February 12 2016
How Privacy Legislation Affects Your Organization
What follows is an introduction to key principles that any person working in an organization must keep in mind day to day while performing his or her duties.
Someone sends you an email requesting an estimate; an exchange of communications follows. Another person calls you and leaves a voicemail; you call her back and she becomes a client. You exchange business cards with a potential client at a networking event; you later email him about your organization’s activities. These are just a few examples of situations that are quite commonplace but which nonetheless raise privacy issues. Does your organization comply with applicable laws when it comes to managing the personal information that it holds? Are there rules to follow?
First, personal information protection in the private sector rests on both federal and provincial laws. At the federal level, the provisions to be complied with come mainly from the Personal Information Protection and Electronic Documents Act (PIPEDA). This act applies to international and interprovincial activities. Activities limited to the province of Quebec are governed by An Act respecting the protection of personal information in the private sector (Quebec Act), as this act was declared substantially similar to PIPEDA, and by the Civil Code of Québec (CCQ), mainly sections 35 to 40. Furthermore, since July 1, 2014, organizations must also comply with Canada’s Anti-Spam Legislation (CASL), applicable to commercial electronic messages, which are messages sent to an electronic address (email, SMS, messaging account on social media, etc.) to promote commercial activities, whether these activities are for profit or not.
Collection, Use, Communication and Storage of Personal Information
Any organization that wishes to collect personal information on individuals must first obtain their consent. This collection must be done directly from the individuals themselves, except in particular circumstances specified by law, and through legal means. This consent must be obtained before or during the collection of personal information. To be valid under the Quebec Act, consent must be manifest, free, and enlightened and must be given for specific purposes. When requesting consent from individuals, the organization collecting information must also inform these persons of the purpose of the file compiled on them, to what ends the personal information will be used, the categories of persons who will have access to the information within the organization, under which circumstances this information could be communicated to third parties and the identity of these third parties, where the information will be stored, and the persons’ rights to access and rectify the information.
It is important to keep in mind that an organization may only collect information necessary to achieve the purpose for which it is collected. If the organization wishes to use personal information for other purposes than those disclosed to individuals during collection, the organization must obtain these persons’ consent prior to such use.
Furthermore, an organization can only keep personal information for the time needed to fulfill the purposes for which it was collected. Subject to applicable laws, once these purposes are fulfilled, organizations must either delete or anonymize their databases.
Business Prospecting and Sending of Commercial Electronic Messages
The Quebec Act, however, includes an exception to the principle of manifest, free, and enlightened consent in the case of “nominative lists” (lists of names, telephone numbers, geographical or technological addresses) used for prospecting purposes. Under this exception, an organization can do business prospecting based on a “nominative list” of its clients, members or employees without their consent, provided that these persons have had a valid opportunity to refuse that their information be used for these purposes. An organization may also share a “nominative list” of its clients, members or employees with third parties for business prospecting purposes, provided that this type of communication is covered by an agreement between the organization and the third party and that, before the list is shared, those on the list were given a valid opportunity to refuse that their information be used by a third party for business prospecting purposes.
Any organization doing business prospecting must identify itself to persons that it contacts, inform them of their right to withdraw their name from the list, and provide a geographical or technological address, depending on the communication method used, where they can send their withdrawal request.
CASL also provides exceptions to the manifest, free, and enlightened consent obligation in the case of commercial electronic messages. Under certain circumstances, a person’s consent is not required or is implied. For example, a person who provides you with his/her business card during a networking event has tacitly consented to receiving commercial electronic messages from you, unless he/she expressly instructs you otherwise, as long as the messages are related to the person’s position in his/her organization or job. This consent will be valid until the person informs you that he/she wishes to be unsubscribed from the list, if applicable.
However, CASL imposes certain formatting and content requirements with regard to messages sent.
Penalties in Case of Violation
Under the Quebec Act, any person who collects, uses, communicates to a third party or holds personal information in violation of the act is liable to a fine of $1,000 to $10,000 and, for a subsequent offence, to a fine of $10,000 to $20,000.
Under CASL, fines can go as high as $1 million for individuals and $10 million for businesses. A violation includes aiding, inducing or procuring, or causing to be procured, the doing of an act contrary to CASL.
There are countless situations where an organization may collect and use personal information regarding individuals, whether they are clients or not. Caution is required on this matter, and each organization should proactively implement personal information management practices that comply with applicable laws, so as to avoid unnecessary obstacles to the proper operation of the organization.