Written By Stephen D. Burns
Effective January 1, 2004, most organizations operating in Canada are required to ensure that they collect, use and disclose "personal information" in accordance with the applicable federal and provincial privacy legislation.
"Personal information" refers to any information about an identifiable individual. Personal information does not include information about a corporation nor does it include the name, title, business address or telephone number of an employee of an organization when such information is used or disclosed for business communications (federal and provincial definitions differ).
The federal Personal Information Protection and Electronic Documents Act ("PIPEDA") applied to most organizations effective January 1, 2004. Where a province enacts substantially similar legislation, the provincial legislation is expected to apply to activities within that province. PIPEDA is already in effect for federally regulated industries. Alberta, British Columbia and Quebec have enacted private sector privacy legislation.
The federal and provincial legislation are very similar, but do differ in a number of areas, resulting in a complex patchwork of privacy obligations that need to be addressed.
How Does Privacy Impact Your Business?
Subject to certain exceptions, the privacy legislation requires an organization, in part:
- to appoint a person within the organization to be accountable for the organization's privacy activities;
- to disclose the purpose and obtain the consent of an individual for the collection, use and disclosure by the organization of his or her personal information;
- to only use or disclose such personal information for the disclosed purpose unless it has obtained the individual's consent for the new purpose;
- to allow the individual to access his or her personal information, challenge the accuracy of same and to withdraw his or her consent to the collection, use and disclosure by the organization of his or her personal information;
- to safeguard the personal information in its custody or control;
- to implement privacy policies and practices; and
- to only retain personal information for as long as is reasonably necessary to fulfill the disclosed purpose.
The legislation impacts personal information already in existence, regardless of when, or where, it was collected.
The personal information of employees is subject to different requirements than non-employee related personal information and the federal and provincial legislation differ in their treatment of employee personal information.
Where an organization undertakes activities with respect to personal information outside of a single jurisdiction, the organization will need to determine in which jurisdictions it conducts its activities, the obligations (if any) under the privacy legislation in such jurisdictions and how the organization will develop its policies and practices to address those varied obligations.
Privacy Compliance can be a complex task requiring the organization to balance the need to comply with multiple privacy obligations with the need to adopt practical and manageable policies and practices.
How Does Your Business Become Privacy Compliant?
While every organization's approach to privacy compliance will need to be tailored to its specific activities and needs, at a minimum, an organization should consider:
- appointing an individual to be accountable in respect of the organization's privacy activities (often this individual is referred to as a Privacy Officer);
- assessing the organization's activities in respect of personal information;
- establishing policies and practices to govern the organization's activities in respect of personal information; and
- training the organization's staff in respect of its privacy policies and practices.
How Does the Privacy Legislation Impact Your Dealings With Third Parties?
Many organizations exchange personal information with other organizations and individuals. These exchanges can include the outsourcing of certain activities to third parties (such as benefits administration or data processing), the exchange of information between business partners and the transfer of information as a result of the purchase or sale of a business.
Each organization will need to review how and why it exchanges personal information with third parties and the agreements governing those information exchanges to determine if the privacy legislation will permit such activities to continue and if those agreements will need to be amended.
Outsourcing Risks
In addition to being responsible for their own compliance activities, organizations that use the services of third parties to handle personal information may be held responsible for the activities of those third parties. The federal legislation provides that an organization is responsible for personal information in its possession or control, including personal information that has been transferred to a third party for processing. The federal legislation goes on to mandate that the organization use contractual or other means to provide a comparable level of protection while the third party is processing the personal information.
British Columbia's private sector privacy legislation provides that an organization is responsible for personal information under its control, including personal information that is not in the custody of the organization. It is not limited to only information that a third party is processing.
The privacy legislation in Alberta provides that an organization is responsible for personal information that is in its custody or under its control and that, where an organization engages the services of a person, whether as an agent, by contract or otherwise, the organization is, with respect to those services, responsible for that person's compliance with that Act.
As a result, organizations are well advised to fully review the activities of their service providers with respect to the organization's personal information, and to ensure that their agreements properly protect the organization by requiring service providers to comply with the legislation and by allowing the organization to look to its service providers for indemnification should a problem arise.
Some organizations are already amending their agreements and/or imposing privacy obligations on the organizations with which they deal. Accordingly, where the organization is the one providing the services, it should be vigilant and not accept such obligations until it understands the nature of the obligations being imposed.
Transaction Risks
The obligation to only collect, use or disclose personal information when the organization has the consent of the individual to such collection, use or disclosure extends to any disclosure or collection activity related to any purchase, sale, merger, amalgamation, securitization or other transaction involving the organization (a "business transaction").
The federal privacy legislation does not include an exemption from the requirement of consent to the disclosure of personal information in the context of a business transaction. The British Columbia and Alberta legislation each contain exemptions from such a requirement provided that certain conditions are met.
British Columbia's exemption is only available for personal information related to employees, customers, directors, officers and shareholders of the organization and requires that such individuals be notified that the business transaction has taken place and that the personal information was disclosed. The legislation also requires that the parties to a prospective transaction who wish to rely upon the exemption enter into an agreement that limits the use of such personal information.
Alberta's exemption is not limited to the personal information of certain categories of individuals and instead applies to all personal information to be transferred in the course of the business transaction. The Alberta legislation does not require that the individuals be notified of the transaction but does require that certain agreements be entered into by the parties to a prospective transaction and the parties to the transaction should it proceed.
In both Alberta and British Columbia, should the business transaction not proceed, the personal information disclosed must be either returned or destroyed. In addition, the legislation in each province restricts the purposes for which the transferred personal information may be used or disclosed. Accordingly, where the organization wishes to rely on an exemption, care must be taken to ensure that the organization complies with these requirements.
Organizations are well advised to consider the need for consent to the transfer of personal information as part of a business transaction and the requirements of the various exemptions to such consent requirement when designing the structure of the transaction. Careful planning to take advantage of one of the exemptions to the consent requirement can significantly reduce the costs of privacy compliance associated with a business transaction.
Please note that this publication presents an overview of notable legal trends and related updates. It is intended for informational purposes and not as a replacement for detailed legal advice. If you need guidance tailored to your specific circumstances, please contact one of the authors to explore how we can help you navigate your legal needs.
For permission to republish this or any other publication, contact Amrita Kochhar at kochhara@bennettjones.com.