The New Privacy Act: What Every Retailer Needs To Know

By Duncan C. Card and Robert L. Percival

In early April 2003 the federal government enacted new legislation that will profoundly affect the way in which retailers can collect, use and disclose the personal information of their consumers.

That Act, named the Personal Information Protection and Electronic Documents Act, has two main parts. Part I is designed to protect the privacy of personal information that is collected, used or disclosed in the private sector. The remainder of the Act has provisions that permit and enable business to be conducted with the federal government by electronic means and to clarify how electronic records may be used as evidence. This article focuses on Part I of the Act, and the privacy implications for Canadian retailers and e-tailers.

The privacy principles established in the Act were developed by the Canadian Standards Association and were the subject of significant negotiation between the government, business and consumer interest groups. The Act was intended to strike a balance between the need to protect the privacy of individuals and the need of businesses to use and commercially exploit an extremely valuable business asset: the personal information of their customers. That compromise is reflected in the Act's preamble:

"... to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the privacy of individuals with respect to their personal information, and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances."

Top

Does It Apply To You?

The Act applies to all organizations that collect, use or disclose personal information in the course of commercial activities. The Act also applies to organizations in respect to personal employee information that the organization collects, uses, or discloses in connection with the operation of a federal work, undertaking or business (for example, banks).

What constitutes "personal information" has been broadly defined by the Act, and the scope of the definition remains to be determined. The Act specifically states, however, that personal information does not include "the name, title, business address or business telephone number of an employee of an organization."

The Act also establishes 10 principles of privacy protection to which retailers must adhere:

Accountability

An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.

Identifying Purposes

The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

Consent

The knowledge and consent of the individual is required for the collection, use or disclosure of personal information, except where inappropriate. (Certain exceptions to this principle are contained in the Act).

Limiting Collection

The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

Limiting Use, Disclosure and Retention

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.

Accuracy

Personal information shall be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.

Safeguards

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

Openness

An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

Individual Access

Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Challenging Compliance

An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.

Top

What Could Happen To My Organization?

Organizations that fail to comply with the Act may become subject to investigation and audit by the Privacy Commissioner of Canada, may be brought before the Federal Court of Canada for a hearing or, in certain circumstances, may face criminal charges.

The Privacy Commissioner maintains fairly broad powers of investigation under the Act, including the power to summon witnesses, require the production of "any records or things," administer oaths, and enter an organization's premises and examine records relevant to its investigation. In certain circumstances, applications may be made to the Federal Court of Canada for breaches of the Act by either an individual complainant or the Privacy Commissioner. In considering an application the Court may:

• Order an organization to correct its practices;
• Order an organization to publish a notice of any action taken or proposed to be taken to correct its non-compliance; and
• Award damages -- including damages for any humiliation the complainant may have suffered. (No limit!)

Failure to comply with the order of a Court could result in both fines and imprisonment.
The Act also makes it a criminal offence for a company:

• to contravene the obligation under the Act to retain personal information in its possession that is the subject of an individual's request for so long as required to allow the individual to exhaust any recourse under the Act;
• to seek retribution against an employee for such employee's refusal to contravene the privacy policies of the Act;
• or, to obstruct the Commissioner in the course of a complaint investigation or audit. Criminal sanctions could include a fine of up to $100,000 and imprisonment.

Top

What Should My Organization Do?

Retailers that use personal information should review their existing procedures to determine whether or not they comply with the requirements of the Act. The following steps should be immediately considered:

1. Consult professional advisers.

The Act does not apply immediately to all organizations, and the timing and scope of its application to your organization may depend on several factors. Determine if your organization is governed by the Act, and when it will apply.

2. Retailers governed by the Act,

and who collect or use personal information, should conduct an internal audit to determine their compliance with the Act. Not only will this enable your organization to identify practices that might be in violation of the Act, but the fact that such an audit was conducted may be of assistance in determining the "good faith" due diligence efforts of your organization to comply with the Act. Some ongoing activities by retailers that may contravene the Act are:

• Failing to obtain proper consents for the collection, use and disclosure of personal information.
• The collection of unnecessary personal information.
• Making the disclosure of personal information a condition of providing a service or product.
• Improper or unnecessary transfer of personal information to third parties.
• Unsecured storage or management of personal information.

3. All retailers governed by the Act

must create a privacy policy that deals with personal information and ensures that the organization will comply with the Act.

4. Employees must be trained

to understand the importance of privacy and to adhere to the provisions of any privacy policy that is adopted by your organization. Failure to ensure employee compliance may lead to complaints to, and investigation by, the Privacy Commissioner.

There are many other sources of privacy and data protection regulation that may apply to retailers in addition to the Act, including industry association "guidelines," medical information laws, and both foreign and provincial laws concerning the protection of private and confidential information. However, it is widely accepted that dealing with the privacy concerns of consumers in a secure and consistent manner will bolster the level of trust between retailers and consumers, and will undoubtedly facilitate the adoption of e-commerce and e-tailing in the retail sector.

Duncan Card and Robert Percival are members of the Technology, E-Commerce and Communications Law Group at Ogilvy Renault in Toronto. Duncan is also a member of Retail Council of Canada's Executive E-Business Partner Committee. Their e-mail addresses can be accessed from www.ogilvyrenault.com, or you can telephone them at (416) 863-0900.

Top