Canadian Anti-Spam Law
The Canadian Anti-Spam Law (Bill C-28) was originally introduced as a way to stop unwanted e-mails and texts. Businesses who sell or promote products are now required to prove that they have 'express consent' to contact customers using electronic means. Penalties for non-compliance range from $1 Million for individuals, and up to $10 Million for businesses.
'Express Consent' requires disclosing the exact purpose for why consent is being requested, and identifying who is seeking the consent. This is a significant change from past practices, where business relied mainly on 'implied consent'
The most important act to understand for small businesses in Canada is the Personal Information Protection and Electronic Documents Act (PIPEDA). This covers the collection, use, and disclosure of personal information in the course of commercial activity. According to the Office of the Privacy Commissioner of Canada, it is applicable everywhere in Canada other than Quebec, Alberta, and B.C., who have their own laws and Ontario, who has a data protection law that focuses specifically on personal health information.
So, here are a few ideas of how small businesses can safeguard the personal information stored within their offices, and adhere to Bill C-28.
- Leadership
One of the 10 Privacy Principles outlined in PIPEDA is accountability. Designate someone from your office to be accountable for the collection, usage, retention, disclosure, and disposal of personal information.
- Security Awareness
Create a comprehensive information security policy that outlines all security procedures. Teach employees about data protection, including email policies, computer network access, internet use policies, and customer information protection strategies.
- Physical Protection
Ensure your office is equipped with locks and alarms. Implement a Clean Desk Policy. Store printed records that contain sensitive information in a lockable filing cabinet. Keep copies of system and database backups in s safe. Employee access to sensitive, confidential information should be on a need-to-know basis.
- Technical Security
Ensure to use all available computer protections such as passwords, encryption software, firewalls, anti-virus softwares, and anti-spyware programs. There should be a security policy created specifically for the mobile workforce as well.
- Document Management
Only collect the personal information that is necessary for a particular purpose. Then, PIPEDA requires businesses to develop a 'records retention schedule'. When this information is no longer needed, it should be securely destroyed. **Most Important: Never just toss a business record into the trash or recycling bin. Partner with a secure document-shredding company to securely shred records.