As a business owner, it is essential to know your responsibilities for protecting and using any personal information disclosed to you, including in dealings with third parties. Personal information is anything factual or subjective about a person, like their name, income, medical files, credit records or social status. Under the Personal Information Protection and Electronic Documents Act (PIPEDA), organizations are obligated to ensure that any collection, use, or disclosure of personal information falls within the guidelines of PIPEDA's ten fair information principles.
The ten fair information principles form the foundation for the rules governing the collection, use and disclosure of personal information for organizations. They were created in collaboration with businesses, consumers and the government and outline what responsibilities you have to comply with under the act.
- Be Accountable. Develop and implement policies around storing, using, and protecting personal information and appoint someone in your organization to be responsible for compliance.
- Identify the Purpose. Before you collect any personal information, determine why you need it and how it will be used.
- Obtain Valid, Informed Consent. Clearly define what information you are collecting and why, before or at the time of collection and have the individual agree before moving forward. If, at some point after receiving consent, you decide to use their information for a new use, you must obtain consent again.
- Limit Collection. Only collect as much information as is necessary for your purposes. This helps reduce the risk of inappropriate use or disclosure of personal information.
- Limit Use, Disclosure and Retention. Personal information should only be used for the purpose that the individual consented to and should just be kept as long as it is needed to satisfy the purpose. Having proper guidelines and procedures for retaining and getting rid of personal information is crucial.
- Be Accurate. Keep information as up-to-date as possible, especially if it is frequently used or needed to make a decision.
- Use Appropriate Safeguards. Protect personal information from loss or theft by developing and implementing a security policy using physical measures, technological tools, and organizational controls. You should regularly review these safeguards to ensure they are effective.
- Be Open. Inform all stakeholders, especially customers and frontline employees, that you have procedures to manage personal information. This can be in person, in writing and online, but should be consistent across all channels.
- Give Individuals Access. Individuals have a right to access any information you hold about them, and it should be provided within 30 days of request.
- Provide Recourse. Develop a procedure for any complaints you may receive about PIPEDA compliance. This should be easily accessible to all employees and clearly laid out for customers.
With privacy becoming increasingly important to consumers, good privacy practices are vital for business, and following the suggestions outlined in these principles is a great start. For more information on how to apply these principles, the Office of the Privacy Commissioner of Canada has put together a Privacy Toolkit (PDF) with additional tips.