Protecting your interests

Privacy and your business

The way you treat your clients' information matters. In Canada, most businesses have to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) which regulates how you may collect, use and disclose the personal information you gather as you do business. Some provinces, territories and industry sectors are subject to other regulations. This document provides an overview of your obligations under privacy regulations in Canada.

Understand your privacy obligations under PIPEDA

Having a sound privacy policy can do more for your business than simply keeping you in the good books of government; it can also improve the reputation of your business and help you build a stronger relationship with your clients. The greater the measures you take to protect your clients' information, the greater the trust and potential loyalty they will have for your organization.

• Privacy Guide for Small Businesses: the Basics
  
  http://www.priv.gc.ca/information/pub/guide_sb_e.cfm
  Read this short guide to understand the basics about handling personal information in a small business.
• A Guide for Businesses and Organizations — Your Privacy Responsibilities
  
  http://www.priv.gc.ca/information/guide_e.cfm#contenttop
  Get detailed information on the rules for the management of personal information in the private sector.
• How to ensure your business complies with PIPEDA
  
  http://www.priv.gc.ca/resource/io_pr_2_e.cfm#contenttop
  Complete a privacy questionnaire or read a fact sheet to understand the regulations that affect your business.
• Determining the appropriate form of consent
  
  http://www.priv.gc.ca/fs-fi/02_05_d_24_e.cfm
  Find out how to get permission to collect, use or disclose someone's personal information. The way you seek consent depends on how sensitive the information is and how you plan to use it.
• “Can I see some ID?”
  
  http://priv.gc.ca/information/guide/2009/gl_dl_090426_e.cfm
  If you will be asking for identification, you should be up to date on what you can and cannot copy off a driver's licence.
• Guidelines for Processing Personal Data across Borders
  
  http://priv.gc.ca/information/guide/2009/gl_dab_090127_e.cfm#contenttop
  If your data will be housed or processed outside of Canada, you need to ensure that you take reasonable measures to protect that information.
• Protecting Employee Records
  
  http://priv.gc.ca/fs-fi/02_05_d_18_e.cfm
  Businesses located in Yukon, Nunavut and the Northwest Territories, as well as businesses in federally-regulated sectors, must take steps to protect employee records.
• Best Practices for Dealing with Pre-PIPEDA Personal Information (Grandfathering)
  
  http://www.priv.gc.ca/fs-fi/02_05_d_22_e.cfm
  PIPEDA protects all personal information, including information collected before it came into force. Find out how to treat personal information that you collected before the law came into force.

Dealing with privacy breaches and complaints under PIPEDA

What happens if your business does not comply with PIPEDA or if you somehow fail to safeguard the information you collected? This information will help you understand what to do next.

• Information about privacy breaches and how to respond
  
  http://www.priv.gc.ca/resource/pb-avp/pb-avp_intro_e.cfm
  Find out what a privacy breach is, how the Office of the Privacy Commissioner of Canada can help and what steps you should take.
• Organizations' Guide to Complaint Investigations
  
  http://www.priv.gc.ca/fs-fi/02_05_d_20_e.cfm#contenttop
  Find out what happens if someone files a privacy complaint against your business.

Provincial and Territorial Privacy Laws

In addition to PIPEDA, your business may have to comply with provincial and territorial privacy laws. This can include general privacy laws or privacy laws that deal with specific types of information (that is, health records) or specific industry sectors (for example, credit reporting agencies). In some cases, provincial legislation has been determined to be substantially similar to PIPEDA. If your provincial legislation is considered substantially similar to PIPEDA, you do not need to comply with PIPEDA and are only subject to your provincial laws.

• Substantially Similar Legislation
  
  http://www.priv.gc.ca/legislation/ss_index_e.cfm
  Learn about provincial laws that are considered substantially similar to PIPEDA.

Stay up to date on privacy issues

If your business deals with a lot of personal information, you should ensure that you stay up to date on developments and best practices related to privacy and personal information protection. In addition to staying in touch with your lawyer on these issues, you can follow the Privacy Commissioner's blog.

• Office of the Privacy Commissioner of Canada Blog
  
  http://blog.privcom.gc.ca/
  The Privacy Commissioner's blog is updated regularly; you will find the most up to date developments and issues related to privacy and personal information protection.