Privacy laws apply to every business that holds any information about identifiable individuals.
Here are 11 things you should know about privacy.
- There are many privacy statutes that may apply depending on the nature of the information, the nature of your business, and what province your customers are in. Health information, for example, is usually subject to different statutes than other personal information.
- In general, if you want to use someone’s personal information for a purpose they would not reasonably consider necessary to provide your services, you need their consent.
- Mandatory breach notification is becoming more common. Some provincial statutes already require it, and PIPEDA now includes breach notification provisions that are coming into force soon. The notice requirements include some rather subjective tests and must be reviewed carefully if you have a privacy breach.
- The definition of personal information is fairly broad. It includes things like an IP address, and depending on the jurisdiction, may include car license plates.
- You must have a privacy officer who is accountable and available to your customers.
- A privacy audit may be in order. Make sure you understand what information you actually do collect, use and disclose. A disconnect between reality and what your policy says is a recipe for disaster.
- Privacy law, anti-spam legislation (CASL), and Do Not Call legislation complement each other, work together, and shouldn’t be viewed in isolation.
- Some privacy laws (in particular some provincial laws dealing with public sector or health information) say that data can’t reside outside of Canada.
- Having processes and protections in place to keep personal information out of the wrong hands is crucial. It is equally crucial to deal with a privacy breach appropriately to reduce legal, customer, and headline risk.