The Covid-19 pandemic has accelerated the transition to a more digital workplace. Now, it is more convenient than ever before to store and process data, including personal information. With this transition comes a good opportunity to revisit an issue that all Canadian business owners should keep in mind: data privacy. This is part one of a three-part series.
Prior to collecting, using, or disclosing personal information in the course of a commercial activity, a business must take into account its obligations under the federal government’s Personal Information Protection and Electronic Documents Act (PIPEDA) and other mandates. PIPEDA describes a “commercial activity” as an act or conduct that is of a commercial character. This may include selling, leasing, or bartering. “Personal information” means information about an identifiable individual. Information will be “about an identifiable individual” where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other information [Gordon v Canada (Health), 2008 FC 258 (CanLII) at para 34].
It is important to note that this is an expansive definition and includes factual or subjective information about an identifiable individual, whether recorded or not. Less sensitive personal information includes ages, birthdates, and addresses. More sensitive personal information includes ethnic origin, religious or political beliefs, and medical and financial information. Some less intuitive types of personal information include opinions, evaluations, comments, and social status.
Two main exceptions to what would normally be considered personal information include: (1) employee information, such as telephone number and email used solely in relation to his/her employment, business, or profession; and (2) personal information collected, used, or disclosed by organizations solely for journalistic, artistic, or literary purposes.
Over the years we have helped companies of all sizes with their business law needs. We have a robust understanding of the legal intricacies and what it takes to stay on the right side of the law. If you would like to connect with our team’s certified Privacy Professional, please contact us by email or telephone.
 Including, potentially, the Ontario government’s Personal Health Information Protection Act as it relates to healthcare information received by health information custodians; and the European Union’s General Data Protection Regulation as it relates to data protection and privacy in the European Union.
Brian Wong is an associate lawyer with a focus on private equity, lending, IP/IT, and privacy law. Prior to joining Ross Rumbell , Brian worked at large Canadian law firms supporting a variety of corporate/commercial practice areas. He also has a background in life sciences and has worked at an international biotechnology company. In his spare time, Brian enjoys learning Mandarin, travelling, and playing golf.