Last month we looked at how Identity Theft could threaten your business. For some business owners these issues can extend not only to their own information but to that of their clients as well. In an effort to protect privacy in Canada, the federal government has been issuing new regulations that will affect the way you collect and store personal information.
“At the end of this year all businesses that collect and use information will have to comply with the 10 principles of fair information practices set out in the legislation. If you are going to have this personal information there are going to be steps that businesses have to adhere to in terms of collecting it,” explains Caroline Hubberftey, Director of Provincial and Community Affairs with the Canadian Bankers Association.
So, what are the 10 steps that you will have to follow as of January 1, 2004? Here's a closer look:
1. Be Accountable
You or at least one other employee in your business will have to ensure that each of the new regulations is being followed. If any of this information is given to a third party for data processing, this individual must ensure that the regulations are still being followed. This person will also be responsible for designing and implementing new policies about the personal information being collected.
Hubberftey points out that this person could be you. However, once you have taken on this position you will have to handle any complaints in this area.
2. Identify the Purpose
Let clients know why you need this information and how you will be using it. If the information is going to be used for an additional purpose, you will have to contact these people and let them know either orally or in writing.
“Saying that you need the information for your computer is not a valid reason,” says Hubberftey. “Are you collecting it to distribute a product, or for ongoing marketing purposes? Let them know.”
3. Obtain Consent
Before you record any information you must ask your client for their permission to use it. Hubberftey stresses that you can only use this information for the reason that you have given your customer. So if you originally filed the information to ship a product and you want to use it to let people know about upcoming promotions you will have to contact them again to get permission.
4. Limit Collection
Avoid collecting any information you don't need. So if you're sending a product to a customer's home address, you likely don't need their business phone number and email. Also keep in mind that you need to be upfront about why the information is being used; don't mislead clients about why you need the information. If you intend to use it for cross promotions, then make sure you tell them.
5. Limit Use, Disclosure and Retention
The information that you have can only be used for its original purpose, unless your client has agreed to having it distributed to other parties, or it is allowed under the Privacy Act. Once the information has served its purpose you will be expected to destroy it to prevent it from falling into the wrong hands.
Information used to make decisions about a client or employee should be held for a reasonable length of time. During this time the individual must be allowed access to it. For example, if you were hiring a new employee you could keep their resume for the duration of the hiring process but it would have to be destroyed once a decision was made.
6. Be Accurate
Make sure that any information you have permission to use is up to date and accurate. This principle will allow you to ensure that you are contacting the right people or sending goods to correct addresses. Chances are, if you are regularly in touch with clients this will be one of the easier components to comply with.
7. Use Appropriate Safeguards
Take precautions to protect the information that you have so that it isn't lost or stolen. This could be as simple as carrying a key to a locked filing cabinet or as complex as setting up firewalls and running updated virus software to prevent hackers from accessing your computer files.
“If the information is highly sensitive, you have to do more to make sure it's safeguarded,” says Hubberftey. “So if you're doing a transaction such as a credit card number you can ensure that it's happening over a secure connection.”
8. Be Open
“Let's say you're on a website that's selling products or just sharing information, if you go to the bottom of the website you'll usually see a privacy policy,” says Hubberftey. “That's the openness.”
Regardless of whether or not you have a website you will have to let customers know that you have a privacy policy in place when it comes to their information. The policy must be readily available and easy to understand.
9. Give Individuals Access
If clients ask what kind of information you have regarding them, let them know what it is and how it is being used. You may also be asked who else has access to the information, so you will need to keep a record of any other parties who have been given access.
This regulation can also help you to keep information up to date and accurate as you will be expected to update the information if it is wrong. It is also your responsibility to let additional parties know if changes should be made.
10. Challenging Compliance
There may be times where people will complain that you have used their information without their permission or perhaps that they are still getting mail from you even though they've requested it to be stopped. To deal with these issues the last principle that you will have to follow is to have a procedure for answering and resolving them.
As part of this process you will be expected to familiarize yourself with any relevant codes of behaviour outlined by industry associations, or regulatory organizations that you may be a part of. If these groups have a prescribed method for dealing with complaints when dealing with personal information you may have to follow it.
Michelle Collins is a CanadaOne™ staff writer.