March 16, 2022
By Mark Lahn
Each year, more businesses are leveraging a variety of tools to collect and store personal information about their customers. In light of the increasing prevalence of data breaches, how and why a business collects personally identifiable information is becoming more important.
In this article, we discuss frequently asked questions about privacy policies and what your organization can do to implement the best privacy practices.
One of the core principles of privacy law is that an individual knows what information a company holds about them and has consented to its collection. A privacy policy is one piece of the toolkit that allows an organization to meet its obligations under the applicable privacy legislation.
What laws govern privacy in Ontario?
In Ontario, privacy is currently governed by the following pieces of legislation:
- Provincial legislation:
- Freedom of Information and Protection of Privacy Act (FIPPA)
- Municipal Freedom of Information and Protection of Privacy Act (MFIPPA)
- Personal Health Information Protection Act (PHIPA)
- Federal legislation:
- Personal Information Protection and Electronic Documents Act (PIPEDA)
Each of these statutes imposes different obligations and applies only to certain types of entities, so identifying which legislation applies to your organization is the first step.
Are privacy policies required by law?
Yes, depending on the type of organization. The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to private-sector organizations across Canada that collect, use or disclose personal information in the course of a commercial activity.
The Act is not limited to incorporated entities; it also applies to partnerships and to individuals operating as sole proprietors who carry on the activities listed above.
Non-compliance with PIPEDA or other privacy legislation may result in a complaint being made to the relevant Privacy Commissioner. The Privacy Commissioner may investigate an organization's practices and initiate court proceedings, which could result in an award of damages or an order compelling the organization to comply with the Act.
PIPEDA and the other privacy statutes also do not prevent an individual from commencing a private court action.
What should a privacy policy include?
- How personal information is defined
- What personal information the organization collects
- Why that information is collected
- How the information is safeguarded against misuse and theft
- Which third parties the information may be shared with, and why
- Who to contact with questions or complaints
The policy should be written in plain language and be easy to navigate, so that the average customer understands in general terms how information about them will be used.
If you contact Weilers, a lawyer at our firm will sit down with you to understand why and how your business collects personal information and which third parties you share it with. Once you have retained our services, we can draft a policy tailored to your needs.
Visit our contact page to schedule a consultation with one of our experienced business lawyers.
About the Author
Mark Lahn is an associate lawyer at Weilers. Prior to becoming a lawyer, he worked in the technology sector and assisted businesses with the implementation of the EU General Data Protection Regulations (GDPR) framework. Mark is focused on providing practical and solutions focused legal advice across a variety of business matters including employment, privacy, litigation, and general corporate affairs. Click here to schedule a consultation with Mark.