By Anna Cook, Cox & Palmer
In a time of astonishingly efficient data and information sharing, we have grown accustomed to knowing more and sharing more... probably more than we actually need to for business purposes. With that in mind, it may be time for a reminder about the statutory duties and responsibilities that are imposed upon business owners with respect to the personal information they have on hand about their customers.
In Canada, the Personal Information Protection and Electronic Documents Act (referred to as PIPEDA) restricts what businesses can do in terms of collection, use, and disclosure of personal information about individuals in the course of commercial activity. There is no similar legislation to govern corporations, and therefore privacy and confidentiality in that context is largely governed by contracts and agreements rather than by statute.
The PIPEDA rules are detailed and rely on the principles set out in the National Standard of Canada Model Code for the Protection of Personal Information. In the simplest terms, businesses must be open, transparent, and accountable about how they treat personal information and, other than in certain limited exceptions, they must obtain consent for the collection, use, and disclosure of information from the individual who owns it. This essentially means:
- Collect only what personal information you need in order to provide goods or services to your client.
- Explain why you are collecting it: why you need it and what you will use it for.
- Use collected personal information only for the purpose for which it was collected and no other unrelated purpose.
- Safeguard what you have collected so as to avoid inadvertent disclosure and data breaches.
- Disclose information only to those to whom you have permission to disclose.
In addition to this, be aware that cross-border data transfers or disclosures come with their own set of unique rules to deal with multinational issues and the laws of other countries.
Failure to abide by the requirements of PIPEDA can result in a complaint to the Federal Privacy Commissioner and lead to fines and penalties for your business—not to mention some very bad press and media attention. Poor privacy practices are damaging to corporate reputations and brands (just ask Equifax, CapitalOne, or Facebook). Good privacy is good business.
While this may sound like additional layers of burden, red tape, and responsibility, when it comes down to it, it really translates to an exercise of good judgement and ethical client service:
- Treat your clients’ personal information with the respect and care that it deserves. Ask yourself: how you would want your own personal data handled by companies that you do business with.
- Tell them what you are doing, why you are doing it, and what they can expect from
you. Individuals should not be (unpleasantly) surprised by what you are doing with their information.
- Do your very best to make sure that any personal information within your organization is
kept secure, private, and confidential, but have protocols or policies in place in the event that, despite your best efforts, something goes wrong.
Once you have someone’s personal information, you are responsible for protecting it. So take stock of what personal information you currently have in your custody and control, what personal information you typically collect, and what personal information you really and truly need to carry on your business. If you don’t need it, destroy it. Or, better yet, don’t collect it in the first place.
Anna Cook is a partner at Cox & Palmer, St. John’s, where her practice focuses primarily on corporate and commercial, employment and labour, and privacy law. She handles matters including commercial financings, commercial real estate purchases, financing and leasing, share sales, asset sales, mergers and acquisitions, and joint ventures. She has extensive experience acting for clients ranging from small-business start-ups to large multinational and international corporations and has advised businesses at every stage of the business cycle. A strong supporter of women in business, Anna is an active NLOWE member and a presenter for the NLOWE Entrepreneur of the Year Awards.