The Personal Information Protection and Electronic Documents Act (PIPEDA) was enacted by the federal government in 2000 and became effective for all organizations in Ontario that are engaged in a commercial activity on January 1, 2004. Organizations include any corporation, individual, association, partnership, or trade union that collects, uses or discloses personal information in the course of commercial activity. Most small and medium-sized enterprises are currently struggling with the implementation of this complex and voluminous legislation.
Canada is the first country to implement private-sector privacy rules based on national standards, the Canadian Standards Association “Model Code for the Protection of Personal Information”. Information is available on the PIPEDA web site at www.privcom.gc.ca.
Aercoustics Engineering Limited (“Aercoustics”) is committed to the protection of personal information collected, used or disclosed in the course of its business activities. Aercoustics will only collect, use or disclose personal information that is necessary for the purposes of serving our clients as agreed to in our various letters of engagement.
The following principles are set out in the “Model Code for the Protection of Personal Information” published by the Canadian Standards Association and form the basis of Aercoustics’ privacy policies and procedures:
- Accountability: An organization is responsible for personal information under its control. It must designate one or more individuals to be accountable for its compliance with the following principles.
- Identifying Purpose: At the time the personal information is collected, the organization shall identify the purposes for which information is collected.
- Consent: The organization is required to obtain consent for the collection, use or disclosure of personal information, except where inappropriate (particular exceptions to the need to obtain consent are set out in PIPEDA).
- Limiting Collection: The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
- Limiting Use, Disclosure and Retention: Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
- Accuracy: Personal information shall be as accurate, complete and up-to-date as is necessary for the purpose for which it is to be used.
- Safeguards: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
- Openness: An organization shall make readily available specific information about its policies and practices relating to the management of personal information.
- Individual Access: Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy or completeness of the information and have it amended as appropriate.
- Challenging Compliance: An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.
In order to become compliant with the legislation, the following procedures are being adopted by Aercoustics:
- Appoint a privacy officer to be responsible for privacy compliance.
- Identify the relevant legislation and match to the ten privacy principles.
- Determine the privacy philosophy of the firm and the organization’s risk tolerance level.
- Undertake a privacy assessment to determine the organization’s current practices with respect to collecting, using, disclosing, securing and destroying personal information. A free privacy diagnostic tool to assist in this process can be found at www.ipc.on.ca.
- Identify opportunities arising from addressing privacy gaps and develop a privacy proposal.
- Develop a privacy work plan that identifies the individuals involved and their specific roles and responsibilities, the information-gathering forms and tools to be used, scope refinements, and the resources to be identified and allocated; document the work plan and confirm it with the privacy committee.
- Develop procedures by which individuals can gain access to their personal information and correct the information as required. Ensure the procedures are publicized.
- Finalize all privacy policies and obtain consent of senior management prior to publication.
- Develop team training procedures.
- Develop appropriate control and review procedures.
- Communicate all of the above across the organization.
As you can see from the very brief information provided above, the new privacy legislation will pose a significant challenge to all organizations in Ontario. Aercoustics will continue to develop its privacy policies and procedures.