A Summary of The
Personal Information Protection and Electronic Documents Act
http://strategis.ic.gc.ca/epic/internet/inoca-bc.nsf/vwGeneratedInterE/ca01460e.html
The Personal Information Protection and Electronic
Documents Act (PIPEDA) is a new law. It governs information
held by private sector organizations, and deal with information
collection, use and disclosure. It incorporates, as a schedule,
the 10
Fair Information Practices, and creates an oversight and
enforcement mechanism using the Federal Privacy Commissioner
and the Federal Court.
What This Act Is Designed to Do
PIPEDA is designed to help protect the privacy
of consumers in Canada. It does this by setting limits on -
and rules for - the collection, use and disclosure of personal
information collected in the course of commercial activities.
And it does so in a very simply way. It simply
states that every organization that collects information must
comply with the 10
Fair Information Practices set out in the Canadian Standards
Association's Model Code.
In a nutshell, that means the information must
be:
• gathered with your consent
• collected for a reasonable purpose
• used for the limited purposes for which it was gathered
• accurate
• open for your inspection and correction stored securely
What This Act Doesn't Apply To
PIPEDA is directed at fostering consumer confidence in commercial
transactions and meeting the requirements of the European Union's
Data Directive rather than creating an overall privacy protection
scheme. As such, it does not apply to:
• any government institution to which the Privacy Act
applies
• any individual in respect of personal information that
the individual collects, uses or discloses for personal or domestic
purposes and does not collect, use or disclose for any other
purpose
• personal information collected used or discloses for
journalistic, artistic or literary purposes and does not collect,
use or disclose for any other purpose
• non-commercial information gathering activities
Some Important Exceptions Dealing With Your Personal
Information
The following exceptions are set out in PIPEDA:
In a commercial context, personal information may be gathered
without the knowledge or consent of an individual if:
• the collection is clearly in the interests of the individual
and consent cannot be obtained in a timely way
• it is reasonable to expect that the collection with
the knowledge or consent of the individual would compromise
the availability or the accuracy of the information and the
collection is reasonable for purposes related to investigating
a breach of an agreement or a contravention of the laws of Canada
or a province; or
• the collection is solely for journalistic, artistic
or literary purposes; or the information is publicly available
and is specified by the regulations.
An organization may disclose personal information without the
knowledge or consent of the individual only if the disclosure
is:
• made to an advocate or notary (Quebec) or a barrister
or solicitor (all other provinces) representing the organization
• for the purpose of collecting a debt owed by the individual
to the organization
• required to comply with a subpoena or warrant issued
or an order made by a court, person or body with jurisdiction
to compel the production of information, or to comply with rules
of court relating to the production of records
• made on the initiative of the organization to an investigative
body and the information relates to an offence under the laws
of Canada or a province that has been or is about to be committed,
or to activities suspected of constituting threats to the security
of Canada
• for statistical, or scholarly study or research, purposes
that cannot be achieved without disclosing the information,
it is impracticable to obtain consent and the organization informs
the Privacy Commissioner of the disclosure before the information
is disclosed.
Implementation Schedule
Phase 1
Beginning January 1, 2001, the law applies to:
• Federal works, undertakings or businesses, such as
banks, telecommunications companies, airlines, railways and
inter provincial trucking companies, and to the employee records
in those organizations;
• Personal information disclosed across borders for consideration
(e.g., the sale or lease of lists).
Phase 2
Beginning January 1, 2002, the law applies to:
• Personal health information collected, used or disclosed
by organizations described under phase one of the law.
Phase 3
Beginning January 1, 2004, the law applies to:
• The collection, use and disclosure of personal information
by any organization in the course of commercial activity within
a province;
• All personal information in all inter provincial and
international transactions by all organizations subject to the
Act in the course of commercial activities.
The federal government may exempt organizations and/or activities
in provinces that have adopted substantially similar legislation.
That means, beginning January 1, 2004, the privacy rights of
all Canadians will be protected in one of two ways:
1. by the federal act, or;
2. by a provincial act that is substantially similar to the
federal law.
|
