Privacy rules

Written by Paul Lima

Pity all those customer-relationship management companies that promise to give you powerful levels of customer insight, because it looks like their software and services are about to lose a lot of utility. On Jan. 1, 2004, a new federal law will hamstring every enterprise that wants to collect, slice, dice, disclose and otherwise use the personal information of Canadians.

The Personal Information Protection and Electronic Documents Act is crafted with good intentions. After all, the sheer abundance and liquidity of personal data in the Internet Age means it’s a lot easier to lose, abuse or steal information that many of us consider private, from dates of birth and unlisted phone numbers to financial histories and even opinions. Unfortunately, the Act — which has applied to federally incorporated firms since 2001 — makes the same stringent demands of companies large and small.

The penalties for non-compliance? Complaints are investigated by the federal Privacy Commissioner, which can award punitive damages and order remedial action; failure to cooperate with the Commissioner’s investigations or directives can result in fines of up to $100,000.

It’s a lot to stomach, but you can improve your prospects of a happy New Year by acting now. Read PIPEDA, call your lawyer and get a flying start by following these five first steps to compliance:

  1. Appoint a privacy officer. Under the Act, every company must have a point person for PIPEDA-related enquiries and complaints. (Yes, CEOs of one-person startups must add Chief Privacy Officer to their titles.) Your privacy officer should also audit the personal information your company has on file, plus review where and how it collects, stores, uses and reveals personal information. This audit is required in case of investigation by the Privacy Commissioner.
  2. Obtain informed consent. As of January 1, you’ll no longer be allowed to use and disclose personal information collected before that date, nor collect and work with personal information after that date, unless you’ve received the informed consent of the individual in question. Collect only personal information that’s necessary to running your business, and explain why information is required and how it will be used.
  3. Secure personal information. The more private, personal and confidential the information, the tighter the security should be, up to and including the encryption of data.
  4. Comply with information requests. Deploy the resources and systems necessary to grant individuals access to their personal information within 30 days of requests, as required by law, and be prepared to quickly correct any identified inaccuracies.
  5. Create a privacy statement. Your statement should outline how the company collects, uses and shares personal information and inform individuals of their right to review and consent to the use of their personal information. Post your privacy statement online and in other documents.

© 2003 Paul Lima

Originally appeared on