What are my business’s responsibilities under PIPEDA?

PIPEDA includes 10 fair information principles that all businesses subject to the Act must follow. Let’s look at a few highlights from each principle to give you a sense of what your business can do to fulfill its responsibilities. Keep in mind that this is just an overview of your responsibilities—the Privacy Guide for Businesses outlines each of the principles in more detail and can link you to other helpful resources. The first principle is “Accountability”. Your business is responsible for the personal information under its control. In other words, it must be accountable. That means: Appointing someone to be responsible for PIPEDA compliance—for example, a Chief Privacy Officer. Protecting all personal information, including any that gets transferred to a third party, and Developing and implementing policies and practices to protect personal information. It’s important to tell employees and customers who your designated privacy official is and how to contact them. In order to show your accountability, you should also make sure that all front-line employees are able to explain your company’s privacy policies to customers. The next principle is “Identifying purposes”. You have to be able to clearly explain to your customers what personal information you’re collecting and why, and this needs to happen before or at the time of collection. That means reviewing all the personal information your business holds to make sure it’s required for a specific purpose. It also means that when you request personal information from a customer you explain your reasons for collecting it. If you’re not sure how to define your purposes, think about what a reasonable person would consider appropriate under the circumstances. Keep the definition as clear and as narrow as possible so it’s easy to understand how the information will be used. Keep a record of all these identified purposes and the consents your business has obtained. The third fair information principle is “Consent”. Businesses that wish to collect, use or disclose personal information have to ask for and obtain permission. This gives your customers greater control over their personal information. You may have noticed that a lot of privacy policies and terms of use are long and full of legal jargon. Your business must provide information to customers in a clear, timely, user-friendly way. That will help to ensure that the consent your customers give is meaningful. Businesses need to clearly explain to customers: What personal information is being collected. Why they’re asking for this personal information. Who they’re going to share it with, and Any potential harms that may arise from collecting or sharing their information. Consent is a key element of PIPEDA. You can read more about it in the Privacy Guide for Businesses as well as in the OPC’s Guidance on obtaining meaningful consent. The fourth fair information principle is quite simple: Limit the personal information your business collects to only what is needed to fulfill a legitimate purpose. Always be honest with your customers about why you’re collecting the information—it’s against the law to mislead or deceive customers about the purpose. Remember: it’s much safer to collect less information than too much. That reduces the risk of it being inappropriately accessed, used or lost. The fifth principle is all about limiting how you use, disclose and retain personal information: Only use personal information for the reasons you’ve told the customer. If you want to use or disclose the information for a new purpose, obtain fresh consent, and Don’t keep the information any longer than you need it. You can only keep personal information for as long as it fills its intended purpose. After that, you must destroy or erase the information. Information must be disposed of securely to prevent a privacy breach. That could mean securely shredding paper files or effectively deleting electronic records. The sixth fair information principle is “Accuracy”. Make sure that the personal information your business holds is as accurate, complete and up-to-date as necessary to fulfill the purpose you collected it for. Have policies to govern what types of information need to be updated. This will minimize the possibility of using incorrect information when making a decision about an individual or disclosing the information to a third party. Always ask yourself if any harm might come to your customer if you were to disclose wrong or outdated information. “Safeguards” is the seventh principle. Use appropriate security safeguards to protect personal information against loss, theft, unauthorized access, disclosure, copying, use or modification. The more sensitive the personal information is, the stronger your security safeguards should be. That means putting in place: Physical measures like locked cabinets and alarm systems. Organizational controls like security clearances and staff training, and Technological tools, like passwords or encryption. Test your technology for vulnerabilities. Make sure that any old systems or databases aren’t vulnerable if you upgrade to newer technology. There are off-the- shelf solutions and security specialists that can help with this. It’s also important to know your industry. Hackers will often try the same tricks against multiple businesses. The more aware you are, the better chance you have of avoiding the same pitfalls. The eighth fair information principle is “Openness”. Show customers you take their privacy seriously by letting them know that your business has established policies and practices for managing their personal information. And make sure these policies are understandable and readily available. Put up signs, post information on your website and look for other ways to actively share this information. The ninth principle is “Individual access”. Your customers generally have the right to see the personal information your business holds about them. They also have the right to challenge the accuracy and completeness of the information, and to have that information changed as appropriate. Be ready to respond to requests for access: When asked, let people know what personal information your business holds about them. Explain how that information is being used and who it’s being shared with, and If a customer requests it, provide them with a copy of the information or allow them to view or review a recording of the information. You have to respond to requests as quickly as possible. Thirty days is the standard response time limit. You also have to make sure you document any disputes and advise third parties where appropriate. Note that there are exceptions to the Access principle. For example, a business may not need to provide access if doing so would reveal personal information about another person or if the information is protected by solicitor-client privilege. The Privacy Guide for Businesses provides further guidance, including other exceptions to the Access principle. The tenth and final principle is “Challenging compliance”. People have the right to challenge your business’s compliance with the 10 fair information principles. They also have the right to effective recourse if their personal information was mishandled. Let customers know that if they have any questions or concerns about how you handle their personal information, they can contact your business’s designated privacy official. Develop simple and accessible complaint procedures, and investigate all complaints your business receives. If your investigation uncovers problems, take appropriate measures to address your personal information handling practices. All businesses must follow the 10 fair information principles to protect personal information. Being proactive on privacy means you can enjoy the confidence and trust of your customers.

, , , , ,

Post navigation

Leave a Reply

Your email address will not be published. Required fields are marked *