Privacy Responsibilities under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)



Prepared By: Matheis Associates

Matheis Associates has always been sensitive to the confidentiality of our members’ personal information. Over the past several years, Matheis Associates has continued to increase privacy disclosure to members. Access to personal information is limited to Matheis Associates employees and representatives in the performance of their duties, or those to whom members have granted access, and those authorized by law.

As a provider of financial services and assistance with administration of financial services, the collection and use of personal information is fundamental to our business. With the Personal Information Protection and Electronic Documents Act (PIPEDA) implementation date approaching (January 1, 2004), we will provide some background information on the legislation, as well as highlight the Principles of the privacy legislation.

What is PIPEDA?
PIPEDA is legislation that is being phased in over a three-year period beginning January 1, 2001 and applies to all organizations that collect, use or disclose personal information in the course of their business activities. On January 1, 2004 the Act will apply to all private sector businesses in Canada, including the financial service industry.

What is personal information?
All information about an identifiable individual is personal, including, but not limited to, name, age, gender, social insurance number and financial, income, and bank information. This includes information that could establish the individual’s identity: birthplace, address, phone numbers, e-mail addresses, education and beneficiary information are just some examples of personal information. This information must be protected, whether that individual is a client, a client’s dependent or a client’s beneficiary.

The key principles within the privacy legislation include:

Be accountable. Organizations must identify and assign ultimate responsibility for compliance with established privacy principles. Privacy policies and practices apply to all personal information within an organization’s control, including personal information transferred to a third party, such as an outsourcer, for data processing.

Identify the purpose and obtain consent from the individual. Organizations must disclose the purpose for collecting personal information and reveal why the information is needed prior to collecting the information.

Limit collection. Any personal information collected should be limited to what an organization requires to do business. A clear link must be established between the information collected and the purposes identified for collecting the information. No information should be collected in a deceptive or misleading way.

Limit use, disclosure and retention. Personal information should only be used or disclosed for the purposes identified at the time of collection; new uses or disclosures must have the consent of the individual or be required by law. Personal information should be retained only as long as required by an organization to conduct business with an individual.

Be accurate. All personal information being disclosed is required to be accurate.

Use appropriate safeguards. The appropriate levels of security need to be taken by an organization to safeguard personal information.

Be open. An organization shall make available to individuals specific information about its policies and practices relating to the management of personal information.

Give individuals access. An individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information upon their request. The individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Provide recourse. An individual should be able to address a challenge concerning compliance with any of the principles to a designated individual or individuals responsible for the organization’s compliance.
