While the topic of identity theft and the improper disposal of sensitive personal data has been getting a lot of ink as of late, data protection legislation in Canada and the European Union has been underway for a number of years, though its effects are only beginning to be felt by consumers and records management and document destruction firms.
Although Canada has had a law regulating personal data collected and used by the federal government for more than 20 years, regulation of data used by the commercial sector is relatively new.
FEDERAL CANADIAN LAWS
Two federal privacy laws protect the personal data of Canadian residents. The Privacy Act applies to data collected and used by the federal government, while the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to the private sector. PIPEDA went into full effect Jan. 1, 2004, while the Privacy Act has been in place since July 1, 1983.
According to the Web site for the Office of the Privacy Commissioner of Canada, http://www.pricom.gc.ca, the Privacy Act "imposes obligations on some 150 federal government departments and agencies to respect the privacy rights of Canadians by placing limits on the collection, use and disclosure of personal information. The Privacy Act gives Canadians the right to access and correct personal information about them held by these federal government organizations."
PIPEDA, which has been implemented in two stages, sets up similar guidelines for the private sector.
PIPEDA’s first stage of implementation began with the federally regulated sector in January of 2001, applying to personal information collected during commercial activities. The second stage began in January of 2002 and applied to personal health information. The law applies to all private sector organizations except those in provinces that have enacted similar legislation prior to PIPEDA. The provinces of Alberta, British Columbia and Quebec have legislation that has been deemed comparable to PIPEDA.
The directives of the law are as follows: Businesses need the consent of an individual to collect, use or disclose personal information in all but a few specific circumstances; information cannot be used for a purpose other than that for which consent was given; data collection, use and disclosure should be limited to the appropriate circumstances; individuals have the right to review and correct their personal data; and the Privacy Commissioner of Canada provides oversight and redress for individuals whose rights have been violated.
Under PIPEDA, personal information includes obvious data such as age, name, ID numbers, income, ethnicity, blood type and loan and credit records, as well as information on opinions and intentions to change jobs or to acquire goods or services, according to the Office of the Privacy Commissioner.
PIPEDA also calls for businesses to develop guidelines for retaining and destroying personal information. Renee Couturier of the Office of the Privacy Commissioner of Canada says the law stipulates that businesses must "destroy, erase or render anonymous information that is no longer required for an identified purpose or a legal requirement."
An electronic guide prepared by the Office of the Privacy Commissioner to assist businesses in implementing PIPEDA suggests that it could be less burdensome to destroy or erase data than to render it anonymous.
EUROPEAN DELAY
When the Data Protection Directive was introduced in 1995, the European Commission directed each of the EU’s 15 member states at the time to pass national laws implementing the directive by October 1998; however, only four of the EU’s member states complied by the stated deadline. The commission took France, Germany, Ireland, Luxembourg and the Netherlands to the European Court of Justice in December of 1999 because of their continued inaction in implementing legislation in compliance with the Data Protection Directive. According to a European Commission report dated May 2003, the late implementation of the Data Protection Directive by some EU member countries has hampered the directive’s effectiveness, as have the different ways in which the member countries apply the principles dictated by the directive. However, there has been some movement among many of the member states since then.
Rick Benson of Royal Shredding, Wilsonville, Ontario, Canada, says that neither PIPEDA nor the Privacy Act calls specifically for the shredding of documents containing personal information.
"As it stands," he says of Canada’s data protection laws, "they are only just touching on the whole aspect of privacy legislation. PIPEDA does not deal with retention scheduling. It doesn’t discuss confirmation of destruction."
Couturier says, "The legislation talks about safeguarding the information. In the electronic kit that we created for businesses, we talk about the 10 principles for safeguarding information." She says the legislation talks about disposal in the context of protecting the information, though it does not specify shredding. "However you dispose of the information, the important thing is that it cannot be picked up by somebody and reused," Couturier says.
When it comes to data retention, the Office of the Privacy Commissioner suggests encrypting data, storing documents in a locked cabinet and restricting access only to the people who require it, Couturier says.
PIPEDA is up for legislative review in 2006, at which point industry and the Office of the Privacy Commissioner will make suggestions for amending or expanding the act, Couturier says.
While PIPEDA does not explicitly call for the shredding of obsolete data, Benson says that Ontario’s Personal Health Information Protection Act (PHIPA) does specify shredding.
PROVINCIAL LEGISLATION
Benson, who is also a chairman with the National Association for Information Destruction (NAID) Canada, says Royal Shredding has benefited from the Ontario law, which went into effect Nov. 1, 2004. "Once the provincial law came into effect, we started getting more calls from physicians and labs in respect to it," he says.
PHIPA applies to personal health information that is collected by health care providers, hospitals, pharmacies, medical labs and ambulance services and stipulates that individuals have a right to access their information and to correct mistakes.
British Columbia and Alberta have legislation—called the Personal Information Protection Act (PIPA) in both provinces—that has the same stated purpose as PIPEDA: "To govern the collection, use and disclosure of personal information by private sector organizations in a manner that recognizes both the right of the individual to have his or her personal information protected and the need of organizations to collect, use and disclose personal information for purposes that a reasonable person would consider appropriate," according to the Office of the Privacy Commissioner of Canada.
PIPEDA applies to the data collected in the course of commercial activity and across borders, while the PIPA legislation in British Columbia and Alberta applies to provincially regulated private sector organizations.
Quebec’s Act Respecting the Protection of Personal Information in the Private Sector, which went into effect in 1994, has also been deemed similar to PIPEDA.
According to the Office of the Privacy Commissioner, the first part of PIPEDA does not apply to organizations in Quebec that are subject to the private sector privacy legislation for the collections, uses and disclosures of personal information within the province. However, PIPEDA does apply to federal works, undertakings and businesses in the province of Quebec. It will also apply to all trans-border movement of personal data for commercial activity.
The European Union also has a directive instructing its member states to safeguard the trans-border movement of data.
THE EUROPEAN UNION
The European Union introduced Directive 95/46/EC, also known as the Data Protection Directive, in the fall of 1995. The directive calls for EU member states to "neither restrict nor prohibit the free flow of personal data between Member States" to protect the rights and freedoms of citizens and "in particular their right to privacy with respect to the processing of personal data." It applies to paper files as well as to "automated," or computer, databases.
Dr. Rosa Barcelo of the European Commission Internal Market Data Protection Unit, Brussels, says the directive is horizontal and applies to any company or individual who collects personal data regardless of the purpose, with the exception of purely household activities, like Christmas card lists.
The Data Protection Directive applies to "any operation or set of operations which is performed upon personal data," which includes the storage of such information in addition to its collection and disclosure.
Anna Snow, with the Delegation of the European Commission to the United States in Washington, says the key point of the directive is that it establishes principles for data collection. Snow says the data collected and processed must not be used for a secondary purpose different from the explicit purpose for which it was collected and that the scope of the information cannot exceed the relevant need. "It ensures that the processing is necessary for the transaction," she says.
Barcelo says, "Article 17 of the data protection directive imposes an obligation upon data controllers (those who collect personal data) to implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or unauthorized disclosure."
She adds that organizational measures can include keeping computers under lock and key and that technical measures may consist of requiring access codes for such information.
Companies disposing of personal information have to comply with Article 17, Barcelo says. "It seems that ‘destroying’ the data is the only way to ensure that unauthorized disclosure doesn’t take place." However, she says that the directive does not specify the means of destruction, though she says shredding is probably the easiest method.
"I am not aware of any implementation of Article 17 which may have gone further and prescribed the way companies must ‘destroy’ information (e.g. shredding)," Barcelo says.
The Data Protection Directive also stipulates that a consumer’s consent is needed to collect data, particularly sensitive information concerning race, color and religion, and it provides for the consumer’s right to access his or her personal data and to correct inaccurate personal information, Snow says.
Despite the education required to put effective data protection legislation in place and the room for interpretation that exists with laws that do not expressly call for the secure shredding of personal data, the laws in place in Canada and in the European Union member countries should help to reduce the number of times identity theft makes the headlines in the future.
The author is managing editor of Secure Destruction Business and can be contacted via e-mail at dtoto@gie.net.
Explore the March 2005 Issue