On January 1, 2001, the Personal Information Protection and Electronic Documents Act came into effect. It is based on the Canadian Standards Association's model code for the protection of personal information, CAN/CSA-Q830-96, which was developed in the early 1990s as a voluntary code. It is the work of a consensus committee of representatives from business, government and consumer advocates, as well as relevant organizations, such as unions and professional organizations.
The Credit Reporting Industry was represented on this committee by Equifax Canada. The Canadian Bankers Association and the Amex Bank of Canada were also present; however, there were no credit grantors from the retail industry present. This model code of practice is a unique attempt by a wide cross-section of different stakeholders in the privacy debate to agree on the practical application of fair information practices. The Canadian Government announced its intentions to legislate to protect privacy in 1996, and issued a discussion paper in 1998 to gather opinion on how best to do this. Most stakeholders advised the government to build on the work of the standard, despite the fact that this document had not been drafted with the intent to put it into legislation in that format. The resulting law is the first time that a data protection statute has been based on a standard and is a unique attempt to combine the best of self-regulation with light oversight in the form of the Federal Privacy Commissioner. The Commissioner has a suite of new powers, which can best be described as those of an Ombudsman, but he can take cases to the Federal Court for a binding decision and damage awards, so the new law is not without teeth.
The law applies immediately to all federally regulated industries, such as the telecommunications carriers, banks and transportation companies. Parliament went further, however, and included within the scope and application of the bill all information that is collected, used or disclosed by organizations in the course of commercial activities. This aspect of coverage becomes effective in 2004. This represents only the second such exercise of the trade and commerce powers in over 60 years, and should be interpreted as a very strong statement about the importance Parliament has placed on protecting personal privacy, ensuring trust and confidence in electronic commerce and providing fair and harmonized rules for all in the new information economy. If provinces move to pass substantially similar legislation in the next three years, the organizations subject to the provincial legislation will be exempted from the coverage of the federal legislation with respect to transactions within the province; interprovincial and international transactions remain under federal jurisdiction.
What does this act mean for businesses granting credit? It would be wise for all businesses in Canada to get on board and comply with the legislation, for a variety of reasons, whether they are actually subject to it now or in 2004. Business benefits from a harmonized approach to regulation, and since all interprovincial dataflows will remain under this law, it makes sense to meet this standard at a minimum. Secondly, consumers are blissfully ignorant as to whether a company is federally or provincially regulated, and are likely to demand their privacy rights as soon as there is some coverage in the media. It is hardly good customer relations to have to tell them your company is not going to comply until it has to. Thirdly, the credit reporting industry is covered immediately because it sells information across borders, so customers who have exercised their new and broader rights with respect to their credit reports may come looking to credit grantors for similar access to their personal information.
What this means is that businesses must understand the ten fair information practices of the standard, contained in the schedule of the act, and put them into practice. Here is a brief outline of what the standard means and how it will apply.
1. Accountability -- An organization is accountable for the information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles. This involves publishing the information about who is to be held accountable, which is easier to do if your company has already named a CPO and has a privacy policy. It involves training staff and ensuring compliance with the policy. Clause 4.1.3 of this section contains the only transborder dataflow requirements, which state that the organization must provide, through contractual or other means, a comparable level of protection for information that is transferred for processing.
2. Identifying purposes -- The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected. These purposes have to be documented, and the organization has to be able to explain them to the individual. If a company gathers information to ensure it can track a bad loan, this purpose should be made explicit.
Source: HighBeam Research, The New Canadian Privacy Law: What Does It Mean for Credit Granting...