Simon Chester and Sandra Richmond are partners in the Toronto law firm of McMillan Binch and members of the firm’s KNOWlaw Group.
Air Canada just had its reputation shredded – again. Perhaps it wasn’t paying attention a few years back when Rogers Cable got slammed over its negative option billing practices.
This time the issue is privacy. Federal privacy czar George Radwanski has made Air Canada his first target in a war to wake up Canadian business. The negative option approach to obtaining consent is not an option for Air Canada, or for anyone else that collects, uses and discloses personal information.
The incident concerned Air Canada’s Aeroplan Frequent Flyer Program. The complaints centred on Air Canada’s practices of sharing personal information about its members with external organizations.
Initially, Air Canada did this without consent. When it did decide to obtain consent, it sent brochures to only approximately 1% of its members and asked in such a way that consent was assumed unless the member took the initiative to check off the boxes indicating refusal and return the brochure.
The commissioner found that this was inadequate under the federal privacy laws, which mandate how businesses may use, collect and disclose information about individuals. He said he intended to restrict the negative option approach to very limited situations. In most cases, employers and businesses will have to actively obtain consent when they want to collect, use and disclose personal information.
Does the law apply to you?
Right now the legislation applies only to a few federally regulated industries, but these include the telecommunications and broadcasting sectors.
Within two years every Canadian business will be covered. Ontario is on the brink of a huge legislative debate on how to balance business and privacy interests. (Watch this space.)
While the law might seem targeted at companies whose main business is trading or selling personal information, any business that has employees or customers, or even a business that collects personal information through a website, must be concerned.
What is personal information?
‘Personal information’ means information about an identifiable individual, not including the name, title, business address or telephone number of an employee of an organization.
But personal information can be factual or subjective and does not have to be recorded. It is not limited to information that can be used directly or indirectly to identify an individual. Rather, it concerns information about an identifiable individual.
Organizations that collect, disclose or use personal information must obtain the individual’s consent in most circumstances. Likely, that means your organization.
Any business that has employees has personal information.
Any agency that sends photos and resumes to a casting director collects and discloses personal information.
Any production company that sends a broadcaster or distributor bios of the cast and crew of its production – and the broadcaster and distributor who use that information for promotion – are collecting, disclosing and using personal information.
Any website that asks for users’ names and e-mail addresses or sells products or services collects personal information.
What does your business need to do?
Even if privacy legislation does not yet apply to your business, there are a number of things you can do now to get ready:
* Designate a staff member to be responsible for all privacy matters. Make sure that person has the resources necessary to understand and meet the legislative requirements.
* Establish policies and procedures for protecting privacy and addressing related complaints. Train staff to adhere to privacy policy and procedures, and develop public explanations of your policy and procedures. Keep these current – make sure your procedures follow your policy and, if you change your procedures, make sure your policy reflects that.
* In your contracts and agreements, ensure that the other parties who receive or process personal information provide the same protection that you do.
* Document the purposes for which all personal information is collected. Collect only the information that is required for that purpose.
* Incorporate a method for obtaining consent to collection, use or disclosure of personal information into application forms, standard contracts or other such documents. Make sure that you accurately and clearly describe what information is being collected, how you are going to use it and whether you will share it with third parties.
The form and manner of consent that is required will depend on the sensitivity of the information and the surrounding circumstances. In some cases, individuals may consent orally over the phone, by marking a check-off box on an application form or in a formal contract. In other cases, consent may be implied – if a customer orders something for delivery to his or her home, there is implicit authorization for you to record that information and use it to deliver the item (but not to sell that information to add to a mailing list).
* Establish procedures for obtaining further consent if information is needed for a purpose other than that originally stated. (As the Privacy Commission’s Air Canada report makes clear, the negative option approach likely won’t wash. Nor will describing the purpose so broadly in the first place that it is not really clear what use might be made of the information.)
* Establish procedures for dealing with circumstances in which an individual withdraws his or her consent. Make sure that if you have given the information to third parties, you let them know that consent has been withdrawn.
* Develop and implement guidelines for retaining and disposing of personal information. Personal information may be held only for as long as necessary to meet the stated purpose. Where information is used to make a decision about someone, however, the company must hold onto the information long enough to allow the person access to the information after the decision is made.
* Make sure personal information is secure, by keeping it physically and, where applicable, electronically protected. If you keep information on your computer system, check firewalls for vulnerability. Hire programmers to test your security system against hackers.
* Develop a policy for making personal information available to subsidiaries and other related organizations.
* Establish procedures to allow individuals access to their personal information, and to correct or update information when appropriate.
Employees
There are additional steps you can take with respect to employees.
As with other personal information, you will need to ensure that your personnel files are both physically and electronically secure. You will need also to safeguard health information about your employees and protect the identity of those who take advantage of employee assistance programs.
Ensure that your employees understand the importance of privacy. Develop clear written policies for your employees about how you, as their employer, treat privacy issues.
In some cases, your company may feel that other concerns override employees’ privacy. If, for example, your company reads employees’ e-mails and monitors and restricts their Internet use, your employees should know in advance that you do this.
Websites
Don’t forget about your company’s website. Many businesses do not have an adequate privacy policy on their websites.
Your policy should accurately describe what your website does, and does not do, with personal information. When drafting your policy, set out clearly what information is collected and how it is used – check with your tech people to make sure you’ve described it accurately and completely.
Even if you only collect aggregate, and not personal, information (for example, the number of times a page is looked at without identifying who accessed it), it’s good corporate policy to let people know what your privacy policies and practices are.
(This article contains general comments only. It is not intended to be exhaustive and should not be considered as advice in any particular situation.)
-www.mcbinch.com