Canadian Privacy Legislation in the Private Sector
The Personal Information Protection and Electronic Documents Act (PIPEDA) addresses the collection, storage and use of personal information by organizations in the private sector. Its provisions apply to information collected, used or disclosed by federally regulated agencies, such as telecommunications companies, ISPs, broadcasters, airlines and banks. PIPEDA also applies to federally regulated companies that conduct business online, and it extends to businesses in Nunavut, the Yukon and the Northwest Territories.
The law also applies to provincially-regulated private-sector organizations, such as insurance companies and retail stores, unless the province has passed "substantially similar" legislation.
At present, Quebec is the only province or territory that has been found by the Privacy Commissioner of Canada to have substantially similar legislation in place. However, Alberta and British Columbia have both passed private sector privacy legislation which came into effect on January 1, 2004, though the Privacy Commissioner has yet to determine whether or not these acts are substantially similar to PIPEDA.
PIPEDA gives individuals the right to see and correct any personal information about them collected by companies in the course of their commercial activities. These provisions state that businesses must inform consumers of who is collecting the information, why the information is being gathered, and for what purposes it will be used.
Under the law's guidelines, personal information about a consumer can be collected only as long as it is:
- Gathered with the knowledge and consent of the consumer
- Collected for a reasonable purpose
- Used only for the reasons for which it was gathered
- Accurate and up to date
- Open for inspection and correction by the consumer
- Stored securely
Unlike voluntary industry codes, PIPEDA is enshrined in law, and overseen by the Privacy Commissioner of Canada. All organizations in Canada are required to designate an individual to handle privacy issues and complaints. For the most part, disputes regarding the collection, storage and use of personal information should be resolved this way, between the individual and the organization.
But if the matter is not resolved satisfactorily in that manner, the individual can file a complaint with the Privacy Commissioner, who has the authority to investigate complaints regarding privacy issues—and also to publish the results of the investigation. However, this happens only rarely.
If an individual is still not satisfied with the resolution, the case can be taken to the Federal Court. If the Court rules that an organization has contravened the law, it must correct its practices. The Court can also award damages to the complainant, if warranted.
(information gathered from The Media Awareness Network 2009)