The COVID-19 pandemic changed the way people do business. For many businesses, government regulations currently require operators to record the name and contact information of every person who enters the establishment and to maintain these records for at least one month. The purpose of this is to assist with contact tracing should a COVID-19 outbreak occur at an establishment. For other businesses, collecting personal information is a by-product of increasingly doing business online.
Business owners must be aware of the implications when collecting this sort of private information and the laws that govern its collection. In particular, the federal Personal Information Protection and Electronic Documents Act SC 2000, c5 (PIPEDA), sets the ground rules for handling personal information in the course of commercial activities. This act applies whether businesses are collecting personal information in person or online.
The following are best practices that businesses should adopt in order to be compliant with PIPEDA and other applicable privacy laws:
- Understand and identify the purpose for collecting private information. Do not collect more information than is necessary.
- Adopt privacy policies and procedures that set out the reason for collecting information, the length of time the information will be stored and its destruction procedure. Do not collect any information contrary to these procedures.
- Appoint someone to be responsible for privacy issues.
- Make information about your privacy policies and procedures available to customers.
- Inform customers of the purpose for collecting this information and obtain consent.
- Keep the information only for as long as is necessary and then destroy it using proper procedures.
- Use proper safeguards when storing the information. Do not leave the information in plain sight and keep it safe.
- Develop a simple and easily accessible complaint procedure. If a customer contacts you about a privacy concern, the customer should be informed about avenues of recourse.
If you have further questions regarding collecting personal information during the era of COVID-19 or regarding your obligations under Canada’s privacy laws in general, or if you require assistance in developing effective privacy policies and procedures, please contact Esther Abecassis, lawyer at Devry Smith Frank LLP at firstname.lastname@example.org or 416-446-3310.
“This article is intended to inform. Its content does not constitute legal advice and should not be relied upon by readers as such. If you require legal assistance, please see a lawyer. Each case is unique and a lawyer with good training and sound judgment can provide you with advice tailored to your specific situation and needs.”