As of January 1, 2004, all businesses in Canada were required to be compliant with the "Personal Information Protection and Electronic Documents Act" ("PIPEDA"). One of the main purposes of PIPEDA is to protect personal information held by the private sector. This Act applies to all personal information collected, used or disclosed in the course of commercial activities by all organizations.
"Personal information" is defined as "information about an identifiable individual". That means that information such as race, age, marital status, religion, employment history, credit history, assets, home address, home telephone number and even opinions about an individual would be protected under this Act.
"Commercial activity" is also defined in PIPEDA as "any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists".
If you think the Act doesn't pertain to your organization, think again. If you collect any information that could in any way be linked to a specific person, you must ensure that your organization is compliant with the following requirements:
You must designate an individual who is accountable for your organization's compliance with PIPEDA.
When you collect personal information about an individual, you must explain to that person the purposes for which you are collecting the information, and you must obtain that person's consent before you can collect, use or disclose the information. (Note: PIPEDA does not specify that consent must be obtained in writing, but it would be prudent to obtain it in writing so there are no misunderstandings down the road.)
You must not collect more information than is necessary to achieve your clearly stated purposes.
You also must not use or disclose the information for any other purposes without the individual's consent, so be sure you account for all the uses in your new policies and articulate these in writing.
You must destroy the personal information once you no longer need it to achieve your stated purposes; the length of time will vary with the type of information, as there may be legal requirements governing retention periods.
You must ensure the personal information is accurate and complete to the best of your ability. If an individual requests it, that person must be given access to their information, including the details regarding the existence, use and disclosure of their personal information. It is your organization's responsibility to correct any inaccurate information.
You must protect all personal information by taking appropriate security measures. The level and extent of these measures will be dictated by the sensitivity of the information, but should at the very least include:
1. physical measures, for example, locked filing cabinets and restricted access to offices
2. organizational measures, like security clearances and limiting access on a "need-to-know" basis
3. technological measures, such as the use of passwords and encryption.
And finally, you must make your policies and practices regarding the management of personal information available upon request. Your website is an effective way to identify your organization's internal compliance officer(s), publish your privacy statement, and describe the methods by which individuals can access your documented PIPEDA compliance policies.
If you find all of this rather daunting, take comfort in the fact that you are in good company. Most of the people whom we have recently polled were only vaguely aware of the existence of a new privacy act. It would follow that they have done nothing to initiate their compliance with PIPEDA.
However, you have now taken the first step by reading this article and familiarizing yourself with the key compliance issues of this Act. If you would be interested in accessing more resources to assist in your organization's compliance initiative, please contact us for more information.
Copyright - Kelly Melanson, Certified Management Accountant