The New Privacy Act: What Every Retailer Needs To Know
By Duncan C. Card and Robert L. Percival
In early April 2003 the federal government enacted new legislation that
will profoundly affect the way in which retailers can collect, use and
disclose the personal information of their consumers.
That Act, named the Personal Information Protection and Electronic Documents
Act, has two main parts. Part I is designed to protect the privacy of
personal information that is collected, used or disclosed in the private
sector. The remainder of the Act has provisions that permit and enable
business to be conducted with the federal government by electronic means
and to clarify how electronic records may be used as evidence. This article
focuses on Part I of the Act, and the privacy implications for Canadian
retailers and e-tailers.
The privacy principles established in the Act were developed by the Canadian
Standards Association and were the subject of significant negotiation
between the government, business and consumer interest groups. The Act
was intended to strike a balance between the need to protect the privacy
of individuals and the need of businesses to use and commercially exploit
an extremely valuable business asset: the personal information of their
customers. That compromise is reflected in the Act's preamble:
"... to establish, in an era in which technology increasingly
facilitates the circulation and exchange of information, rules to govern
the collection, use and disclosure of personal information in a manner
that recognizes the privacy of individuals with respect to their personal
information, and the need of organizations to collect, use or disclose
personal information for purposes that a reasonable person would consider
appropriate in the circumstances."
Does It Apply To You?
The Act applies to all organizations that collect, use or disclose personal
information in the course of commercial activities. The Act also applies
to organizations in respect to personal employee information that the
organization collects, uses, or discloses in connection with the operation
of a federal work, undertaking or business (for example, banks).
What constitutes "personal information" has been broadly defined
by the Act, and the scope of the definition remains to be determined.
The Act specifically states, however, that personal information does
not include "the name, title, business address or business telephone
number of an employee of an organization."
The Act also establishes 10 principles of privacy protection to which
retailers must adhere:
Accountability
An organization is responsible for personal information under its control
and shall designate an individual or individuals who are accountable
for the organization's compliance with the following principles.
Identifying Purposes
The purposes for which personal information is collected shall be identified
by the organization at or before the time the information is collected.
Consent
The knowledge and consent of the individual is required for the collection,
use or disclosure of personal information, except where inappropriate.
(Certain exceptions to this principle are contained in the Act.)
Limiting Collection
The collection of personal information shall be limited to that which
is necessary for the purposes identified by the organization. Information
shall be collected by fair and lawful means.
Limiting Use, Disclosure and Retention
Personal information shall not be used or disclosed for purposes other
than those for which it was collected, except with the consent of the
individual or as required by law. Personal information shall be retained
only as long as necessary for the fulfilment of those purposes.
Accuracy
Personal information shall be as accurate, complete and up-to-date
as is necessary for the purposes for which it is to be used.
Safeguards
Personal information shall be protected by security safeguards appropriate
to the sensitivity of the information.
Openness
An organization shall make readily available to individuals specific
information about its policies and practices relating to the management
of personal information.
Individual Access
Upon request, an individual shall be informed of the existence, use
and disclosure of his or her personal information and shall be given
access to that information. An individual shall be able to challenge
the accuracy and completeness of the information and have it amended
as appropriate.
Challenging Compliance
An individual shall be able to address a challenge concerning compliance
with the above principles to the designated individual or individuals
accountable for the organization's compliance.
What Could Happen To My Organization?
Organizations that fail to comply with the Act may become subject to
investigation and audit by the Privacy Commissioner of Canada, may be
brought before the Federal Court of Canada for a hearing or, in certain
circumstances, may face criminal charges.
The Privacy Commissioner maintains fairly broad powers of investigation
under the Act, including the power to summon witnesses, require the production
of "any records or things," administer oaths, and enter an organization's
premises and examine records relevant to its investigation. In certain
circumstances, applications may be made to the Federal Court of Canada
for breaches of the Act by either an individual complainant or the Privacy
Commissioner. In considering an application the Court may:
- Order an organization to correct its practices;
- Order an organization to publish a notice of any action taken or proposed
to be taken to correct its non-compliance; and
- Award damages -- including damages for any humiliation the complainant
may have suffered. (No limit!)
Failure to comply with the order of a Court could result in both fines
The Act also makes it a criminal offence for a company:
- to contravene its obligation under the Act to retain personal information
in its possession that is the subject of an individual's access request
for as long as is required to allow the individual to exhaust any recourse
under the Act;
- to seek retribution against an employee for that employee's refusal
to contravene the privacy provisions of the Act; or
- to obstruct the Commissioner in the course of a complaint investigation
or audit. Criminal sanctions could include a fine of up to $100,000.
What Should My Organization Do?
Retailers that use personal information should review their existing
procedures to determine whether or not they comply with the requirements
of the Act. The following steps should be immediately considered:
1. Consult professional advisers.
The Act does not apply immediately to all organizations, and the timing
and scope of its application to your organization may depend on several
factors. Determine if your organization is governed by the Act, and
when it will apply.
2. Retailers governed by the Act
that collect or use personal information should conduct an internal
audit to determine their compliance with the Act. Not only will this
enable your organization to identify practices that might be in violation
of the Act, but the fact that such an audit was conducted may be of
assistance in determining the "good faith" due diligence efforts
of your organization to comply with the Act. Some ongoing activities
by retailers that may contravene the Act are:
- Failing to obtain proper consents for the collection, use and disclosure
of personal information.
- The collection of unnecessary personal information.
- Making the disclosure of personal information a condition of providing
a service or product.
- Improper or unnecessary transfer of personal information to third
parties.
- Unsecured storage or management of personal information.
3. All retailers governed by the Act
ensures that the organization will comply with the Act.
4. Employees must be trained
to understand the importance of privacy and to adhere to the provisions
of the Act. Failure to ensure employee compliance may lead to complaints to,
and investigation by, the Privacy Commissioner.
There are many other sources of privacy and data protection regulation
that may apply to retailers in addition to the Act, including industry
association "guidelines," medical information laws, and both
foreign and provincial laws concerning the protection of private and confidential
information. However, it is widely accepted that dealing with the privacy
concerns of consumers in a secure and consistent manner will bolster the
level of trust between retailers and consumers, and will undoubtedly facilitate
the adoption of e-commerce and e-tailing in the retail sector.
Duncan Card and Robert Percival are members of the Technology, E-Commerce
and Communications Law Group at Ogilvy Renault in Toronto. Duncan is also
a member of Retail Council of Canada's Executive E-Business Partner Committee.
Their e-mail addresses can be accessed from www.ogilvyrenault.com,
or you can telephone them at (416) 863-0900.