COVID-19 and Collecting Personal Information

The COVID-19 pandemic changed the way people do business. For many businesses, government regulations currently require operators to record the name and contact information of every person who enters the establishment and to maintain these records for at least one month. The purpose of this is to assist with contact tracing should a COVID-19 outbreak occur at an establishment. For other businesses, collecting personal information is a by-product of increasingly doing business online.

Business owners must be aware of the implications when collecting this sort of private information and the laws that govern its collection. In particular, the federal Personal Information Protection and Electronic Documents Act, SC 2000, c5 (PIPEDA), sets the ground rules for handling personal information in the course of commercial activities. This act applies whether businesses are collecting personal information in person or online.

The following are best practices that businesses should adopt in order to be compliant with PIPEDA and other applicable privacy laws:

- Understand and identify the purpose for collecting private information. Do not collect more information than is necessary.
- Adopt privacy policies and procedures that set out the reason for collecting information, the length of time the information will be stored and its destruction procedure. Do not collect any information contrary to these procedures.
- Appoint someone to be responsible for privacy issues.
- Make information about your privacy policies and procedures available to customers.
- Inform customers of the purpose for collecting this information and obtain consent.
- Keep the information only for as long as is necessary and then destroy it using proper procedures.
- Use proper safeguards when storing the information. Do not leave the information in plain sight and keep it safe.
- Develop a simple and easily accessible complaint procedure.
If a customer contacts you about a privacy concern, the customer should be informed about avenues of recourse.

If you have further questions regarding collecting personal information during the era of COVID-19 or regarding your obligations under Canada’s privacy laws in general, or if you require assistance in developing effective privacy policies and procedures, please contact Esther Abecassis, lawyer at Devry Smith Frank LLP, at esther.abecassis@devrylaw.ca or 416-446-3310.

“This article is intended to inform. Its content does not constitute legal advice and should not be relied upon by readers as such. If you require legal assistance, please see a lawyer. Each case is unique and a lawyer with good training and sound judgment can provide you with advice tailored to your specific situation and needs.”

By Fauzan Siddiqui | Blog, Corporate Law, COVID-19 | March 15, 2021

How Canada’s Privacy Legislation Affects the Use of Third Party Information and Payment Processors

Businesses often use third party entities to process customer information or transactions and to then relay portions of that information back to the business. Businesses using third parties in this manner should be aware of the provisions of Canada’s privacy legislation in this regard.

Overview of Canada’s Privacy Legislation

Canada’s two predominant privacy statutes are the Privacy Act, RSC 1985 c P-21 and the Personal Information Protection and Electronic Documents Act, SC 2000, c5 [“PIPEDA”]. The former applies to actions of the federal government, while PIPEDA applies to every entity that collects, uses or discloses personal information in the course of commercial activities. Alberta, British Columbia and Quebec have provincial privacy legislation which is, for the most part, substantially similar to PIPEDA.

Compliance with PIPEDA

Any entity collecting personal information for the purpose of a commercial activity must first obtain the consent of the individuals whose information is being collected. It is important to note that personal information includes the names and contact details of individuals, as well as their credit card and other financial information.

PIPEDA provides that “the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.” Therefore, whenever personal information is collected in a commercial context, the individuals whose consent is sought must be informed of the manner in which their personal information will be used and disclosed.

The transfer of information to third parties for processing is considered to be a disclosure of information.
It therefore follows that when seeking someone’s consent for collection of his or her personal information, the entity collecting the information should outline that the information will be shared with third parties for processing. Furthermore, if the third party is in another country, specific risks, such as the possibility of foreign officials obtaining the information, should be disclosed to the individuals whose consent is being sought.

In summary, a business seeking to use third party processors of customer information or payments should so advise any individuals whose personal information will be collected and should outline for those individuals the potential risks of the collection and disclosure of the personal information by and to the third party. The third party processor should ensure that the necessary consent has been obtained and that its contract with the business provides for indemnification by the business should issues arise as a result of the collection and processing of the personal information.

For questions regarding compliance with Canada’s privacy legislation in a commercial context, please contact Elisabeth Colson of Devry Smith Frank LLP at 416-446-5048 or elisabeth.colson@devrylaw.ca.

By Fauzan Siddiqui | Blog, Corporate Law | August 15, 2019 | April 30, 2021

Uber Data Breach Affecting 815,000 Canadians, Investigation Launched

As much of the world has heard, Uber has had a data breach that affected people worldwide. Now, after several demands from a number of levels of Canadian government, Uber has finally disclosed that 815,000 Canadians were affected by this breach, resulting in the Canadian Privacy Commissioner opening a formal investigation into the breach. Uber has said that only names, emails and mobile phone numbers were taken by the hackers and that no credit card information, bank accounts or dates of birth were compromised.

Unlike the U.S. and U.K., Canada has no laws in place requiring Uber to disclose data breaches, and under the license agreement with the city of Toronto, the city council had to vote in order to demand information on the breach. The Privacy Commissioner “gave little detail in announcing the formal investigation, noting confidentiality provisions under the Personal Information Protection and Electronic Documents Act (PIPEDA)”.

PIPEDA entitles individuals to certain protections for personal information that is collected in the course of commercial activity. “Personal information” is broadly defined by PIPEDA, and includes any information about an identifiable person (s. 2). “Commercial activity” is also broadly defined and includes: any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists (s. 2). These sections form the basis of the protection of personal information under federal law.

When a complaint is filed with the Commission, PIPEDA confers wide-ranging investigative powers on the Commissioner to investigate alleged breaches, make corrective orders to organizations, and assign penalties if a breach is found.
Luckily, to address the lengthy process required to obtain information from businesses such as Uber, federal privacy laws are being developed that would require businesses to disclose if a data breach occurs. Under the revision, the Privacy Commissioner would be limited to issuing a maximum fine of $100,000 for not disclosing a breach.

By Fauzan Siddiqui | Blog, Intellectual Property | January 3, 2018 | June 17, 2020