1. What is "personal information"?
2. Does PIPEDA apply to the employer/employee relationship?
3. What is consent?
4. How do we decide if we need particular personal information?
5. What is the risk if we don't have a Privacy plan?
6. We are a small company (37 employees). Does PIPEDA apply?
7. My company is headquartered in Alberta. What Privacy Act applies?
8. I understood that Ontario municipalities were covered under their own Act and would not be affected by PIPEDA. Is that true?
1. What is "personal information"?
- The definition of "Personal Information" contained in PIPEDA is very broad: "information about an identifiable individual".
It covers any information of a personal nature, including a range of items, from employee files to credit records. In addition, it encompasses more esoteric ideas, such as the existence of a dispute between a consumer and a merchant.
There are some exclusions. Personal Information does not include: the name, title or business address or telephone number of an employee of an organization; your opinions, if given in the course of employment.
Neither business email nor business facsimile numbers are specified in the legislation, and a recent Privacy Commission decision has held that business email IS personal information. The rationale that was applied in that case would also seem to apply to fax numbers, so until that decision is reversed (likely by a revision of PIPEDA), we recommend that you view both email and fax as personal information, and therefore subject to PIPEDA rules. That means that you must have consent to use them.
2. Does PIPEDA apply to the employer/employee relationship?
- No, not directly, unless your organization is a "federal work". BUT, moving personal information across provincial or national borders, and moving it to third parties (benefit carriers, payroll services, banks, unions, etc.) may be covered. It is situational.
3. What is consent?
4. How do we decide if we need particular personal information?
- The important test is: "would a reasonable person say that an organization needs this personal information and that it was handled appropriately?"
5. What is the risk if we don't have a Privacy plan?
- The intent of PIPEDA and the federal Privacy Commissioner is not to establish a penalty-based program. They want to resolve complaints. That said, the Federal Court could levy personal fines and jail time. Keep in mind that all of these proceedings will be public, so the negative publicity may be the worst result of an unresolved complaint.
6. We are a small company (37 employees). Does PIPEDA apply?
- Yes, PIPEDA applies to any organization of any size.
7. My company is headquartered in Alberta. What Privacy Act applies?
- The Alberta legislation was passed in December 2003 and came into force January 1, 2004 (as did the BC law). Both the Alberta and BC laws have been recognized as "substantially similar", meaning that the Alberta legislation applies within Alberta. Inter-provincial issues may still be best resolved by reference to PIPEDA.
8. I understood that Ontario municipalities were covered under their own Act and would not be affected by PIPEDA. Is that true?
- No, both the Minister for Municipal Affairs and AMCTO are advising Ontario municipalities that their "commercial activities" (that is, recreational programs, hydro, etc.) may well be covered by PIPEDA and that they should seek legal counsel.