Saskatchewan Business and Privacy
The Office of the Privacy Commissioner of Canada (OPC) has issued a guidance document entitled Privacy Guide for Businesses. You may ask, “Does it apply to businesses or organizations in Saskatchewan?” The answer is yes, it does. The Personal Information Protection and Electronic Documents Act (PIPEDA) is a federal statute that applies to businesses in Saskatchewan. If you are in business in Saskatchewan, I recommend you read the Privacy Guide for Businesses.
First let me summarize the main issues from the guide:
- PIPEDA sets out the ground rules for businesses in Saskatchewan;
- The OPC oversees compliance with PIPEDA by conducting independent and impartial investigations and audits;
- Businesses covered by PIPEDA must generally obtain an individual’s consent when they collect, use or disclose that individual’s personal information;
- People have the right to access their personal information held by a business. They also have the right to challenge its accuracy;
- Personal information can only be used for the purposes for which it was collected;
- Generally, personal information must be protected by appropriate safeguards;
- PIPEDA applies to private-sector businesses across Canada and Saskatchewan that collect, use or disclose personal information in the course of a commercial activity;
- The law defines a commercial activity as any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists;
- All businesses that operate in Canada and handle personal information that crosses provincial or national borders in the course of commercial activities are subject to PIPEDA;
- Under PIPEDA, personal information includes any factual or subjective information, recorded or not, about an identifiable individual;
- PIPEDA includes mandatory breach reporting requirements. Businesses must report to the OPC any breaches of security safeguards that pose a real risk of significant harm;
- Businesses must follow the 10 fair information principles to protect personal information, which are set out in Schedule 1 of PIPEDA. The principles are:
- Identifying purposes
- Limiting collection
- Limiting use, disclosure and retention
- Individual access
- Challenging compliance
For more information on PIPEDA and Businesses, see the Privacy Guide for Businesses.
When the federal government makes changes (amendments), those changes will affect Saskatchewan businesses, whether Saskatchewan businesses like those changes or not. Alberta, British Columbia and Quebec have passed legislation provincially, which applies to businesses in their province and replaces the operation of PIPEDA. Ontario, New Brunswick, Nova Scotia and Newfoundland and Labrador have also adopted substantially similar legislation. Ontario is currently consulting on similar legislation. See the Ontario Private Reform Discussion Paper.
I pose the question whether Saskatchewan should, like Alberta and British Columbia and as Ontario is considering, develop its own legislation to replace PIPEDA.