Soberman - LLP

12/22/2003
Federal Privacy Legislation - Comments Fall 2003

By Donald Borts, BComm, CA, CFP, Partner, and Rukshana Dinshaw, BA, CA, Director of Professional Practice

Few things are as important in today's business environment as business contact lists for customers, clients and employees. As business processes become more complex and sophisticated, more and more personal information is being collected and used. The privacy of such personal information has become increasingly vulnerable and is a critical concern for businesses, government and the public in general.

Well documented incidents, such as the disappearance of financial information, inappropriate access to medical records and identity theft for illegal purposes, regularly appear in the press. As a result, privacy is a matter of growing concern, and accordingly, the federal government has enacted the Personal Information Protection and Electronic Documents Act (PIPEDA). It is anticipated that similar provincial legislation will follow in the near future.

PIPEDA, which comes into full force on January 1, 2004, establishes new rules for protecting the privacy rights of all Canadians. These rules and regulations apply to any organization engaged in commercial activity. PIPEDA addresses the challenges faced by businesses in accommodating the personal information protection concerns of customers and employees, and the varying circumstances under which such information is collected and used for commercial purposes. Personal information is broadly defined to include name, Social Insurance Number, income, credit records, loan records, social status, employee files, evaluations/comments, disciplinary actions and health information. PIPEDA applies to personal information maintained in either electronic or paper format.

Ten Principles

PIPEDA is based on ten fundamental and internationally recognized principles. Compliance with PIPEDA is achieved by adhering to each of the following principles:

Accountability: An organization is responsible for personal information under its control and must designate an individual, or individuals, who are accountable and oversee the organization's compliance with PIPEDA.

Identifying Purposes: The purposes for which personal information is collected are to be identified by the organization at or before the time the information is collected.

Consent: The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information. Consent must be obtained whenever a new use emerges for previously collected personal information.

Limiting Collection: The collection of personal information (by fair and lawful means) must be limited to that which is necessary for the purposes identified by the organization.

Limiting Use, Disclosure, and Retention: Personal information must not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. As described in the organization's retention policy, information must be retained for only as long as necessary.

Accuracy: Personal information should be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

Safeguards: Personal information must be protected by security safeguards appropriate to the sensitivity of the information to prevent loss or misuse.

Openness: Specific information about an organization's policies and practices relating to the management of personal information must be readily available to individuals.

Individual Access: Upon request, an individual is to be informed of the existence, use and disclosure of his or her personal information and is to be given access to that information. An individual must be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Challenging Compliance: An individual must be able to address a challenge concerning compliance with the above principles to the designated individual, or individuals, accountable for the organization's compliance.

Good privacy practices will not only ensure compliance with PIPEDA, but also build customer confidence and loyalty, protect the integrity of your organization and even add to the bottom line.

A recent survey indicated that almost 50% of consumers would buy more frequently and in greater volume from companies known to have more reliable privacy practices. At the same time, 83% indicated that they would stop doing business entirely with companies that misuse customer information.

The Canadian Institute of Chartered Accountants (CICA) recently published Privacy Compliance: A Guide for Organizations and Assurance Practitioners. This guide indicates that prudent business practices call for a privacy risk assessment and implementation of an appropriate privacy compliance regime.

A privacy compliance regime requires a strong commitment from senior management, appointing a privacy official and establishing related policies and procedures as previously discussed. It is essential for organizations to start assessing current policies pertaining to privacy and, if need be, implementing new policies to comply with this new piece of legislation.

Compliance Checklist

To ensure compliance with PIPEDA, organizations should have in place a privacy policy that includes the following:

- Designate an individual who is responsible and accountable for compliance with PIPEDA;

- Identify the purpose of collecting personal information;

- Obtain consent to the use of personal information from employees and customers;

- Develop procedures to keep personal information in an accurate, complete and up-to-date manner;

- Implement appropriate safeguards to protect the information, including physical access, information systems security and organizational procedures;

- Develop a retention policy limiting the length of time information is kept on file;

- Provide training and communicate organizational privacy policies to employees; and

- Ensure individuals have access to their own personal information.

Comments has been prepared for the general information of our clients. Specific professional advice should be obtained prior to the implementation of any suggestion contained in this publication.

info@soberman.com
