The Covid-19 pandemic has accelerated the transition to a more digital workplace. Now, it is more convenient than ever before to store and process data, including personal information. With this transition comes a good opportunity to revisit an issue that all Canadian business owners should keep in mind: data privacy. This is part one of a three-part series.
Prior to collecting, using, or disclosing personal information in the course of a commercial activity, a business must take into account its obligations under the federal government’s Personal Information Protection and Electronic Documents Act (PIPEDA) and other mandates.[1] PIPEDA describes a “commercial activity” as an act or conduct that is of a commercial character. This may include selling, leasing, or bartering. “Personal information” means information about an identifiable individual. Information will be “about an identifiable individual” where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other information [Gordon v Canada (Health), 2008 FC 258 (CanLII) at para 34].
It is important to note that this is an expansive definition and includes factual or subjective information about an identifiable individual, whether recorded or not. Less sensitive personal information includes ages, birthdates, and addresses. More sensitive personal information includes ethnic origin, religious or political beliefs, and medical and financial information. Some less intuitive types of personal information include opinions, evaluations, comments, and social status.
Two main exceptions to what would normally be considered personal information include: (1) employee information, such as telephone number and email used solely in relation to his/her employment, business, or profession; and (2) personal information collected, used, or disclosed by organizations solely for journalistic, artistic, or literary purposes.
It should be clear by now that most, if not all, businesses may receive some of this information at any given moment. Therefore, it is required under statute for business owners to have a proactive plan (usually referred to as a “privacy policy”) in place to ensure that they are in compliance with their data privacy obligations. Part two of this series will outline the importance of privacy policies.
Over the years we have helped companies of all sizes with their business law needs. We have a robust understanding of the legal intricacies and what it takes to stay on the right side of the law. If you would like to connect with our team, please contact us by email or telephone.
[1] Including, potentially, the Ontario government’s Personal Health Information Protection Act as it relates to healthcare information received by health information custodians; and the European Union’s General Data Protection Regulation as it relates to data protection and privacy in the European Union.