Privacy Checklist: Are You Ready?
By Michelle Collins | November 30, 2003
As of January 1, 2004 the federal government will adopt a new set of privacy laws: the Personal Information Protection and Electronic Documents Act (PIPEDA.)
These laws will apply to every business in the country, regardless of what that business does. Hopefully, this isn’t the first time you’re learning about these changes. But if it is, there is no need to panic. Here is a checklist that will help you ensure that your business is compliance ready with time to spare.
To ensure that your company meets the new requirements, consider assigning responsibility for compliance to one person. This person would be responsible for learning the new laws and making sure that everyone in the business is following these laws by adopting the policies the compliance officer has created. Once you have done this, use the following checklist to ensure that you are following the new requirements.
Your policy should also include a process for dealing with complaints, a way to ensure that the data is secure, and the method you will use when information is destroyed.
Record and communicate your policy. Under the new privacy laws you need to let your clients and employees about your policies for collecting personal information. Make sure that your policies are easy to understand and readily available to anyone who wants to read them. Consider publishing your usage policy on your company website.
Get consent before collecting personal information. When the new privacy laws come into effect you will need to get consent before you can collect and use personal information. You need to tell people why you are collecting their information and how it will be used. You must also ask for their permission to use their information for the reasons you have described. Don't mislead people about the reasons you need this information. Once you have gained permission, make sure the information is only used for these purposes.
Use the data with care. Only use the information for the agreed upon purpose. So if a customer has agreed to let you call them on a monthly basis to offer new services, make sure that you stick to that time frame. If you would like to use the information for a new purpose, you need to contact your clients and gain consent again.
Maintain your database. Many companies already have a client database that contains personal information. While you can keep information that you have already collected, you will need consent to continue using it. As you continue to build your database, you need to ensure that the information you have is correct and current for as long as it will be used. Update the information only when it is needed for a reason that your clients are aware of and have agreed to.
Under the new privacy laws you may only keep the information on file only for as long as it is needed. When it comes time to destroy data, you must do this such that it can't be recovered.
Protect the information. Use methods to protect what information you have from loss or theft. For example, if you have paper files use a lock on the cabinet, or if the information is stored on a computer put up a firewall.
Give clients access to their data. If customers ask what kind of information you have regarding them, let them know and provide them with a copy of their own if it is required. When you fulfill an information request you must also tell them how it is being used and who else has access to this data. If the customer points out any mistakes make sure that you correct them promptly and inform others who have access as well.
Provide recourse. In your policy you will have a clause about how to handle complaints. Under the new laws you must look into each complaint that is made. Should you receive a complaint you need to let the customer about this clause, and how they can resolve it through either your own procedures, a governing industry association, regulatory bodies, or the Privacy Commissioner of Canada. Once the issue has been resolved make sure that you comply with the final decision and correct any mistakes.