Saskatchewan Business and Privacy (updated)
The Office of the Privacy Commissioner of Canada (OPC) has issued a guidance document entitled Privacy Guide for Businesses. You may ask, “Does it apply to businesses or organizations in Saskatchewan?” The answer is yes, it does. The Personal Information Protection and Electronic Documents Act (PIPEDA) is a federal statute that applies to businesses in Saskatchewan. If you are in business in Saskatchewan, I recommend you read the Privacy Guide for Businesses.
First let me summarize the main issues from the guide:
- PIPEDA sets out the ground rules for businesses in Saskatchewan.
- The OPC oversees compliance with PIPEDA by conducting independent and impartial investigations and audits.
- Businesses covered by PIPEDA must generally obtain an individual’s consent when they collect, use or disclose that individual’s personal information.
- People have the right to access their personal information held by a business. They also have the right to challenge its accuracy.
- Personal information can only be used for the purposes for which it was collected.
- Generally, personal information must be protected by appropriate safeguards.
- PIPEDA applies to private-sector businesses across Canada and Saskatchewan that collect, use or disclose personal information in the course of a commercial activity.
- The law defines a commercial activity as any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.
- All businesses that operate in Canada and handle personal information that crosses provincial or national borders in the course of commercial activities are subject to PIPEDA.
- Under PIPEDA, personal information includes any factual or subjective information, recorded or not, about an identifiable individual.
- PIPEDA includes mandatory breach reporting requirements. Businesses must report to the OPC any breaches of security safeguards that pose a real risk of significant harm.
- Businesses must follow the 10 fair information principles to protect personal information, which are set out in Schedule 1 of PIPEDA. The principles are:
- Identifying purposes
- Limiting collection
- Limiting use, disclosure and retention
- Individual access
- Challenging compliance
For more information on PIPEDA and Businesses, see the Privacy Guide for Businesses.
When the federal government makes changes (amendments), those changes will affect Saskatchewan businesses, whether Saskatchewan businesses like those changes or not. Alberta, British Columbia and Quebec have passed legislation provincially, which applies to businesses in their province and replaces the operation of PIPEDA to a certain extent.
I pose the question whether Saskatchewan should, like Alberta and British Columbia, develop its own legislation to ensure privacy protections are extended to all employees in Saskatchewan regardless of the type of employer they work.
Currently the parliament of Canada is considering Bill C-27 which would make changes to PIPEDA and would create an Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts. The federal privacy commissioner has made 15 recommendations for changes to Bill C-27.
The government of Saskatchewan has embarked upon a consultation on The Saskatchewan Employment Act (SEA). My office has proposed amendments that would give employees of businesses and organizations in Saskatchewan greater access rights and privacy protection for personal information in the hands of their employer.