Alberta’s new privacy legislation comes into effect January 1. To a large degree it’s been met with ignorance, apathy and confusion.

Here are three good reasons that businesses should be up to speed on Alberta’s Personal Information Protection Act (PIPA):

* It’s the law.

* Large organizations will comply and are telling service providers and sub-contractors to do the same, or possibly lose their business contracts.

* Alberta citizens have a right to see every piece of personal information that a business has collected on them starting in the new year.

Photo courtesy Canadian Career Partners
Privacy consultants Kim Bechtel, back left, Jill Clayton and Rick Klumpenhouwer predict many companies will embrace rules.

It’s a tidy summary of the act’s ramifications, articulated in a round-table discussion this month with Kim Bechtel, Jill Clayton and Rick Klumpenhouwer, privacy consultants with the Calgary-based HR firm Canadian Career Partners.

It’s no secret that as January 1 draws closer, many business owners are unclear about the act, which is designed to protect the personal information of the public and employees.

Nevertheless, Bechtel says some organizations are ready for the act – and even embrace it.

“We are finding that our big customers are on board with this,” Bechtel says.

“There is a tremendous pressure to be ethical, and that an organization’s governance environment is absolutely pristine. There’s an expectation that everything is above board.”

The act regulates the way Alberta businesses and the not-for-profit sector handle privacy and personal information. It contains plenty of detail that businesses must evaluate and abide by.

But in a nutshell, the act simply says that a business must be accountable for the personal information it handles – whether it’s a one-person operation or a multi-national company.

Importantly, the legislation gives the individual citizen the right (free of charge) to access all the personal information a company has gathered on the citizen, have it corrected if need be, and if not satisfied, lodge a complaint with the privacy commissioner’s office.

The act does have some teeth: organizations face up to a $100,000 fine for not being compliant; $10,000 for individuals. (Klumpenhouwer suggests that maximum fines would reflect wilful non-compliance or significant negligence.)

The sky isn’t going to fall on January 1 if a company hasn’t developed a fully-functioning code of practice, Klumpenhouwer says.

While there are technical issues to consider, he believes that businesses should view the act as providing a “best practices” guideline for the company.

“You’ll be much further along if you incorporate the spirit of the legislation . . . make sure everyone understands it, that there is good training,” he says. “Be open and have good communication.”

Clayton adds that companies that haven’t developed a code of practice should identify the gaps in their policies.

Businesses must work through issues such as getting consent to gather information and documenting the personal information. They must know how information is used, shared and stored, and how long it’s kept.

Businesses are also expected to have adequate administrative safeguards in place to protect information. This includes: creating policies; training staff and raising awareness; ensuring technical security around issues such as network access; and physical measures ranging from locking doors and file cabinets to positioning computer monitors so unauthorized people can’t see the screens.

Companies and individuals also must be concerned about e-mail, faxes, board-meeting notes and even the little scraps of information that managers keep in their desks. Employees, too, must safeguard items such as their own personal notebooks if they contain data on customers other than the basic information that’s found on a business card.

It’s difficult to say how Albertans will utilize the new act. Australia may serve as a parallel. It enacted privacy legislation for the business sector in December 2001.

Since that time, inquiries to its privacy hotline have tripled to 21,000, and the number of actual complaints has risen five-fold.

The financial sector, telecommunications companies and property-management firms were the subjects of most complaints.

Who would use the access provision in Alberta?

Certainly any employee, especially someone who’s had problems at work. Rural landowners may be keen to discover information that has been gathered on them by oil and gas companies. And anyone who has visited a medical lab, dentist, chiropractor or fitness centre might be interested because our health information is a sensitive issue.

“Organizations will have to be able to respond,” Clayton says.

“You have this increasingly sophisticated public coming to you. People know they have rights under this legislation and they will be exercising those rights.

“If someone comes to you January 1 and asks to see information that you have about them . . . you need to be able to retrieve that information.”

Bechtel, Clayton and Klumpenhouwer have spent considerable time speaking to local chambers of commerce about the act. It was created – in concert with the government of British Columbia – to override similar federal legislation that comes into effect January 1. The federal legislation, known as the Personal Information Protection and Electronic Documents Act, will apply to federally-regulated industries such as banks and phone companies, and to transactions crossing Alberta borders.

During the presentations to various business groups, Bechtel says that most leaders initially felt the act was costly, time-consuming and bureaucratic.

But then business people were asked how concerned they were, as individual citizens, about how other businesses handled their personal information.

“Every hand went up,” Bechtel recalls. “Citizens are sensitive to how their personal information is being used in private sector transactions.

“They (business leaders) got a different perspective, and really understand it is in their best interest to have their customers confident that they are handling their information in a good environment.”

Additionally, Bechtel expects business pressure will force the non-believers into line.

“That’s reflected in decisions of very large corporations in Alberta who are indicating to their service providers and sub-contractors that they expect they will be compliant with privacy legislation, or they will have to review their business relationship with those service providers and sub-contractors.”

Over time he expects there will be a ripple effect.

He says a good rule of thumb is to treat someone else’s private information the same way you’d like yours to be handled.

After all, privacy is everybody’s business.

Web Watch:
www.career-partners.com
www.psp.gov.ab.ca