As a small or medium-sized business, you collect a significant amount of information about your customers. What you do with that data isnÕt necessarily up to you Ð in fact, in many cases itÕs very much up to them.

Privacy is the right of an individual to determine when, how and to what

extent they will share their personal information with others. Personal information means any information about an identifiable individual, and it includes things such as banking information, buying habits, health information, address and location.

The Federal Personal Information Protection and Electronic Documents Act (PIPEDA) applies to your business, unless your home province has its own similar legislation. Alberta, British Columbia, and Quebec have their own privacy legislation and some provinces have passed privacy legislation relating only to health information. The fundamental principles are the same.

Compliance with privacy legislation can bring an SMB many advantages, including:

  • avoidance of costly and time-consuming Privacy Commissioner investigations;
  • less chance of damages to your companyÕs reputation, particularly through Òheadline riskÓ in the press;
  • a clear indication to your customers that you take privacy seriously; and
  • an edge over competitors that have failed to embrace privacy

So, what are your business’s privacy obligations?

  • Your business must appoint a privacy officer.
  • You must identify the use for any information at the time of collection. For example, purporting to collect information for a survey, then later trying to sell a product to that person based on the survey answers, is a violation.
  • Information unnecessary for your described purposes cannot be collected.
  • Consent must be obtained from the individual to collect, use and disclose their personal information.
  • Security measures commensurate with the sensitivity of the data must be in place. This might include locked filing cabinets, restricted access to offices, and access controls and encryption on computer networks.
  • Individuals are entitled to obtain access to all of the information you have about them, and to change their minds about consents.

Compliance is more than simply copying someone elseÕs privacy policy. Each businessÕs policy must be tailored to its own needs. A common mistake is to draft the policy too tightly and unduly restrict your business.

Here are six basic steps to PIPEDA compliance:

  1. Appoint a privacy officer.
  2. Perform a privacy audit that looks at how the business collects and uses personal information; to what third parties is it sent; how uses are explained and consents obtained; how the information is stored and what security is in place; and when and how information is disposed of when it is no longer required (for example, are paper documents shredded rather than put in the trash?).
  3. Consider every way your business touches personal information and all opportunities for the information to get into the wrong hands.
  4. After the audit, compare to the applicable privacy law to determine what changes are needed to your processes and documentation. A privacy policy should be drafted that reflects privacy principles and the practical business requirements of your organization.
  5. Publish the policy and train employees.
  6. Legal assistance should be sought before starting the diligence process, to assist in comparing the audit results to legal requirements and to draft a policy.

For a detailed privacy compliance checklist, see

Even if you have only other businesses as direct customers, you may have information on individuals within those companies, such as personal details about sales staff. Maybe you have personal information about your customersÕ customers. Conversely, you must obtain privacy assurances from third parties to whom you provide customer information. You are responsible if your subcontractor misuses personal information that you supplied.

If you are a service provider, you should take a proactive approach and create privacy language for your contracts. You might include in your service contracts that your business will not use information provided by a customer for any use other than that contracted for by that customer, that you will keep the information secure, and that you will flow these privacy obligations through to any subcontractor.

David Canton is a business lawyer and trademark agent with a high-tech/e-business focus at Harrison Pensa LLP, a London, Ont.-based law firm. This article contains general comments only, not legal advice. David can be reached at (519) 661-6776 or through his law and technology blog at

Share on LinkedIn Share with Google+