Are you ready for PIPEDA?

It hardly rivals Y2K as a hard deadline, but that doesn't mean you can put compliance off any longer. Jan. 1, 2004, is almost here and the clock is ticking. What does your company need to know to be ready?

Whenever Murray Long gives a seminar, the Ottawa-based privacy consultant and author of The Canadian Privacy Law Handbook asks his students if they remember Bob and Doug McKenzie. The infamous Canadian brothers who coined words such as "hoser" and "take off, eh" were often portrayed looking for a cigarette butt in the bottom of a fresh bottle of beer. They wanted a free case out of it. And, Long says, they're actually a good illustration of what may become increasingly common in today's electronic privacy landscape. Put simply, they were looking for the big payoff.

Effective January 1, 2004, all private sector organizations, from small mom-and-pop dry cleaners to behemoth corporations like IBM, must become compliant with the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), which brings with it new rules for protecting the privacy of personal information. If your company collects personal information from clients for almost any reason, you must demonstrate that you are protecting that information and using it the way you say you are. Quebec businesses have had to comply with their own provincial legislation for years, and federally regulated companies such as banks and airlines have had to comply with the federal government's PIPEDA since January 1, 2001. British Columbia and Alberta have similar legislation in the works.

There are any number of reasons why compliance is important from a business point of view: avoiding damage to your company's reputation; bad press; damage to your brand or business relationships; or employee or customer distrust. But one of the most compelling reasons remains that by having a privacy policy in place--and, even more important, a procedure to back it up--you can keep at bay people who are using PIPEDA as leverage to challenge a company's decision or to gain financial compensation for breach of privacy, Long says. "There might be a class of people out there who are looking at this law from that point of view. Here's a way I can make some money. If I can find something that this company is doing wrong, there could be some financial reward in it for me," he says, stating that many of the banks have already discovered this fact. He says there might come a time when lawyers will also use PIPEDA in class action suits where multiple clients feel their privacy has been violated.

So how can companies protect themselves? "Do the right thing," says Long. "Be as transparent as possible." And become compliant with PIPEDA.

Nine easy steps to compliance

If only it were that easy. Unfortunately, becoming compliant with PIPEDA takes time, resources and expertise. Even small business owners aren't exempt if they collect data on their customers. But Terry McQuay, president of Toronto-based Nymity Inc., a company that helps its clients become PIPEDA compliant, says the best way to cut your risk is to be thorough and follow these steps:

1. Assign an employee responsible for the PIPEDA compliance project or for privacy in general. This is often called the privacy officer. This person learns more about PIPEDA and privacy issues by attending conferences and seminars and by becoming self-educated.

2. Set up a task force to help the privacy officer. These people should be stakeholders from different business units who, together, can give him or her a bird's eye view of the entire company. The task force members must become educated too, then identify where personal data is stored.

3. Create a questionnaire. This 30- to 40-question document should cover everything from how the company collects information to what kind of consent clients are giving. (See sidebar, Privacy Principles, for more information.)

4. Look through all of the information collected to get an honest sense of how privacy has been handled to date--as opposed to how it was supposed to be.

5. Develop a gap assessment and compare it to the PIPEDA legislation, your own company policy or a combination of both.

6. Do a risk assessment. Ask yourself: what would happen to this company if we mishandled privacy? How would it affect our business? How would it affect our clients?

7. Develop company policy and procedure from all the information and implement it. This could involve changes to what information is collected or how your organization obtains consent. It may involve changes to customer and third-party contracts and to your e-commerce data collection processes.

8. Educate employees using the new material.

9. Think long term and develop a privacy office. In fact, assigning a privacy officer is a regulatory requirement. In 2004, an organization will require a privacy office to handle customer requests for access to their information.

It's also important to ensure that all suppliers you do business with are also compliant with PIPEDA. Your contracts should require this to ensure liability stays where it belongs. "Many organizations are trying to shift the liability for mismanaging customer information," McQuay says. And in some cases, not only do you have to say you're compliant, but you must prove it. Some contracts even state that Company A can conduct an audit on Company B before the contract takes effect.

Becoming PIPEDA compliant is a complex process, and while some companies do try to handle it on their own, many more turn to their lawyers, consultants and companies like Nymity to get the job done. "Companies can do all these things themselves, but they often need expertise in certain areas," McQuay says.

Following through

One of the biggest mistakes companies can make is to develop a privacy policy and not back it up. Without procedure, says Bradley Freedman, a lawyer with Borden Ladner Gervais LLP in Vancouver, a policy is next to useless. In fact, some companies publish their unsubstantiated policy on their Web site. "But they don't make sure they themselves comply with it. They haven't established the internal procedures to ensure that there is compliance. That approach presents risks," he warns.

There are other risks that go beyond PIPEDA. In the past, there have been U.S. cases in which companies were slapped with complaints about misleading advertising. These companies claimed they were handling their clients' personal information in one way, then turned around and did something else.

But following through can mean something else entirely. A new California law that went into effect on July 1, 2003, requires organizations to give notice of computer security breaches that result in the unauthorized disclosure of certain unencrypted personal information. While there is no law like it in Canada, there are some instances in which Canadian companies have statutory, and in some cases common law, duties to also disclose security breaches, says Freedman. The fact that the California law applies only to unencrypted material is telling. While there is no law in Canada today that tells companies what kind of software technology they should put in place to protect their data, the California law comes very close. "Really, what it's meant to do is say to organizations, 'If you want to avoid the shame of disclosing that there's been a security breach, you can avoid that obligation simply by ensuring the information is encrypted,'" he says, before recommending that Canadian businesses follow suit.

PIPEDA and the public

While industry can hardly admit to loving PIPEDA--in the short term it means cutting into the bottom line and tying up personnel--some are wondering if PIPEDA will even be enough to keep the public happy. Some experts say it will hardly make a difference. Most people simply won't know the law even exists.

But Long isn't so sure. People fit into three categories, he maintains. There are the "privacy fundamentalists" who are paranoid about how their personal information is being used. There are also the "privacy unconcerned" who don't care what happens to their data. And then there's the rest of the population--the "pragmatists"--who are becoming increasingly concerned about their privacy. Long says it's this group that is growing--and that can only mean more complaints to the Privacy Commissioner and more requests to companies to see their files (something that is granted under PIPEDA). "With this law in place, I think you'll find there are enough people challenging information use by businesses to keep the Privacy Commissioner's office very, very busy--and keep a lot of businesses on their toes," says Long.

McQuay agrees, remembering when the Privacy Commissioner of Canada presented its PIPEDA marketing campaign in March 2001. These ads let the public know they could check the information about them held by federally regulated businesses in order to verify and correct it. The result was that the banks saw an increase in the number of costly enquiries. "Is PIPEDA helping (quell fears), or creating more visibility?" he asks. There is something positive from a company's standpoint, however, he says. While PIPEDA may not ultimately do much to keep the public happy, it does help businesses build customer trust through their compliance program.

The deadline connection

Although PIPEDA is driven by a deadline, few experts think there will be a mad rush at the end to try to be compliant before the ball drops on New Year's Eve like there was for Y2K. For starters, the deadline is soft. The legislation is dependent on a complaint-driven process, so if a company avoids being fingered, it can probably keep humming along for some time before there are repercussions. "It's always going to be either a marketing or regulatory issue," says Shane Mason, the principal security consultant for Guardent, a security services and consulting company with an office in Toronto. "Am I going to be hurt in some way or am I going to benefit? It's the carrot and the stick."

Unfortunately, it will be crisis situations where clients become complainants that will force some companies to comply with PIPEDA, says Long. And this inaction could make for a very costly oversight. "To what extent should an honest mistake only require an honest apology and a correction of it? For some people, that's fine. For others that's simply not enough--and they'll be wanting some money on the table as well," he says.

Privacy Principles

The privacy provisions in PIPEDA are based on the Canadian Standards Association's Model Code for the Protection of Personal Information, recognized as a national standard in 1996. Does your company follow them today? The code's 10 principles are:

1. Accountability: An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.

2. Identifying Purposes: The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

3. Consent: The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except when inappropriate.

4. Limiting Collection: The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

5. Limiting Use, Disclosure, and Retention: Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by the law. Personal information shall be retained only as long as necessary for fulfillment of those purposes.

6. Accuracy: Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

7. Safeguards: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

8. Openness: An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

9. Individual Access: Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

10. Challenging Compliance: An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.

Kira Vermond (kira@vermond.ca) is a Toronto-based freelance writer.