to access the personal information held to ensure its accuracy. The CSA code also made organizations responsible for the information they collected and used. Finally, the CSA code stipulated that organizations should be open about their information management practices.
The CSA code provides the foundation for Canada’s new PIPEDA. While the CSA code was a voluntary measure that organizations could choose to enforce, PIPEDA is required by law.
The 10 principles can be broadly categorized by their purpose. Under the general purpose of the organization being “accountable” come the three categories of “collection, use, & disclosure”, “security and safeguards”, and “transparency.” Illustration 1 depicts these categories and which of the 10 principles applies within that category.
Some organizations believe they can meet the obligations of PIPEDA just by having a Privacy Code. This is not the case as PIPEDA contains rules that relate to “ongoing” management of personal information. An organization’s practices must evolve to meet changing business needs, customer expectations, information technology advances and interpretations of PIPEDA and other applicable laws by the courts and the Privacy Commissioner of Canada.
Most public sector privacy laws apply to “recorded” information only. This is not the case with PIPEDA, which is not restricted to recorded information. PIPEDA also requires that personal information be collected, used, or disclosed solely with the knowledge and consent of the individual to whom it pertains. Organizations must also comply with obligations regarding how personal information can be collected, used, and disclosed. These obligations are set out in the 10 principles for privacy compliance, which are discussed in detail in the next section.
PIPEDA provides no “grandfathering” exemption so it applies equally to personal information collected prior to January 1, 2004. This means that personal information you already have on file will require the individual’s consent if you are going to use or disclose it for any purpose other than the identified purpose for which it was originally collected.
Certain information and activities are specifically exempted from the requirements of PIPEDA. These are:
The exemption for activities of organizations in provinces that have “substantially similar” legislation only applies to activities conducted “within” that Province. Any flow of personal information that is “inter-provincial or international” (meaning crossing Provincial or International boundaries) will still be covered by PIPEDA. In order for Provincial legislation to be “substantially similar” it must, at a minimum, contain the same type of provisions as PIPEDA. What this means is that the policies and procedures required under PIPEDA should generally be required for organizations in Provinces that have “substantially similar” legislation as well. Additionally, if you have any “inter-provincial and/or international” transfers and/or disclosures of personal information, they are subject to PIPEDA so it is in your best interests to establish a privacy regime based on PIPEDA even if you are in a Province that has “substantially similar” legislation. This will help ensure that your privacy requirements are met in all circumstances.
The principle of accountability is the overriding principle under which all the other principles are given effect. An organization faces risks if it does not undertake to ensure that it meets the objectives of PIPEDA and its principles. If the organization does not have an effective accountability regime, personal information might be improperly managed. This can result in damage to the organization’s reputation and other business relationships, because it will be seen as an organization that does not protect the personal information it collects, uses, and discloses. It can also face an investigation by the Office of the Privacy Commissioner, which can publish the fact that the organization is under investigation for alleged breaches. This too can damage the reputation of the organization, and if the complainant or the Office of the Privacy Commissioner takes the matter to Federal court, it can result in fines.
You should limit the amount and type of personal information you collect to what is absolutely necessary for the identified purpose(s). By potentially reducing the amount of personal information you collect you may be able to lower your cost of collecting, storing, retaining and archiving that data. It may also reduce your risk of having personal information inappropriately used or disclosed.
Organizations should have brochures or other written material that describe their personal information policies. This is the most efficient way to ensure that individual inquiries can be answered promptly.
In either case, the organization must, no later than 30 days after the request is made, send a notice of extension to the individual advising of the new time limit, the reasons for extending the time limit, and the individual’s right to make a complaint to the Office of the Privacy Commissioner of Canada about the extension. If the organization fails to respond in the appropriate manner and within the required time frame, it will be deemed to have refused the request.
The information you provide to the individual must be understandable. The onus is on the organization to explain any acronyms, abbreviations or codes used. To make it easier for the organization to respond to such requests, it is advisable to keep all personal information in one location or have a record of where the information is stored so retrieval is easier. Never disclose personal information unless you are certain of the identity of the requester and that person’s right to access it.
In certain situations you may deny access to all or some of the personal information held. Exceptions should be limited and specific. The reasons for denying access should be provided to the individual upon request. Exceptions may include information that is prohibitively costly to provide, that contains references to other individuals, that cannot be disclosed for legal, security or commercial proprietary reasons, that could reasonably be expected to threaten the life or security of another individual, that was collected in the course of investigating a breach of an agreement or a contravention of law, that was generated in the course of a formal dispute resolution process, or that is subject to solicitor-client or litigation privilege.
The answers to these questions may be different in each organization dependent upon particular policies and procedures. As such, you need to establish these policies and procedures before training staff in how to respond to these questions.
The circumstances under which consent is not required for the use of information (Clause 7(2)) are:
The circumstances under which consent is not required for the disclosure of information (Clause 7(3)) are:
Investigative body status
PIPEDA has provisions for the granting of investigative body status. The exceptions to the general consent obligations of PIPEDA permit the collection or use of personal information without the knowledge or consent of an individual if it is reasonable to expect that the collection or use with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection or use would be reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province. Collection or use of this information without the individual’s knowledge and consent is of limited use unless the information can be disclosed to the parties that need the information. Under PIPEDA such disclosure can be made to organizations that have investigative body status.
Public practitioners who are duly registered with their provincial or territorial CGA Association are now provided with the lawful authority under PIPEDA to carry out investigative services under the investigative body status of their respective provincial or territorial affiliate.
The significance of this status is that public practitioners can collect, use, and disclose certain information without an individual’s knowledge and consent if the information concerns a breach of an agreement, or a contravention of a federal, provincial, or foreign law. This would generally relate to matters of forensic accounting, litigation support, due diligence investigations, and certain assurance services.
Due to the Civil Penalties, public practitioners now have a positive obligation to ensure that their clients are providing full and accurate disclosure in their personal and corporate tax returns. A failure to do so could mean that the client is in breach of the Federal Income Tax Act or their respective Provincial Income Tax Act. In light of the Federal Income Tax Act, a potential breach may allow, in certain limited circumstances, a designated investigative body to collect, use, or disclose personal information without the knowledge or consent of an individual. Additionally, many corporate and personal tax returns contain personal information regarding the client as well as other individuals who may not be your clients. Examples of this would include additional property owners on a rental property statement, additional partners on a business or professional statement of income, or shareholders (including their SIN numbers) on a corporate tax return. In certain circumstances a CGA may be asked to disclose these tax returns, which contain personal information of individuals from whom you do not have consent, to bankers or other professionals. If this disclosure is to be made in the context of a suspected breach of an agreement, for example a loan agreement, the disclosure could normally only be made if you had the consent of each of the individuals whose personal information was contained in the return. However, in such cases a designated investigative body may make certain disclosures without the knowledge or consent of the individuals to whom the information relates.
Many audits or reviews are done for regulatory purposes and disclosure must be made to an association or organization that is not considered a government institution. In such circumstances, the disclosure can normally only be made with the consent of all individuals whose personal information may be contained in the statement. If such statements were prepared by a CGA and were prepared in order to ensure the client is not in breach of an agreement or other legal obligation, the disclosure may be made without the knowledge and consent of such individuals due to the investigative body status, but only in circumstances where it relates to investigating a breach of an agreement or a contravention of the laws of Canada or of a province.
Many CGAs perform forensic accounting, due diligence, and other types of litigation support services. These types of investigations normally require the collection, use, and disclosure of personal information. Although the collection and use of personal information obtained during these types of engagements would likely fall under the “exceptions to consent” provisions relating to collection and use contained in PIPEDA, the disclosure of the information can only be made either to or by a designated investigative body. This would mean that the organization or individual that retains you to perform the engagement can only disclose the information to you and you can only disclose the information to other parties if you are operating under the authority of an investigative body.
As long as the CPA is duly registered as a public practitioner with their respective provincial or territorial CPA Association, they may generally operate under the authority of such entities as an investigative body. If the CPA registers this year and begins to conduct such an investigation, but in the subsequent year does not register and has not already made disclosure of the information collected or used, the CPA would no longer be permitted to act under the authority of an investigative body status to allow for disclosure of that information without the knowledge and consent of the individuals to whom the information applies. The designated investigative body status will only be applicable for periods during which the CPA is duly registered and meets all the registration requirements.
It is advisable that all CPAs consult legal practitioners with expertise in privacy law to ensure that their specific activities meet all legal requirements relating to privacy law compliance including, but not limited to, their reliance on the foregoing examples and the investigative body status. The foregoing does not constitute legal advice and is provided for general informational purposes only.
I hereby further acknowledge that disclosure of this information may be made to the following third parties:
I acknowledge that Kemp Harvey Group owes me a professional duty to maintain the confidentiality of my personal information as well as to protect my personal information pursuant to PIPEDA. In light of these obligations I hereby consent to the use of Kemp Harvey Group’s professional judgment regarding the use of other professional(s) or third-party processors that may be required to complete the engagement I have retained them for. Disclosure to other parties, including my bank manager, legal counsel, or insurance agent may be made when directed by me to do so.
The above list and separate references in the closing paragraph would be modified by the CGA dependent upon what types of services they perform and to whom they expect disclosure may be made. You could allow for each service offered or potential disclosure to be made to be consented to separately or not consented to by using a “check the box” (opt-in) type of consent. Keep in mind that all other aspects of the Privacy principles should be embodied in your privacy regime so you may want to add statements regarding the limiting of collection, etc.
For more information, please contact our Privacy Officer at email@example.com
Unlike many other professional titles, the term “accountant” is not reserved or in any way restricted: anyone can call themselves an accountant.