Employer Advice on Creating a Privacy Policy

If your business collects personal information from customers for commercial purposes, you are required by law to have a privacy policy.

Besides being required by law, a privacy policy also protects you from liability claims.

Your privacy policy must inform your customers of the personal information you’re gathering, how it'll be used and how you’ll safeguard it.

What is the privacy law businesses must follow in Canada?

The federal Personal Information Protection and Electronic Documents Act (PIPEDA) regulates how for-profit organizations and businesses in the private sector manage personal information. Your business may be exempt from PIPEDA if your province has its own privacy legislation that is substantially similar to PIPEDA. This is the case in Alberta, British Columbia, and Quebec.

Note that the exemption is limited to commercial activities within a particular province. It is not applicable to interprovincial or international commercial activities.

Since Ontario does not have its own privacy law for the private sector, it comes under PIPEDA. However, this federal law does not apply to personal health information as Ontario has a substantially similar health-related privacy law.

Federally regulated businesses in Canada are also covered by PIPEDA.

What is meant by personal information?

Personal information is any data that identifies a person as an individual, such as their age, marital status, religion, race, or social insurance number.

What are my responsibilities under PIPEDA?

Your privacy policy must cover the 10 fair information principles set down in PIPEDA. These are:

Principle 1: Accountability

You are responsible for protecting all personal information collected by your business. This includes any data transferred to a third party for processing. You must appoint someone to ensure your compliance with PIPEDA and develop a privacy policy based on the 10 principles.

Principle 2: Identifying purposes

Your policy must inform your customers of the purposes for which the personal information is gathered. This should be done before or at the time of collection, either verbally or in writing. You'll need to get their consent again should you identify a new purpose. The purposes should meet the criterion of “what a reasonable person would consider appropriate under the circumstances”.

Principle 3: Consent

You must get informed consent from customers for the collection, use and disclosure of personal data. They must understand what they are consenting to, why you are collecting the data and what you'll do with it. For non-essential data gathering, people must be given a choice on whether to provide consent.

Principle 4: Limiting collection

You must only collect information that is needed for a “legitimate identified purpose”. You must not mislead customers about the reasons for gathering personal data.

Principle 5: Limiting use, disclosure, and retention

Except where a person consents or it is required by law, you must use or disclose personal data only for the purposes stated at the time of collection. You should keep the personal information only as long as you need it to fulfill those purposes. You must get fresh consent if you need to use or disclose personal information for a new purpose.

Principle 6: Accuracy

The personal information you collect must be accurate and up to date.

Principle 7: Safeguards

You must protect the personal data you collect against theft and against unauthorized access, disclosure, copying, use or modification. You must also educate your staff on the importance of keeping personal data confidential and on the procedures developed to protect it.

Principle 8: Openness

Your policies and procedures for managing personal information should be easily available and easy to understand for your customers.

Principle 9: Individual access

When a customer requests access to the personal information you hold about them, you must provide it within a stipulated time frame. They also have the right to have the data amended or updated, if needed. If you refuse access, you must provide your reasons for doing so in writing. You must also inform them of the available means of redress.

Principle 10: Challenging compliance

You must also set clear procedures for handling complaints related to your compliance with PIPEDA. Such complaints should be addressed to the person designated to ensure your business’s compliance with the privacy law. You must inform complainants of the available means of redress. You must investigate all complaints and take appropriate remedial measures, where needed.

What else should I keep in mind?

Your privacy policy must cover the 10 fair information principles set down in PIPEDA, and you should also customize it to meet your specific business needs. Your company’s privacy policy must be easily accessible to your customers.

An effective way of making it accessible is to place a link to your privacy policy in the footer of your website (known as a browse-wrap agreement). The link text should be legible and appear on every page of your website or mobile app.

It is also advised that you include a link to your privacy policy in your contact and registration forms. This is the clickwrap method, wherein a website visitor confirms they’ve agreed to the privacy policy before using your services.

Do you need more information on creating a privacy policy for your small business?

Our experts can help you develop company policies as well as with any other HR and health and safety advice you need. See how we have helped other small and medium businesses get their business compliant with provincial legislation.
