The Office of the Privacy Commissioner of Canada, the Office of the Information and Privacy Commissioner of Alberta and the Office of the Information & Privacy Office Commissioner for British Columbia have released a self-assessment privacy tool for organizations to assist in complying with Canada's requirements for securing personal information. It includes the following privacy laws:

  • the Personal Information Protection and Electronic Documents Act—PIPEDA (Canada);
  • the Personal Information Protection Act (Alberta); and
  • the Personal Information Protection Act (British Columbia).

PIPEDA applies to personal and health information that is collected, used or disclosed in the course of commercial activity that takes place across the Canadian border, between provinces and within a Canadian province that has not enacted “substantially similar” legislation. The provincial privacy laws of Alberta and British Columbia apply unless the organization is a federal department, work or business and/or the information is disclosed outside of the originating province throughout the course of the commercial activity.

Survey research professionals and their sub-contractors or agents are obligated to obtain consent in order to obtain the personal information of respondents and adhere to rules regarding the collection, use and disclosure of personal information or they will be in violation of PIPEDA. The Personal Information Protection Act applies to the private sector in Alberta to all commercial activity, with a limited exception provided for non-profit organization and applies to the personal information of customers, non-customers and employees of an organization. The Personal Information Protection Act applies to the private sector in British Columbia (both for profit and non-profit organizations), and covers customer, non-customer and employee information.

The self-assessment tool focuses on either a full assessment or personalized assessment component that is designed to specifically assist with assessing an organization by posing a series of questions within a defined category of security risk. The overall goal for the self-assessment results is for each organization to achieve a “yes” response to each question.

The information provided in this document is not intended and should not be construed as or substituted for legal advice. It is provided for informational purposes only. It is advisable to consult with private counsel on the precise scope and interpretation of any given laws/legislation and their impact on your particular business.