New Privacy Legislation for Canadian Companies

As you may know, the new Personal Information Privacy and Electronic Documents (PIPEDA) Act came into effect on January 1, 2004. This new law affects most businesses in Canada, especially those who operate web sites, and requires that you make certain changes and updates to your web site and internal policies.

Here is some general information about the PIPEDA Act, along with some details about what you need to do in order to comply.

PLEASE NOTE note that this message does not constitute legal advice and that SGJP design strongly recommends that you consult with legal counsel prior to drafting and enacting your own policies.

General Information About PIPEDA

The PIPEDA Act sets out ground rules for how all organizations can collect, use or disclose personal information in the course of commercial activities. It balances an individual's right to privacy with the need of organizations to collect, use or disclose personal information for legitimate business purposes, as follows:

If your business wants to collect, use or disclose personal information about people, you need their consent, except in a few specific and limited circumstances.

You can use or disclose people's personal information only for the purpose for which they gave consent.

Even with consent, you have to limit collection, use and disclosure to purposes that a reasonable person would consider appropriate under the circumstances.

Individuals have a right to see the personal information that your business holds about them, and to correct any inaccuracies.

There is oversight, through the Privacy Commissioner of Canada, to ensure that the law is respected, and redress if people's rights are violated.

"Personal information" includes age, name, ID numbers, income, ethnic origin, or blood type; opinions, evaluations, comments, social status, or disciplinary actions; and employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).

Personal information does *NOT* include the name, title, business address or telephone number of an employee of an organization.

Does this apply to our web site?

The PIPEDA act applies to any organization that:

• Uses their site to collect personal information and/or opinions from individual consumers
• Uses their site to collect shipping and/or contact information from individual customers who have made an online purchase
• Uses their site to collect e-mail addresses for use in an e-mail distribution list
• Identifies an individual when they visit your site, and then track/record specific information about their usage patterns.
• There may be other reasons why PIPEDA applies to your web site as well.

What do we need to do in order to comply with PIPEDA?

If you have a website, then as a minimum you should have a Privacy Statement posted which specifies, for a start, how people's personal information will be used. You will also need to comply with all 10 sections of the new Act, such as identifying the personal information which you collect, obtaining consent, specifying how the personal information will be used, specifying who within your organization receives inquiries about personal information, etc. Some of this is solved by business procedures, and other portions of it needs to be communicated on your website before you collect comments/feedback, shipping addresses, payment information, etc.

How can we help?

SGJP design can provide guidance and assistance with the development and posting of content that is required to comply with PIPEDA. This may include:

• posting a page on your site that contains your privacy policies
• adjusting forms and/or scripts that currently ask for information that may no longer be allowed under the PIPEDA Act without providing more information
• adjusting wording on various pages of your site
• providing a template for a privacy policy that you can use to get started on your own.

Where can I find more information?

You may obtain more information from the Privacy Commissioner of Canada's website at http://www.privcom.gc.ca or more specifically, from their "PIPEDA Act E-kit for Business", located at http://www.privcom.gc.ca/ekit/ekit_e.asp