FREQUENTLY ASKED QUESTIONS


Q: To avoid serious costs in terms of legal liability and brand and customer/employee relations, why is it important for an organization to seek advice from a privacy expert with a legal background?

Legislation applying to all private sector organizations, including all businesses and not-for-profit organizations, is now in place. There are serious penalties for non-compliance. Beyond the penalties set out in the legislation itself, organizations have been sued for large amounts in damages where they have not exercised due diligence in protecting personal information. Class action lawsuits on this basis have occurred across North America. The requirements of Canadian private sector privacy legislation are complicated. Protecting an organization from liability with respect to its personal information practices requires in-depth legal expertise and specific privacy implementation experience, including experience in training staff in privacy compliance.

Q: In a nutshell, what are the general principles behind privacy regulations applying to corporations, not-for-profit organizations, and associations operating in Canada?

The overriding principle is that an organization must not collect personal information from any individual without that individual's prior knowledge and consent. In a nutshell, there are 10 key principles to which organizations must adhere:

  • accountability for the handling of personal information
  • identifying the purposes for the collection of personal information
  • obtaining consent
  • limiting collection
  • limiting use, disclosure and retention
  • ensuring the accuracy of records
  • providing adequate safeguards
  • developing information management policies and making them readily available
  • providing individuals with access to their personal information
  • putting in place complaint handling and access request procedures

Q: Does my organization need a privacy policy?

Applicable legislation in Canada requires the broad spectrum of private sector organizations, including associations and not-for-profit organizations, to have organization-wide privacy policies in place. Beyond reasons of legal liability, having privacy policies in place benefits an organization from a business perspective, including with respect to brand, customer relations, public relations, investor relations, funder relations (in the case of not-for-profit organizations) and human resources issues.


Q: What is "personal information?" Does my organization handle it?

Personal information is any information about an identifiable individual. It includes:

  • home address, phone number, and e-mail address
  • financial information including bank account information and credit card numbers
  • any health or medical information
  • the contents of a personnel file including performance reviews, letters of discipline, and biographical information
  • employment history and education
  • a photograph identifying an individual

Given the broad definition, it is virtually impossible for an organization to operate without the collection of some level of personal information. Accordingly, an understanding of privacy requirements is important for every organization.

Q: Apart from legal penalties, what “bottom line” effects is an organization likely to face if it does not adhere to general privacy principles?

Privacy protections are good business practice. Implementing them well will protect and increase the organization’s “bottom line”. Failure to implement them carries the serious risks of negative media coverage as well as negative customer relations, public relations, investor relations, funder relations (in the case of not-for-profit organizations) and human resources effects.

Information management, and in particular the implementation of policies and procedures for the management and protection of personal information, is also a best-practices and corporate governance issue.


Q: What legal penalties could an organization face if it does not comply with privacy requirements?

In Canada, Europe, and the United States, class action lawsuits have been filed against organizations whose failure to implement adequate privacy and security protections has led to financial losses or other damage. Damage awards in the millions of dollars have been sought. As incidents of information theft and identity theft are rising across Canada at a rapid rate, organizations are increasingly at risk of facing litigation as a result of any failure to protect the personal information they have collected.

Under the privacy legislation applying to private sector and public sector organizations in Canada, the enforcement authority will investigate all privacy complaints received, and has the power to conduct an audit of an organization’s personal information management practices.  The enforcement authority may publicly release the results of a complaint investigation or an audit.

Recommendations made by an enforcement authority following an investigation or an audit are enforceable by court order. In addition to the authority to enforce those recommendations, the court has the authority to order:

  • that an organization pay damages to persons affected by a violation of privacy requirements; and
  • that an organization’s violations of the applicable legislation be publicly reported.

There is no legislative limit on the amount of damages a court may award.


Q: Are there special requirements for personal information an organization collects from employees or job applicants?

Under the British Columbia legislation, the Personal Information Protection Act, a business, not-for-profit organization, association, or trade union operating in British Columbia must have privacy policies and procedures in place for all personal information it collects from employees, job applicants, volunteers, and work placement students. The Freedom of Information and Protection of Privacy Act also requires provincial public sector organizations to have policies and procedures in place to safeguard all personal information collected about job applicants and employees.

Employee privacy protections are also a legislative requirement for federally regulated organizations (i.e. organizations such as airport authorities, banks, shipping and telecommunications companies), as well as for organizations operating in Alberta and Quebec.


Q: Should my organization’s staff be trained in privacy requirements?

Under applicable privacy statutes, training staff handling personal information in privacy requirements is legally required.


Q: From a risk management perspective, what are critical basic first steps for all organizations to take?

  • Designate and train a privacy officer
  • Undertake an organization-wide audit of personal information
  • Develop a legally compliant privacy policy for the handling of information collected from employees as well as for the handling of information collected from persons external to the organization (i.e. clients, customers, investors, and donors)
  • Train all staff handling personal information