Authored by: Jessica Proudfoot and Susan Fridlyand
The Personal Information Protection and Electronic Documents Act (“PIPEDA”) is a federal privacy law that sets out the ground rules for how personal information must be handled in the course of employment and commercial activities, and may apply to First Nations’ governments and businesses.
“Personal information” is data about an identifiable individual. Put simply, it is information that, on its own or combined with other pieces of data, could be used to identify someone. This may include their name, age, social insurance number, email address(es), credit record(s), etc.
The overarching principle in PIPEDA is that the collection, use and disclosure of personal information must only be for purposes that a reasonable person would consider appropriate in the circumstances.
The “10 fair information principles” form the ground rules for the collection, use and disclosure of, and access to, personal information:
- accountability for personal information under an organization’s control;
- identifying purposes for which information is collected;
- consent is required to use, collect or disclose personal information in most circumstances;
- limiting collection to what is needed for the identified purpose;
- limiting use, disclosure and retention to the identified purpose (except with consent or where required by law);
- accuracy to satisfy the identified purpose;
- safeguards relative to the sensitivity of the information;
- openness of privacy policies and practices to the public;
- individual access to their information upon request; and
- opportunity to challenge compliance with these principles.
While these principles may sound simple enough, the reality is that privacy issues are often complex, and navigating the legislation and related jurisdictional questions can be difficult. To assist, the First Nations Information Governance Centre (“FNIGC”) has recently created two helpful resources for First Nations and First Nations business owners to better understand their responsibilities under PIPEDA:
- PIPEDA and First Nations: Application and Reform is an Issue Paper detailing the application of PIPEDA to First Nations businesses, governments, and organizations, while providing an overview of the Act.
- A First Nations Guide to the Personal Information and Electronic Documents Act (PIPEDA) is a plain language guide to PIPEDA designed specifically for First Nations businesses. The guide outlines the responsibilities of business owners under PIPEDA and explores how this may intersect with local First Nation laws and processes.
Key Takeaways for First Nations
Using the tools provided by the FNIGC is a great first step toward understanding your organization’s obligations under PIPEDA. However, to avoid unwanted legal actions, we also strongly encourage all First Nations and First Nation business owners to:
- develop (and maintain) a clear, written privacy policy; and
- provide staff with regular training on the privacy policy to support your staff’s understanding of their obligations when acquiring, using, and disclosing personal information.
If you have questions about PIPEDA or if your organization requires support developing or updating its privacy policy and preparing a draft form of consent, we can assist.