The Privacy Act - Your Small Business Responsibilities
By Diane Henders of Bright Ideas Personalized Learning
As of January 1, 2004, privacy legislation governing the collection, use,
retention and disclosure of personal information became applicable to all
businesses, including small businesses and sole proprietors. This was
relatively unpublicized, and many business owners don’t realize what their
responsibilities are under the new scope of the legislation.
For most privately owned businesses operating only in Alberta, the
provincial Personal Information Protection Act (PIPA) is the governing
legislation. This article will address only the provincial act, PIPA. In
PIPA, personal information is defined as “any information that would allow
an individual to be identified.” This includes information such as name,
address, gender, birth date, education, employment, income, medical
information, and the like. Some information, like name and address, is
essentially in the public domain and can therefore be considered non-sensitive
personal information. Other information, such as income or medical data, is
more sensitive. PIPA requires information to be treated in a manner
appropriate to its sensitivity.
The keystones of PIPA may be summarized as follows:
Purpose - Before or when collecting personal information, businesses must
identify the reason for collecting the information, and the purpose for
which it will be used.
Collection - Businesses must collect, use, disclose and retain personal
information only as necessary for their purposes.
Consent - Businesses must obtain consent to collect, use and disclose
personal information. It may be express (a signed permission slip),
implied (when one volunteers information), or indicated by not opting out
(unless one specifically objects, he/she is deemed to consent). The method
of consent must be reasonable and appropriate to the type of information
being collected and its potential use.
Disclosure - As noted above, consent must be obtained from an individual
before disclosing his/her information. However, a business is obliged to
disclose personal information, even without consent, under certain
circumstances, including medical emergencies, situations affecting the
safety and security of the public, or legal or criminal investigations.
Accountability - Business owners and employees must take responsibility for
complying with PIPA and protecting personal information.
Accuracy - All collected personal information must be as accurate and
complete as possible.
Security - Businesses must take appropriate precautions to safeguard
personal information, and sensitive personal information should be secured.
Access - At any time individuals can request access to their personal
information, and businesses must provide complete records of all information
pertaining to that individual.
Retention/Destruction - Information should only be retained as long as it is
pertinent. You should establish retention periods and a destruction policy.
When destroying records, be sure to use a method appropriate to the
sensitivity of the information (secure shredding, for example).
So what does your business need to do in order to comply with PIPA?
Incorporating the above principles into your corporate culture is a start.
In addition, every business should have a written Privacy Policy. The
Privacy Policy should be available on request to any individual or business,
including employees and consultants. It should address the above issues,
outlining how and when your business collects, uses, retains and discloses
information, both within your business and externally to third parties.
A Privacy Officer should be designated so that a contact person is available
both for internal and external questions and information. The Privacy Policy
should include contact information for the Privacy Officer, who can be any
owner or employee within your business who is familiar with PIPA and your
Privacy Policy.
You should document the location and type of all personal information, since
you must respond to a request for personal information within 45 days. It is
also important to keep current electronic data backups. This is common sense
for all businesses regardless of the Privacy Act, but it also addresses the
security and accessibility principles of the Act.
PIPA also requires businesses to ensure that, if and when they disclose
personal information to third parties, those parties will treat the
information in accordance with the Act. This may be done using an express
method of consent (requiring the third party to sign a document agreeing to
the terms) or a not-opting-out method (sending a letter to the third party
describing the requirements and requesting them to write back if they
object).
Businesses should have a clearly defined request and disclosure procedure
for personal information, and all staff should be trained to follow it.
Before anyone in your business requests personal information from an
individual, that individual should be informed what it will be used for, and
consent should be obtained. If the nature of your business requires you to
collect personal information on specific forms (application forms, for
instance), you can streamline the consent process by including a standard
not-opting-out phrase on each form. Furthermore, all staff should be trained
regarding disclosure of personal information. All procedures should be
appropriate to the sensitivity of the personal information being requested
or disclosed.
Diane Henders is the owner of Bright Ideas Personalized Learning. For
one-on-one or group on-site training, or to register for the course The
Privacy Act for Small Businesses, call 403.692.2255, or visit
www.meld.biz/bright
This article is not intended as legal advice.