The federal privacy legislation that will usher in 2004 could catch many companies by unpleasant surprise. Just as you’re downing that flute of bubbly this New Year’s Eve, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) comes into effect for all companies and not-for-profit organizations in the country’s private sector.
PIPEDA joins other private sector privacy legislation already in place in Quebec as well as imminent privacy acts in British Columbia and Alberta. Other jurisdictions have similar legislation in the works. This patchwork privacy quilt will cover the collection, use, and disclosure of personal information in Canada — with the force of law. Ignore it at your peril.
“I get the impression most of the big boys in business are prepared for PIPEDA, but I think the majority of smaller businesses are vulnerable to being blindsided by it,” says Sid Ridgley, president of Simul Corp., a small Ont.-based business that specializes in providing big companies with customer satisfaction and sales development consulting. Ridgley himself says he’s hoping a law firm seminar on PIPEDA he signed up for will untangle its meaning for him and Simul.
“I admit my ignorance about PIPEDA, but I think I’m fairly typical,” adds Ridgley. “I’m not sure, for example, if someone happens to give me their e-mail address and I send them some information about my company as a result — whether that makes me vulnerable to the law.”
A primary principle of PIPEDA that Ridgley already understands is that if you’re going to gather information about someone you must first get that individual’s permission to do so and then, by explaining what their information will be used for, you must get a further explicit OK to share that data with anyone else. In many instances, you must also formally contract with the third party to ensure that the individual’s data will only be used for the purposes that he or she has agreed to.
This may be easy enough to do, for example, if you have a third party simply handling your mailings. But if you’ve outsourced a whole core function of your business that allows another outfit deep access into, let’s say, your customer or human resources databases, then you have a more complex task.
It’s a challenge big companies such as EDS and IBM, which are highly active in outsourcing, say they have met.
“We don’t view the (PIPEDA) legislation as an impediment to outsourcing,” says James Toccacelli, the director of marketing and communications for EDS Canada. “We will only use the information for the purposes outlined by our customers, which is in both our interests. Our customers control the flow of personal information for their clients, quite rightly.”
Similarly, IBM Canada expresses confidence in its PIPEDA preparedness. Yim Chan, IBM Canada’s CIO as well as its chief privacy officer (CPO), says a half-page addition to IBM’s normal non-disclosure agreement with outsourcers will have both parties covered for PIPEDA.
Indeed, proponents of PIPEDA say it’s more about opportunity than impediment. The Government of Canada’s PIPEDA handout says the Act will build customers’ confidence in business — thereby stimulating e-commerce and boosting everyone’s bottom line.
But Constantine Karbaliotis, an executive consultant for the outsourcing and consulting firm, CGI, and its resident PIPEDA expert, thinks there will be some major shocks along the way.
“PIPEDA is going to be a big wake-up call for 80 per cent of the businesses out there,” says Karbaliotis. “Some won’t even know it’s coming. Others, because they are small, may think they can fly under PIPEDA’s radar. But that’s too optimistic, in my view.”
Karbaliotis likens PIPEDA’s seriousness to Y2K when it similarly ticked down to midnight nearly four years ago. “PIPEDA will have a profound effect on information management generally,” he says.