When does an organization need consent to collect, use or disclose personal information?

The Personal Information Protection and Electronic Documents Act (PIPEDA) regulates the use, collection and disclosure of personal information by federal institutions and commercial organizations in the course of commercial activity. Commercial activity includes any transaction, act or conduct that is of a commercial nature. The term “organization” includes private businesses, associations, partnerships, people and trade unions. PIPEDA generally does not apply to not-for-profit and charity groups, associations or political parties unless they engage in commercial activity.

If a province has enacted legislation that is substantially similar to PIPEDA, the provincial statute will apply instead. Currently, PIPEDA applies in Saskatchewan.

Organizations must obtain a person’s consent when they collect, use or disclose the individual’s personal information. Personal information includes the following information about an identifiable individual:

  • Age, name, ID numbers, income, ethnic origin or blood type;
  • Opinions, evaluations, comments, social status or disciplinary actions; and
  • Employee files, credit records, loan records, medical records, existence of a dispute between a buyer and a seller, or intentions (to buy goods and services, to seek other employment, etc.).

Before the information is collected, the organization must identify the reason for the collection. For example, a business may request a customer’s email address to add him or her to its mailing list. The organization must obtain informed consent from that individual for the collection, use or disclosure of the information, and must explain how the information will be used and with whom it will be shared. This explanation needs to be clear and comprehensive.

Personal information can only be used for the purpose for which it was collected. If the organization is going to use an individual’s information for a different purpose, it needs to obtain consent from that individual again. For example, if the organization plans to provide the customer’s email address to a third party, the organization must then obtain consent from that customer for the new use.

There are several exceptions to the requirement of obtaining informed consent for the collection, use and disclosure of personal information. McKercher LLP can assist in determining whether privacy laws are applicable and whether the organization is complying with the relevant requirements.
