The Western Jewish Bulletin
Serving British Columbia Since 1930

October 24, 2003

Privacy act will change business

New legislation will govern the collection, use and disclosure of a broad spectrum of personal information.
RYAN BERGER AND HOWARD EHRLICH, SPECIAL TO THE JEWISH BULLETIN

A new topic has percolated to the top of the agenda of small businesses and large multinational corporations alike: the protection of personal privacy. What's a company or charity to do about the legislation headed their way?

What is going on?

British Columbia's newly drafted privacy legislation, the Personal Information Protection Act (PIPA), was introduced in the British Columbia Legislature on April 28, 2003, as Bill 38. The bill was passed during the fall session of the legislature and its provisions are expected to come into force on Jan. 1, 2004.

The impetus for this new B.C. legislation comes from Europe, where, in the past two years, the European community has made plans to restrict the activities of companies doing business in countries without strict privacy laws, essentially forcing countries that want their companies to operate in Europe to adopt Euro-style privacy laws. Canada signed on and the federal government has, in turn, required that the provinces enact their own, equivalent standards, or operate by Ottawa's rules beginning on Jan. 1, 2004.

PIPA will govern the collection, use and disclosure of a broad spectrum of personal information, including information about employees, volunteers, customers, contractors, suppliers, donors and members, among others. It will apply to businesses and not-for-profit organizations alike. PIPA will also provide any individual, including employees and volunteers, with the right to access, and reasonably correct, personal information held about them, subject to certain exceptions.

PIPA defines "personal information" broadly to include nearly any information about an identifiable individual. Subject to certain exemptions, in order to collect, use or disclose personal information, an organization must have a reasonable purpose for the collection, use or disclosure, that purpose must be stated up front and the individual giving the information must consent to its collection, use or disclosure.

If the sweeping import of this legislation hasn't quite sunk in yet, it might help to take a few minutes and actually think about every aspect of your business in which personal information is used. Think beyond the employment files to all kinds of marketing and other information collected at point of sale. Think about the donor lists and outreach and marketing information collected and shared by community organizations.

Good for business

People take their privacy seriously. British Columbians have rated the protection of personal information as the second most important issue in the province, ahead of the environment or crime. This public unease is costing businesses dearly: it's been estimated that as much as $15 billion in e-commerce sales are lost annually as a result of customer concerns over the security of their personal information.

Consumers and donors are likely to be drawn to companies with clear and effective privacy policies, while organizations that refuse to properly address concerns about the protection of personal information may be hurt, and hurt badly, through lack of consumer or donor confidence, negative customer comment (itself a blossoming Internet phenomenon) or from fines for failing to comply with the legislation.

All businesses and not-for-profit organizations, especially those for whom the collection, use or disclosure of personal information is part of their core operations, are strongly encouraged to discuss this legislation with professional advisers familiar with this emerging field.

Where to begin?

Here are some practical steps that organizations can take in order to be properly prepared by the Jan. 1 deadline.

Designate a privacy officer or individual who will bear the responsibility of dealing with privacy matters for the organization. The name, position and contact information of this person must be made available to the public. Depending on the size of the organization, the individual may be employed solely to deal with privacy or may be a manager or other individual with knowledge of and access to the organization's information.

Take an information inventory. The privacy officer should catalogue all of the personal information handling practices, including ongoing activities and new initiatives. The officer should identify, among other things, the types of information collected and their sources, how and why the information is collected and what it is used for, where the information is stored, who has access and what security measures are in place.

Develop policies and procedures. After completing the inventory of current privacy practices, organizations should develop and implement privacy policies and procedures. These will include readily available and transparent policies and practices that deal with principles of information practices; obtaining consent for the collection, use and disclosure of personal information; how, when and why personal information is collected, used and disclosed; limiting use and disclosure; dealing with appropriate retention and destruction; dealing with requests for access to personal information; accountability; maintaining accuracy and correcting personal information; and implementing safeguards.

In addition, organizations must, on request, provide any individual (including an employee) with the information the organization holds about that person, as well as an explanation of the manner in which that information has been used and to whom it has been disclosed. It is vital that organizations develop and maintain an effective internal system of tracking the collection, use and disclosure of personal information, including employee personal information.

Get the message out. Develop appropriate documents for disseminating information on privacy policies and obtaining consent, such as customer brochures, a public customer policy, an employee policy and forms for responding to enquiries and complaints.

Train staff to manage and protect the privacy of personal information. It is crucial that front-line staff understand and are able to communicate the purposes for collecting personal information, as individuals must know the purposes for which the information will be collected, used or disclosed in order to give proper consent for its collection, use or disclosure.

Follow up. Regularly monitor and review the privacy compliance system of your business or organization to ensure that it is working effectively to secure privacy of personal information and reduce risks to the organization.

These are of course general suggestions. It may sound self-serving coming from a lawyer, but it needs to be said: If your organization doesn't have a plan in place for dealing with PIPA, you should consult with your professional advisers soon, as 2004 is just around the corner.

Howard Ehrlich and Ryan Berger practise in the labor and employment group with the Vancouver law firm of Bull, Housser and Tupper. Berger also practises in Bull, Housser and Tupper's commercial litigation department. For more information on privacy issues, you may contact Berger at 604-641-4956 or Ehrlich at 604-641-4901. More information is also available on Bull, Housser and Tupper's Web site at www.bht.com. A version of this article was originally published in Business in Vancouver.
