Creating a Privacy Policy: Everything Canadians Employers Need to Know

  • HR Policies
Creating a Privacy Policy
Francis Ibana

Francis Ibana, Employment Law Content Specialist

(Last updated )

In today’s digital age, protecting personal information is of utmost importance. As an employer in Canada, you are responsible for safeguarding the personal information of your employees, customers, and other individuals with whom you do business.

One way to fulfill this responsibility is by creating a privacy policy that outlines how you collect, use, and disclose personal information. If your business collects personal information from customers for commercial purposes, you are required by law to have a privacy policy. Besides being the law, a privacy policy also protects you from liability claims.

Your privacy policy must inform your customers of the personal information you’re gathering, how it’ll be used and how you’ll safeguard it. In this article, we will provide some employer advice and tips on creating a privacy policy that complies with Canadian privacy laws.

Familiarize Yourself with Privacy Laws in Canada

The first step in creating a privacy policy is to familiarize yourself with Canadian privacy laws. The most important law in this regard is the Personal Information Protection and Electronic Documents Act (PIPEDA), which regulates the collection, use, and disclosure of personal information in the private sector. PIPEDA applies to all organizations that collect, use, or disclose personal information in the course of commercial activities.

In addition to PIPEDA, some provinces in Canada have their own privacy laws that may apply to your organization. For example, British Columbia has the Personal Information Protection Act (PIPA), and Alberta has the Personal Information Protection Act (PIPA). Make sure to review the relevant privacy laws and regulations that apply to your organization to ensure that your privacy policy is compliant.

Identify the Types of Personal Information Collected

The second step in creating a privacy policy is to identify the types of personal information that your organization collects. This could include information such as name, address, email address, date of birth, social insurance number, and credit card information.

It is important to be specific and transparent about the types of personal information you collect so that individuals can make informed decisions about whether they want to provide that information to your organization.

Explain the Purpose of Collecting Personal Information

The third step in creating a privacy policy is to explain the purpose of collecting personal information. This could include purposes such as fulfilling orders, providing customer service, conducting marketing activities, and complying with legal requirements.

It is important to be clear about the purposes for which personal information is collected so that individuals can understand why their information is being collected and how it will be used.

Describe How Personal Information is Used and Disclosed

The fourth step in creating a privacy policy is to describe how personal information is used and disclosed. This could include information such as who has access to personal information, how it is stored and protected, and under what circumstances it may be shared with third parties. It is important to be transparent about how personal information is used and disclosed so that individuals can make informed decisions about whether they want to provide their information to your organization.

Provide Information on Consent and Withdrawal

The fifth step in creating a privacy policy is to provide information on consent and withdrawal. This could include information on how individuals can give or withhold consent to the collection, use, and disclosure of their personal information, as well as how they can withdraw their consent if they change their mind. It is important to provide individuals with clear instructions on how to exercise their rights with respect to their personal information.

Establish Procedures for Responding to Privacy Concerns

The final step in creating a privacy policy is to establish procedures for responding to privacy concerns. This could include information on how individuals can contact your organization if they have privacy concerns, as well as how your organization will investigate and respond to those concerns. It is important to have clear procedures in place to address privacy concerns and demonstrate your organization’s commitment to protecting personal information.

What are my responsibilities under PIPEDA?

Your privacy policy must cover the 10 fair information principles set down in PIPEDA. These are:

Principle 1: Accountability

You are responsible for protecting all personal information collected by your business. This includes any data transferred to a third party for processing. You must appoint someone to ensure your compliance with PIPEDA and develop a privacy policy based on the 10 principles.

Principle 2: Identifying purposes

Your policy must inform customers of the purposes for which the personal information is gathered. This should be done before or at the time of collection, preferably in writing. You’ll need to get their consent again should you identify a new purpose. The purposes should meet the criterion of “what a reasonable person would consider appropriate under the circumstances”.

Principle 3: Consent

You must obtain informed consent from customers for the collection, use and disclosure of personal data. They must understand what they are consenting to, why you are collecting the data and what you’ll do with it.  For non-essential data gathering, people must be given a choice on whether to provide consent.

Principle 4: Limiting collection

You must only collect information that is needed for a “legitimate identified purpose”. You must not deceive the customers about the reasons for gathering personal data.

Principle 5: Limiting use, disclosure, and retention

Except in cases where a person consents or it is required by law, you must collect, use, or disclose personal data only for the stated purposes for collection. You should store the personal information for only as long as you need to fulfill those purposes. You must get fresh consent if you need to use or disclose personal information for a new purpose.

Principle 6: Accuracy

The personal information you collect must be accurate and up to date. Establish policies that govern what types of information need to be updated.

Principle 7: Safeguards

You must protect the personal data you collect against theft, unauthorized access, or disclosure, copying, use or modification. You must also educate your staff on the importance of keeping personal data confidential and the procedures developed to protect it.

Principle 8: Openness

Under this principle, organizations are required to make their privacy policies and procedures easily available and easy to understand for their customers. This can be achieved by providing a clear and concise privacy policy that outlines the organization’s practices for managing personal information. The privacy policy should be readily accessible on the organization’s website or available upon request.

Principle 9: Individual access

Under this principle, organizations must inform individuals if they hold any of their personal information and provide them with access to that information upon request. Individuals have the right to know what personal information is being collected about them, why it is being collected, and how it is being used or disclosed. They also have the right to request that any inaccurate or incomplete information be corrected.

Organizations must respond to an access request within a reasonable time frame and at minimal or no cost to the individual. The Canadian privacy law does not specify a specific time frame for organizations to respond to an access request made by an individual under Principle 9 (Individual Access). However, organizations are expected to respond to access requests in a timely manner and within a reasonable time frame.

Principle 10: Challenging compliance

Under this principle, you must have procedures in place for individuals to make inquiries or complaints about their personal information management practices. This includes providing contact information for the person or department responsible for handling privacy-related inquiries or complaints.

If an individual believes that their personal information has been mishandled, they can file a complaint with the appropriate privacy regulator. The regulator will investigate the complaint and determine whether the organization has complied with the privacy principles. The regulator may also make recommendations to the organization to address any non-compliance issues and may take enforcement action if necessary.

What else should I keep in mind when creating a privacy policy?

Your privacy policy must cover the 10 fair information principles set down in PIPEDA. You should also customize it to meet your specific business needs. Your company’s privacy policy must be easily accessible to your customers.

An effective way of doing so is to place a link to your privacy policy in the footer of your website (known as a browse-wrap agreement). The text should be legible and appear on every page of your website or mobile app.

It is also advised that you include a link to your privacy policy in your contact and registration forms. This is the clickwrap method, wherein a website visitor confirms they’ve agreed to the privacy policy before using your services.

Do you need more information on creating a privacy policy for your small business?

Creating a privacy policy is an essential step in protecting personal information in your organization. Privacy is a fundamental right, and protecting personal information is not only a legal obligation but also an ethical responsibility. By prioritizing privacy in your organization, you can help to create a culture of respect for personal information and promote privacy as a core value of your business.

Our experts can help you develop company policies as well as with any other HR and health and safety advice you need. See how we have helped other small and medium businesses get their business compliant with provincial legislation. Contact one of our experts today at 1 (833) 247-3652

Related articles

  • drugs weighing on a scale


    Olivia CicchiniEmployment Law Expert
    • HR Policies
  • Woman on vacation road trip


    Kiljon ShukullariHR Advisory Manager
    • HR Policies
  • cyber security


    Ming LeeVice President - IT
    • HR Policies
Back to resource hub

Try Peninsula Canada today

Find out what 6500+ businesses across Canada have already discovered. Get round-the-clock HR and health & safety support with Peninsula.

Speak to an expert 24/7

Sign up to our newsletter

Get the latest news & tips that matter most to your business in our monthly newsletter.