Recently, I was in a local brewery buying a keg, and they asked for a copy of my driver’s licence to write down the number on the deposit form. And then a few days ago, I was filling out an online form for a social network that required I specify my gender to create an account. It is cases like this that inspired me to write this article.
The Personal Information Protection and Electronic Documents Act (PIPEDA) handles protection of personal information in the private sector in Canada. This applies to small business owners as well as federal corporations. Today I will write on one of the 10 principles of the act, which refers to identifying the purpose for which the information is collected. Whenever a Canadian business asks you (a consumer) for your information, you should first ask yourself, “Was I notified either verbally or in writing, of the reason each piece of my information is being collected?” If not, you can ask for this to be explained to you, and the organization must respond.
For small business owners, this means you should now have a written policy on why you are collecting any and all personal information, and for what reason each piece of information is being requested. You should not be asking for any information that is above basic requirements for you and your clients to complete the transaction. If at any time you have a new purpose for this information, you should seek consent from the individual before using it. These requirements will also help you with the *Openness* and *Individual Access* principles that I will write about at a future date.
From [section 11](https://laws.justice.gc.ca/eng/P-8.6/page-1.html#codese:11) of PIPEDA:
*An individual may file with the Commissioner a written complaint against an organization for contravening a provision of Division 1 or for not following a recommendation set out in Schedule 1.*
For more reading:
[The Canadian Privacy Commisioner’s website ](https://www.priv.gc.ca/information/guide_e.cfm#007)
[PIPEDA](https://laws.justice.gc.ca/en/P-8.6/)