Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) now extends to most businesses in Canada. PIPEDA changes the way businesses and other organizations are permitted to collect, use, and disclose personal information in the course of commercial activities.
What Is PIPEDA?
PIPEDA is a federal law that prohibits most businesses (wherever located) from collecting, using, or disclosing personal information about an individual in Canada in the course of commercial activities, unless the individual's informed consent is first obtained. PIPEDA also creates mandatory operational standards for the handling of personal information.
What Is "Personal Information"?
"Personal information" is broadly defined. Essentially, it is any personal information about an identifiable individual, including a person's address, birth date, identification numbers, income, ethnicity, blood type, passwords, interests, hobbies, habits, etc.
"Personal information" does not include the name, title, business address, or telephone number of a person. This "business card information" exception exists to permit day-to-day commercial activity. For example, an employer may post the business card information about an employee on its website (e.g. as a representative that the public, customers, or suppliers can contact). Such information is public information.
Personal information in a professional or business directory is publicly available only if it is used for the purpose for which it appears. Therefore, a business could use the personal information in a professional directory to hire a professional, but could not market vacations to them without their prior consent.
What Is The Scope of PIPEDA?
PIPEDA does not apply to governments or to personal information collected, used, or disclosed for personal, domestic, journalistic, artistic, or literary purposes. For example, a parent may obtain a reference from a third party about a prospective nanny without the nanny's consent. Likewise, a journalist may collect, use, and disclose personal information about a subject without the subject's consent. Furthermore, PIPEDA does not apply to the personal information of employees of provincially regulated businesses (but does apply to the personal information of employees of federally regulated businesses). It also does not apply to charitable or not-for-profit organizations (such as schools or hospitals), except when they collect, use, or disclose personal information for commercial activities (e.g. selling donor lists).
Accountability Research Corporation's Privacy Principles
In the course of its commercial activities and, in particular, providing services to its clients, Accountability Research Corporation (ARC) collects personal information about its clients, its employees, and others. This information may be used for contact purposes, for general human resources purposes, and, more broadly, to communicate with our clients and others respecting the services that we provide.
ARC recognizes the importance of protecting the personal information that has been entrusted to us. This policy outlines the framework of ARC's policies and procedures regarding its collection, use, retention, and disclosure of personal information in respect of its clients and others. This policy supplements, where applicable, our professional obligations of confidentiality.
Why Does ARC Collect Personal Information?
ARC collects personal information in order that we may provide professional services and products to our clients.
How Do We Collect Your Personal Information?
ARC only collects personal information by lawful and fair means, and only that information which is reasonably necessary for the purposes identified. Whenever possible, we collect personal information about clients and other individuals directly from those parties or through referrals by persons who such parties have requested to provide us with such information.
How Do We Use Your Information?
ARC may use your personal information for purposes such as, but not limited to, providing professional services, billing, record-keeping, and other client contact and service matters, managing and developing business and operations, learning about the needs of current and potential clients, developing or offering services and products tailored to our clients' needs, communicating with clients regarding current and future products and services, and responding to client comments and suggestions.
Updating Your Information
Since ARC uses personal information to provide professional services, it is important that the information be accurate and up-to-date. If any information changes, we may require the individual to inform us so that we can make any necessary changes.
ARC uses appropriate security measures to protect against loss, theft, unauthorized access, disclosure, use, or modification of personal information. Such measures will vary depending on the sensitivity, amount, format, nature, and storage of the personal information, and will involve, as applicable, physical, organizational, and electronic security measures, including premises security, restricted file access to personal information, technological safeguards including security software and firewalls to prevent unauthorized computer access, and password and security policies. In communicating with us, individuals should be aware that e-mail is not a fully secure medium.
ARC requires that third party service providers to whom personal information may be transferred provide a level of security for such personal information that meets standards established by ARC.
If ARC holds information about an individual and the individual advises us that it is not accurate, complete, or up-to-date, we will take appropriate steps to correct it.
Questions and Requests for Access
Any questions or concerns with respect to access to personal information, requests to change preferences regarding our use of information, or any other privacy matter should be directed to: firstname.lastname@example.org