KerrLaw Logo JAMES D. L. KERR
TO:           Business Clients FROM:   James D.L. Kerr Lawyer
            17 – 151 Merton St.
, Ont., M4S 1A7
            Tel 416 485-4254
            Fax 416 485-8836

            Certified Specialist Civil Litigation
DATE:      August 28, 2003


The federal Personal Information Protection and Electronic Documents Act ("PIPEDA") will:

PIPEDA refers to businesses as “organizations” and provides that "every organization shall comply with the obligations set out in Schedule 1”.

"Personal information" means information about an identifiable individual and will include such things as age, identification numbers, income, ethnic origin, employee files, evaluations, credit and loan records, medical records and perhaps even e-mail addresses. "Personal information" does not include the name, title, business address or telephone number of an employee of an organization.

Schedule 1 of PIPEDA is a MODEL CODE FOR THE PROTECTION OF PERSONAL INFORMATION. The Model Code contains 10 principles of privacy developed by the Canadian Standards Association relating to the following:

The primary obligations in Model Code are:

1.      An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing.

2.      The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.

3.      The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

4.      The identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected.

5.      The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

6.      Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used.

By way of example, businesses that collect, use or disclose personal information, such as the following will be affected by PIPEDA:

There is no "grandfathering" of personal information collected prior to
January 1, 2004.

Businesses are obliged, under PIPEDA, to designate a Chief
Privacy Officer.

Non-compliance with the provisions of the PIPEDA may result in civil
liability for an organization and its directors and officers as well as the
imposition of fines.

For constitutional reasons, PIPEDA, a federal law, stops short of imposing privacy obligations on all workplaces. It grants privacy rights only to employees in federally regulated workplaces. Until
Ontario passes its own privacy legislation, there are no mandatory requirements. Nevertheless, given an increasingly privacy-conscious public, it will be advisable to ensure that your employees’ personal information is being adequately protected.


1.                  Designate an employee to assume responsibility for privacy.

2.                  Give your privacy officer the resources needed to meet the new requirements.

3.                  Your privacy officer should familiarize him or herself with the requirements of the Act. The Web sites of the Privacy Commissioner of – and of the Information and Privacy Commissioner of – provide good starting points.

4.                  Assess the impact of the privacy principles on your employees and customers. Not all businesses will be affected in the same way.

5.                  Develop a privacy policy that sets policies and procedures for protecting privacy and addressing complaints.

6.                  Train staff to adhere to the privacy policies and procedures, and develop your public positions on privacy.

7.                  Track data flow. Identify your personal information holdings. Track how personal information is collected. What sensitive information do you have on clients or third parties? How is it circulated internally? What is personal information used for? Is it ever sent outside your business? Map data flow within your business to identify vulnerabilities. Rationalize personal information handling practices.

8.                  Revise your contracts. PIPEDA requires that privacy is protected when data leaves your business. In your forms of contracts, you must ensure that the other individuals and businesses who receive or process personal information provide the same protection that you do and will not disclose this information to others. An example of a clause that might appear in a customer or supplier contract is as follows:

Personal Information Protection and Electronic Documents Act ("PIPEDA")

You agree to the following:

1. You will receive from us, "personal information" (as defined in PIPEDA) about your customers.

2. Your web site shall advise your customers that:

(a) Personal information is being collected, and may be provided by and to third parties, for the purpose of verifying the customer's billing address.

(b) By placing an order, the customer shall be deemed to have consented to the collection, use and disclosure of the personal information for the purpose of verifying the customer's billing address.

A sample clause for an employment contract is as follows:



The Employee agrees to the following:


(a)  All communications (including telephone communications, faxes and e-mails) made, sent or received by the Employee in the course of his/her employment or using telecommunication or computer equipment belonging to [EMPLOYER] may be intercepted or accessed by [EMPLOYER] and he/she has no expectation of privacy in this regard.


(b)     [EMPLOYER] will receive "personal information" from the Employee as defined in the Personal Information Protection and Electronic Documents Act. By commencing and continuing employment with [EMPLOYER], the Employee is consenting to the collection, use and disclosure of his/her personal information (including to third parties) for the purpose of [EMPLOYER]’s business and that his/her consent may not be revoked.


9.                  Ensure consent. Ask for consent when you collect information. Review all your documentary consent provisions to ensure they satisfy PIPEDA. Make consent meaningful. The form and manner of consent that is required will depend on the sensitivity of the information and the surrounding circumstances.

10.             Ensure computer security so that personal information is secure, by keeping it physically and, where applicable, electronically protected. Design or change existing information management systems. Check firewalls of your computer system for vulnerability. Test and evaluate systems and processes.

11.             Support staff training. Train your staff on the changes that are being implemented.

12.             Allow access. Establish procedures to allow individuals access to their personal information, and to correct or update information when appropriate.

To assist my clients and others, I will, on request, provide a Sample Company Privacy Policy - please e-mail your request to me at


DISCLAIMER: The foregoing is not intended to be a comprehensive guide to the applicable law. General Client Memoranda and mailings from James D.L. Kerr ● Lawyer are intended to inform clients and acquaintances with respect to current issues that may be of interest to them. Memos are current to the date shown on the Memo. The law is constantly changing, however, and for that reason a Memo may not be completely accurate after it's stated date. Where circumstances warrant, the advice of a lawyer or other qualified professional should be obtained.

2005 James D.L. Kerr