
Federal privacy laws changing to limit widespread sharing of personal information

BY CRAIG GILBERT

A lot of organizations are going to have to change the way they do business for 2004.

Federal privacy legislation that will go into effect Jan 1, 2004, is designed to establish new rules to govern the collection, use and disclosure of personal information.

In a nutshell, the days of companies selling and swapping customer or client lists, and keeping your personal information on record forever and for any reason they choose, are over.

Senior Gatien-Braitwaithe legal firm partner Brian Gatien gave about 40 Greater Sudbury Chamber of Commerce members an overview of the new legislation over lunch Thursday.

The law will affect the way organizations deal with personal information both externally and internally.

It will be binding in all provinces unless, Gatien said, the province comes up with a law of its own similar enough to federal legislation.

To give an idea of the law's scope, Gatien noted personal information collected cannot be disclosed without consent until 20 years after the person's death or 100 years after information is collected.

When information is collected by an organization, whether at a point of sale, through a charitable donation, telephone survey or other means, the purpose of collection must be made clear to the person, said Gatien.

That information, in turn, can only be used for the purpose that is given before or at the time the information is collected.

So, a company may collect information at point of sale for warranty purposes. The company would have to make that clear, and couldn't use the information for any other purpose or disclose the information to any other organization. In short, if the marketing division of the company wants the information, they will need consent as well.

Where the legislation may confuse a lot of organizations is in how it applies to databases and lists they already have.

A charity, for example, can no longer keep a master list of donors year in and year out, under the new legislation. Once the individual has been sent a letter of thanks and a receipt, no further communication can take place. An exception is for information kept in case of an audit, or for other legally binding purposes.

Once the time required to hold information has elapsed, say three years for argument's sake, the information must be destroyed.

"And you will have to have a good reason for keeping that information," Gatien warned.

Loyalty programs also came up in Gatien's discussion. Programs like Airmiles, Aeroplan and Petro Points will have to get new consents to keep the personal information, if they haven't already, from each and every person on their master list.

Another sticky point may be the disclosure of personal information of an individual absent from a meeting.

All organizations will have to appoint a member of their staff as what could be called a chief privacy officer, responsible for keeping the organization in compliance with the law and to that end, ensuring all staff are aware of their responsibilities and liabilities under the law.

Another principle under the law requires organizations to protect personal information with safeguards appropriate to its sensitivity. Organizations must be prepared for loss or theft of the information, and for unauthorized access, disclosure, use, modification or copying of it.

Passwords and data encryption are two examples Gatien used to illustrate the point.

There are also requirements under the new law dealing with accuracy. Data must be kept as accurate and up to date as is necessary for the application at hand.

Out-of-date credit information with a wrong address, Gatien said, is an example of information breaching the law's accuracy requirements.

Organizations must allow a person to see what personal information of theirs is on file, and the person must be allowed to make changes to improve the file's accuracy.

A monetary charge for the information may be levied, but the cost has to correspond to the amount of work it took to carry out the request for information.

There are some exceptions to the law.

Police collecting information in the course of an investigation do not need the consent of the individual.

Information used for journalistic or artistic purposes, or provided to a lawyer representing an organization in litigation, similarly may be collected without the person's consent.

As far as enforcement goes, there are no fines or jail time outlined in the law except in the case of a refusal to comply with a judge's orders stemming from a complaint to the privacy commissioner.

But don't worry about collecting names for a Christmas card list or car pool registry.

Personal information for domestic or personal use is permitted, said Gatien.