In British Columbia, there is legislation regulating every business’s rights and responsibilities with respect to the personal information it collects, uses and discloses. Every business that has employees and keeps a customer list needs to understand the rules relating to personal information.
What is personal information? Personal information is information about an identifiable individual. This means that the information would allow someone looking at it to figure to whom the information relates (name, address, phone number, social insurance number, photographs, and similar) and the information relates to a human being. This includes customer lists, credit card and debit transaction receipts, purchase histories, employee files and any other information your business uses which relates to people. Further, there is a special category called “employee personal information”, with special rules relating to the use and disclosure of information of your employees.
What is excluded? Information about organizations, like companies and societies, is not covered by the legislation, but information about the people who work for organizations is covered. There is an exception in the legislation which says that contact information of a person at their place of business is not considered personal information. You can think of this as the “business card exception”. If in doubt as to whether the legislation applies to the information you collect, discuss your situation with your privacy lawyer.
Consent. The legislation requires that your business obtain consent from the individual about whom you are collecting personal information to all purposes for which you intend to use and disclose the personal information. Do you intend to us the information to create a mailing list? Send birthday wishes? Forward along recall notices? Sell the information to a third party? You have to let the individual know why you need the information and give the person an opportunity to consent. Further, if the individual does not consent, you must still do business with that individual unless way you plan to use the personal information is fundamental to the service being provided. Consent can be implied if it is obvious what you will be using the personal information for when you collect it; however, that implied consent will not allow you to use the personal information for anything else.
Retention. The legislation requires that you do not keep the information any longer than is required for your legitimate business purposes. You can’t just keep the information forever, but instead you must consider when you will not longer need the information. Once it is no longer needed, you need to destroy it. However, if you are using the information for making decisions about an individual, you must keep the information for a set amount of time so that the individual has an opportunity to request access to or correction of their information.
Safeguards. If you collect, use and disclose personal information, you are responsible for safeguarding that information from uses and disclosures which are outside the scope of the consent you received. This means you need to have the infrastructure in place to protect the personal information, both in its printed and electronic forms. You will need locks on files, firewalls, password protection and other systems to ensure the personal information is safe. If you fail to do so, you can be sued for the damages caused to an individual for failing to safeguard their information. Losses related to identify theft can be substantial and this is a risk that your business needs to protect itself against.
Access and Correction. The legislation requires that you allow an individual to access their own personal information that you have collected about them, and correct that information upon request. If you receive an access or correction request, there are rules relating to the time you have to respond and the fees that you are allowed to charge. If you do not comply, the Privacy Commissioner of BC may become involved.
Privacy Officer. You need to designate someone in your business as the “go to” person for privacy concerns. This person is your “Privacy Officer”, or any other title you would like to use. The contact information for the privacy officer must be made available to the public.
Privacy Policy. You need to develop a privacy policy that sets out how you will manage the collection, use and disclosure of personal information, and responding to privacy complaints. You must provide copies of these policies to the public upon request, such as by publishing the policies on your website.
Andrea East is a business lawyer at Pushor Mitchell LLP. She advises businesses regarding their obligations under the Personal Information Protection Act and assists businesses in preparing privacy policies. You can reach Andrea at 250-869-1245 if you would like help in reviewing your personal information management practices or preparing a privacy policy.