Did You Know?
Personal Information Protection Act (PIPA)
Submitted by: Cindy Greenway, Victoria Business Solutions
On December 2, 2003, I attended a presentation on the new Personal Information Protection Act that came into effect January 1, 2004. This Act applies to every organization – no matter how big or small.
For the purposes of the Personal Information Protection Act, an organization is defined as:
• a person
• a corporation
• a partnership
• an individual acting in a commercial way, but not an individual acting in a personal or domestic capacity or acting as an employee,
• an association that is not incorporated,
• a trade union,
• a not-for-profit organization, and
• a trust (except for a private trust for the benefit of friends or family of the individual who sets up the private trust).
The purpose of this Legislation is to “govern the collection, use and disclosure of personal information by organizations in a manner that recognizes both the right of individuals to protect their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances”.
As I mentioned above, this Act applies to every organization and means that organizations can only collect/use/disclose personal information when the individual voluntarily provides it on the basis of informed consent.
In order for consent to be valid, the organization must, on or before collection of the information, disclose to the individual:
• the purpose of the collection of the information
• if requested, contact information regarding the person in the organization who can answer questions re collection/use/disclosure.
Some advice around the Act:
• if you don’t need it, don’t collect it
• if you don’t need it any longer for the purpose for which it was collected, get rid of it (subject to the various statutory rules regarding retention of certain types of information).
• if you’re not sure that you have consent for a proposed use, ask for it.
There are a variety of considerations that need to be made in order to ensure that your business is complying with the Act. Adopting a policy, documenting consents from those you are collecting personal information on, tracking each time you disclose personal information to a third party, and establishing contractual and other safeguards are just a few.
What you should be doing NOW in order to comply with the Act includes:
• Adopt/Publish a Policy
• Conduct a Personal Information Review
• Designate a Privacy Officer
• Establish internal systems:
  o Safeguards
  o Tracking use/disclosure
  o Providing access/means to correct
Failure to comply with an order can result in a fine of up to $100,000. Where there is an order as a result of a breach of the organization’s PIPA obligations, any individuals affected have a cause of action for damages.
The Office of the Information and Privacy Commissioner for British Columbia website (http://www.oipcbc.org/) offers a variety of links and information to assist you and your business in complying with the Act.
Quick Links – Personal Information Protection Act information:
The Personal Information Protection Act
http://www.legis.gov.bc.ca/37th4th/3rd_read/gov38-3.htm
Ten Steps to Compliance
http://www.mser.gov.bc.ca/foi_pop/Privacy/Tools/PIPA_Tool_1.htm
Implementation Tools
http://www.mser.gov.bc.ca/foi_pop/Privacy/Tools/Tools_toc.htm
Contact Information:
Cindy Greenway, Virtual Assistant
Victoria Business Solutions
http://www.victoriabusinesssolutions.com