Canadian privacy laws have continued to evolve to protect the personal information of individuals. In 1983, the Canadian Government enacted the Privacy Act, which imposed privacy obligations on some 150 federal government departments and agencies with respect to the collection, use, and disclosure of personal information. On January 1, 2004, the Canadian Government's Personal Information Protection and Electronic Documents Act (PIPEDA) was extended to apply to all organizations engaged in commercial activities. On November 1, 2004, the Ontario Government enacted the Personal Health Information Protection Act (PHIPA), which governs the collection, use and disclosure of personal health information.
The basic premise of PIPEDA is that, if an organization is subject to PIPEDA, the knowledge and consent of the individual are required before personal information about that individual may be collected, used or disclosed by the organization. The purposes for which the organization wishes to collect, use and disclose personal information must be identified to the relevant individual (preferably at or before the time such information is collected) and such purposes must be documented by the organization.
The form of consent required from the individual depends upon the sensitivity of the personal information involved. In some cases express consent must be obtained while in others implied consent may be sufficient. Consent can be obtained in writing or orally.
Consent should be obtained by the organization just before the personal information is collected. In other cases, consent can be obtained after collection but before use or disclosure occurs – for example when personal information will be used for a different purpose than the purpose for which it was collected.
There are also a number of limited circumstances set out within PIPEDA where consent need not be obtained. For example, consent is not required when disclosure is to a lawyer representing an organization. However, there is no exception for disclosure to accountants, bankers, or other third-party service providers.
In practical terms, PIPEDA requires every organization to draft and issue a formal privacy policy and appoint a chief privacy officer to oversee the organization's compliance with PIPEDA. Most organizations will also need to conduct a complete audit of what personal information the organization already has in its databases and file cabinets and develop privacy procedures not only to obtain consent to use previously obtained personal information but also to obtain consent when dealing with new customers. In addition, organizations must be prepared to respond effectively to requests from members of the public for access to their own personal information within the control of the organization.
We have legal counsel who can guide you through the myriad of privacy laws and regulations. Our services include:
Privacy
- Conducting privacy law audits of organizations
- Advising how to comply with PIPEDA, PHIPA, and provincial privacy statutes
- Drafting privacy policies and privacy consents
- Advising with respect to requests by individuals for access to their personal information
- Drafting privacy terms and conditions to be contained in third party disclosure agreements
- Drafting privacy terms for websites
- Advising with respect to the transfer of personal information to the US or the EU
Enforcement
- Responding to complaints asserted by the Privacy Commissioner