Businesses that are serious about competing successfully in Canada need to get serious about privacy. They can start by complying with Canada's new private-sector privacy legislation.
Many consumers are concerned about how their personal information is used, protected, and shared in commercial transactions. The loss of consumer confidence related to privacy fears has been particularly detrimental to e-commerce. Ann Cavoukian and Tyler J. Hamilton's book, Privacy Payoff: How Successful Businesses Build Customer Trust, suggests tens of billions of dollars in e-commerce growth have been forgone as a result.
However, privacy is also a business-to-business (B2B) requirement, because businesses should hold their customer information secure and confidential during interactions with suppliers, resellers, employees, and others. Given these concerns and their economic implications, many jurisdictions such as Australia and the European Union have enacted privacy protection legislation aimed at restoring confidence in e-commerce transactions. Often such legislation extends the public sector's personal privacy protection requirements to the private sector.
The origin and ongoing development of Canada's private sector privacy legislation is a case in point: the federal Personal Information Protection and Electronic Documents Act (PIPEDA) sets out the principles on which that legislation, federal and provincial, is built.
The Evolution of Canada's Private Sector Privacy Legislation
In Canada, interest in regulating privacy protection arose in the mid-1990s when the Canadian Standards Association drafted a generic privacy code (Model Code for the Protection of Personal Information) based on Organisation for Economic Cooperation and Development (OECD) international guidelines for fair information practices. That code was used subsequently as the basis for Canada's federal privacy statute, PIPEDA, which became law in April 2000. PIPEDA is divided into five parts; Part 1 governs the collection, use, and disclosure of personal information in commercial activities by organizations of all types, including associations, partnerships, trade unions, and the Canadian offices or subsidiaries of foreign companies.
In recognition that privacy is both a consumer and a B2B concern, PIPEDA broadly defines the terms "personal information" and "commercial activity." Personal information is defined as factual or subjective information in any form about an identifiable individual, such as customers' credit/loan records and employee information such as medical conditions and disciplinary actions. (Personal information does not, however, include an employee's name, title, business address, telephone number, or publicly available information such as names, addresses, or telephone numbers published in directories or court records.) Commercial activity consists of any transaction, act, or conduct of a commercial nature, including the selling, bartering, or leasing of donor, membership, or other fundraising lists. A January 2003 article in the Canadian newspaper The Globe and Mail noted that privacy in Canada's private sector likely will be "covered by a crazy legal quilt" because requirements may differ across federal, provincial, and territorial boundaries. (See sidebar, Provincial Privacy Statutes.)
TABLE 1: PIPEDA Implementation Schedule (image not reproduced)
Many organizations that will become subject to PIPEDA on January 1, 2004 (see Table 1), are taking a wait-and-see approach, given the possibility that the provinces in which they operate may pass "substantially similar" legislation later this year. However, getting ready now may give organizations a competitive edge because concerns about privacy rank high with Canadian consumers and employees. Further, implementing privacy protection now will not be a wasted effort, even if an organization becomes subject to a provincial privacy statute, because a provincial statute must adopt the same basic principles as PIPEDA to secure an exemption. In fact, it is recommended that organizations begin to plan their compliance based on PIPEDA's requirements and adjust their business practices to comply with any substantive differences in provincial legislation that may be enacted before January 1, 2004, in the provinces in which they operate.
PIPEDA's 10 Principles
PIPEDA's goal is for organizations to have open and transparent relationships with their customers and employees by recognizing an individual's right to privacy and by establishing rules for collecting, using, and disclosing personal information in commercial activities. The 10 principles that organizations must follow are:
1. Accountability
The requirements are two-fold. First, an organization is responsible for protecting both personal information in its possession and any personal information that it transfers to a third party for processing (e.g., when an employer transfers personal information to the provider of an employee benefits plan). Second, accountability for an organization's PIPEDA compliance rests with a designated individual or individuals.
Compliance with this principle requires an organization to appoint a privacy officer responsible for developing and implementing a compliance program. An integral part of the program will be policies and procedures to standardize personal information-handling practices such as disclosing personal information and processing personal information access requests. Training also will be essential to ensure that employees - particularly front-line workers who collect and process personal information - are aware of their responsibilities. Periodic reviews by the privacy officer and/or external auditors also are required to assess the organization's ongoing compliance with accountability and other principles, to identify any corrective action required, and to monitor the implementation of corrective action to ensure compliance breaches do not reoccur.
In addition, an organization should contractually obligate each third party to which it transfers personal information to protect that information to the same degree the organization itself must, and it should satisfy itself that any personal information it receives from a third party was lawfully collected and disclosed.
2. Identifying Purposes
This principle requires an organization to identify the reasons for which personal information is collected, either prior to or at the time of collection. An organization may collect personal information for many reasons, such as opening an account, verifying creditworthiness, providing employee benefits, sending out membership information, or establishing customer eligibility for special offers or discounts. Other purposes may be equally valid; the key to compliance is ensuring that the reason for data collection is reasonable and is communicated either verbally or in writing (e.g., on a registration form, in a brochure, on a Web site).
To satisfy this requirement, an organization should define as narrowly as possible the reasons for which it collects personal information and the intended uses of that data, and then review personal data holdings to ensure that collected information meets the stated purposes. Keep in mind that an organization that collected personal information for one purpose cannot use it for a new purpose unless the new purpose is identified prior to use and the individual's consent is obtained (unless, of course, the new purpose is required by law).
3. Consent
An organization is responsible for collecting, using, or disclosing personal information only with the concerned individual's knowledge and consent, subject to a few exceptions. Defined as voluntary agreement with what is being done or proposed, consent may be implied (i.e., reasonably inferred from the individual's action or inaction) or express (i.e., given explicitly, either orally or in writing). In either case, the consent must be informed: the individual must be told why the personal information is being collected, how it will be used, and when, why, and to whom it will be disclosed.
PIPEDA applies to personal information collected before it came into force. An organization does not need to re-collect that information; however, it must obtain consent to continue using or disclosing it, no matter how long ago it was collected. In other words, it is legal for an organization to hold information without consent, but it is illegal to make any use of it or to disclose it to anyone else without first obtaining consent.
Compliance with this principle requires an organization to document all consent given as well as any consent withdrawn. Such documentation will be required if any individual requests an accounting or if complaints or investigations arise. Organizations must develop ways to document consent (e.g., check-off boxes on a form) and to organize and store consent and withdrawal information for easy retrieval in the future.
4. Limiting Collection
This principle prohibits organizations from collecting personal information indiscriminately or through deception or misrepresentation. To demonstrate compliance, the amount and type of personal information collected should be limited to what is necessary to fulfill the identified purposes. By reducing the amount of information gathered, organizations can lower the costs of collecting, storing, retaining, and ultimately destroying personal information. Also, collecting less personal information reduces risk; what is not collected in the first place cannot be used or disclosed inappropriately.
5. Limiting Use, Disclosure, and Retention
This principle obligates organizations to use or disclose personal information only for the purposes for which it was collected unless the individual consents to other uses or unless laws authorize other use or disclosure. This principle also requires that organizations keep personal information only as long as necessary to fulfill the identified purpose(s).
To achieve compliance with this principle, organizations should document any new use or disclosure purpose and obtain consent prior to implementing the new use or disclosure. Developing and implementing a records retention schedule that sets out how long personal information will be kept to satisfy an intended purpose or a legal requirement will accomplish compliance with the limited retention aspect. The schedule should give direction on retaining and disposing of duplicate copies of personal information and address retention in any media format. Care also should be taken to ensure that personal information used to make decisions about an individual is kept for a reasonable period after the decision-making process to allow individuals to have access and pursue redress, if applicable.
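The rules under Identifying Purposes, Consent, and Limiting Use, Disclosure, and Retention are easiest to get right when they are enforced by the system that holds the data rather than by memory. The following Python example is added here as an illustration; it is not code from the article or from any organization's compliance program. It assumes a purpose-keyed consent ledger (class name, purpose identifiers, retention periods, and the three sample individuals are all constructed for the example) and shows three decisions a practitioner has to make: refusing a use for a purpose that was never consented to or whose consent was later withdrawn, holding but not using legacy data collected before consent was sought, and flagging records past their retention schedule while keeping those recently used in a decision long enough for the individual to request access.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Added illustration of PIPEDA principles 2, 3 and 5 (identifying purposes,
# consent, limiting use/disclosure/retention). Purpose names, retention
# periods and the sample individuals below are constructed assumptions.


@dataclass
class ConsentLedger:
    """Append-only consent history per (individual, purpose): each event is
    (date, granted). Keeping withdrawals as well as grants lets the
    organization show who consented to what, and when it was withdrawn."""
    events: Dict[Tuple[str, str], List[Tuple[date, bool]]] = field(default_factory=dict)

    def record(self, individual: str, purpose: str, on: date, granted: bool) -> None:
        self.events.setdefault((individual, purpose), []).append((on, granted))

    def status(self, individual: str, purpose: str, on: date) -> str:
        """'granted', 'withdrawn' or 'none', judged by the latest event on or before `on`."""
        history = sorted(e for e in self.events.get((individual, purpose), []) if e[0] <= on)
        if not history:
            return "none"
        return "granted" if history[-1][1] else "withdrawn"


@dataclass
class Record:
    individual: str
    purpose: str                        # the purpose identified at collection time
    collected: date
    decision_on: Optional[date] = None  # set when the record was used to decide something about the person


# Retention schedule in days per identified purpose (illustrative values).
RETENTION_DAYS = {"credit_check": 365, "marketing": 180}
# How long to keep a record after it was used in a decision, so the individual
# can still request access and seek redress (illustrative value).
POST_DECISION_ACCESS_DAYS = 90


def check_use(ledger: ConsentLedger, record: Record, purpose: str, on: date) -> Tuple[bool, str]:
    """Purpose limitation plus consent: allow a use or disclosure only for a
    purpose the individual currently consents to. Legacy data with no consent
    on record may be held but not used or disclosed."""
    status = ledger.status(record.individual, purpose, on)
    if status == "granted":
        return True, "consented"
    if status == "withdrawn":
        return False, "consent withdrawn"
    if purpose != record.purpose:
        return False, "new purpose: identify it and obtain consent before use"
    return False, "no consent on record: hold but do not use or disclose"


def disposal_due(record: Record, today: date) -> bool:
    """Limiting retention: a record is due for secure destruction once past the
    schedule for its purpose, unless it was used in a decision and the
    post-decision access window is still open."""
    expiry = record.collected + timedelta(days=RETENTION_DAYS[record.purpose])
    if record.decision_on is not None:
        expiry = max(expiry, record.decision_on + timedelta(days=POST_DECISION_ACCESS_DAYS))
    return today > expiry


def build_sample():
    """Constructed sample data: Alice consented to both purposes, then withdrew
    marketing consent; Bob's record predates any consent being sought; Carol's
    marketing record was used in a decision shortly before its retention expiry."""
    ledger = ConsentLedger()
    ledger.record("alice", "credit_check", date(2003, 1, 10), True)
    ledger.record("alice", "marketing", date(2003, 1, 10), True)
    ledger.record("alice", "marketing", date(2003, 3, 1), False)
    records = [
        Record("alice", "credit_check", date(2003, 1, 10), decision_on=date(2003, 2, 1)),
        Record("bob", "credit_check", date(1999, 6, 1)),
        Record("carol", "marketing", date(2002, 10, 1), decision_on=date(2003, 3, 1)),
    ]
    return ledger, records


def demo() -> dict:
    """Run the sample through both checks and return the decisions."""
    ledger, records = build_sample()
    alice, bob, carol = records
    return {
        "alice_credit_check": check_use(ledger, alice, "credit_check", date(2003, 4, 1)),
        "alice_marketing_feb": check_use(ledger, alice, "marketing", date(2003, 2, 1)),
        "alice_marketing_apr": check_use(ledger, alice, "marketing", date(2003, 4, 1)),
        "bob_credit_check": check_use(ledger, bob, "credit_check", date(2003, 4, 1)),
        "bob_marketing": check_use(ledger, bob, "marketing", date(2003, 4, 1)),
        "due_may": [r.individual for r in records if disposal_due(r, date(2003, 5, 7))],
        "due_june": [r.individual for r in records if disposal_due(r, date(2003, 6, 1))],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design choices carry the compliance weight. Consent is keyed by purpose, not by individual, so a record collected for a credit check cannot silently be reused for marketing; and the ledger is append-only, so a withdrawal is recorded next to the grant it cancels, which is exactly the history an organization needs when an individual asks for an accounting or a complaint is investigated. The retention check is deliberately asymmetric: the decision window can extend a record's life but never shorten it.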
6. Accuracy
The objective is to ensure that personal information is accurate, complete, and up-to-date so that incorrect information is not used to make decisions or third-party disclosures. Compliance requires organizations to
* identify where personal information is kept so that it can be readily accessed for updates
* document when personal information was collected or updated
* document steps taken to verify the information's accuracy, completeness, and timeliness
Another key compliance component is an organization's ability to limit duplication, because duplication greatly increases chances that personal information will become inaccurate, be used or disclosed inappropriately, or be kept long after the official record is destroyed according to a retention schedule.
7. Safeguards
This principle requires organizations to provide adequate security to protect personal information against loss or theft and safeguard it from unauthorized access, disclosure, copying, use, or modification. The requirement also calls for organizations to ensure that personal information is securely destroyed when no longer needed.
Compliance can be achieved by developing an information security policy to specify how personal information will be protected. The policy should address the safeguards provided at each step in the personal information life cycle, from creation or receipt to final disposition. To ensure that personal information is secure in any format, storage location (including off-site locations), or transmission medium such as facsimiles, organizations should implement or supplement security by using
* physical measures, such as locked file cabinets
* technological tools, such as passwords and encryption
* organizational controls, such as limiting access to a "need-to-know" basis or requiring individuals to sign confidentiality agreements
8. Openness
Under this principle, organizations must make their information management policies readily available to employees and customers. In addition to publicizing policies in brochures and Web site notices, an organization should identify its privacy officer and provide his or her contact information. Employee training is also required, particularly for front-line employees who collect personal information, process transactions, and respond to inquiries. They must understand and be able to communicate the purposes for which personal information is collected, help individuals understand the organization's policies, and appropriately route access requests and complaints.
9. Individual Access
Individuals are entitled to request access to their personal information held by organizations. Individuals also are entitled to determine the uses to which the information was put and the names of any third parties to whom the information was disclosed.
Because organizations are expected to respond with due diligence within 30 calendar days after receiving a request to access, it is imperative that personal information be organized to allow quick retrieval. Regardless of whether an individual's personal information is kept in one or several locations, it must be stored in a logical and easily accessible manner to minimize delays and eliminate the risk that data will be overlooked.
Similarly, organizations need procedures for processing access requests that allow sufficient time to
* review a request to ensure it is complete and clear
* locate the personal information relevant to the request
* review the personal information in detail to determine any exemptions prohibiting its release (e.g., information subject to solicitor-client privilege)
* determine any permissions required (e.g., to release information in the record pertaining to a third party)
* decide whether to grant or deny the request
Because incorrect or incomplete information may be found when processing requests or responding to requesters' reviews of their own personal information, organizations should also develop procedures for updating deficient information and informing third parties to whom it was previously disclosed.
10. Challenging Compliance
This principle sets out parameters under which individuals may challenge an organization's PIPEDA compliance. Penalties for non-compliance include fines of up to $10,000 Canadian ($7,158 U.S.) for a summary conviction or $100,000 ($71,584 U.S.) for an indictable offense and the possibility that courts may award damages. However, many organizations likely consider bad publicity the greatest possible penalty because receiving negative media coverage and becoming the focus of Internet chats and Web sites can undermine public confidence.
To achieve compliance with the recourse principle, organizations should develop complaint filing and processing procedures, promptly investigate all complaints, and document all investigations undertaken. In addition, any deficiencies or non-compliance identified during an investigation should be corrected and later audited to ensure they do not reoccur. By taking such actions, organizations will reduce the likelihood of investigation by Canada's privacy commissioner, who is responsible for overseeing and enforcing PIPEDA's privacy provisions. The privacy commissioner also is empowered to make public any organization's personal information practices in the hope that public opinion will force compliance.
The Information Management Connection
George Radwanski, the privacy commissioner of Canada, has stated, "What the act is really about is good information management practices, and every organization benefits from those." Indeed, the ease with which an organization can achieve compliance with PIPEDA or substantially similar provincial legislation is related to the organization's existing information management framework. For example, organizations that have classification and indexing systems in place will find it much easier to locate personal information, both to audit current practices against PIPEDA's requirements and to respond to access requests. Similarly, organizations that have retention schedules and procedures for securely destroying obsolete records will find it much easier to comply with the requirements to limit retention and safeguard personal information.
For those organizations with little or no formal information management practices, it is not too late to begin a program. Achieving PIPEDA compliance provides an opportunity to establish information management practices for personal information while also laying a foundation on which to build efficient practices for managing all of an organization's recorded information in the future.
SIDEBAR: At the Core
This article
* examines Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
* provides 10 principles organizations must follow to be PIPEDA-compliant
SIDEBAR: Provincial Privacy Statutes
* Quebec is exempt from PIPEDA. Further, its 1994 law (an act respecting the protection of personal information in the private sector) was judged by the Canadian federal government to be substantially similar to PIPEDA. So that statute will continue to govern personal information in any commercial activity within Quebec's borders.
* PIPEDA was intended to apply to the private sector in Northwest Territories, Nunavut Territory, and Yukon Territory beginning January 1, 2001, because they are seen to hold the constitutional status of a "federal undertaking." However, the information and privacy commissioner for the Northwest Territories and Nunavut Territory has recommended that those territories introduce their own legislation to cover the private sector, raising the possibility that privacy requirements will differ in the territories.
* As of April 13, no province had introduced a bill to enact substantially similar legislation, and there does not appear to be a process in place to develop privacy legislation governing the private sector in Manitoba, New Brunswick, Newfoundland and Labrador, Nova Scotia, Prince Edward Island, or Saskatchewan. If no provincial legislation is passed in those jurisdictions, PIPEDA will apply there beginning January 1, 2004.
* Only three provinces (Alberta, British Columbia, and Ontario) have indicated their intention to enact private sector privacy statutes, and it remains to be seen if they will succeed before year-end. In February, Alberta announced its intention to introduce the draft Personal Information Protection Act in the spring sitting of the legislature. British Columbia reportedly is assessing how to resolve various concerns (e.g., identifying the allowable parameters of information sharing between organizations) raised in response to its discussion paper, "Privacy Protection in the Private Sector," released in mid-2002. Ontario reportedly is redrafting its proposed Privacy of Personal Information Act after receiving several hundred responses to its 2002 discussion paper.
SIDEBAR: PIPEDA Compliance Resources
There are several resources that organizations can draw upon as they begin to institute PIPEDA-compliant business practices.
Organizations can complete a diagnostic tool to self-assess the privacy-readiness of their business practices. Several tools are available, including a free Privacy Diagnostic Tool developed by the information and privacy commissioner of Ontario. It allows an organization to compare its personal information processes to international privacy principles, including the 10 principles in PIPEDA.
Organizations can conduct an in-depth assessment of current practices for collecting, using, storing, keeping, and disclosing personal information by answering such questions as:
* What personal information is collected?
* Why is it collected?
* Where is the information kept?
* Who has access to the information?
* To whom is the information disclosed?
Armed with the answers, an organization can compare its current practices to PIPEDA's principles, identify deficiencies, and implement the corrections necessary to achieve compliance.
Organizations can complete a privacy impact assessment (PIA) to ensure that any new technologies, computer systems, or policies will comply with PIPEDA's requirements. According to Ann Cavoukian and Tyler J. Hamilton's book, Privacy Payoff: How Successful Businesses Build Customer Trust, completion of a PIA forces an organization to assess privacy implications, identify risks, and determine how they can be mitigated by asking such questions as
* What kind of data will be collected and stored?
* Where does it come from?
* Where does it go?
* How will the data inventory be tracked and managed as it flows through the new system?
Lastly, when an organization begins writing its privacy policy, guidance can be found in the Organisation for Economic Cooperation and Development's (OECD) Privacy Statement Generator. This free online tool poses a series of questions that helps to design an organization-specific policy in keeping with the OECD's fair information practices, on which PIPEDA is based. Access it at http://cs3-hq.oecd.org/scripts/pwv3/pwhome.htm.
SIDEBAR: Read More About It
Organisation for Economic Cooperation and Development (OECD)'s Privacy Statement Generator. Available at http://cs3-hq.oecd.org/scripts/pwv3/pwhome.htm (accessed 7 May 2003).
"Privacy Diagnostic Tool." Ottawa, Ontario: Information and Privacy Commissioner, 2001. Available at www.ipc.on.ca/english/resources/resources.htm (accessed 7 May 2003).
SIDEBAR: Editors' Note: This article is for general information purposes; it does not contain or constitute legal advice. Organizations should seek legal advice when taking action to achieve compliance with PIPEDA or any substantially similar provincial legislation that may be enacted in the future.
References
"A Consultation on the Draft Privacy of Personal Information Act, 2002." Ottawa, Ontario: Ministry of Consumer and Business Services, 2002. Available at www.cbs.gov.on.ca/mcbs/english/pdf/56XSMB.pdf (accessed 7 May 2003).
Cavoukian, Ann and Tyler J. Hamilton. Privacy Payoff: How Successful Businesses Build Customer Trust. Toronto: McGraw-Hill Ryerson, 2002.
"Personal Information Protection and Electronic Documents Act." Available at http://laws.justice.gc.ca/en/P-8.6/91352.html (accessed 7 May 2003).
"Privacy Protection in the Private Sector" consultation paper. Victoria, British Columbia: Ministry of Management Services Corporate Privacy and Information Access Branch, 2002. Available at http://www.mser.gov.bc.ca/FOI_POP/PSP/PSP-Consult.pdf (accessed 7 May 2003).
Rankin, Murray. "Privacy Covered by a Crazy Legal Quilt." The Globe and Mail, 15 January 2003.
"Your Privacy Responsibilities: Guide for Businesses and Organizations to Canada's Personal Information Protection and Electronic Documents Act." Ottawa, Ontario: Privacy Commissioner of Canada. Available at www.privcom.gc.ca/information/guide_e.asp (accessed 7 May 2003).
AUTHOR: Sheila Taylor, CRM
AUTHOR AFFILIATION: Sheila Taylor, CRM, is a Principal with CONDAR Consulting Inc. and Chair of the Canadian Legislative and Regulatory Affairs Committee (CLARA) of ARMA International. She may be contacted at staylor@condar.ca.