PIPEDA is an acronym for “Personal Information and Privacy of Electronic Documents Act”. This Canadian federal Act governs the privacy and security of personal information. Its early precedents originated in California and Europe. The Act protects personally identifying data, such as a name and address; non-personal data, like a postal code, is not protected. The Act has extensive powers to protect medical information and social insurance numbers.
PIPEDA came into effect January 1, 2002, after a 2-year grace period, which was given to allow businesses to ‘make the shift’. This grace period ended on January 1, 2004. Currently, data privacy must be considered a necessity in any business plan.
Your business plan should include direction for privacy policies, data security procedures and control measures. Ensuring your business is in complete compliance with PIPEDA is not only legally mandatory, but it also makes good business sense. Lack of privacy procedures can not only damage your business reputation, but may result in considerable cost to your business in terms of both time and money. Precedent cases in the United States have resulted in convictions, fines and even jail sentences!
Your business must have an explicit privacy policy regarding the collection, use and storage of personal information. This can include the personal information of your clients, suppliers, partners and/or employees. All of these people must be considered in your policy, and the necessary points spelled out in clear and concise terms, for both your clients and employees.
eMail is a major area of concern. There are numerous elements required to make an eMail campaign fall in line with PIPEDA legislation. Ideally, you should provide:
• a double opt-in message – where permission to send is received both at time of sign-up, and upon receipt of the first message
• identification of the message source – including, if you send eMail to US-based recipients, a postal address for the message origin
• an “unsubscribe” function – which is a mandatory element, under the Act
It’s also a good idea to provide recipients with a link to your company privacy policy in each eMail you send out. Best practice is to also provide a contact eMail address for an officer or department of your company who can provide further information on privacy matters, if the recipient chooses to ask about such things.
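As an added illustration (this code is not from the original article), here is a minimal consent ledger that enforces the double opt-in and unsubscribe elements listed above and timestamps each change so the permission trail can be produced if a recipient or the Commissioner asks for it. The class and method names are my own; a real deployment would persist the records and deliver the confirmation and unsubscribe links by eMail.

```python
import hmac
import secrets
from datetime import datetime, timezone

def _now() -> str:
    return datetime.now(timezone.utc).isoformat()

class ConsentRegistry:
    """Per-address consent ledger: pending -> confirmed -> unsubscribed (hypothetical helper)."""

    def __init__(self) -> None:
        self._records: dict = {}

    def sign_up(self, email: str) -> str:
        """First opt-in (the web form). Returns the token to embed in the confirmation link."""
        token = secrets.token_urlsafe(32)  # unguessable; bound to this sign-up only
        self._records[email.strip().lower()] = {
            "state": "pending", "token": token, "signed_up_at": _now(),
            "confirmed_at": None, "unsubscribed_at": None}
        return token

    def confirm(self, email: str, token: str) -> bool:
        """Second opt-in: the recipient follows the link in the first message."""
        rec = self._records.get(email.strip().lower())
        if rec is None or rec["state"] != "pending":
            return False
        if not hmac.compare_digest(token, rec["token"]):  # constant-time comparison
            return False
        rec["state"], rec["confirmed_at"] = "confirmed", _now()
        rec["token"] = secrets.token_urlsafe(32)  # fresh token for the unsubscribe link
        return True

    def unsubscribe_token(self, email: str) -> str:
        return self._records[email.strip().lower()]["token"]  # goes in every message footer

    def unsubscribe(self, email: str, token: str) -> bool:
        """Honour an unsubscribe request; the token stops third parties removing others."""
        rec = self._records.get(email.strip().lower())
        if rec is None or rec["state"] == "unsubscribed":
            return False
        if not hmac.compare_digest(token, rec["token"]):
            return False
        rec["state"], rec["unsubscribed_at"] = "unsubscribed", _now()
        return True

    def may_send(self, email: str) -> bool:
        """Only confirmed addresses get marketing mail; pending and unsubscribed never do."""
        rec = self._records.get(email.strip().lower())
        return rec is not None and rec["state"] == "confirmed"
```

The send-time check `may_send` is the control that matters: a list import or a sign-up alone never makes an address mailable.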
To avoid confusion, keep your privacy policy free of hard-to-understand legal jargon. Be aware that if you are asking for information such as names and eMail addresses on your website, you must state to the consumer what you will do with that information BEFORE you actually collect it.
There is a myriad of angles to consider with regard to your privacy policy. Among the questions you should ask: Who collects the information, and who has access to it? How and where is the sensitive data stored? Is it encrypted or kept off-site?
With laws come regulation and overseers. In this case, PIPEDA falls under the jurisdiction of the Privacy Commissioner of Canada. Complainants may go directly to the Commissioner, and a blatant offence may result in immediate action or go to a hearing. Findings may result in fines or conviction against the company and suspension of telephone or internet accounts. As a further deterrent to potential offenders, the Privacy Commissioner’s findings are made public on the Commissioner’s website. (Find the site at http://www.privcom.gc.ca/)
In summary, your business can take the following steps to ensure you are compliant with the laws and directions under PIPEDA.
1. Review your business plan to see where privacy issues crop up.
2. Contact your customer base, if you need to, to confirm that you have their permission to market to them using personally-identifying data, such as an eMail address.
3. Draft a privacy policy, and provide an obvious link to it on your website.
4. Approach each privacy issue as though you were the customer.
5. If you are not sure, check the Privacy Commissioner’s website or call for clarification. Ignorance is not a defense.
Adherence to privacy laws makes good sense, and will protect both your company and your customers, in the long run.