
In recent years, Canada has become a place of interest for US-based energy companies looking to expand their businesses. Canada is a dynamic market for new generation construction, green energy resources, smart metering, conservation and energy marketing. Many US-based companies are now setting up shop in Canada.
Information privacy is an important aspect of doing business in Canada. Recently, the collection and use of personal information have come under intense scrutiny. Information privacy legislation has been enacted in Canada just as it has in the US.
When a foreign company enters the Canadian market, there are a number of important aspects of this country’s information privacy policy that must be understood in order to successfully operate in Canada. This is especially true for those companies that deal directly with individual consumers and collect and manage their personal data.
NGPE. What is the relevant information privacy legislation in Canada?
VS. Canadians are protected by federal and, where applicable, provincial privacy legislation. At the federal level, the Personal Information Protection and Electronic Documents Act (PIPEDA) controls the collection, use and disclosure of personal information across virtually all private-sector companies doing business in Canada. Some provinces, notably Québec, Alberta and British Columbia, have enacted their own privacy legislation. These have been deemed ‘substantially similar’ to the federal PIPEDA, and therefore supplant PIPEDA in those provinces. In all other provinces and territories, PIPEDA is now the privacy law of general application in the private sector.
Oversight of PIPEDA rests with the Privacy Commissioner of Canada, an office that can audit the privacy practices of organizations suspected of a breach of PIPEDA, and has the power to investigate complaints of non-compliance. Complaints that are upheld may be referred to the Federal Court of Canada, which has wide remedial authority, including the ability to award damages to a plaintiff. Those provinces with provincial legislation have similar bodies that oversee compliance and investigate breaches of their laws.
NGPE. What do US-based companies need to be aware of with respect to information privacy when operating in Canada?
VS. First and foremost, there are legal and cultural considerations. Legally, organizations must be compliant with PIPEDA (or its provincial equivalent). PIPEDA requires compliance with the 10 ‘fair information management principles’ of the Model Code for the Protection of Personal Information formed by the Canadian Standards Association. The 10 principles result in an extensive list of requirements that organizations must satisfy in order to be compliant.
Under PIPEDA, a company may only collect personal information with the individual’s consent, and may only use this information for the stated purposes. To be compliant with PIPEDA, a company must appoint a privacy officer who is accountable for the company’s privacy policies and activities. The company must have written, public information privacy policies, and train its staff on these policies. In addition, the company must have a complaints process to investigate violations of its privacy policies and be able to support an audit of these activities.
A US company must also be aware of the cultural differences between Canadians and Americans. According to a report provided to the US Department of Homeland Security by the Office of the Privacy Commissioner of Canada, Americans and Canadians view their privacy rights quite differently, with Canadians being less accepting of government infringement of their privacy rights in the name of national security.
NGPE. Practically speaking, how does the Canadian information privacy landscape impact US-based companies operating in Canada?
VS. The companies that will be most affected are those that deal directly with individuals, and collect and manage personal data (for example, name, address, energy consumption information, etc.).
Organizationally, a company must appoint a Privacy Officer trained in the Canadian legislation, create policies, and institute controls around access to and use of personal information collected in the course of the company’s business activities. They must also disclose to these individuals (i.e. their customers) the purpose for which their information is collected and the extent to which it will be disclosed and used. Finally, they must obtain consent from these individuals before collecting their personal information. Generally, this means that any vehicle through which an individual provides personal information to the company (contracts, websites, etc.) will require an information disclosure and consent section.
One very important consequence of Canadian privacy legislation relates to the outsourcing and offshoring of data processing and data management infrastructure. The cultural considerations mentioned earlier are very relevant when considering cross-border information flow from Canada to the US, in particular where such data is subject to access under anti-terrorism provisions in the USA PATRIOT Act. Such concerns exist even when the data remains in Canada, but is managed by a US-controlled entity. In such circumstances, companies need to disclose to the Canadians whose information is being collected and managed that their personal information may be accessible by US law enforcement agencies. In order to mitigate any issues raised by sending personal information offshore, many companies operating in Canada use Canadian-based service providers to store and access their data entirely within Canada.
NGPE. The SPi Group is a transaction management and billing services provider to the energy industry. What role do service providers play in supporting their clients’ compliance with Canadian privacy laws?
VS. Any company operating in Canada that is subject to Canadian privacy laws will require its suppliers to be, at a minimum, as compliant as they are, with the appropriate policies, staff and IT controls in place to protect the confidentiality of their information. Outsourcing data management functions is a particularly sensitive area. Service providers need to be sensitive to the privacy issues raised by offshoring data storage and allowing client data to be accessed by personnel located out-of-country. Increasingly, companies are requiring strict contractual provisions regarding the protection of personal information managed by their service providers, and even requiring their data to be stored and managed entirely within Canada.
NGPE. Where can companies find further information?
VS. US-based energy companies can find more information about the Canadian information privacy landscape by visiting The SPi Group’s website at www.thespigroup.com.
Ven Seshadri has been the President and CEO of The SPi Group Inc. since 2006, and was Chief Operating Officer prior to that. He has been instrumental in defining SPi as a leading provider of transaction management, billing and settlement, and other IT services to the energy market.
With expertise spanning custom software development, system integration, consulting, managed services and market operations, SPi offers a broad range of professional services to address all business and technology needs. The breadth of the company’s services and solution portfolio, market knowledge and success in delivering reliable, large-scale systems are key factors in ensuring that clients achieve their business and IT objectives.