How’s Your PIPE-DA?

Please trust me on this: I really and truly don’t enjoy the additional legal activity that new, intrusive and misguided government regulation imposes on businesses or individuals. A couple of past examples of this kind of thing are the federal the Foreign Investment Review Act and the Ontario employment equity legislation (regardless of what you might think about the underlying “good intentions” of either initiative).


Well, there is a new piece of intrusive government regulation will require some of your attention: certain provisions of the Personal Information Protection and Electronic Documents Act (Canada)(“PIPEDA”) which came into force on January 1, 2004. These provisions apply to all “commercial activities”, and there are very few exemptions. There is no exemption for very small businesses.

Basically, PIPEDA applies to all “personal information” collected, used or disbursed about employees, customers or even third parties.

The PIPEDA website is a good starting point for anyone fixed with the job of dealing with this legislation. It contains useful, but highly redundant, guidelines on training and compliance for PIPEDA.

This is a brief overview of PIPEDA from that website:

Organizations covered by the Act must obtain an individual’s consent when they collect, use or disclose the individual’s personal information. The individual has a right to access personal information held by an organization and to challenge its accuracy, if need be. Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, consent must be obtained again. Individuals should also be assured that their information will be protected by specific safeguards, including measures such as locked cabinets, computer passwords or encryption.

“Personal information”, the key concept in this scheme of things, is described as:

any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:

  • age, name, ID numbers, income, ethnic origin, or blood type
  • opinions, evaluations, comments, social status, or disciplinary actions
  • employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs)

Personal information does not include the name, title, business address or telephone number of an employee of an organization.

First, I would point out that enforcement of these privacy law requirements will be complaint-driven, so it is unlikely that an inspector and storm troopers will descend unannounced on your office just do a privacy compliance audit. Further, this legislation is so broad, so encompassing of all “commercial activity” that there is no way on earth that the Privacy Commissioner will have the resources to investigate or prosecute anything other than high profile, flagrant cases. So, don’t be flagrant.

As a responsible business person, you will want to initiate a sensible compliance program to avoid problems and hassles. Also, you do not want disgruntled customers, suppliers, competitors or former employees to use your non-compliance as a weapon against you.

Please note that there are two main aspects involved: public individuals you interact with, on the one hand, and your employees, on the other hand.

This is a brief summary of your responsibilities under the commercial activity PIPEDA provisions:

1.    Before or when any personal information is collected, identify why it is needed and how it will be used, stored, managed and disclosed (look at your forms, applications, interactive websites, interviews, contests, and so on).

2.    Obtain the individual’s informed consent (written, implied, specific or general) before using their personal information.

3.    Create a “Privacy Policy”, which will provide for the ongoing management and administration of personal information, including updating, correction, security, and complaint processes.

Now then, you can call up any number of consultants, accounting firms and law firms who will be delighted to deliver a comprehensive, multi-module PIPEDA training and compliance program for just $5,000 – $25,000, or more.

Hey, this is worse than the phony Y2K fear-mongering nonsense we suffered thru in 1999! Remember that? The end of the world was predicted for any business that failed to line the pockets of the consultants and computer hardware and software suppliers. It’s a consultant’s paradise. And you wonder why lawyers love politics and government?

Or, if you are not enamoured of technical memos in glossy, embossed document folders and time-wasting multi-media seminars, you can work with the PIPEDA website (www.privcom.gc.ca), a professional adviser and a couple of checklists in order to arrive at a sensible privacy policy for your business.