Sandra Richmond is a partner in the Toronto law firm of McMillan Binch LLP and a member of the firm’s KNOWlaw Group.
It doesn’t have quite the same cachet or sense of urgency as Y2K, when many predicted the world’s computer systems would crash at the turn of the century.
But Jan. 1, 2004 – the date the federal privacy law comes into effect for most businesses – could pose much more of a problem than Y2K ever did if you’re not ready for it.
Federal law
The broadcasting and telecom sectors have been living with the Personal Information Protection and Electronic Documents Act for some time now. But on Jan. 1, 2004, the law will extend to every Canadian business, whether a multinational or a mom-and-pop, that collects, uses or discloses personal information in the course of commercial activity. The law regulates the collection, use, disclosure and retention of personal information, which means any factual or subjective information about an ‘identifiable individual,’ recorded or not.
This includes name, age, home address, personal telephone numbers, work/education history, income, ethnic origin, family information, credit records and medical records. It does not include an employee’s name, title or business address or phone number.
The law does not apply to collecting, using and disclosing personal information for journalistic, artistic or literary purposes.
Provincial ‘equivalents’
The provinces were given the option of embracing the federal law or enacting their own legislation, as long as it was ‘substantially similar.’
Quebec has had its own privacy legislation for a decade, one which the Privacy Commissioner says is substantially similar to the federal law.
Ontario circulated a draft bill for consultation, but in 2003, the initiative was suddenly shelved. Don’t look for Ontario to enact any legislation until after the election, if at all. As with most provinces, the federal law will apply in Ontario.
B.C. and Alberta have each introduced privacy bills, but before his resignation in June, Privacy Commissioner George Radwanski made it clear he didn’t think either met the ‘substantially similar’ test.
Neither bill requires express consent – they allow for implicit consent and opt-out consent (i.e., you’re deemed to have consented to have your personal information collected unless you actively opt out of the process).
In addition, both address the problem of old information – they deem personal information collected before they come into force to have been collected with consent. However, previously collected information will be subject to the new law in terms of access, security, withdrawal of consent and using the information for new purposes.
The Alberta bill lets employers collect, use and disclose employment-related information about employees and potential employees without consent. In B.C., employers won’t need to obtain consent, but they will need to notify employees about how they’ll use the information they collect.
Expect a political fight – and perhaps litigation – if there’s a conflict between the federal legislation and provincial legislation that has not passed the ‘substantially similar’ test. But it’s unlikely that Ottawa is going to fight tooth and nail on this issue. Expect some true Canadian compromises.
Being prepared
You’re probably safe if you comply with the federal law and, if you haven’t already started preparing, it’s time.
* Know your obligations: Make sure you fully understand just what personal information is and how you are required to treat it. If you have questions, the website of the Privacy Commissioner of Canada (www.privcom.gc.ca) is a good place to find more information.
Generally, you must ensure that your organization’s collection, use and disclosure of personal information is for appropriate purposes and is done with the individual’s consent, that the personal information is as accurate, complete and up to date as necessary, and that it is protected from unauthorized use or disclosure.
* Do a privacy audit: Track what personal information you actually collect and how you collect and use it. Follow the path of personal information through your business – who collects it, who has access to it, how secure it is, how it’s used and whether it’s ever disclosed outside your business.
* Ensure compliance: Implement any changes you need in order to comply with your obligations, such as ensuring you have consent. Do privacy audits periodically to make sure you’re still in compliance.
* Use a privacy policy: Develop and write policies and procedures for protecting privacy and addressing complaints, and make sure your staff are fully trained to follow the procedures. Post your website privacy policies and procedures for visitors to your site.
* Appoint a privacy officer: Choose someone in your business who can assume responsibility for ensuring compliance with the privacy policy and legislation and who can deal with questions and complaints well. Make sure he or she has the resources to do the job.
(For a fuller discussion of steps you can take to prepare, see the Binchmarks column entitled ‘Private I – Are you ready for privacy legislation?’ in the April 1, 2002 Playback.)
Non-compliance
So, what’s the penalty if you don’t comply?
Under the federal law, the Privacy Commissioner can investigate someone’s complaint or initiate his or her own complaint, audit your organization’s personal information practices, and publicly report abuses.
There are also offences, punishable by fines of up to $10,000 on summary conviction or up to $100,000 on indictment, for destroying personal information that an individual has requested, for retaliating against an employee who has filed a complaint or for obstructing an investigation or audit by the commissioner.
The commissioner can’t award damages, but in some cases, after the commissioner has issued a report, a complainant may apply to the Federal Court for damages (including damages for humiliation) and a court order that the organization correct its information practices. The commissioner may also apply to the court on his or her own behalf or on the complainant’s behalf.
All of these sanctions are theoretically possible, but they aren’t the most serious. As the Privacy Commissioner has shown, privacy complaints make great media stories. Businesses can suffer much more from damaged reputations than from the actual amount of the fine or damage award.
What to expect in 2004
It’s not clear how much work the new privacy law will cause for business, but the Privacy Commissioner in Australia reported that when their privacy legislation was extended to private-sector businesses, they underestimated the increase in the number of complaints, expecting them to go from 200 to 400. They now have 1,000 complaints and a six-month waiting list to open a file.
Some Canadian businesses that have been subject to the law since 2001 report that they spend more time than they would have predicted answering questions and responding to complaints and requests from people for their personal information held on file.
Roll up your sleeves. The regulators are coming.
(This article contains general comments only. It is not intended to be exhaustive and should not be considered as advice in any particular situation.)
-www.privcom.gc.ca
-www.mcmillanbinch.com