The collection, retention and eventual destruction of personal information by private organizations in British Columbia are governed primarily by two pieces of legislation (government entities are also governed by the Federal Privacy Act):
1. The Province of BC: Personal Information Protection Act (PIPA)
On January 1, 2004, the Personal Information Protection Act (PIPA) came into effect in British Columbia.
PIPA regulates the way private sector organizations collect, use, secure and disclose personal information. This act is in place to ensure that organizations holding personal information handle that information responsibly.
Some highlights of the Act:
Personal information means information about an identifiable individual and includes employee personal information
3 (1) Subject to this section, this Act applies to every organization.
4 (2) An organization is responsible for personal information under its control, including personal information that is not in the custody of the organization.
5 An organization must
(a) develop and follow policies and practices that are necessary for the organization to meet the obligations of the organization under this Act
35 (1) Despite subsection (2), if an organization uses an individual’s personal information to make a decision that directly affects the individual, the organization must retain that information for at least one year after using it so that the individual has a reasonable opportunity to obtain access to it.
(2) An organization must destroy its documents containing personal information, or remove the means by which the personal information can be associated with particular individuals, as soon as it is reasonable to assume that:
(a) the purpose for which that personal information was collected is no longer being served by retention of the personal information, and
(b) retention is no longer necessary for legal or business purposes.
The above information is copied directly from the Personal Information Protection Act, [SBC 2003] Chapter 63, Copyright (c) Queen’s Printer, Victoria, British Columbia, Canada.
We at IDSS strongly recommend that you familiarize yourself with PIPA. In addition to basic rules regarding the destruction of personal information, PIPA also outlines the requirements and rules governing the collection of such information.
The Province of British Columbia website has a collection of tools to help you understand and comply with the Personal Information Protection Act.
2. Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA has been in effect since 2001 (with additional items being released through to 2004) and all businesses in Canada are subject to its terms. The Act regulates the use and disclosure of private information by entities engaging in commercial activities.
Some highlights of the Act:
An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
4.5 Principle 5 — Limiting Use, Disclosure, and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.
Organizations should develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods. Personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made. An organization may be subject to legislative requirements with respect to retention periods.
Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.
Care shall be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information (see Clause 4.5.3).
A complete copy of PIPEDA can be found here.
Both federal and provincial law mandate strict control and secure destruction of private information held by organizations in Canada.