Privacy is important to everyone. Clients and customers often take safekeeping of their personal information into account when choosing and approaching businesses. To be trustworthy to clients and, more importantly, compliant with the law, it is important to understand an organization’s obligations under privacy laws when collecting and storing its clients’ personal information.
There are two (similar) privacy laws that apply to private sector organizations in British Columbia. The applicability of each will depend on the nature of the organization’s business.
Broadly, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) applies to organizations in British Columbia that operate commercially across provincial or national borders; and the provincial Personal Information Protection Act (PIPA) applies to all other private sector organizations in British Columbia.
For example, PIPA applies to VALC because our firm is a private organization in British Columbia. However, PIPEDA does not apply to VALC unless our firm undertakes commercial activities across borders.
There may also be circumstances where these laws apply to British Columbia organizations concurrently. While there are important differences between PIPEDA and PIPA, they both regulate organizations’ collection, use, disclosure and storage of personal information.
The applicable privacy laws regulate four key ‘operations’ in relation to personal information: collection, use, disclosure and storage. Organizations, including law firms and other businesses, have certain obligations under privacy law when performing any one of these operations with personal information.
So, what is personal information? Personal information is the type of information regulated by PIPA (and privacy laws generally), and broadly means information about an identifiable individual, other than “contact information,” such as an individual’s name or title, and business phone number or email address.
In order to identify personal information before collection, the organization should ask: “does this information identify an individual?” and if not, “could this information, when combined with other information, identify an individual?” If the answer to either question is “yes”, that information is the personal information of that individual.
It is essential that businesses are conscious of their obligations under the applicable privacy laws. Some of the key obligations for an organization in handling its clients’ personal information include:
- obtaining the client’s express consent before collecting their personal information;
- collecting, using, and disclosing personal information only for a purpose that is reasonable and that fulfils the purpose for which the information was collected;
- making a reasonable effort to ensure that personal information is accurate and complete;
- protecting the personal information in its custody; and
- destroying personal information in its custody when the purpose for which that information was collected has been fulfilled and its retention is no longer necessary.
This blog contains only a general discussion of privacy-related issues. Privacy law in Canada is nuanced, complex and highly fact-specific. Please seek legal advice in respect of your privacy practices, policies, and procedures.
Written by: Olivia May Jang (June 1, 2022)