information. Foundationally, the Access to Information Act and the Privacy Act together provide useful information on the privacy rights of individuals.
When it comes to private businesses and their use of personal information, the Personal Information Protection and Electronic Documents Act (PIPEDA) provides some additional ground rules. 'Personal information' is defined as information about an individual, such as their age, name, ID numbers, income, ethnic origin, opinions, etc.
Given the breadth of this definition, it is important for businesses to exercise caution when engaging with anything that could reasonably be used to identify an individual person. PIPEDA provides 10 principles which businesses must follow to ensure the protection of personal information and to avoid violating PIPEDA. These principles define responsibilities and offer guidance to businesses on the collection, use and disclosure of personal information. Some of these principles include Identifying purposes, Consent, and Safeguards.
Identifying purposes refers to the activities before the collection of personal information, and states that the purposes for which the personal information is being collected must be identified by the organization before or at the time of collection. This both protects the potential client by minimising the amount of personal information collected and guides the business by helping narrow down the reason for collecting information.
Another principle closely related to collecting personal information is consent. Consent means that organizations must not only obtain meaningful consent for the collection, use and disclosure of personal information, but are also responsible for ensuring that people understand what they are consenting to. This means that consent is usually given for very specific reasons, and use of personal information outside of the consent given may have legal implications which should be avoided.
Safeguards refers to the protection of personal information in a way that is appropriate to how sensitive it is, and to ensuring that the information is protected against loss, theft, or any unauthorised access, disclosure, or copying of the information.
Make sure that you are familiar with the various acts, as knowing a business's responsibilities regarding the collection, use and protection of personal information will help your business avoid some of the pitfalls and risks of dealing with personal information, and any legal implications thereof.