Canada’s PIPEDA act becoming more prominent

Published: October 9th, 2008

With everyone concerned about privacy these days and fearing the loss or theft of critical business or personal information, Canadian organizations need to adhere to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), otherwise they risk facing legal actions.

At this year’s second annual SecTor event conference held here in Toronto, an IT security education event, Tracy Ann Kosa, privacy impact assessment specialist for the Ministry of Government and Consumer Services for Ontario, explained how PIPEDA is regulated by the Office of the Privacy Commissioner (OPC) and why it’s important to safeguard information.

PIPEDA, Kosa explains, is an act that protects personal information that’s collected, used, or disclosed. This applies to all personal information, whether it’s located provincially or nationally. OPC, the regulating body that oversees the act, is an independent office that governs and enforces this private sector privacy law.

“The privacy commissioner is the one who receives all of the complaints,” Kosa said. “Their role includes investigating complaints, conducting audits and public reporting, and more.”

Because PIPEDA is a complaints-driven act, a written letter or the filing of an online complaint is all it takes to enforce. Once a complaint is received, the OPC will begin a privacy investigation or an audit, both of which Kosa warns are lengthy processes and sometimes can throw a wrench into any business’s finances, if they are found to be non-compliant.

“People are more and more worried about the issue of identity theft and are worried about who the company is disclosing or selling the information to,” she said. “People don’t feel any trust.”

In order to first collect personal information, Kosa says the knowledge and consent of the end-user are required before any data is disclosed. End-users should be more aware about what the organization is then using and collecting the personal data for.

“Ask questions like, ‘Where is the information going, who’s going to keep it, what happens when that information is purchased by another company and ask why they’re asking for and collecting this information in the first place,” she advises.David Senf, director of research for security and infrastructure software at Toronto, Ont.-based research firm, IDC Canada, said where the channel’s concerned, many Canadian firms are looking at purchasing solutions for content management and e-mail archiving to stay compliant.

“PIPEDA is the number one act that Canadian firms indicate that they’re working towards being compliant,” he said. “PIPEDA can also be used as a means to generate brand or product awareness, but don’t expect lead generation or closing the deal to be very easy. Our public sector (still) believes that there is more work to be done to safeguard both employee and citizen data.”