Doing Business in Canada (11th edition)

CHAPTER 10 E-Commerce, Data Protection and Privacy

A determination of substantial similarity requires that the provincial legislation be interpreted as containing PIPEDA’s 10 “fair information principles” (based on the international OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data). Consequently, all Canadian organizations are effectively required to establish an administrative structure to ensure that these 10 principles are implemented:

– accountability
– identification of the purpose for which the information is gathered
– consent
– limitations on collection
– limitations on use, disclosure and retention
– accuracy
– ensuring appropriate safeguards are in place
– openness
– individual access
– challenging compliance

Under PIPEDA, private sector businesses are also required to implement privacy policies in respect of the collection, use and disclosure of personal information and to make those policies available to their customers. In addition, PIPEDA requires organizations to make the personal information collected about an individual available to that individual upon request and to permit them to correct any inaccuracies. The substantially similar provincial laws each provide for similar obligations.

PIPEDA does not apply to organizations with respect to the collection of employee information unless the organizations are federal works, undertakings and businesses. Employee information in Québec, Alberta and British Columbia is, however, protected under the applicable provincial privacy legislation.

Most provinces also have specific legislation governing the privacy of personal health information in the hands of healthcare providers (e.g., doctors, clinics and hospitals), their service providers and agents. The personal health information statutes in Ontario, New Brunswick, Nova Scotia, and Newfoundland and Labrador have been determined to be substantially similar to, and therefore apply instead of, PIPEDA in respect of the personal health information that is subject to those statutes.

CONSENT

Canadian private sector privacy laws are consent-based; unlike some other jurisdictions such as the European Union, there are no other independent legal bases permitting the collection, use or disclosure of personal information. Instead, there are exceptions to consent, which are generally narrowly interpreted by courts and regulators. PIPEDA requires informed consent to collect, use or disclose an individual’s personal information. Consent is valid only if it is reasonable to expect that the individuals providing it understand the nature, purpose and consequences of the collection, use or disclosure of personal information to which they are consenting. The appropriate form of consent (e.g., express or implied) depends on the nature and sensitivity of the personal information involved and the circumstances of collection. For example, all sensitive information requires express consent. Any information can be considered sensitive depending on the context, but certain types of information are generally considered to be sensitive regardless of context (such as health information, financial information, biometric information and information about gender, sexual orientation, religion and ethnicity).


Davies | dwpv.com
