The New Privacy Laws Explained
By Michelle Collins | December 31, 2003
Accountability – Naming someone in your business to act as the Privacy Officer to make sure that all of the requirements are met.
Identifying Purposes – You can collect data for a specific purpose that must be explained to your customers. You will also be required to tell them why the information is needed, how it will be used, and who else will have access to it.
Consent – You must ask for the client's permission to use and disclose this information. However, there are exceptions if the data is needed for a legal or emergency situation.
Limiting Collection – You will only be allowed to ask for information that is necessary for your purpose. Misleading or deceiving people to get personal data from them is also illegal under the new law.
Limiting Use, Disclosure and Retention – Once the information has served its purpose, it is your responsibility to destroy it in a way that prevents it from being retrieved. If the data was used to make some kind of decision about the customer, agree on a time when it will be destroyed, so that the individual can have access to it until then if necessary.
Accuracy – When you or your employees record information, make sure that it is correct.
Safeguards – Protect this personal data from loss or theft, regardless of what format it is kept in.
Openness – Make customers, employees, and anyone else involved with your business aware of your privacy policies. These policies must be available to anyone who wants to read them.
Individual Access – You must allow your customers access to their own information, which will be as current and accurate as possible.
Challenging Compliance – You will need to develop a policy for dealing with complaints against you. This policy will state where people can direct their complaints, including your business, governing associations, or the Privacy Commissioner of Canada.
The personal information governed by these laws includes any factual or subjective information that allows your customer to be identified.
Koressis offers these examples:
- age, name, weight, height, or ethnicity
- ID numbers or income
- opinions, evaluations, comments, or social status
- records regarding employees, credit checks, or loans
- accounts of a dispute between a customer and a business owner
- information received for personal intentions such as resumes, or purchasing slips
These laws do not apply to business information such as contact numbers, addresses, job titles, or anything else you would print on your business card.
While these laws will have an obvious impact on the business-to-consumer situation, the business-to-business realm will be affected as well, says Koressis. You will need to talk to every member of your supply chain to ensure that their methods of collecting information follow these laws as well.
Koressis points to a couple of situations where these laws apply in a business-to-business setting:
Customer lists: If you are purchasing a customer list for marketing purposes you need to ensure that the seller has complied with the law by gaining consent from each person on the list, and that the information is correct.
Buying a business: If you are considering buying or investing in a business that holds or is collecting personal information, you must ensure that this data is compliant with the new laws.
Cross Border: If you are sharing customer information with foreign countries that aren't required to follow these Canadian laws, ensure that your customers are both aware of and agree to this transfer.
Outsourcing: If you hire a contractor or a third party to gather customer information, it is your responsibility to ensure that they understand and comply with these laws.
You may be wondering whether your business is subject to provincial or federal law. To date, British Columbia and Quebec are the only provinces that have passed comparable legislation which businesses can adopt. However, the remaining provinces and territories will be expected to follow the new federal regulations.
If a business is accused and found guilty of breaking these privacy laws, Koressis says that it may be expected to pay fines of $10,000 per incident on a summary conviction or $100,000 per incident for an indictable offence.
Additionally, the Privacy Commissioner of Canada may decide to audit a business's practices regarding this personal information, and recommend damages to the Federal Court.