Windsor-Essex County Privacy Lawyers Advising on Compliance With Privacy Legislation
In Ontario, privacy law is a complex web of provincial and federal legislation and regulations. Many businesses are subject to multiple privacy statutes, and it can be challenging to identify which laws and regulations apply to different parts of a company’s operations.
Willis Business Law provides comprehensive, trusted advice to private and public sector businesses and institutions on their statutory obligations under provincial and federal privacy laws. The firm’s experienced business lawyers develop personalized, innovative systems and procedures to ensure compliance with all applicable laws and regulatory requirements, helping clients reduce the risk of privacy breaches and avoid unnecessary exposure to liability.
The Personal Information and Protection of Electronic Documents Act (PIPEDA)
What is the PIPEDA?
The Personal Information and Protection of Electronic Documents Act (PIPEDA) is a federal law that oversees the collection, use, and disclosure of personal information in the course of a commercial activity. “Personal information” is defined by the PIPEDA as “information about an identifiable individual”.
What businesses or organizations fall within the PIPEDA?
Private-sector organizations and federally-regulated organizations across Canada that collect, use, or disclose personal information in the course of a commercial activity fall within the PIPEDA. Organizations that operate in a province with substantially similar provincial private-sector privacy laws (Alberta, British Columbia, and Quebec) are often exempt from the PIPEDA’s application.
What responsibilities do businesses have under the PIPEDA?
The PIPEDA sets out several requirements for businesses regarding the collection, use, and disclosure of personal information, including:
- Obtaining proper consent for the collection, use, and disclosure of personal information;
- Limiting collection of personal information to that which is needed for the organization’s purposes;
- Collecting information by fair and lawful means;
- Limiting the use, disclosure, and retention of personal information to only what is needed to serve the organization’s purposes;
- Keeping personal information accurate, complete, and up-to-date;
- Protecting personal information using appropriate security safeguards; and
- Facilitating access to information upon request, in compliance with the PIPEDA.
The Freedom of Information and Protection of Privacy Act (FIPPA)
What is the FIPPA in Ontario?
The Freedom of Information and Protection of Privacy Act (FIPPA) of Ontario is a provincial privacy law that provides a right of access to information under the control of “institutions” (as defined or listed under FIPPA). The FIPPA also protects the privacy of individuals whose personal information is held by an institution.
A similar statute, the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), protects the privacy of, and facilitates access to, personal information held by Ontario municipalities.
What bodies are covered by FIPPA?
The Ontario FIPPA applies to:
- The Ontario Legislative Assembly;
- All Ontario government ministries;
- Designated service provider organizations;
- Community colleges and universities;
- Hospitals and Local Health Integration Networks; and
- Any agency, board, commission, corporation, or other body designated as an “institution” in the FIPPA’s regulations.
What obligations do institutions have under the FIPPA?
Institutions falling within the FIPPA’s mandate must:
- Design systems to protect personal information records;
- Assess and respond to requests for disclosure of information, including determining whether disclosure would impact any third parties (and allow those parties to make representations about the possible disclosure);
- Respond to disclosure requests within 30 days by making the requested records available or providing written reasons for denying disclosure; and
- Inform any person denied access to records of their right to appeal the decision within 30 days to the Information and Privacy Commissioner of Ontario.
The Personal Health Information Protection Act (PHIPA)
What is the PHIPA in Ontario?
The companion Act to the FIPPA, the Personal Health Information Protection Act (PHIPA), sets out rules for protecting, using, disclosing, and accessing an individual’s personal health information (PHI).
What bodies are covered by the PHIPA?
The PHIPA applies to various individuals and organizations defined by the Act as “health information custodians”. Custodians are those who have custody or control of personal health information and include (but are not limited to):
- Health care practitioners (e.g. doctors, nurses, dentists, laboratory technicians, and more);
- Hospitals and psychiatric facilities;
- Long-term care homes and retirement homes;
- Medical officers and health boards; and
- The provincial government (the Ministry of Health and Long-Term Care).
What obligations do health information custodians have under the PHIPA?
Health information custodians’ obligations under the PHIPA include:
- Ensuring personal health information (PHI) is kept accurate and up-to-date;
- Taking reasonable steps to protect PHI in their custody against theft, loss, unauthorized use, disclosure, copying, modification, and disposal;
- Ensuring records containing personal health information are retained, transferred, and disposed of securely; and
- Keeping records containing personal health information for as long as needed to facilitate access requests (including exhausting any legal recourse a requestor may have regarding the handling of their access request).
Canada’s Anti-Spam Legislation (CASL)
What is Canada’s Anti-Spam Legislation (CASL)?
The legislation commonly referred to as “Canada’s Anti-Spam Legislation” (CASL) protects individuals and businesses from cyber threats, the misuse of digital technology, and deceptive or unethical digital marketing practices. It sets strict rules around obtaining consent to receive electronic commercial or digital marketing messaging.
What businesses or organizations fall within CASL?
Instead of applying to a prescribed list or class of organizations, CASL applies to all electronic messages (including email and text messages) sent in connection with a commercial activity. Any organization within Canada or globally that sends commercial electronic messages (CEMs) within, from, or to Canada must first receive consent from the recipient. In most circumstances, consent must be explicitly provided, orally or in writing.
What best practices can businesses follow to comply with CASL?
Businesses should consult an experienced business lawyer to review their marketing platform and digital messaging to ensure all aspects of a company’s marketing operations comply with CASL. Generally speaking, however, businesses sending commercial electronic messages (CEMs) within, from, or to Canada should:
- Identify all methods used to send CEMs;
- Develop a strategy to collect and document consent from recipients;
- Ensure all CEMs follow the guidelines and content requirements of the CASL (for example, the ability to “unsubscribe” from CEMs); and
- Document all consent protocols and keep policies and procedures up to date to establish a “due diligence” defence in case of prosecution under the CASL.
Willis Business Law: Providing Windsor-Essex County Businesses With Robust Guidance on Compliance With Privacy Legislation
The privacy and business law lawyers of Willis Business Law provide multi-faceted, experienced advice on privacy legislation to businesses across all industries in Windsor-Essex County. The firm is passionate about educating business owners, board members, senior management, and staff about privacy laws and best practices for ensuring compliance. After assessing the extent of the business’ obligations under various privacy laws, the firm also ensures those duties are incorporated into the client’s contracts, policies, and procedures to safeguard against breaches.
Equipped with its established mastery of Ontario business and privacy law, Willis Business Law provides innovative, trusted advice to help clients minimize privacy risk and liability across Windsor-Essex County and all surrounding areas. Located in the heart of Windsor’s financial district, the firm combines a big-firm level of professionalism with a community-driven approach. To schedule a consultation, call 519-945-5470 or reach out online.