In Canada, we have two types of privacy acts. The first is the Privacy Act, which gives individuals the right to access and request correction of personal information about themselves held by federal government organizations.
The second is the Personal Information Protection and Electronic Documents Act (PIPEDA), which sets out ground rules for how private sector organizations may collect, use or disclose personal information in the course of commercial activities.
Initially, PIPEDA applied only to personal information about customers or employees that was collected, used or disclosed in the course of commercial activities by the federally regulated private sector: organizations such as banks, airlines, and telecommunications companies. In the last year, the Act has been changed and now applies to personal information collected, used or disclosed by the retail sector, publishing companies, the service industry, manufacturers and other provincially regulated organizations.
Section 1 of PIPEDA states:
“An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance”
The methods of protection should include:
(a) Physical measures, for example, locked filing cabinets and restricted access to offices;
(b) Organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and
(c) Technological measures, for example, the use of passwords and encryption.
In other words, if you collect information about your clients, you must keep that information safe, in accordance with PIPEDA. If you don’t, you are subject to penalties, including possibly being sued by your own clients should their information be stolen.