October 22, 2014

What Small Businesses Need to Know About Canadian Privacy Laws

“Dear Valued Customer: We still love you but to comply with Canada's new anti-spam law, we need you to love us back! We need your consent to continue to be in touch with information about our products and services. To confirm it, please click here...”

Sound familiar?

This is the kind of email message that small businesses in Canada have been sending out since last July, when a new privacy law came into effect.

The Canadian Anti-Spam Law, or Bill C-28, was introduced to help stop unwanted e-mail and text messages. Businesses selling or promoting products or services now have to prove they have express consent to contact past and potential customers using electronic messages. Non-compliance carries penalties of up to $1 million for individuals and $10 million for businesses.

“‘Express consent’ requires disclosing the purposes for why consent is being requested and identifying who is seeking consent,” said Michael Geist, Canada Research Chair in Internet and E-Commerce Law at the University of Ottawa.

“This represents a significant change from current practice, where businesses have frequently relied upon ‘implied’ consent for their use of personal information.”

Canadian privacy laws also include the federal Privacy Act, which places limits on the collection, use, and disclosure of personal information by government departments and agencies.

But for small businesses in Canada (small and medium-sized enterprises represent 99.9% of all companies, according to organizers of the BDC Small Business Week), the Personal Information Protection and Electronic Documents Act (PIPEDA) is the most important. It covers the collection, use, and disclosure of personal information in the course of commercial activity. It applies in most of Canada, according to the Office of the Privacy Commissioner of Canada, but Quebec, Alberta and B.C. have their own private-sector privacy laws, and Ontario has a data protection law that focuses specifically on personal health information.

Here is a checklist of different ways small businesses can safeguard the personal information in their workplaces – and comply with Canadian privacy laws.

  • Leadership. One of the 10 privacy principles of PIPEDA is accountability. Designate someone in the office to be accountable for the collection, usage, disclosure, retention, and disposal of personal information.
  • Security awareness. Create a comprehensive information security document that details security policies and procedures. Train employees about data protection including email policies, computer network access, Internet use policies, and customer information protection strategies.
  • Physical protection. Secure the office with locks and alarms. Introduce a Clean Desk Policy. Store paper records that contain sensitive information in a locking file cabinet; keep copies of system and database backups in a safe. Employee access should be on a need-to-know basis.
  • Technical security. Use the computer protection available to you, such as password protection, encryption software, firewalls, anti-virus software, and anti-spyware programs. Have a specific security policy for the mobile workforce too.
  • Document management. Collect only the personal information that is needed for a particular purpose. PIPEDA then requires businesses to develop a records retention schedule, and when information is no longer needed, it should be securely destroyed. What’s most important: never just toss a business record into the trash or recycling bin. Partner with a document shredding company to securely shred records either on or off site and to receive confirmation that shredding was completed. Ask the company about hard drive destruction services too.

Learn more about protecting sensitive information in your workplace by implementing document security best practices.