Organizations often only become aware of their privacy obligations after a complaint is made to the Privacy Commissioner or a privacy breach has occurred. All British Columbia organizations should proactively ensure that their privacy policies and procedures are in compliance with the Personal Information and Protection Act (“PIPA”). PIPA applies to the collection, use and disclosure of personal information by all private sector organizations in British Columbia as well as organizations responsible to safeguard personal information in its possession. Personal information includes any information about an identifiable individual.
Three key steps to ensuring your organization is privacy compliant are:
1. Appoint a designated privacy officer. The privacy officer is the individual responsible for ensuring that your organization complies with PIPA and is a contact for anyone who has questions with respect to your organization’s privacy policies.
(a) What personal information do we collect?
(b) For what purposes do we collect personal information?
(c) Do we only collect personal information that we really need for our purposes?
(d) How do we collect personal information and what do we tell individuals the purpose for collection is?
(e) What do we use personal information for and are those uses reasonable and appropriate? Do these uses match what we tell individuals?
(f) How do we obtain consent for collecting, using and disclosing personal information?
(g) How do we ensure that the personal information is correct, complete and current?
(h) Where do we keep personal information and how is it secured?
(i) Who, within our organization, has access to or uses the personal information, and for what purposes? Are we limiting access on a need-to-know basis?
(j) Who is personal information disclosed to outside our organization and why?
(k) Should we be disclosing personal information to others for the purposes we disclose it?
(l) How long do we retain the personal information? When is it disposed of and how? Is it disposed of securely?
(m) How do we respond to complaints or questions from individuals about our information practices?
(n) In light of PIPA, should we change any of our practices?
3. Ensure that the necessary safeguards are in place to protect your organization from privacy breaches and policies in place to quickly respond in the unfortunate event of a privacy breach.
We would be pleased to assist you in drafting or revising your privacy policies to ensure PIPA compliance. For more information, please contact Nicole K. Skuggedal at firstname.lastname@example.org or a member of Privacy & Data Management Group.
Lawson Lundell's Labour and Employment Blog provides updates on the most recent legal developments impacting the Canadian workplace and offers practical tips for employers. We cover a range of topics, including labour relations, employment law, collective bargaining, human rights, employment standards, employment equity, workers' compensation, business immigration, privacy, occupational health and safety and pensions and employee benefits.