navigation

• Home
• Photos (on Flickr)
• Archives
• Work

good reads

• Digital Parade
• Dunstan
• John
• Elfur
• Garrett
• Neuro
• Heather

internet stuff

• evolt is the best web community out there.
• listen to joel. he knows.
• Cluetrain Manifesto
• A List Apart
• Ask Tog
• Making a Commercial Case for Adopting Web Standards

02/07/2004 Archived Entry: "Canadian Privacy Law Affects Web Site Owners"

This article is based on one from my main business site. It was originally intended as advice for clients, but, who knows, it might apply to you. Oh yah, and if your company is from outside Canada, but does business in Canada, the law applies to you too.

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law that came into effect in 2001 for federally regulated industries but since January 1, 2004 it now affects all commercial activity where personal information is collected. If you have a web site for your business this means you. It makes no difference where your server is hosted - the government can impose consequences upon businesses within Canada for actions that occur outside of Canada. Since virtually every web site collects information of one sort or another, it may now be time to review (or write) your privacy policy.

What is "personal information" anyway?

According to this law personal information is "any information about an identifiable individual except the name, title, business address and business phone number of an employee." The following is considered personal information:

• age, name, ID numbers, income, ethnic origin, or blood type
• opinions, evaluations, comments, social status, or disciplinary actions
• employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs)

What personal information does a web site gather?

Most web sites gather large quantities of data. For example, your web statistics program will track each person that visits your site. It can tell you which pages they visited, how long the looked at your web site for, what time and day they came to visit and if they've been to your site before - and that's just the start of the information that can be gathered from web statistics programs. But statistics programs aren't the only ways that a site can gather information. If you have a poll or a survey on your site - then you are gathering information. If you have any kind of a form that visitors fill out, then you are gathering information. If you sell anything from your site then you are gathering information - and this is usually sensitive personal information. So not all information that your web site gathers will be personal information - but it may be prudent to explain to your visitors what information is gathered and why - regardless of how personal the information is.

What does the law say I have to do?

Consent

• You must have consent to gather personal information.
  • There is implied consent for general non-sensitive information, so if you are gathering general information a privacy policy posted on your site is probably okay.
  • But you must get specific consent for sensitive information. So, for example, if you are collecting information about people's earnings or their social insurance number, you need to specifically ask for permission to take that information before you collect it and you must say what you are going to do with it.
• You can only collect information that most people would consider reasonable and appropriate. It's best to err on the side of caution, so explain what you are taking and what you are doing with all the information you take.

Existing Information

• If you have an existing database of customer information, a point to consider is that information already collected cannot be used now without consent. So you'll have to ask permission to use information you already have.

Privacy Policies

• You must appoint a privacy officer to ensure privacy compliance.
• You must have detailed policies and procedures for dealing with privacy. This is good practice in any case even if you aren't collecting personally identifiable information.

Limitations and Complaints

• You must:
  • limit collection to what's necessary,
  • limit disclosure to only those employees that need to know,
  • keep the information only as long as necessary,
  • maintain accuracy of information and
  • maintain security measures against loss, theft, disclosure, etc..
• Anyone who requests it must be given access to their personal information within 30 days.
• You must receive and respond to any complaints against you by individuals in regards to privacy legislation.

What should I do now?

Talk to your lawyer and your web designer or developer. It may not be a crisis situation. You should probably have a privacy policy, but that's not too hard to develop. And you should consider the implications of this law on any projects that you plan for the future. So that's the skinny on the new privacy law.

RESOURCES

• Office of the Privacy Commissioner of Canada (http://www.privcom.gc.ca/index_e.asp)
• PIPEDA on the Web (http://www.pipeda.org/)
• Industry Canada - Privacy for Business (http://privacyforbusiness.ic.gc.ca/)