Monday, October 17, 2011

The Top Ten Principles of Canadian Privacy Law For Business
It's funny how people like lists of ten. Like David Letterman's Top Ten List that started in 1985 with Top Ten Things That Almost Rhyme With Peas. It seemed not such a promising beginning, but it certainly appears to have worked for him.

Type TOP TEN LISTS into Google, and you get such oddities as Top Ten Unusual But Fascinating Cloud Formations, Top Ten Superstitious Hockey Players, and my personal favourite: Top Ten Rescuers Made to Regret it By the Rescued.

And so in this long tradition of august knowledge enhancements, I give you Top Ten Principles of Canadian Privacy Law for Business. Perhaps not as amusing as some other lists, but hopefully more useful.

For personal information to be validly collected by a business under Canadian law, you've generally got to comply with the following top ten principles:
1. Accountability – must designate individual(s) within your organization as responsible for privacy.
2. Identifying Purposes – at or prior to time information collected.
3. Consent – must be informed and can be withdrawn, but may be granted through various means.
4. Limiting Collection – to that which is necessary for identified purposes of collection.
5. Limiting Use, Disclosure, and Retention – to purposes for which collected, except with consent or as required by law.
6. Accuracy – only as necessary for purpose.
7. Safeguards – appropriate to sensitivity of information.
8. Openness – about organization's policies on personal information management.
9. Individual Access – to existence, use, disclosure and content of own personal information that has been collected, including ability to challenge accuracy and completeness of information.
10. Challenging Compliance – create accessible procedure to receive and respond to complaints.
They're all based on principles developed by the Canadian Standards Organization, and were later incorporated into the Protection of Personal Information and Electronic Documents Act.

The bottom line is, regardless of how small a business you are running, if you're collecting personal information - and it's almost impossible to run a business without grabbing some kind of personal information - you should have a policy that accords with the above ten principles. It can be a really simple policy, but you need something. If you've got a larger business - or a smaller one that collects a lot of personal information - you should probably be speaking with a lawyer or consultant about your obligations. Check out the site of the Privacy Commissioner of Canada for more details.
