Thursday, May 20, 2010

Personal Information - Use with Caution

Databases are the backbone of twenty-first century enterprise. Some well-publicized gaffes and changes in policies on the part of Google and Facebook have generated a renewed interest in the fact that the social media and search engine industries have access to, and use, the significant amount of personal information about individuals that is in their databases. But let's not forget that banking, other financial services and large retail also have enormous databases of personal information.

This post is not going to debate the “goodness” or the “evilness” of this situation: the broader media are having a field day with that. I am going to set out a quick refresher on the basic rules governing the collection and use of personal information in Canada.

No private enterprise operating in Canada has free rein in its use of personal information. There are variations on a theme in the provincial legislation of Alberta, B.C. and Quebec and there are additional laws regarding health information in most of the provinces, but the basic tenets of privacy legislation affecting private enterprise in Canada are very simple. They are outlined in Schedule 1 to the Personal Information Protection and Electronic Documents Act [the legislation can be found at: http://laws.justice.gc.ca/eng/StatutesByTitle ]. I am summarizing the guiding principles below, but you should, at a minimum, actually read Schedule 1.

Organizations are accountable for the personal information that they have in their possession or within their control. They have to have policies, procedures, guidelines and training regarding the handling of personal information. An organization must inform the public about these policies, procedures and guidelines. It must give an individual access to the personal information about that individual that is within its possession or control. The organization must have a complaints procedure (more details below) to handle individuals’ concerns with respect to their personal information.

With limited exceptions, companies have to have the individual’s consent to collect and use personal information. The consent has to be for the specific use for which the information is being collected. An organization cannot use the personal information it collects for a specific purpose for another purpose unless it obtains consent for that other purpose.

The personal information collected has to be accurate, complete, safeguarded and retained only for the period of time necessary to fulfill the purpose for which it was collected. When it is no longer required for the purposes for which it was collected, it must be destroyed or made anonymous.

Individuals have the right to find out what personal information an organization has about them and who has access to it. Individuals may request access to their own personal information held or controlled by an organization, and are entitled to require that any corrections be made to the information to the extent it contains any inaccuracies or is incomplete.

To the extent individuals believe their information is being misused or that their access is being improperly denied, they can utilize the organization’s complaints procedure, which procedure must note how the individual can make a complaint to the Privacy Commissioner of Canada.

Seems pretty simple, doesn’t it?

However, when you introduce the Internet into the equation, with its ability to proliferate and disseminate information globally and exponentially, complicated issues emerge.

If I terminate a social media service, how am I assured that they do eradicate the personal information that I no longer consent to be made available? Why, when I want access to a specific service such as cell phone service, do I have to consent to them sharing information with their affiliates? What happens if there is a breach in the safeguards exposing my personal information? This is what businesses and privacy watchdogs are struggling with now in real time.

Privacy laws are constantly being tweaked to address recurring issues: e.g. mandating certain notifications in the event of actual and potential exposure of personal information; requiring companies to advise persons if their information is going to be transferred outside of Canada (May 1, 2010 Personal Information Protection Act (Alberta)).

So, with the current attention on the problems associated with data breaches, you want to minimize the bad publicity that ensues. If you operate a business in Canada, understand what your current obligations are, keep up with the legal developments, and review and revise your policies and procedures on the use and handling of personal information on a regular basis.