Three months after federal privacy legislation came into effect, experts point to a startling number of Canadian companies that don’t know how to comply with it.
The Personal Information Protection and Electronic Documents Act (PIPEDA), which became official on Jan. 1 of this year, is a minefield for companies that don’t understand the difference between the confidentiality of personal data and the collection of that data.
The Act extends rights to individuals who control the collection, use, and disclosure of their personal information by organizations in the course of commercial activity.
“People are not aware of the depth, the breadth, the magnitude of it,” said Ian Turnbull, executive director of the Canadian Privacy Institute, a consultancy that helps companies dealing with privacy compliance and the challenges of meeting the legislation’s requirements.
“A lot of people are turning to their lawyers and their lawyers are giving them legal advice as opposed to practical advice . . . They’re not getting enough (information) and what they’re getting is confusing.”
A privacy tool developed by the Enterprise Wide Task Force of the Canadian Institute of Chartered Accountants (CICA) and the American Institute of Certified Public Accountants (AICPA) aims to furnish Canadians with privacy information and put it in context.
The 70-page best practices guide is designed to help companies comply with PIPEDA, as well as any relevant provincial and international privacy legislation.
“It gives you the baseline best practices and then tells you where you have to supplement those to address unique specific requirements of one or more pieces of legislation,” said Robert Parker, a partner with Deloitte’s enterprise risk practice and one of the guide’s contributors.
Using the guide, companies can prepare for PIPEDA, as well as privacy legislation like Bill 44 in Alberta, Bill 68 in Quebec and Bill 38 in British Columbia.
“They’re kind of concerned about what they should do to make sure they’re meeting the requirements of the legislation. This (guide) is mapped with the legislation. We have completed a mapping in Canada with the assistance of the University of Waterloo,” he said.
Even companies that believe they are compliant with PIPEDA may only be paying it lip service, said Parker. There is a difference between writing a corporate-wide privacy policy and having not just your employees but your back office systems adhere to it.
“This (guide) walks them through the methodology to make sure they’re not going to get into the position where somebody’s going to say, ‘Your policy says you do this, yet you do not.’ That can be pretty damaging to an organization’s reputation,” said Parker.
Ontario’s Privacy Commissioner Ann Cavoukian has endorsed the CICA guide. “One thing that the commissioner has found as she’s spoken to businesses is that (they) are looking for ways to help them comply with PIPEDA,” said Brian Beamish, director of policy and compliance in the commissioner’s office.
Ontario legislation in question
“PIPEDA sets down some general principles for managing personal information and it’s sometimes difficult to transfer those general principles in what can be a complex business situation,” added Beamish.
Ontario-specific privacy legislation is currently in limbo. The Ontario Conservative Party released a consultation draft of such legislation in 2002, but it did not proceed. There has been no indication that it will go ahead, now that Ontario is governed by the Liberal Party.
Turnbull said it could be another year before such legislation exists. He said that he’s even heard that some Ontario companies are waiting for provincial legislation before proceeding with a privacy strategy — not knowing they should already comply with PIPEDA.
Turnbull emphasized the need for more practical solutions. “Organizations just don’t have a good handle on the information they have,” he said. The downfall of federal privacy commissioner George Radwanski, who resigned last year, hasn’t helped, he said, along with a changing of the guard in the Prime Minister’s office and numerous provincial elections.
“When the second hand swept by Jan. 1, 2004, it started privacy for the whole country, and privacy is not going to go away,” said Turnbull.
While a federal court could levy fines and jail time as penalties for not complying with privacy legislation, agencies such as the Canadian Privacy Institute warn greater damage could be done. All court proceedings would be public, and negative publicity may be the result.