In a flurry of activity reminiscent of last year’s Y2K scramble, some businesses are scurrying to implement new measures to ensure their compliance with Ottawa’s new privacy regulations.

The federal government’s Personal Information Protection and Electronic Documents Act (PIPEDA) — the first Canadian privacy legislation to affect the private sector — enshrines significant new rules for personal information that will alter the way businesses operate, both on the Web and off.

In short, the act sets forth rules to govern the collection, use and disclosure of personal information in a manner that attempts to balance an individual’s right to privacy in his or her personal information against the need for organizations to collect, use or disclose personal information for purposes “that a reasonable person would consider appropriate in the circumstances” (Section 3 of the act).

The legislation defines “personal information” as information about “an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.”

PIPEDA principally applies to organizations that collect, use or disclose personal information in the course of commercial activities. “Commercial activity” means any particular transaction, act or conduct that is of commercial character, including the selling, bartering or leasing of donor, membership or other fund-raising lists.

The legislation will be phased in over a period of four years. Beginning on Jan. 1 this year, PIPEDA will apply only to the personal information of customers and employees of Canada’s federally regulated private sector, which includes industries such as airlines, banking, broadcasting, shipping and telecommunications.

Of particular note, the act will also apply to all organizations that disclose personal information for profit or gain outside a province or the country. As a result, any Canadian company — regardless of whether or not it is federally regulated — will be subject to the act if it transmits personal information for consideration between provinces.

On Jan. 1, 2002, the law will apply to personal health information for the organizations and activities already covered in the first year.

In January 2004, the law will extend to every organization that collects, uses or discloses personal information in the course of a commercial activity within a province, regardless of whether it is a federally regulated business.

However, if a province has passed comparable privacy legislation, that legislation would supersede PIPEDA. To date, only Quebec has passed comprehensive private-sector privacy legislation.

PIPEDA was established to harmonize data-protection practices and laws with the European Union, which has passed its own directive restricting the transfer of personal data from member states to any non-member state that does not provide similar legal protection.

The key principles include:

* Accountability: An organization is responsible for personal information under its control.

* Identifying purposes: The purposes for which personal information is collected shall be identified at or before the time it is collected.

* Consent: The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.

* Limiting collection: The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization, and shall be collected by fair and lawful means.

* Limiting use, disclosure and retention: Personal information shall not be used or disclosed for purposes other than those for which it is collected, except with the consent of the individual or as required by law.

* Accuracy: Personal information shall be as accurate, complete and up to date as necessary.

* Safeguards: Personal information shall be protected by security safeguards appropriate to its sensitivity.

* Openness: An organization shall make readily available to individuals information about its personal information management policies and practices.

* Individual access: Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and given access to that information.

* Challenging compliance: An individual shall be able to address a challenge concerning the above principles to the designated individuals accountable for the organization’s compliance.

Perhaps the most important principle of PIPEDA is that affected organizations must obtain a person’s consent when they collect, use or disclose his or her personal information. An organization may be exempted from this requirement only if:

* The collection is clearly in the interest of the individual and consent cannot be obtained in a timely manner.

* Collection with the knowledge or consent of the individual would compromise the availability or accuracy of the information, and the collection is reasonable and relates to investigating a breach of an agreement or contravention of law.

* The information is publicly available as specified in the regulations to the act.

In a future column, I will discuss some of the ways an organization can ensure compliance with the legislation, and the consequences for not meeting its standards.

(Anthony Morris is the practice group leader of McCarthy Tetrault’s Technology Law Practice Group in Calgary, and can be reached at 260-3527 or amorris@mccarthy.ca. The comments herein should not be construed as legal advice, and the reader is encouraged to seek the advice of counsel for any specific question.)