PIPEDA sets out ground rules for the management of personal information in the private sector in Canada. Organizations covered by PIPEDA must obtain an individual’s consent when they collect, use or disclose that individual’s “personal information”. This extends to the personal information of employees. An individual has a right to access his personal information held by an organization and to challenge its accuracy, if need be. Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, consent must be obtained again. Individuals should also be assured that their information will be protected by specific safeguards, including measures such as locked cabinets, computer passwords or encryption.
Employers are responsible to:
• Comply with all 10 of the principles of Schedule 1 to PIPEDA.
• Appoint an individual (or individuals) to be responsible for the organization’s compliance.
• Protect all personal information held by the organization or transferred to a third party for processing.
How to fulfill these responsibilities
• Give the designated privacy official senior management support and the authority to intervene on privacy issues relating to any of the organization’s operations.
• Communicate the name or title of this individual internally and externally (e.g. on Web sites and in publications).
• Analyze all personal information handling practices including ongoing activities and new initiatives to ensure that they meet fair information practices.
• Include a privacy protection clause in contracts to guarantee that the third party provides the same level of protection as the organization.