1. Designate a Privacy Officer
Every organization subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) is specifically required to designate an individual who is accountable for its compliance with the Act (often called a Privacy Officer), and to make the identity of the Privacy Officer known on request. Contact information for this individual should be prominently posted on your website, and your customer service representatives need to know this information or how to direct customers to it.
2. Train staff about privacy
Put basic information on privacy protection responsibilities (and the designated privacy officer contact info) in tools and training for staff, especially customer service representatives and staff designing new customer products or forms, or new record keeping systems.
3. Take responsibility for employee actions
Sometimes employees disregard policies related to privacy (deliberately or by accident). Organizations must be aware that employee error is not an excuse for PIPEDA violations; it is not enough just to have privacy-sensitive policies. To meet your PIPEDA responsibilities you need safeguards that reinforce these policies, which may include: staff training/retraining, consequences for not following procedures, limits on employees’ access to personal information where they don’t need access, and/or safeguards against mass copying of information to portable devices (if warranted).
4. Limit collection of personal information
PIPEDA requires businesses to ask for the least amount of personal information to meet the purpose of providing the product or service and to clearly tell customers why they are collecting it. You may ask for information that goes beyond the purpose of providing the product or service if you make it clearly optional; or you may ask for consent to use information for secondary purposes, such as marketing, if you make it optional.
5. Make SINs optional
Make it clear (on all forms and with staff training) that customers don’t have to provide a Social Insurance Number (SIN) to access products or services (unless there is a legal requirement to collect the SIN). A SIN is not required to do a credit check.
6. Driver’s licenses – you can look, but don’t record
If you need to validate an individual’s address or identity, it is generally acceptable to examine a driver’s license, but you should not photocopy or record the driver’s license number, except in rare circumstances. This number is sensitive and valuable to those who intend to commit identity crimes.
7. Tell customers about video surveillance
Even if you are not retaining the footage, video surveillance constitutes collection of personal information, so you should only use it if you have a real need to do so. You should also post clearly visible signs to let people know that video surveillance is being used, and to give contact information for complaints or questions about surveillance.
8. Protect personal information
If you decide to collect personal information, you should use safeguards proportional to the sensitivity of the information. For example, be particularly careful with health and financial information, or information that would facilitate identity theft. As well, avoid collecting and keeping any personal information if you don’t need to (e.g. check someone’s identification, but do not keep a copy), but if you do keep it, lock it up. Encrypt any laptops, hard drives, mobile devices and USB keys that may contain personal information.
9. Respond to access requests
Your customers (and your employees if you are a ‘federal work, undertaking or business’) are entitled to access any information you have that is related to them as an identifiable individual – within 30 days and at little or no cost. This includes written information, and video and audio records. When responding to access requests, you should protect the personal information of third parties and know there are some exceptions to the right of access.
10. Be up front about your collection and use of personal information
If you are not able to specifically explain why you need a particular piece of personal information, you increase the chances of your customers being wary of your practices.
Lastly, feel free to call us at 1-800-282-1376. The OPC is mandated to balance the protection of privacy with the legitimate needs of businesses – we’re here to help.
- Getting Accountability Right with a Privacy Management Program
- Privacy and Online Behavioural Advertising
- Your Customers’ Driver’s License – Do You Need It?
- Guidelines on Overt Video Surveillance in the Private Sector
- Securing Personal Information: A Self Assessment Tool for Organizations