E-CommerceALERT.com is part of the Bennett Gold LLP web site network.
LINK TO: Bennett Gold LLP, Chartered Professional Accountants, home page.
LINK TO: E-CommerceALERT.com Home Page.
CLICK to GO BACK to Main Page.

Research and retrieval of news articles by:
Bennett Gold LLP, Chartered Professional Accountants

Effective December 31 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering notable e-commerce news articles from the period 1999 to 2012.


Source: National Post

Posted on September 13, 2001

      By 2004, every time a Canadian company or organization asks an employee, customer or even John Q. Public to fill out a written questionnaire, it will be placing itself at risk.

      Under the terms of Canada's new Personal Information Protection and Electronic Documents Act (Bill C-6), any organization collecting personal information can be fined and sued for damages if it fails to do something as simple as acquire the correct consent form.

      IT also faces stiff penalties if it collects information it does not immediately need or if it shares that information with a third party or uses it for purposes not originally intended. It can even open itself to serious damages if it does not keep the information gathered in a secure depository.

      "The new privacy act has become an economic issue on a large scale," says Karen Smith, director of employee benefit plans for the Saskatchewan School Trustees Association in Regina. "In terms of impact, it is easily as big as Y2K was. Only this time it is a continuing issue. Day in and day out you have to make sure you comply with the terms of the legislation."

      The aim of the privacy legislation is to protect personal information in the face of intrusive technology. Nor is privacy strictly a domestic issue. The European Union now requires countries wanting to do business with its members to have in place laws governing data protection. The upshot is a new and onerous responsibility for those men and women assigned the task of managing risk in corporations and organizations.

      Fail to comply with the provisions of the new privacy act and the penalties can be troublesome indeed. The federal privacy commissioner can levy fines of up to $100,000 for breaking the new law. Once a breach has been identified, the individuals or groups affected can seek damages in federal court.

      "The commissioner can also order his findings to be published and embarrass the company or organization in contravention of the act," adds Julie Thorburn, a partner in Cassels Brock & Blackwell LLP of Toronto.

      "This is legislation which has serious ramifications for any group collecting personal information in the course of business."

      The impact of Bill C-6 will come into play in stages. Starting on Jan. 1, 2001, any federally regulated organization that gathers personal information on an interprovincial basis is affected, as are any federal undertakings. On Jan1, 2002, the scope will be extended to the gathering of personal health information. Finally, in 2004, the act will apply to all companies in Canada gathering personal information within a province unless that province has already passed its own legislation.

      Any group or individual can make a case to the federal privacy commissioner claiming a company or organization has broken the law. The commissioner then has a year to investigate and issue a report. If the commissioner finds that an indictable offense has occurred, he or she can fine the offender and publish the results of the investigation.

      If the commissioner finds an offense has occurred, the aggrieved parties can file suite for monetary and punitive damages in federal court.

      The effect of this new law?

      "That is still very much a grey area," says David Griffiths, senior vice-president at Aon Reed Stenhouse of Toronto, a major international insurance brokerage. "Initially, it seems certain to affect insurance premiums. In the long run, however, insurance companies will need a body of statistical evidence before they can understand and price the risks involved."

      Whatever happens, insurance policies will only cover damages. Insurers will not be required to pay the cost of fines levied by the commissioner, but defense coverage could be available.

      "Let's just say it could be a big business," Mr. Griffiths says.

      Just how big will depend on the ability of risk managers to persuade employers to set in place policies and procedures to safeguard compliance with the provisions of the act.

      "Essentially, what the government wants is for companies to set in place procedures that take reasonable care to protect personal information of individuals," Ms. Thorburn says.

      "The first step is appointing one individual who has the overall responsibility to ensure the terms of the act are met and the creation of written guidelines for the treatment of materials collected."

      After that, it becomes a matter of creating detailed programs to meet the 10 tests included in the legislation. They cover things such as written consent forms.

      "It can't be a blanket consent," Ms. Smith says. "You must also make sure you are only gathering stuff you need right now. You can't stockpile information for the future. You also have to eliminate from the material gathered anything that might identify the individual, such as social insurance numbers."

      The material gathered must then only be used for the specific purposes set out in the consent form. It cannot be shared in any way with a third party. Once collected it must be safely stored whether it is in hard copy or electronic format. Finally, after use, it must be disposed of in an equally safe manner.

      "As far as the insurance industry goes, our first task is getting our clients to identify problem areas and then create protocols and processes to deal with them," Mr. Griffiths says. "The first step is often getting good legal advice."

      That is, of course, where risk managers come in.

      "The new privacy legislation demands good risk management," Ms. Smith says. "There is considerable liability involved here if things are not done properly. Think about it. There is risk if the consent form is not worded properly. There is risk if the material is not collected properly, if it is not used properly, if it is shared, if it is not stored properly and if it is not disposed of properly."

      "The impact of risk managers on the process will take a considerable time to be felt," adds Mr. Griffiths.

      Initially there will be the discomfort of the unknown for some underwriters, which can translate into higher premium demands and potentially new products with their costs.

      "Only once a better understanding of the true risk develops and the actual claims occur will we learn if this cover is a major business or of relatively small impact. Understanding this may take underwriters three to five years."

CLICK to GO BACK to Main Page.

E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.

Final Entries

LINK TO: Bennett Gold, Chartered Professional Accountants: A Licensed Provider of WebTrust Services.

WebTrust Is Your
Best Defense
Privacy Breaches.

Get WebTrust
Working For
Your Site.