Background
In 1995 the European Union directed its member states to conduct business only with countries that had adequate privacy protections in place. In response, the federal government enacted PIPEDA in an attempt to regulate the collection, use and disclosure of personal information and thereby promote and enforce "a unified privacy principle" across Canada.
In January 2001 PIPEDA became law for federally regulated organizations. This legislation anticipated that PIPEDA would also apply to provincially regulated organizations in provinces that failed to enact provincial legislation in the spirit of PIPEDA. Ontario has been unable to meet this deadline and, as a result, most provincially regulated organizations, including universities, must comply with PIPEDA effective January 1, 2004.
General Principles
Anticipating the absence of provincial legislation, the Council of Ontario Universities and the Association of Universities and Colleges of Canada obtained a legal opinion on the applicability of PIPEDA to universities. The opinion found that because most university activity is educational rather than commercial, PIPEDA is likely(1) to have only limited applications in universities. At Waterloo, PIPEDA appears to apply to those activities where personal information (only name, business address and business telephone number are not considered personal information) is provided to a third party for the purpose of generating income/profit (e.g., affinity programs, personal benefits providers) for a commercial rather than educational purpose. Before Waterloo can make such personal information available to the third party, PIPEDA requires that UW must secure the individual’s informed consent.
Interpretation and Implementation
UW’s Commissioner for Protection of Privacy and Freedom of Information shall be responsible for the interpretation and implementation of these guidelines which are to be used in concert with UW policies, procedures and guidelines. The Secretary of the University will be responsible for receiving complaints arising from the interpretation or implementation of PIPEDA.
Before engaging in a "PIPEDA activity," the University administrative officer responsible for that unit shall submit the reporting form to the University Commissioner, following which a consultation will occur. That officer must ensure the unit: identifies the purpose for which the personal information is collected; obtains consent from the individuals; limits collection to what is required for the purpose; limits use and disclosure to the purpose for which it was collected/consented to; retains personal information only for so long as necessary to fulfil the purposes for which it was collected; ensures accuracy; safeguards/protects personal information; provides an individual access to his/her own information.
(1)Until such time as PIPEDA legislation is tested in the courts, it is not possible to make definitive statements about its applicability to activities.
November 25, 2003